Geeks for your information
Kolz Ransomware 101: The STOP Djvu Variant to Watch Out for - Printable Version

+- Geeks for your information (https://www.geeks.fyi)
+----- Thread: Kolz Ransomware 101: The STOP Djvu Variant to Watch Out for (/showthread.php?tid=12999)



Kolz Ransomware 101: The STOP Djvu Variant to Watch Out for - harlan4096 - 01 October 20

Quote:

Kolz Ransomware is Part of the Infamous STOP Djvu Family. Find Out How to Prevent Encryption and Keep Your Devices Safe.

A new cyber-threat is making waves online, as more and more users are starting to report infections. I’m talking about Kolz ransomware, a relatively unknown strain that is every bit as damaging as better-known names such as Netwalker or Sodinokibi (REvil).
 
But what is it that makes Kolz ransomware so hard to pin down? Below, I have gathered a brief compendium of the available information on it, as well as offered some pieces of advice for your protection. So, if you want to learn what Kolz ransomware is and, more importantly, how to deal with it, then keep on reading.

What is Kolz Ransomware?

Kolz is a strain of the STOP Djvu ransomware family, which was discovered by independent ransomware hunter Michael Gillespie. The operation has been active since at least December 2016, when the first variant was spotted. As of September 2020, at least 160 variants of Djvu ransomware had been released, each typically distinguished by the extension it appends to encrypted files (.kolz in this case).

The STOP Djvu family has over 116,000 confirmed victims, with the real figure estimated at around 460,000. In fact, more than half of the ransomware samples submitted to identification services such as ID Ransomware are a form of Djvu.

Strains from the STOP Djvu family rely on RSA-1024, an asymmetric algorithm with a separate public and private key for each victim. The public key is used on the infected machine to encrypt, and only the private key, which never leaves the attackers, can decrypt. In practice the family encrypts file contents with a fast symmetric stream cipher and uses RSA-1024 to wrap that symmetric key, which is why the data cannot be recovered without the attackers' private key. This mode of operation applies to Kolz ransomware as well.
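To make the key scheme concrete, the following is an added example written for this article, not Heimdal's code and not code taken from the malware. It models the hybrid scheme publicly documented for the STOP Djvu family: each file body is encrypted with a symmetric stream cipher (Salsa20 in real samples; a SHA-256 counter keystream stands in for it here), and the random per-file key is wrapped with the victim's RSA public key and appended to the file. A 512-bit toy RSA key with textbook, unpadded encryption is used so the demo runs in seconds; both are assumptions for illustration only. The point it shows: the public key on the victim machine is enough to encrypt, but the private half is required to unwrap the key, so guessing or re-deriving it from the infected host is not possible. The family is also documented to fall back to a built-in offline key when its command-and-control server cannot be reached; files encrypted that way are the ones public decryptors can recover once that particular private key becomes available.

```python
"""Model of the STOP/Djvu hybrid key scheme (added example; not the malware's code).
Assumptions: SHA-256 counter keystream instead of Salsa20, 512-bit toy RSA,
textbook RSA without padding, one random key per file."""
import hashlib
import random

_rng = random.Random(2020)  # deterministic so the demo is reproducible


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test (sufficient for a toy key; not constant-time)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa(bits=512):
    """Per-victim key pair: ((n, e), (n, d)). Only the public half ever reaches the victim."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream(key, length):
    """Stand-in stream cipher: SHA-256 over (key || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(plaintext, public_key):
    """Fresh 256-bit file key; body XORed with keystream; key wrapped with RSA and appended."""
    n, e = public_key
    klen = (n.bit_length() + 7) // 8
    file_key = _rng.getrandbits(256).to_bytes(32, "big")
    body = _xor(plaintext, _keystream(file_key, len(plaintext)))
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # 256-bit key < 512-bit n
    return body + wrapped.to_bytes(klen, "big")


def decrypt_file(blob, private_key):
    """Unwrap the file key with the RSA private exponent, then undo the stream cipher.
    With the wrong key the unwrapped value is garbage and the body stays unreadable."""
    n, d = private_key
    klen = (n.bit_length() + 7) // 8
    body, wrapped = blob[:-klen], int.from_bytes(blob[-klen:], "big")
    file_key = pow(wrapped, d, n).to_bytes(klen, "big")[-32:]
    return _xor(body, _keystream(file_key, len(body)))


def demo():
    """Returns (recovered_with_private_key, recovered_with_public_key_only)."""
    public, private = generate_rsa()
    sample = b"constructed sample document contents"  # constructed input
    blob = encrypt_file(sample, public)
    return decrypt_file(blob, private) == sample, decrypt_file(blob, public) == sample


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second element of `demo()` is the victim's situation: the blob and the public key are both present on the machine, and that is still not enough to recover the data.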

How Kolz Ransomware Encrypts Devices

We still aren’t 100% sure how Kolz ransomware spreads, as its preferred infection vector has not been reported on thus far. However, STOP Djvu strains usually propagate through one (or more) of the following five ways:
  • malspam campaigns
  • network Trojans (loaders and adware bundles that fetch the ransomware as a second stage)
  • unofficial third-party tools (software cracks, key generators and activators bundled with the malware)
  • fraudulent files (fake installers and updates)
  • peer-to-peer (P2P) networks
Once Kolz ransomware has successfully infiltrated your device, it proceeds to encrypt any pictures, documents, databases, and other files on your device. You can tell which files have been encrypted because an additional .kolz extension is added to their name in the process. So, for example, gerbil.jpg would become gerbil.jpg.kolz.

After encrypting all targeted files, Kolz drops a ransom note named _readme.txt in every folder that contains encrypted files. You can see what the note looks like in the image embedded below:
...
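The two artifacts just described, the appended .kolz extension and the per-folder _readme.txt, are what an incident responder uses to scope an infection before touching anything. The script below is an added example written for this article, not Heimdal's code, that walks a directory tree and reports how many files were encrypted, which original file types were hit, and where the notes landed, including folders with a note but no encrypted files and folders with encrypted files but no note. The directory layout it scans is constructed inline in a temporary folder; the file names in it are illustrative.

```python
"""Scope a STOP/Djvu (.kolz) infection from its on-disk artifacts.
Added example, not Heimdal's code; the scanned tree is constructed inline."""
import os
import shutil
import tempfile
from collections import Counter

NOTE_NAME = "_readme.txt"  # ransom note name described in the write-up
KOLZ_EXT = ".kolz"         # extension appended to every encrypted file


def triage(root, ext=KOLZ_EXT, note_name=NOTE_NAME):
    """Walk root and summarise the infection. Paths are reported relative to root."""
    encrypted = []
    note_dirs = set()
    original_ext = Counter()
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name == note_name:
                note_dirs.add(rel)
            elif name.lower().endswith(ext):
                encrypted.append(os.path.join(rel, name))
                stem = name[:-len(ext)]  # gerbil.jpg.kolz -> gerbil.jpg
                original_ext[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    encrypted_dirs = {os.path.dirname(p) for p in encrypted}
    return {
        "encrypted_count": len(encrypted),
        "encrypted_dirs": sorted(encrypted_dirs),
        "note_dirs": sorted(note_dirs),
        # A note with nothing encrypted next to it usually means the user
        # deleted or restored files; encrypted files with no note suggest the
        # run was interrupted before the note was written.
        "note_without_encrypted": sorted(note_dirs - encrypted_dirs),
        "encrypted_without_note": sorted(encrypted_dirs - note_dirs),
        "original_extensions": dict(original_ext),
    }


def build_constructed_tree():
    """Create a small constructed tree mimicking a hit user profile; returns its root."""
    root = tempfile.mkdtemp(prefix="kolz_triage_")
    layout = {
        "Pictures": ["gerbil.jpg.kolz", "cat.png.kolz", NOTE_NAME],
        "Documents": ["budget.xlsx.kolz", "todo.txt", NOTE_NAME],
        os.path.join("Documents", "archive"): ["old.docx.kolz"],
        "Desktop": [NOTE_NAME],
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


def run_demo():
    """Build the constructed tree, triage it, clean up, and return the report."""
    root = build_constructed_tree()
    try:
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `triage()` at the real profile or share root (read-only, from a clean host or a forensic mount) to get the same report for an actual incident; the extension parameter lets the same script cover other STOP Djvu variants, since they differ mainly in the extension they append.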
Continue Reading