Catb
Description
CatB ransomware was first observed in late 2022, gaining attention for abusing DLL hijacking via the Microsoft Distributed Transaction Coordinator (MSDTC) service—loading a malicious payload through DLL sideloading methods. The malware arrives in a two-stage dropper: the first DLL unpacks and launches the main payload (commonly named oci.dll), which subsequently encrypts files using hybrid RSA/AES cryptography. Unlike conventional ransomware, CatB does not rename files or distribute typical ransom notes; instead, it prepends the ransom message directly to the start of each encrypted file, making detection more difficult. Victims are instructed to contact the attackers via email (e.g., catB9991@protonmail.com or fishA001@protonmail.com), with the ransom demand escalating daily. Initial analysis suggests CatB may be a rebrand or evolution of Pandora ransomware, sharing various code artifacts and operational behavior.
| External Analysis |
| https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/ |
| https://www.fortinet.com/blog/threat-research/ransomware-roundup-catb-ransomware |
| https://www.vmray.com/catb-ransomware-a-new-threat-exploiting-dll-side-loading/ |
| https://cymulate.com/threats/catb-ransomware/ |