Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Kozy.Jozy Ransomware Help & Support (w.jpg / .31392E30362E32303136_<num>_LSBJ1)


  • Please log in to reply
1 reply to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:37 AM

Posted 20 June 2016 - 11:34 AM

A new ransomware was reported by @JaromirHorejsi that encrypts a victim's files and sets the background to a ransom note in Russian with the filename "w.jpg" that asks to contact the criminals at kozy.jozy@yahoo.com.
 
ClZrxP1XIAIRSdS.jpg
 
 
A random extension is selected from an array to append to files, with the pattern .31392E30362E32303136_(0-20)_LSBJ1: for example, ".31392E30362E32303136_14_LSBJ1".

 

Other variants seem to exist as well, with different numbers at the beginning, and different letters at the end, suggesting that this ransomware may be sold as a kit. Other extensions spotted include .31392E30362E32303136_(0-20)_ZHM1 and .31342E30362E32303136_(0-20)_KTR1.
 
The following extensions are targeted:
 

.cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .pdf, .ppt, .xls, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .bmp, .png, .cdr, .psd, .jpeg, .docx, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .odb, .odg,

 

Shadow copies are deleted using the following command.

vssadmin.exe Delete Shadows /All /Quiet

Unfortunately, the claim in the ransom note about the use of RSA-2048 is true. The malware has 20 embedded RSA keys, and encrypts the victim's data with one of the keys chosen at random, in chunks of 245 bytes. There is currently no way to decrypt data for free due to the use of this asymmetric encryption. I do recommend trying undelete programs such as Recuva, as the malware does not securely delete files.


Edited by Demonslay335, 20 June 2016 - 01:13 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


BC AdBot (Login to Remove)

 


m

#2 Amigo-A

Amigo-A

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:09:37 PM

Posted 20 June 2016 - 12:48 PM

translation ransom note from Russian
 
YOUR FILES ARE ENCRYPTED!
with using very resistant algorithm's RSA-2048.
Attempts to restore the files himself will lead only 
to their irrevocable damage. If you need them then
send one of the affected files on the email 
kozy.jozy@yahoo.com

Edited by Amigo-A, 20 June 2016 - 12:50 PM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users