Koler Ransomware

Koler Ransomware is a new ransomware-type computer infection for Android phones and other Android-powered devices that locks the phone entirely and denies users to access the content stored on them. Then, it demands the victims pay a ransom to unlock the device by paying a ransom using a Money Pak Voucher and then following further instructions. You should not attempt to pay the ransom because you cannot be sure that the cyber criminals will unlock it. You should remove this ransomware instead if that is possible. In this short description, we will discuss how this ransomware works, how it is distributed and how you may be able to get rid of it.

Koler Ransomware was first spotted in the United States. The new version of this ransomware known as Worm.Koler is capable of self-replication via text messages. The messages are sent to all of the contacts of an infected phone. The messages contain a bit.ly URL set to improve the infection rate because this ransomware used to be distributed via adult websites in the past. Note that Koler Ransomware used to be promoted as a PornHub application. This new ransomware is said to be an Android adaptation of the now infamous Reveton Ransomware.

The attack begins with the victim receiving a text message from a person from their contacts list. The text reads:

“Someone made a profile named -Luca Pelliciari- and he uploaded some of your photos! is that you? http://bit.ly/{random characters}”

What is interesting about this text is that it was used before in a Facebook scam distributed though Facebook Messenger, and it seems that the developers of this ransomware thought it would be a good idea to use it. The text does a good job at intriguing potential victims and tricking them to open the malicious link.

Koler Ransomware’s creators have combined techniques used in an SMS worm called Selfmite with an Android ransomware attack. SMS worms spread the ransomware by spamming the victim’s contacts with a text message that contains a download link to an “.apk” file. The trick used here is to make the potential victim believe that the text message was sent from a known person present in the contacts list. One interesting peculiarity about Koler is that it sends the fake text message only once compared to most SMS worms that send messages several times.

If the potential victim clicks the link, he/she is redirected to a DropBox page that offers him/her to download an app called PhotoViewer. If they install this app, the app blocks the phone’s screen with a fake FBI page that says that the device was blocked because the victim viewed child pornography and other illegal content. As a result, the device becomes locked completely, and the user is not able to close the screen or uninstall the malicious app. The ransomware demands that you pay the ransom using a Money Pak Voucher.

It is estimated that more than 70 % of all infections, to date, have occurred in the US, but there have also been many cases of Android-powered phone users being affected in countries such as Iran, Saudi Arabia, UAE, China, Ireland, India, and so on. Therefore, this ransomware can infect your Android device no matter where you are. Combating this ransomware is difficult, but you might be able to delete it after rebooting your device in Safe Mode.

In closing, Koler Ransomware is sophisticated Android ransomware attack that can lock its screen and prevent victims from using the phone altogether. To unlock it, you can try booting your device in Safe Mode, but you have to consult the manual of your device on you to do that. Then, you have to remove the PhotoViewer app using the standard Android app removal tool.