
Koko Ransomware

Posted: September 18, 2019

The Koko Ransomware is a file-locker Trojan that blocks your PC's personal and work files by encrypting them. This attack isn't always curable, and users should establish thorough backup plans for recovering from a possible infection. Anti-malware products can offer additional safety by removing the Koko Ransomware on detection, although most vendors identify it generically.

Double the Trouble on Your Filenames

When a file-locking Trojan blocks a file, it usually leaves behind a visual tag or signifier of the change, for the benefit of both the victim and the threat actor. Although some samples prepend content to the start of a name or change icons, the majority content themselves with adding a single extension onto the end. This identifying factor is one of the most recognizable symptoms of an infection, and departures from the usual format are noteworthy, as with the payload of the Koko Ransomware.

The Koko Ransomware, unlike most similar threats, uses a double extension on everything that it blocks. Doubled extensions are often a programming error or glitch, as malware experts saw in the SYSDOWN Ransomware. The Koko Ransomware's usage seems deliberate: the Trojan uses a first extension for delivering e-mail negotiation information and a second one made of randomized characters.
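A defender triaging a machine wants a quick way to find which files carry this double-extension pattern and what they were before the rename. The script below is an added example and not code from the original article or from any vendor; the exact naming layout it parses (original extension, then a bracketed e-mail-style marker, then a random alphanumeric token) is an assumption standing in for the layout the article describes, and the file names it scans are constructed samples. It reports hits grouped by the original extension and can recover the pre-rename name, which is what you need to match encrypted files against a backup.

```python
"""Flag files whose names carry an e-mail marker plus a random suffix after the
original extension, and recover the original name. Added example; the naming
layout is an assumption, not the Koko Ransomware's documented format."""
import math
import re
from collections import Counter

# Constructed sample directory listing (not real infection artifacts).
SAMPLE_NAMES = [
    "budget.xlsx",
    "budget.xlsx.[restore@example.test].k9x2qa",
    "notes.txt.[restore@example.test].p7mz1c",
    "hkcu_backup.reg.[restore@example.test].q4ln8v",
    "custom.eng",
    "archive.tar.gz",
    "photo.jpeg.bak",
]

# Assumed layout: <stem>.<orig ext>.[<email>].<random token>
DOUBLE_EXT_RE = re.compile(
    r"^(?P<stem>.+?)"                                    # original base name
    r"\.(?P<orig>[A-Za-z0-9]{1,8})"                      # original extension
    r"\.\[?(?P<email>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)\]?"   # e-mail marker extension
    r"\.(?P<rand>[A-Za-z0-9]+)$"                         # trailing random token
)


def shannon_entropy(text):
    """Bits of entropy per character; used to tell random tokens from words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(token, min_len=5, min_entropy=2.0):
    """Heuristic: a random suffix is alphanumeric, not too short, and not repetitive."""
    return (len(token) >= min_len and token.isalnum()
            and shannon_entropy(token) >= min_entropy)


def classify(name):
    """Return (original extension, e-mail marker, random suffix) or None."""
    m = DOUBLE_EXT_RE.match(name)
    if not m or not looks_random(m["rand"]):
        return None
    return m["orig"].lower(), m["email"], m["rand"]


def original_name(name):
    """Strip the two added extensions, giving the name to look up in a backup."""
    m = DOUBLE_EXT_RE.match(name)
    if not m:
        return name
    return f"{m['stem']}.{m['orig']}"


def scan(names):
    """Map each original extension to the flagged file names that carried it."""
    hits = {}
    for name in names:
        result = classify(name)
        if result is None:
            continue
        hits.setdefault(result[0], []).append(name)
    return hits


if __name__ == "__main__":
    for ext, files in scan(SAMPLE_NAMES).items():
        print(f".{ext}: {len(files)} file(s)")
        for f in files:
            print(f"   {f}  ->  {original_name(f)}")
```

Run it as-is to see the constructed listing triaged; on a real host, replace SAMPLE_NAMES with the output of an os.walk over the affected volume. The entropy check is what keeps ordinary double extensions such as archive.tar.gz or photo.jpeg.bak out of the results, since those lack the e-mail marker and a random-looking tail.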

Besides that oddity, the Koko Ransomware also avoids the AES and RSA combination that most file-lockers prefer. Its payload encrypts content with Salsa20, just like the Euclid Ransomware or the GetCrypt Ransomware. While this choice doesn't make its file-locking attack any less secure, malware analysts are uncertain whether the Koko Ransomware is compatible with any free decryption utilities.

The Cheapest Key to a Costly Lock

Ransoms from file-locking Trojans typically start at several hundred dollars and go up to thousands, depending on the target. The Koko Ransomware, which is notably unrelated to the much older KoKo Locker Ransomware, gives no upfront price for its unlocking help. However, users can avoid the ransom situation entirely by keeping at least one backup of their work somewhere else, such as on a USB drive.

Malware experts see a few unusual choices in the Koko Ransomware's preferences for 'hostages.' Besides the traditional text, movies, audio, and so on, it also blocks REGs (Windows Registry files), ENGs (dictionary files), and plugin components like HLFs, along with others. It shouldn't harm the Windows OS itself, but its encryption may prevent non-essential programs from running.

Besides having a backup, Windows users should protect themselves with updated anti-malware products. Most anti-malware vendors can identify and remove the Koko Ransomware as a heuristic or generically-identified Trojan.

The taste of Salsa20 on your files is like a real salsa that's made only of ghost peppers – an ostensibly positive dish with weaponization in the serving. Just as you shouldn't order food without knowing what's in it, you shouldn't download or run a file before confirming its safety, unless you're happy with risking a Koko Ransomware infection.
