The latest version of the Koler ransomware, known to target Android devices, spreads through SMS messages. The malicious message contains a shortened bit.ly URL that leads to the malicious .APK. Once the user has opened the file, the screen of the infected device is locked, a bogus FBI warning is displayed, and the victim is asked to pay $300 to unlock the device.
What’s Different in the New Koler Ransomware Version?
Experts from Zscaler point out that a module in the .APK of the new Koler version contains propagation code that sends the same shortened URL to the entire contact list of the compromised device. The SMS states that someone has created a profile under the name Luca Pelliciari and that this person has supposedly uploaded pictures of the recipient. The message also includes a link to the profile in question, which leads to the malicious .APK. The file is disguised as an image and was at first hosted on Dropbox, but the link has since been taken offline.
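The propagation described above (one device sending the same short link to every contact) leaves a recognizable fan-out pattern in outbound SMS records. The following is an added detection sketch, not code from Zscaler or from the malware; the record format, the `short.example` links, the threshold of three recipients and the five-minute window are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}/\S+", re.I)

# Constructed outbound-SMS records: (ISO timestamp, sender, recipient, body).
LURE = "someone posted photos of you: "
SAMPLE_LOG = [
    ("2024-01-01T09:00:01", "+15550100", "+15550111", LURE + "http://short.example/aB3"),
    ("2024-01-01T09:00:02", "+15550100", "+15550112", LURE + "http://SHORT.example/aB3"),
    ("2024-01-01T09:00:03", "+15550100", "+15550113", LURE + "short.example/aB3."),
    ("2024-01-01T09:00:04", "+15550100", "+15550114", LURE + "http://short.example/aB3"),
    # Same link to only two people: ordinary sharing, below the threshold.
    ("2024-01-01T09:05:00", "+15550101", "+15550121", "route http://maps.example/r/9"),
    ("2024-01-01T09:06:00", "+15550101", "+15550122", "route http://maps.example/r/9"),
    # Same link to three people, but hours apart: outside the window.
    ("2024-01-01T08:00:00", "+15550102", "+15550131", "pics http://pics.example/a1"),
    ("2024-01-01T12:00:00", "+15550102", "+15550132", "pics http://pics.example/a1"),
    ("2024-01-01T18:00:00", "+15550102", "+15550133", "pics http://pics.example/a1"),
]

def normalize(url):
    """Drop scheme and trailing punctuation; lowercase the host only
    (short-link paths are case-sensitive)."""
    url = re.sub(r"^https?://", "", url, flags=re.I).rstrip(".,)!?")
    host, _, path = url.partition("/")
    return host.lower() + "/" + path

def find_fanout(records, min_recipients=3, window=timedelta(minutes=5)):
    """Return {(sender, url): peak distinct recipients in any window}
    for senders that pushed one URL to >= min_recipients contacts."""
    events = defaultdict(list)
    for ts, sender, rcpt, body in records:
        for m in URL_RE.finditer(body):
            events[(sender, normalize(m.group()))].append(
                (datetime.fromisoformat(ts), rcpt))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({r for _, r in evs[start:end + 1]}))
        if peak >= min_recipients:
            hits[key] = peak
    return hits

print(find_fanout(SAMPLE_LOG))
```

Only the first constructed sender is flagged; the threshold and window would need tuning against legitimate group messaging before use on real traffic.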
Upon activation, the Koler ransomware collects data about the device, such as device ID and build version, and connects to a predetermined C&C server while locking the screen at the same time.
Analysts report that, unlike other pieces of ransomware, this version of Koler does not have a file encryption routine. Instead, this malware locks the screen and stays persistent even after the compromised device has been rebooted.
Koler Ransomware – The CryptoWall for Mobile Devices
Ransomware such as CryptoWall and Cryptolocker has increasingly been attacking computer users all over the world in the past year. Koler seems to be doing basically the same, but on the mobile scene. Researchers describe the infrastructure of the Koler ransomware as quite flexible, implying that the infection can be adapted to attack desktop users at some point.