Ransomware Roundup – Koolova, KillDisk and more


Perhaps the oddest thing to pop up recently is the Koolova ransomware (which refers to itself as Nice Jigsaw): it encrypts files and threatens to delete them, but supplies a decryption key once the victim has read two articles: Google’s  Stay safe while browsing  and Bleeping Computer’s Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.

Lawrence Abrams: Koolova Ransomware Decrypts for Free if you Read Two Articles about Ransomware. Commentary by Graham Cluley for Tripwire: Ransomware Offers Free Decryption if you Learn About Cybersecurity.

I have to agree with Abrams that there’s something creepy (to say the least) about this. But not only because it cites one of his own articles. Even though the ‘ransom’ isn’t monetary, there are less offensive ways in which someone could make that ‘educational’ point without compromising someone else’s data and without the barely-concealed gloating because of the power they have over the victim but choose not to exercise. And I find it hard to believe that the people behind this are always going to be so ‘nice’. Are they priming the pump for a different kind of attack?


For ESET, Robert Lipovsky and Peter Kálnai have more information on KillDisk’s recent foray into ransomware: KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt.

They summarize:

The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations. Considering the high ransom of around USD 250,000 – resulting in a low probability that victims would pay up, in addition to the fact that the attackers have not implemented an efficient way of decrypting the files, this seems more like a nail in the coffin, rather than a true ransomware campaign.


Meanwhile, the Petya-derived GoldenEye has been targeting German-speaking HR departments as a way into the lucrative corporate ransomware market. According to Checkpoint:

The first attachment is a PDF containing a cover letter which has no malicious content and its primary purpose is to lull the victim into a false sense of security. The second attachment is an Excel file with malicious macros unbeknown to the receiver.

Not a novel approach, but it’s worked well for other types of malware (including Cerber), and I see no reason why it shouldn’t be effective this time, even though (as David Bisson points out):

While those in HR should expect to receive emails from all kinds of people, they shouldn’t give anyone who sends a Microsoft Office document with macros enabled the time of day. In fact, organizations should make sure that every computer in every department disables Office macros by default.


Cert.PL offers analysis of the newly-polished tur^H^H^H CryptFile2, now known as CryptoMix: Technical analysis of CryptoMix/CryptFile2 ransomware

Among its ‘interesting’ features:

  • The ‘insane’ ransom amount (currently 5 bitcoin)
  • There’s a suggestion in the analysis that paying is likely to generate further ransom demands, but not the decryption keys
  • The crooks claim that the ransom will be contributed to a children’s charity, and that the victim will get free PC support. Yeah, right.

In fact, none of this information is particularly new, but the technical analysis is interesting.


A fast-evolving threat appeared on Christmas Eve 2016, but researchers quickly provided free decryptors.

Decryptors are available from Checkpoint and from MalwareHunterTeam’s Michael Gillespie.

Unnamed PHP Ransomware(-ish)

Checkpoint also has a decryptor for the unnamed PHP ransomware also described in its article. In fact, ransomware might be the wrong word in this case, since at present it displays no ransom ‘note’ and has no known channel for paying a ransom.

David Harley

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.