Koti Ransomware

The STOP Ransomware is the most dynamic ransomware family of 2019, and it would appear that cyber crooks have continued to release copies of it throughout 2020 as well. One of the newest variants of the STOP Ransomware is the Koti Ransomware.

Propagation and Encryption

There are various tricks and techniques that cyber crooks, like the shady individuals behind the Koti Ransomware, use when propagating ransomware threats. Some of the most used ones include:

• Torrent trackers – Pirated media and software are likely to make you vulnerable to various threats and online tactics, so it is advisable to avoid them.
• Malvertising campaigns – Corrupted advertisements are a popular infection vector, so be wary when you come across advertisements on dodgy websites.
• Fake software updates/downloads – Cybercriminals often trick users into installing malware on their systems by promising them an update for an application they already have or a download for new software.
• Spam email operations – Emails that contain either a corrupted link or a bogus attachment that carries the payload of the threat.

If the Koti Ransomware compromises your computer, it will start by scanning your data. The Koti Ransomware is designed to go after a variety of filetypes, including documents, videos, audio files, images, spreadsheets, databases, presentations, archives, etc. The Koti Ransomware will encrypt all the data matching its criteria securely, which is most likely almost all your files. The files locked by the Koti Ransomware will have their names changed. This file-locking Trojan appends a ‘.koti’ extension at the end of filenames. This means that a file, which you had named ‘platinum-lock.mp3’, will be renamed to ‘platinum-lock.mp3.koti.’

The Ransom Note

The Koti Ransomware will drop a ransom note on the user’s system. The note contains the message of its creators. The file containing the ransom message is called ‘_readme.txt.’ In the ransom message, the creators of the Koti Ransomware outline several key points:

• The ransom fee is set at $980.
• There is a 50% discount offered to users who contact the attackers in a 72 hour, which brings the ransom fee down to $490.
• The victim can send one file, which would be decrypted free of charge.
• The contact details are ‘helpmanager@mail.ch’ and ‘restoremanager@firemail.cc.’

It is advisable to avoid cooperating with cyber crooks as they are not the most trustworthy of individuals. There is a huge chance you will not receive the decryption key you need even if you pay the ransom fee the authors of the Koti Ransomware demand. This is why you should consider installing a reputable anti-spyware solution that will help you eradicate the Koti Ransomware from your system.