Since it was first spotted in 2018, Djvu/STOP ransomware has grown to over 240 variants, becoming one of the most prominent ransomware families. Another member of this ever-growing family was recently detected. Dubbed Kolz, after the extension it appends, the ransomware is a high-severity threat designed to corrupt data and extort ransoms.
What is Kolz Ransomware
Kolz is a typical representative of the Djvu ransomware family. Following successful infiltration, it launches a scan that detects all user-generated files. The threat is after any file that might contain valuable information, including spreadsheets, databases, pictures, archives, and videos.
Kolz will use strong encryption algorithms to lock the files and prevent the user from accessing them.
All files encrypted by Kolz are easily recognizable, as the ransomware appends the ".kolz" extension to them. For example, a file named "documents.rar" will be renamed to "documents.rar.kolz".
Additionally, the ransomware drops a ransom note named "_readme.txt", which briefly describes the infection and outlines the ransom demands.
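The two artifacts described above, the appended ".kolz" extension and the "_readme.txt" note, are what a responder first looks for when triaging a suspected infection. The following is an added example (not code from the original article or from any vendor) that walks a directory tree, lists encrypted files and dropped notes, and recovers the pre-encryption file name by stripping the extension. The sample directory layout is constructed in the script itself; no real infected host is needed.

```python
import os
import tempfile
from pathlib import Path

# Indicators described in the article: appended extension and note file name.
KOLZ_EXT = ".kolz"
RANSOM_NOTE = "_readme.txt"


def scan_for_kolz_artifacts(root):
    """Walk `root` and return encrypted files and ransom notes found below it.

    Paths are returned relative to `root`, in POSIX form, sorted for stable output.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name.lower().endswith(KOLZ_EXT):
                encrypted.append(rel)
            elif name == RANSOM_NOTE:
                notes.append(rel)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def original_name(encrypted_name):
    """Recover the original file name by removing the appended .kolz extension.

    Kolz only appends its extension, so "documents.rar.kolz" maps back to
    "documents.rar". Names without the extension are returned unchanged.
    """
    if encrypted_name.lower().endswith(KOLZ_EXT):
        return encrypted_name[: -len(KOLZ_EXT)]
    return encrypted_name


def build_sample_tree():
    """Create a constructed directory tree mimicking a Kolz-affected user profile."""
    tmp = tempfile.mkdtemp(prefix="kolz_demo_")
    docs = Path(tmp) / "Documents"
    pics = Path(tmp) / "Pictures"
    docs.mkdir()
    pics.mkdir()
    # Constructed placeholder content; real encrypted files would hold ciphertext.
    (docs / "documents.rar.kolz").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.kolz").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("Don't worry, you can return all your files!\n")
    (pics / "holiday.jpg.kolz").write_bytes(b"\x00" * 16)
    (pics / RANSOM_NOTE).write_text("Don't worry, you can return all your files!\n")
    (pics / "notes.txt").write_text("untouched file\n")
    return tmp


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_for_kolz_artifacts(sample_root)
    print(f"{len(result['encrypted'])} encrypted file(s), {len(result['notes'])} ransom note(s)")
    for rel in result["encrypted"]:
        print(f"  {rel}  <-  {original_name(Path(rel).name)}")
```

The inventory produced by `scan_for_kolz_artifacts` is useful both for scoping the incident (which folders were reached) and for matching encrypted files against backup copies before restoring, which is why `original_name` returns the name the backup would carry.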
Kolz's operators promise a decryption key and software in exchange for $980. However, they offer a 50% discount to the victims who establish communication within 72 hours after encryption.
Victims are instructed to contact the criminals via email. The messages should be addressed either to firstname.lastname@example.org or email@example.com.
Ransom Note Text:
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID: ---
As proof of their ability to decrypt data, the criminals offer free decryption of one file. However, the offer has one limiting condition: only a file that contains no valuable information qualifies, which rules out items such as large Excel files and databases.
As Kolz is a newly found threat, its code has not yet been analyzed and no third-party decryptor is available. Nevertheless, experts recommend against engaging with the ransomware operators. These criminals are experienced manipulators who know how to trick their victims into unwanted actions.
Victims should be aware that by paying the ransom, they finance crime and encourage the criminals to continue their malicious business.
Backups stored in the cloud or on external storage can be used for file recovery. However, victims are advised to remove Kolz before attempting any data-recovery operation; otherwise, the still-active ransomware will corrupt the newly recovered files as well.
Old but still effective, spam emails are the preferred distribution method of the Djvu family. Criminals use a variety of popular topics and social-engineering tricks to reach a broad spectrum of potential victims.
Ransomware operators often use a technique called "spoofing" to make their emails appear to come from legitimate sources, usually impersonating well-known and trusted organizations such as shipping companies, banks, and government institutions. Kolz infects a device when an unprepared user downloads a malicious attachment or follows a weaponized link.
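A spoofed sender display name is cheap to forge, but the surrounding headers usually give it away: the envelope sender (Return-Path) or Reply-To points at a different domain, the receiving gateway records an SPF or DKIM failure, and the message carries an archive or script attachment. The following is an added example (not code from the article) that applies those checks to a constructed MIME message using only Python's standard `email` library. The sender, recipient and attachment names are invented, and the list of risky attachment extensions is an illustrative assumption that a real mail filter would tune to its environment.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed list of attachment types commonly abused as ransomware droppers.
RISKY_ATTACHMENT_EXTS = (".exe", ".js", ".vbs", ".scr", ".zip", ".rar", ".iso")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _display, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def assess_message(raw_message):
    """Return a list of spoofing/lure indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = domain_of(msg.get("From"))
    return_path_dom = domain_of(msg.get("Return-Path"))
    reply_to_dom = domain_of(msg.get("Reply-To"))

    # Envelope sender or reply address not matching the visible From domain.
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain '{return_path_dom}' differs from From domain '{from_dom}'")
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_to_dom}' differs from From domain '{from_dom}'")

    # Failed sender authentication recorded by the receiving gateway.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if check in auth:
            findings.append(f"Authentication-Results reports {check}")

    # Attachments of a type frequently used to deliver the first stage.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_ATTACHMENT_EXTS):
            findings.append(f"attachment '{filename}' has a risky extension")

    return findings


# Constructed lure impersonating a parcel service; all domains use reserved .example names.
SPOOFED_SAMPLE = """From: "Parcel Service Notifications" <noreply@parcel-service.example>
Return-Path: <bounce@bulk-sender.example>
Reply-To: <claims@freemail.example>
To: victim@corp.example
Subject: Your parcel could not be delivered
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached delivery notice.
--b1
Content-Type: application/octet-stream; name="Delivery_Notice.zip"
Content-Disposition: attachment; filename="Delivery_Notice.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed benign internal message for comparison.
CLEAN_SAMPLE = """From: Alice <alice@corp.example>
Return-Path: <alice@corp.example>
To: bob@corp.example
Subject: Lunch
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass
Content-Type: text/plain

Noon works for me.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(f"{label}: {assess_message(sample) or ['no indicators']}")
```

None of these indicators is conclusive on its own (legitimate bulk mailers also use a separate Return-Path domain), so the function reports all of them and leaves the scoring policy to the caller; in practice the combination of a domain mismatch, a failed SPF check and an archive attachment is what should route a message to quarantine.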
Trojans can also deliver Kolz as second-stage malware. Although this method is usually reserved for targeted attacks, a trojan infection should not be underestimated, as it can quickly escalate into a ransomware infection.