
Koti Ransomware

Posted: May 18, 2020

The Koti Ransomware is a file-locker Trojan that can block digital media, such as documents, with encryption. Most infections include additional side effects, such as hijacking the user's Web browser by way of the Hosts file. Users can protect themselves with standard anti-malware resources for removing the Koti Ransomware, and backups for recovering anything they've lost.

Trojans Blocking Files and Websites, All for Money

The mercenary onslaught of the STOP Ransomware family against random users' files is continuing well into 2020, making it one of the most active Ransomware-as-a-Service families of the year. Although the Koti Ransomware is a previously unseen version, samples available to malware researchers suggest no major revamp of its internal functionality or obfuscation techniques. Like the Kodc Ransomware, the Lokf Ransomware, the Nbes Ransomware, the Rote Ransomware, and the Sqpc Ransomware, the Koti Ransomware uses encryption as its means of holding files captive for Bitcoins.

Typical techniques for circulating this family of file-locker Trojans include torrents with software or media piracy themes, phishing e-mail tactics, and hacking servers with vulnerabilities like weak passwords or outdated software. The 32-bit Koti Ransomware has a quickly-downloadable executable size of under a megabyte, like most Trojans of this classification. After making its way into a Windows environment, the Koti Ransomware establishes system persistence before launching a range of well-known attacks.

The Koti Ransomware blocks the user from navigating to security-related websites by changing the Hosts file mappings, and it encrypts media like documents or pictures (with either an offline or C&C-connected encryption sequence), which stops them from opening, too. It also deletes default backups with a system command and leaves the victim a Bitcoin ransom note for data recovery in a text file. Since the static or offline encryption is the less secure version, a quickly-reacting user who disables their network connectivity immediately may have slightly better chances of getting a working decryptor for free.

Taking the Bottom Line Out of the STOP Ransomware Ransomware-as-a-Service

The chance of a free or even ransom-bought decryptor for total file recovery, or an unaffected Restore Point, is slim. As such, malware researchers recommend secured, non-locally-stored backups as a particularly easy way of recovering from attacks by the Ransomware-as-a-Service industry, which includes the Koti Ransomware's family and others. While the Hosts file changes and other attacks may be recoverable relatively easily, the traditional encryption routine for the STOP Ransomware is secure for the indefinite future.
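The Hosts file tampering described above (mapping security-related websites to a loopback or null address) is one of the infection's easily reversible side effects. The following Python script is an added example, not code from the original post or from any anti-malware product; it parses a constructed sample of a Windows Hosts file, flags every hostname that has been sinkholed to 0.0.0.0, 127.0.0.1 or ::1 (other than the default localhost entries), and produces a cleaned copy with those lines removed. The sample domains (securityvendor.example, antimalware.example, corp.example) and the findings format are assumptions made for the example.

```python
"""Detect and strip sinkholed hostnames from a Windows Hosts file.

Added example: constructed sample data, not from the original post.
Run without arguments to analyse the embedded sample, or pass the path
to a real Hosts file (on Windows: C:\\Windows\\System32\\drivers\\etc\\hosts).
"""
import ipaddress
import sys
from dataclasses import dataclass

# Addresses that make a hostname unreachable when mapped in the Hosts file.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that legitimately map to loopback on a default installation.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample of a Hosts file after a hijack (hostnames are placeholders).
SAMPLE_HOSTS = """\
# Constructed sample of a Windows Hosts file after a hijack
#   127.0.0.1       localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 www.securityvendor.example   # redirected to a null address
0.0.0.0 updates.securityvendor.example
127.0.0.1 forum.antimalware.example
10.0.0.5 intranet.corp.example   # ordinary internal mapping, not flagged
"""


@dataclass(frozen=True)
class HostsFinding:
    """One hostname that the Hosts file redirects to a sinkhole address."""
    line_no: int
    address: str
    hostname: str


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for each mapping line.

    Comments (everything after '#') and blank lines are skipped, and a line
    is only accepted if its first field parses as an IPv4 or IPv6 address.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield line_no, parts[0], parts[1:]


def find_sinkholed_hosts(text):
    """Return findings for every non-default hostname mapped to a sinkhole address."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        if address not in SINKHOLE_ADDRESSES:
            continue
        for name in names:
            if name.lower() in DEFAULT_LOOPBACK_NAMES:
                continue
            findings.append(HostsFinding(line_no, address, name.lower()))
    return findings


def clean_hosts(text):
    """Return the Hosts file text with every flagged mapping line removed."""
    flagged_lines = {f.line_no for f in find_sinkholed_hosts(text)}
    kept = [raw for line_no, raw in enumerate(text.splitlines(), start=1)
            if line_no not in flagged_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for finding in find_sinkholed_hosts(content):
        print(f"line {finding.line_no}: {finding.hostname} -> {finding.address}")
    print("--- cleaned Hosts file ---")
    print(clean_hosts(content), end="")
```

On the sample above the script reports three sinkholed hostnames (lines 5 to 7) and leaves the localhost entries and the ordinary internal mapping untouched. On a real system, compare the cleaned output against the file before overwriting it, since some users add legitimate ad-blocking entries that map to 0.0.0.0 and would also be flagged by this heuristic.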

Along with the value of a comprehensive and protected backup, users have many options at hand for dodging the Koti Ransomware's possible infection exploits. Server admins can use strong passwords and patch their software regularly, and heavy-downloading users can scan new files before opening and avoid illicit content. All PC users can benefit from common-sense forms of protection like turning on visible extensions for filenames and turning off JavaScript and macros in the applicable programs.

As expected, dedicated and up-to-date anti-malware programs will detect this new variant and delete the Koti Ransomware, or quarantine it for sample submission, immediately in nearly all circumstances.

Samples of the Koti Ransomware pretend to be temporary files, but the issues they instigate are long-lasting ones. Users who consider their data worth paying for should also ponder how much they might save with a backup and a layer of sensible anti-malware protection.
