Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Kozy.Jozy Ransomware Help & Support (w.jpg / .31392E30362E32303136_<num>_LSBJ1)


  • Please log in to reply
1 reply to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,666 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:55 AM

Posted 20 June 2016 - 11:34 AM

A new ransomware was reported by @JaromirHorejsi that encrypts a victim's files and sets the background to a ransom note in Russian with the filename "w.jpg" that asks to contact the criminals at kozy.jozy@yahoo.com.
 
ClZrxP1XIAIRSdS.jpg
 
 
A random extension is selected from an array to append to files, with the pattern .31392E30362E32303136_(0-20)_LSBJ1: for example, ".31392E30362E32303136_14_LSBJ1".

 

Other variants seem to exist as well, with different numbers at the beginning, and different letters at the end, suggesting that this ransomware may be sold as a kit. Other extensions spotted include .31392E30362E32303136_(0-20)_ZHM1 and .31342E30362E32303136_(0-20)_KTR1.
 
The following extensions are targeted:
 

.cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .pdf, .ppt, .xls, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .bmp, .png, .cdr, .psd, .jpeg, .docx, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .odb, .odg,

 

Shadow copies are deleted using the following command.

vssadmin.exe Delete Shadows /All /Quiet

Unfortunately, the claim in the ransom note about the use of RSA-2048 is true. The malware has 20 embedded RSA keys, and encrypts the victim's data with one of the keys chosen at random, in chunks of 245 bytes. There is currently no way to decrypt data for free due to the use of this asymmetric encryption. I do recommend trying undelete programs such as Recuva, as the malware does not securely delete files.


Edited by Demonslay335, 20 June 2016 - 01:13 PM.

Posted ImageID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

Posted Image RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

Posted ImageCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


BC AdBot (Login to Remove)

 


#2 Amigo-A

Amigo-A

  • Members
  • 159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Third station from Sun
  • Local time:06:55 PM

Posted 20 June 2016 - 12:48 PM

translation ransom note from Russian
 
YOUR FILES ARE ENCRYPTED!
with using very resistant algorithm's RSA-2048.
Attempts to restore the files himself will lead only 
to their irrevocable damage. If you need them then
send one of the affected files on the email 
kozy.jozy@yahoo.com

Edited by Amigo-A, 20 June 2016 - 12:50 PM.

Digest of Crypto-Ransomware's (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users