
Kolz Ransomware

Posted: September 21, 2020

The Kolz Ransomware is a file-locking Trojan that's part of STOP Ransomware's Ransomware-as-a-Service. The Kolz Ransomware can destroy the users' default Windows backups while encrypting their media files and holding them hostage. Users can protect any important files through diligent backup standards, and traditional anti-malware services will comfortably delete the Kolz Ransomware.

Some More Random Entries into a Trojan's Family

The Ransomware-as-a-Service industry's near-stranglehold on encryption as an extortionist tool shows itself anew each day, as new releases from families such as the STOP Ransomware (or Djvu Ransomware) exemplify with each campaign. Samples of a Kolz Ransomware variant of that family show that the RaaS is maintaining its traditional payload, with file-locking attacks as the foundation. Concerningly, its victims might not have a static label for identifying it by sight. The Kolz Ransomware, like some other Trojans of its kind, uses random and highly unhelpful names to stay under users' notice.

The Kolz Ransomware installer poses as a temporary file, using short, random-looking names such as 'A4D6' and 'C5CB,' much like the cookies that are ubiquitous to Web browsers. Such a hiding method suits some drive-by-download attacks. An attacker also might compromise a server's login credentials and deploy the Trojan manually. The file-locker Trojan is compatible with various versions of Windows, and its initialization process includes contacting several domains well known as part of the STOP Ransomware family's C&C infrastructure.

The Kolz Ransomware attacks focus on disrupting access to media files, such as the user's documents, databases, pictures, music, etc. It encrypts these files using AES together with an RSA key (which it either downloads or, failing that, replaces with an offline default), leaving them unable to open until the user decrypts them. Currently, this family drops a standard text ransom note listing shared e-mail addresses for negotiating the ransom; paying may or may not get the victim a working unlocking service. The STOP Ransomware's instructions notably offer a temporary 'discount' as psychological leverage.
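The artifacts the two paragraphs above describe (a dropper hiding under a short temp-file-like name, media files carrying the '.kolz' extension, and a text ransom note with shared e-mail addresses and a 'discount'), as an added triage script that is not code from the page or from any vendor. It assumes the dropper is a .exe whose stem is exactly four hex characters (the page lists 'A4D6' and 'C5CB' without an extension) and that the note is a small .txt file; the directory tree it scans is constructed here, with placeholder bytes in place of any real binary or real note.

```python
"""Artifact triage for a STOP/Djvu-style file-locker such as the Kolz Ransomware.

Added example, not code from the page. Buckets files into three classes:
droppers (four-hex-character .exe names; assumption), locked media ('.kolz'
extension; from the page) and ransom notes (small .txt with an e-mail
contact and a 'discount' pitch; from the page). Sample data is constructed.
"""
import os
import re
import tempfile

DROPPER_NAME = re.compile(r"^[0-9A-Fa-f]{4}\.exe$")   # assumption: 'A4D6.exe', 'C5CB.exe'
LOCKED_EXT = ".kolz"                                  # extension the page attributes to the family
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DISCOUNT = re.compile(r"\bdiscount\b", re.IGNORECASE)
NOTE_MAX_BYTES = 64 * 1024


def looks_like_ransom_note(path):
    """Small .txt file that both names an e-mail contact and dangles a discount."""
    if not path.lower().endswith(".txt") or os.path.getsize(path) > NOTE_MAX_BYTES:
        return False
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return bool(EMAIL.search(text)) and bool(DISCOUNT.search(text))


def scan_tree(root):
    """Walk root once and bucket matching files as '/'-separated relative paths."""
    found = {"droppers": [], "locked": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if DROPPER_NAME.match(name):
                found["droppers"].append(rel)
            elif name.lower().endswith(LOCKED_EXT):
                found["locked"].append(rel)
            elif looks_like_ransom_note(full):
                found["notes"].append(rel)
    return {key: sorted(paths) for key, paths in found.items()}


def verdict(found):
    """Locked files or a note mean the payload ran; a lone dropper means the
    installer landed but no encryption stage has been observed yet."""
    if found["locked"] or found["notes"]:
        return "encryption-observed"
    if found["droppers"]:
        return "dropper-only"
    return "clean"


SAMPLE_TREE = {  # constructed, not recovered from a real infection
    "AppData/Local/Temp/A4D6.exe": b"MZ placeholder, not an executable",
    "AppData/Local/Temp/C5CB.tmp": b"ordinary temporary data",
    "Documents/report.docx" + LOCKED_EXT: b"\x8f\x1e\x02 opaque placeholder",
    "Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 intact header placeholder",
    "Documents/readme.txt": (
        b"ATTENTION! Your files are encrypted.\n"
        b"Write to helpdesk@example.com or restore@example.net.\n"
        b"You get a discount if you contact us soon.\n"
    ),
}


def build_sample_tree(root):
    """Materialise the constructed tree under root."""
    for rel, data in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Create the constructed tree in a scratch directory, scan it, attach a verdict."""
    root = tempfile.mkdtemp(prefix="kolz-triage-")
    build_sample_tree(root)
    found = scan_tree(root)
    found["verdict"] = verdict(found)
    return found


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In practice `scan_tree` would be pointed at a user profile or a mounted image; the `.exe` requirement in the dropper rule keeps ordinary four-character temp files (like the constructed `C5CB.tmp`) from being flagged, and the note check keys on the two traits the page describes rather than on any fixed file name.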

Predictable Parts of a Supposedly Random Trojan

Even the Kolz Ransomware's name, part of the extension that it adds to files, is a random sequence of characters, little different from its relatives, the KASP Ransomware, the NPPH Ransomware, the Oonn Ransomware, or the ancient Djvu Ransomware. This arbitrary and meaningless branding scheme stands in stark contrast to the Trojan's payload, which is almost entirely static. Windows users have multiple ways of protecting themselves effectively from the Kolz Ransomware's 'random' attacks, such as:

  • Using strong passwords as a preventative against brute-force attacks
  • Scanning e-mail attachments and leaving any macros inactive
  • Turning off Java, JavaScript and Flash while Web-browsing
  • Storing backups on other devices that the Kolz Ransomware can't wipe
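The last point above, keeping backups where the Kolz Ransomware cannot wipe them, is only half of a backup standard; the other half is proving at restore time that the copy is still what was saved. The following is an added example, not code from the page: a SHA-256 manifest written alongside (not inside) the backup is later compared against the copy, and any file that has gone missing, changed, or reappeared under the family's '.kolz' extension blocks the restore. The backup contents and the simulated damage are constructed.

```python
"""Integrity check for an offline backup set (added example, not from the page).

A manifest of SHA-256 digests is stored apart from the data it describes;
verify_backup() then classifies every path as intact, modified, missing,
locked (renamed to the '.kolz' extension the page attributes to this family)
or unexpected. All file contents here are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile

LOCKED_EXT = ".kolz"  # extension the page attributes to the Kolz Ransomware


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root ('/'-separated relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest


def verify_backup(manifest, root):
    """Compare the copy under root against the manifest it was written with."""
    current = build_manifest(root)
    report = {"intact": [], "modified": [], "missing": [], "locked": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["intact"].append(rel)
    for rel in current:
        if rel not in manifest:
            bucket = "locked" if rel.lower().endswith(LOCKED_EXT) else "unexpected"
            report[bucket].append(rel)
    return {key: sorted(paths) for key, paths in report.items()}


def is_restorable(report):
    """Restore only from a copy with nothing missing, modified or locked."""
    return not (report["missing"] or report["modified"] or report["locked"])


def write_files(root, files):
    """Write a constructed {relative path: bytes} set under root."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Snapshot a constructed backup, then simulate a file-locker reaching it."""
    backup = tempfile.mkdtemp(prefix="backup-")
    manifest_dir = tempfile.mkdtemp(prefix="manifest-")  # kept apart from the data
    write_files(backup, {
        "docs/thesis.docx": b"chapter one placeholder",
        "photos/cat.jpg": b"\xff\xd8\xff\xe0 placeholder",
    })
    manifest_path = os.path.join(manifest_dir, "manifest.json")
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(build_manifest(backup), fh)
    with open(manifest_path, "r", encoding="utf-8") as fh:
        manifest = json.load(fh)

    clean = verify_backup(manifest, backup)

    # Simulated damage: one document is overwritten with opaque bytes and
    # renamed with the locked extension, which is what a reachable backup risks.
    victim = os.path.join(backup, "docs", "thesis.docx")
    os.replace(victim, victim + LOCKED_EXT)
    with open(victim + LOCKED_EXT, "wb") as fh:
        fh.write(b"\x8f\x1e\x02 opaque placeholder")
    damaged = verify_backup(manifest, backup)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("before damage, restorable:", is_restorable(clean), clean)
    print("after damage, restorable:", is_restorable(damaged), damaged)
```

The manifest lives in a separate location on purpose: a manifest stored inside the backup would be overwritten or locked along with the data, and the check would then have nothing trustworthy to compare against.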

Some file-locking Trojans, such as many Xorist Ransomware variants, can be undone with free unlocking tools. Unfortunately, most Ransomware-as-a-Service families use encryption secure enough that this recovery possibility is a pipe dream for most victims. Malware experts recommend investing in durable and updated backups instead.

Proven anti-malware services also should delete most members of the STOP Ransomware family on sight and remove the Kolz Ransomware in its many iterations.

Some users might endanger their files by downloading illicit content or opening strange e-mail attachments in the coming weeks. Regardless, most of the work in denying a Trojan like the Kolz Ransomware its profits comes from taking the right precautions before an attack. Depriving Trojans of the hostages they need for negotiations-by-force is always best.
