Ransomware authors are very creative, in the last here we assisted a rapid evolution of the cyber extortion practice. Ransomware has become one of the fastest growing threats, new malware implements sophisticated features to avoid detection.
Recently security experts from MalwareHunterTeam spotted a singular strain of ransomware dubbed Popcorn Time that implemented an interesting mechanism to improve its efficiency.This ransomware comes with a singular feature, it allows victims to either pay up or they can opt to infect two others using a referral link. Then is the two other potential victims pay the ransom the original target receives a free key to unlock his encrypted files.
Once the Koolova ransomware infected a machine, it encrypts the files and then displays a warning screen where the text instructs the victim to open and read two awareness posts before they can get the ransomware decryption key.
Then Koolova starts a countdown that if gets to zero, the ransomware will definitively delete the files.
The two blog posts that the Koolova ransomware wants victims to read are:Google Security Blog called
The threat was spotted by the security researcher Michael Gillespie, the malicious code appears to be a work in progress.
— Michael Gillespie (@demonslay335) 18 dicembre 2016
“Koolova will encrypt a victim’s files and then display a screen similar to the Jigsaw Ransomware where the text is slowly shown on the screen. This text will tell the victim that they must read two articles before they can get a decryption key, It then tells you that if you are too lazy to read two articles before the countdown gets to zero, like Jigsaw, it will delete the encrypted files. This is not an idle threat as actually does delete the files.” reported BleepingComputer.com.
Once the victim reads both articles, he can rescue the encrypted files by clicking on the Decrypt My Files (the malware shows the string “Decripta i Miei File” which is Italian Language). The button “Decripta i Miei File” becomes available, when the user click on it the Koolova ransowmare will contact C&C server to get the decryption key.
Clearly, the author of this malware hasn’t developed it profit but just to spread awareness.
(Security Affairs – Koolova ransomware, malware)