Cossy Ransomware encrypts the user's data with a robust encryption algorithm called RSA-2048 and shows a warning message written in Russian. Consequently, the malicious application is most likely spread among users who understand that language. However, we are not sure whether this malware has many victims, as there are reasons to believe the threat might have been developed as a prank or is still in the development stage. If you continue reading our report, we will explain our reasoning and tell you more about how Cossy Ransomware works, along with other relevant details. At the end of the article, we will add deletion instructions to help users who want to deal with the malware manually. Of course, if the task seems too challenging, it would be best to leave it to a reliable security tool of your choice.
The malware could be downloaded from malicious file-sharing web pages, as a lot of ransomware applications and other threats are distributed this way. Moreover, Cossy Ransomware could also enter the system through spam emails or the files attached to them. Some users open files without inspecting them first, which is a huge mistake, and attackers know it. In fact, some hackers send malicious files with fake messages or think of other ways to convince the user to open the launcher. Therefore, we recommend not letting curiosity lower your guard. Each attachment or file downloaded from an untrustworthy source should be scanned with a reliable security tool first. Opening a malicious file could instantly infect the system, and if it is a ransomware application, it may start encrypting your data right away.
This is exactly how Cossy Ransomware should work, as the threat does not need to create any data to settle in. That is, it runs right from the directory where it was launched, for example, Downloads or Desktop. Our specialists say the malware targets only personal files like photos or archives, and it does not encrypt data belonging to the operating system or other software. After the process is completed, the victim should notice that all of his private files are marked with the .Защищено RSA-2048 extension. For instance, a text document named list.docx would turn into list.docx.Защищено RSA-2048. What’s more, each directory containing encrypted files should have a ransom note called Как все эту шалашкину контору расшифровать.txt and an identification file for the hackers titled Крайне важная инфа.RSA-2048 файл.
If you open the ransom note, you should see text in Russian. Translated to English, it says all of the user’s files were locked with a strong encryption system called RSA-2048. It also explains that the victim can get the decryption tools the cybercriminals claim to have if he pays a ransom of 50 rubles, or around 1 US dollar. The note says the user can get instructions on how to transfer the money after sending the identification document created by Cossy Ransomware to the given email address. No doubt, such a small ransom shows something might not be right here.
Ransomware applications are usually created solely for money extortion, and to get as much money as possible, hackers often ask for more significant sums. Thus, the fact that Cossy Ransomware’s developers ask for less than one US dollar makes it look suspicious. It is possible the attackers are trying to convince their victims to cooperate and will then ask for more substantial sums later on. The other possibility is that the malware is a prank, in which case it is probably not being distributed among a lot of users. Either way, if you encounter this threat, we advise removing it right away with the deletion instructions provided below or a reliable antimalware tool.
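The file-name indicators described above, together with the Cossy.exe size and MD5 listed in the file table of this report, can be checked with a short script. This is an added example, not code from the original report: the scan logic, function names and output format are assumptions, and only the indicator values come from this page.

```python
import hashlib
import os
import sys
import unicodedata

# Indicators copied from this page; the scan logic itself is an assumption.
ENCRYPTED_SUFFIX = ".Защищено RSA-2048"
RANSOM_NOTE = "Как все эту шалашкину контору расшифровать.txt"
ID_FILE = "Крайне важная инфа.RSA-2048 файл"
LAUNCHER_SIZE = 215040                             # Cossy.exe size in bytes
LAUNCHER_MD5 = "573bb80879be1f303603451e85fd6675"  # Cossy.exe MD5

def nfc(text):
    """Normalize so composed and decomposed Cyrillic names compare equal."""
    return unicodedata.normalize("NFC", text)

def md5_of(path):
    """Hash in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan(root):
    """Walk root and return paths grouped by the indicator they match."""
    found = {"encrypted": [], "ransom_note": [], "id_file": [], "launcher": []}
    for folder, _dirs, files in os.walk(root):
        for raw in files:
            name, path = nfc(raw), os.path.join(folder, raw)
            if name.endswith(nfc(ENCRYPTED_SUFFIX)):
                found["encrypted"].append(path)
            elif name == nfc(RANSOM_NOTE):
                found["ransom_note"].append(path)
            elif name == nfc(ID_FILE):
                found["id_file"].append(path)
            else:
                try:  # compare size first so only same-size files get hashed
                    if (os.path.getsize(path) == LAUNCHER_SIZE
                            and md5_of(path) == LAUNCHER_MD5):
                        found["launcher"].append(path)
                except OSError:
                    continue  # locked or unreadable file
    return found

if __name__ == "__main__":
    for kind, paths in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(kind, *paths, sep="\n    ")
```

Run it with a folder path as the only argument; the launcher is matched by hash rather than by name because the executable can be renamed.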
| # | File Name | File Size (Bytes) | File Hash |
|---|---|---|---|
| 1 | Cossy.exe | 215040 | MD5: 573bb80879be1f303603451e85fd6675 |
| 2 | Как все эту шалашкину контору расшифровать.txt | 1499 | MD5: 48904feeb84083fbab528362581a3811 |
| 3 | Крайне важная инфа.RSA-2048 файл | 3428 | MD5: 393fc7eb14ccb59cbd8b1d098505bd53 |

| # | Process Name | Process Filename | Main module size |