
COLORIT Ransomware

Posted: April 23, 2019

The COLORIT Ransomware is a file-locking Trojan that encrypts media on your computer so that it no longer opens. Its attacks may affect formats such as text documents, archives, music and pictures, among others, and can include deleting backups or compromising the rest of a local network. Although its distribution model isn't known to malware experts, most anti-malware tools should delete the COLORIT Ransomware on sight.

A Trojan that's Coloring Inside Your Files

A file-locking Trojan with no known family is attacking PCs in Britain. The threat of the moment, the COLORIT Ransomware, makes some semi-unusual choices in which content it holds hostage, and uses an untraditional ransom note. The mechanics and fundamentals of its attacks, however, stay true to those of previous campaigns by other Trojans of its kind: encrypting content, labeling the locked files, and giving vague ransom demands to the victim.

Malware researchers are only noting the COLORIT Ransomware infections on Windows environments for now, although the sightings are highly limited. Besides encrypting media like documents, the COLORIT Ransomware also blocks 'MSI' files (Windows installer packages), which most file-locker Trojan families ignore. The broader nature of the COLORIT Ransomware's payload configuration could imply that it's harming a much wider variety of files, although damage to the Windows OS itself is unlikely.

The COLORIT Ransomware's encryption includes the cosmetic addition of a 'COLORIT' extension (note the capitalization) to the names of your files. The rest of the filename remains intact, so identifying the content that the COLORIT Ransomware holds in captivity shouldn't be difficult.

Malware researchers need more data to identify which encryption method the COLORIT Ransomware uses, and whether or not it's reversible without the threat actor's help. Similarly, whether it deletes the Shadow Volume Copies that System Restore-based data recovery depends on is not yet confirmed.
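A small triage script for the two traits the article does describe: the case-sensitive 'COLORIT' name marker with the original filename left intact, and the still-unknown encryption. This is an added example, not code from the original article or from any vendor; it assumes the marker takes the form of a trailing ".COLORIT" suffix (an assumption) and uses a Shannon-entropy heuristic on each file's first bytes to flag content that looks encrypted rather than merely renamed. The sample directory it builds is constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed marker: the article says a 'COLORIT' extension is appended and the
# rest of the name survives; the exact ".COLORIT" suffix form is an assumption.
COLORIT_SUFFIX = ".COLORIT"

def original_name(name: str):
    """Return the pre-encryption file name, or None if the marker is absent.
    The check is case-sensitive, matching the capitalization the article notes."""
    if name.endswith(COLORIT_SUFFIX) and len(name) > len(COLORIT_SUFFIX):
        return name[: -len(COLORIT_SUFFIX)]
    return None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data sits close to 8.0, plain text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root, sample_bytes=4096, threshold=7.0):
    """Walk root and report every file carrying the marker, with its original
    name and extension and whether its leading bytes look encrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            orig = original_name(fn)
            if orig is None:
                continue
            path = Path(dirpath) / fn
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(sample_bytes))
            hits.append({"path": str(path), "original_name": orig,
                         "original_ext": Path(orig).suffix.lower(),
                         "entropy": entropy, "likely_encrypted": entropy > threshold})
    return hits

def summarize(hits):
    """Count affected files by original extension (e.g. '.msi', '.docx')."""
    return Counter(h["original_ext"] for h in hits)

def build_sample_tree():
    """Constructed sample: two marked files with random (encrypted-looking) bodies,
    one lowercase-suffix decoy that must not match, and one untouched file."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.COLORIT").write_bytes(os.urandom(8192))
    (root / "setup.msi.COLORIT").write_bytes(os.urandom(8192))
    (root / "notes.txt.colorit").write_bytes(b"plain text " * 100)
    (root / "readme.txt").write_bytes(b"untouched")
    return root
```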

Averting a Rainbow of Ransoms

Until more is clear about how the COLORIT Ransomware locks files and how thorough the cleanup procedure needs to be, it's essential that all users protect their media by backing it up to other drives. Removable devices such as USB drives, or cloud-based backup services, are immune to many, if not all, of the payloads of file-locking Trojans. At this stage, the ransom that the COLORIT Ransomware asks for in exchange for a decryptor is entirely unknown and could be a scam.

Casual, untargeted infection methods for Trojans of the COLORIT Ransomware's type may use illicit torrents, spam or corrupted advertisements. More targeted attempts may brute-force a server that uses a weak password or send crafted e-mail messages with disguised attachments (especially documents). Anti-malware protection can defend your files against the majority of these infection vectors and remove the COLORIT Ransomware when appropriate.

The only color that the COLORIT Ransomware's threat actors see is green: the color of ransom money. Bleaching the hue from their wallets is as easy as backing up your files and adhering to established Windows safety practices.
