
Cosakos Ransomware

Posted: August 2, 2019

The Cosakos Ransomware is a file-locking Trojan that can stop media, including documents, pictures, and dozens of other data formats, from opening. Besides blocking files and delivering ransom notes to profit from doing so, the Cosakos Ransomware may also include other attacks, such as wiping backups or installing spyware. Users can protect their work by backing it up regularly and keeping anti-malware products active to remove the Cosakos Ransomware at the first chance.

Media Ransoms Traveling the World

While many variants of the STOP Ransomware favor 'vacationing' in such places as India or Indonesia, Ransomware-as-a-Service is a flexible and turbulent business. A new threat actor hiring the family for extortion is using infection methods that don't target any specific region of the world or type of victim. Shortly after confirming its existence, malware experts can also confirm the Cosakos Ransomware's spread throughout Brazil, South Africa and Turkey.

Besides attacking a colorful range of users, the Cosakos Ransomware is similar to most versions of the RaaS family. As a file-locking Trojan, it can block content by encrypting it with a (usually) secure form of AES and another algorithm, using built-in or server-retrieved information. The user's documents and other digital media, which no longer open, are held hostage while the Cosakos Ransomware delivers its text ransom note.

Windows users should operate on the assumption that the Cosakos Ransomware will erase the Shadow Volume Copies by default. This function is a traditional inclusion in the family's payload and is evident in variants like the Besub Ransomware, the Godes Ransomware, the Dutan Ransomware, and the Fedasot Ransomware. Although the Cosakos Ransomware, at 1.34, is the newest version of STOP Ransomware, there are no indications of the feature's removal. A highly significant side effect of this attack is that users cannot use Windows Restore Points to recover the files that the Cosakos Ransomware encrypts.
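Shadow copy removal leaves a trace in process-creation logs, which gives defenders a chance to alert before recovery options are gone. The sketch below is an added example, not part of the original article, that scans such logs for the command lines involved. The key=value log format, host names and rule names are constructed for illustration, and because the article does not say which tool the Trojan uses, the patterns cover the built-in Windows utilities generally associated with shadow copy removal.

```python
import re

# Assumption: the article does not name the mechanism this Trojan uses. These
# are built-in Windows tools generally associated with shadow copy removal.
RULES = {
    "vssadmin-delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "vssadmin-resize": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b"),
    "wmic-shadowcopy-delete": re.compile(r"\bwmic(?:\.exe)?\s.*\bshadowcopy\b.*\bdelete\b"),
    "wbadmin-delete-catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b"),
}

# Hypothetical key=value export format; adapt to your own process telemetry.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events: two destructive commands, two benign ones.
SAMPLE = [
    r'2019-08-02T10:15:01Z host=WS-014 user=alice cmdline="vssadmin.exe  Delete Shadows /All /Quiet"',
    r'2019-08-02T10:15:02Z host=WS-014 user=alice cmdline="cmd.exe /c wmic shadowcopy delete"',
    r'2019-08-02T10:20:44Z host=SRV-02 user=backupsvc cmdline="vssadmin list shadows"',
    r'2019-08-02T10:21:09Z host=SRV-02 user=backupsvc cmdline="C:\Windows\System32\wbadmin.exe start backup -quiet"',
]

def parse(line):
    """Split one log line into a dict of its key=value fields."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD.findall(line)}

def normalize(cmdline):
    """Lower-case and collapse whitespace so case and spacing do not matter."""
    return " ".join(cmdline.lower().split())

def scan(lines):
    """Return (host, rule, cmdline) for each process start that matches a rule."""
    hits = []
    for line in lines:
        event = parse(line)
        cmd = normalize(event.get("cmdline", ""))
        for name, rule in RULES.items():
            if rule.search(cmd):
                hits.append((event.get("host", "?"), name, event["cmdline"]))
                break  # one alert per event is enough
    return hits

if __name__ == "__main__":
    for host, rule, cmdline in scan(SAMPLE):
        print(f"ALERT {host} {rule}: {cmdline}")
```

Administrators and backup software also run some of these commands legitimately, so a hit is a prompt for triage (who ran it, from which parent process) rather than proof of infection.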

Ending the Cosakos Ransomware's Global Travels

The most efficient means of limiting the damage from file-locking Trojans' infections always involves having previously prepared backups. Victims can contact members of the cyber-security industry with some cryptographic experience for other recovery options, but free decryption is only infrequently possible with Ransomware-as-a-Service families. Malware experts strongly recommend keeping an updated backup on another device.

The Cosakos Ransomware's method of spreading remains open to inquiry. Its boundary-crossing behavior suggests attacks of opportunity, such as brute-forcing or abusing RDP on vulnerable servers as the threat actor finds them, or generalized distribution channels like torrents. Disabling JavaScript, refusing illicit downloads, and turning off macros will head the Cosakos Ransomware off before it can cause what can be permanent file damage.

Anti-malware products are still the ideal uninstallation method for this family. Most brands from major vendors should uninstall the Cosakos Ransomware easily or stop an installation exploit.

Windows-based extortion is a hydra that steadily grows new heads, of which the Cosakos Ransomware is just one. Until victims stop paying the ransoms, STOP Ransomware's 'businessmen' have no reason to stop.