
'Cocoslim98@gmail.com' Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 7
First Seen: October 20, 2016
Last Seen: August 17, 2022
OS(es) Affected: Windows

The 'Cocoslim98@gmail.com' Ransomware is a credible threat to Windows Server systems that lack proper port configuration, miss security updates and use weak login credentials. AV vendors may also detect strains of the 'Cocoslim98@gmail.com' Ransomware under the name Rotor Ransomware. The 'Cocoslim98@gmail.com' Ransomware may be introduced to servers via manual hacking, brute-force attacks on Web access panels, and corrupted plug-ins for platforms like Magento and WordPress. The 'Cocoslim98@gmail.com' Ransomware is very similar to the JapanLocker Ransomware, and both threats emerged in late October 2016. The 'Cocoslim98@gmail.com' Ransomware runs on the latest versions of Windows Server and supports 64-bit system architectures.

The 'Cocoslim98@Gmail.com' Ransomware is Unlike Most Cryptomalware and Locks Backups as Well

Evidence shows that the 'Cocoslim98@gmail.com' Ransomware differs from many Encryption Trojans such as the Globe Ransomware: it is programmed to encrypt backups stored on local drives as well. That practice is not seen in most cryptomalware, and users may suffer extensive data corruption when the 'Cocoslim98@gmail.com' Ransomware attacks their PCs. At the time of writing, the 'Cocoslim98@gmail.com' Ransomware does not encrypt data on shared drives, but that may change soon. Security analysts report that the 'Cocoslim98@gmail.com' Ransomware uses the AES-256 cipher to lock data on the computer and marks encrypted files with the suffix '!____cocoslim98@gmail.com____.tar'. For example, 'sales_plans_October_2016.xlsx' will be renamed by the 'Cocoslim98@gmail.com' Ransomware to 'sales_plans_October_2016!____cocoslim98@gmail.com____.tar'.
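The naming pattern above is the cheapest indicator an administrator has for triage. The following script is an added example, not code from the write-up or from any vendor: it recovers the original stem from a marked file name (following the write-up's example, the original extension is not recoverable) and, because the '.tar' suffix is only a name, checks the first 512 bytes for a genuine ustar header so that a real archive is reported separately from AES output. The sample files it creates are constructed for the dry run.

```python
import re
import tempfile
from pathlib import Path

# Suffix the write-up reports being appended to every encrypted file.
MARKER = "!____cocoslim98@gmail.com____.tar"
MARKER_RE = re.compile(r"^(?P<stem>.+)" + re.escape(MARKER) + r"$")

def parse_encrypted_name(name):
    """Return the pre-encryption base name if `name` carries the marker, else None.
    The write-up's example shows the original extension dropped, so only a stem comes back."""
    m = MARKER_RE.match(name)
    return m.group("stem") if m else None

def is_real_tar(head):
    """A ustar/POSIX tar header has the magic 'ustar' at byte 257; AES ciphertext will not."""
    return len(head) >= 262 and head[257:262] == b"ustar"

def classify(name, head):
    """Verdict for one file from its name and first 512 bytes: 'clean' (no marker),
    'encrypted' (marker, not a tar: expected victim file) or 'tar' (marker, but a real archive)."""
    stem = parse_encrypted_name(name)
    if stem is None:
        return "clean", None
    return ("tar" if is_real_tar(head) else "encrypted"), stem

def scan_directory(root):
    """Walk `root` and return (path, verdict, original_stem) for every marked file."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            with open(p, "rb") as fh:
                head = fh.read(512)
            verdict, stem = classify(p.name, head)
            if verdict != "clean":
                hits.append((str(p), verdict, stem))
    return hits

def make_sample_dir():
    """Create a throwaway directory of constructed files (not real incident data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="cocoslim_demo_"))
    # Mirrors the page's example: marker appended, content is opaque ciphertext.
    (root / ("sales_plans_October_2016" + MARKER)).write_bytes(bytes(range(256)) * 3)
    # Marker present but the content is a genuine tar header: reported separately for review.
    (root / ("archive" + MARKER)).write_bytes(b"\0" * 257 + b"ustar\0" + b"\0" * 250)
    (root / "report.docx").write_bytes(b"PK\x03\x04 untouched office file")
    return str(root)

if __name__ == "__main__":
    for path, verdict, stem in scan_directory(make_sample_dir()):
        print(f"{verdict:9s} {path}  (original stem: {stem})")
```

Point scan_directory at a suspect volume to list marked files before deciding which backups are still clean.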

Advanced computer users may be familiar with the TAR container format, which combines multiple files into a single archive file. TAR archives are very common on Linux and are used on the Windows platform as well. Malware researchers note that the 'Cocoslim98@gmail.com' Ransomware behaves like the RarVault Ransomware, which uses a RAR container to store the victim's data and demands a ransom for the password that unlocks the vault. Users infected with the Encryption Trojan at hand wrote to cocoslim98@gmail.com and received the following reply:

'Good day

Your files were encrypted/locked
As evidence can decrypt file 1 to 3 1-30MB
The price of the transcripts of all the files on the server: 7 Bitcoin
Recommend to solve the problem quickly and not to delay
Also give advice on how to protect Your server against threats from the network
(Files sql mdf backup decryption strictly after payment)!'

Paying the Ransom Required by the 'Cocoslim98@Gmail.com' Ransomware is a Gamble

7 Bitcoin is a hefty price for decryption software, and most server administrators may not be willing to pay nearly 4400 USD. Security experts remind users that paying the ransom is a gamble and should be avoided. The 'Cocoslim98@Gmail.com' Ransomware might encrypt database backups and backup images of the drive, but clean backups on removable media and unmapped storage containers remain usable. A good policy is to keep secondary backups on unmapped drives so that data can be restored even if the primary backups are severely damaged. Server administrators are advised to use a reputable anti-malware utility to clean the infected machines and to consider applying the 'Scorched Earth' policy as a precautionary measure. Initial threat analysis allowed AV vendors to recognize the 'Cocoslim98@gmail.com' Ransomware and use the following tags to label related files:

  • Gen:Trojan.Heur.FU.fmW@aqKulsn
  • Ransom:Win32/Cryproto.B
  • TR/Ransom.Cryproto.nikee
  • Trojan.Win32.Cosmu.dkit
  • Trojan.Win32.Generic!BT
  • W32/Filecoder.NHM!tr
  • a variant of Win32/Filecoder.NHM
  • ansom_Cryproto.R047C0DIH16


File System Details

'Cocoslim98@gmail.com' Ransomware may create the following file(s):
#   File Name   MD5                               Detections
1   name.exe    7451118588498f31d1ef9e6094b18194  2
