Koolova Ransomware decrypts files if victims read 2 posts

Koolova Ransomware decrypts files if victims read 2 posts about Ransomware

Pierluigi Paganini January 05, 2017

The Koolova ransomware will decrypt the encrypted files for free it the victim read two blog posts about how to avoid ransomware infection.

Ransomware authors are very creative, in the last here we assisted a rapid evolution of the cyber extortion practice. Ransomware has become one of the fastest growing threats, new malware implements sophisticated features to avoid detection.

Recently security experts from MalwareHunterTeam spotted a singular strain of ransomware dubbed Popcorn Time that implemented an interesting mechanism to improve its efficiency.This ransomware comes with a singular feature, it allows victims to either pay up or they can opt to infect two others using a referral link. Then is the two other potential victims pay the ransom the original target receives a free key to unlock his encrypted files.

Now a new strain of ransomware dubbed Koolova appeared in the wild with a very singular feature. The Koolova ransomware will decrypt the encrypted files for free it the victim read two articles about how to avoid ransomware infection.

Once the Koolova ransomware infected a machine, it encrypts the files and then displays a warning screen where the text instructs the victim to open and read two awareness posts before they can get the ransomware decryption key.

Then Koolova starts a countdown that if gets to zero, the ransomware will definitively delete the files.

The two blog posts that the Koolova ransomware wants victims to read are:Google Security Blog called

“Stay safe while browsing” from Google Security Blog.
“Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom” from BleepingComputer.

The threat was spotted by the security researcher Michael Gillespie, the malicious code appears to be a work in progress.

#Koolova #Ransomware based on #HiddenTear decrypts your files if you read @BleepinComputer & @Google articles on #Jigsaw and online security pic.twitter.com/50TYiVRNhx

— Michael Gillespie (@demonslay335) 18 dicembre 2016

“Koolova will encrypt a victim’s files and then display a screen similar to the Jigsaw Ransomware where the text is slowly shown on the screen. This text will tell the victim that they must read two articles before they can get a decryption key, It then tells you that if you are too lazy to read two articles before the countdown gets to zero, like Jigsaw, it will delete the encrypted files. This is not an idle threat as actually does delete the files.” reported BleepingComputer.com.

Once the victim reads both articles, he can rescue the encrypted files by clicking on the Decrypt My Files (the malware shows the string “Decripta i Miei File” which is Italian Language). The button “Decripta i Miei File” becomes available, when the user click on it the Koolova ransowmare will contact C&C server to get the decryption key.

Clearly, the author of this malware hasn’t developed it profit but just to spread awareness.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Koolova ransomware, malware)

Pierluigi Paganini August 04, 2025

Hacking group D4rk4rmy claimed the hack of Monte-Carlo Société des Bains de Mer

Pierluigi Paganini August 04, 2025