New Ransomware Alert: Kozy.Jozy, and Another That Targets Zimbra Servers

kozyjozy-zimbra-ransomwareA new ransomware dubbed Kozy.Jozy was discovered that adds new file extensions its list of files to encrypt. The new ransomware variant also sets the victim’s background to a ransom note in Russian.

According to the report, when Kozy.Jozy is executed, a random extension name is selected from an array to append to the files, with the pattern .31392E30362E32303136_(0-20)_LSBJ1: for example, “.31392E30362E32303136_14_LSBJ1”. The ransom note is written in Russian saying that the files have been encrypted with a strong RSA-2048 cipher, providing the victim with the cybercriminal's email address, as well as directions for making a payment in Bitcoin for the decrypt key required to unlock the affected files.

Kozy.Jozy encrypts all data that has the following file extensions: .cd, .idf,.mdf, .odt, .ods, .odb, .bmp, .png, .max, .dbf, .epf, . 1cd, .md, .pdf, .ppt, .doc, .arj, .tar, .7z, .rar, .xls, .zip, .tif, .jpg, .cdr, .psd, .jpeg, .docx, .xlsx, .pptx, .accdb, .mdb, .rtf. The ransomware stealthily runs the encryption in the background without the victim’s knowledge and deletes the Volume Shadow Copies to remove possible backups. 

It is also worth noting that victims have also reported similar symbol combinations, making it seemingly possible for cybercriminals to sell its code as a kit in the dark web forums. Unfortunately, there is currently no way to decrypt the data due to the use of asymmetric encryption, an encryption method where the key used to encrypt the file is not the same as the one used to decrypt the file, making it nearly impossible to crack. It is recommended to try data recovery tools, as the malware does not securely delete files.

Meanwhile, another ransomware written in Python is targeting the Zimbra Mail Store and encrypting all the files located within it. Based on the reports, it drops a ransom note in “/root/how.text” that demands 3 bitcoins to recover the files. “This ransomware is most likely installed via the developer hacking into the Zimbra server and executing the Python script. Once the script is executed it will generate a RSA key and a[sic] AES key that is unique to the victim’s computer. The AES key is then encrypted with the RSA key and both keys are emailed from to, Lawrence Abrams, founder of Bleeping Computer explains.

Immediately after the keys are generated, the script creates a ransom note that contains instructions for payment. The ransomware then proceeds to encrypt all of the files located in the “/opt/zimbra/storefolder” using AES encryption. The folder stores Zimbra emails and mailboxes, which will no longer be accessible once encrypted. The encrypted files are then appended with a “.crypto” extension. Like the Kozy.Jozy ransomware, there is currently no known way to decrypt the files without paying for the decrypt key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.