Remove Kozy.Jozy Ransomware and Get Back Encrypted Files

Kozy.Jozy is a ransomware virus which uses strong RSA encryption to encrypt the files on the computers it infects. It is believed to be designed for Russian-speaking users because its entire ransom message, which it sets as the desktop background, is written in Russian. In addition, Kozy.Jozy adds a very long file extension ending in random symbols, such as LSBJ1, ZHM1 or other similar ones. All users who have been infected with Kozy.Jozy are strongly advised not to contact the e-mail address and not to pay any ransom money to the cyber-crooks. Instead, it is advisable to try alternative methods for restoring files and to remove the ransomware with advanced anti-malware software, instructions for which you may find in this article.

Threat Summary

Short Description: The ransomware encrypts files with the RSA-2048 cipher and asks a ransom for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom is shown as a w.jpg image, which is set as the desktop background.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Kozy.Jozy Ransomware – Spread

To infect users successfully, the Kozy.Jozy ransomware is believed to use different types of spam to spread malicious URLs and malicious files:

  • Referral spam
  • E-mail spam
  • Social media spam from compromised accounts

The malicious files may be disguised as legitimate program installers or pretend to be Microsoft Office or Adobe documents. They may also be linked from clean URLs which, when opened, may redirect to malicious ones that can cause the infection via a drive-by download, malicious JavaScript, an exploit kit, etc.

Kozy.Jozy Ransomware – More Information

The ransomware known as Kozy.Jozy creates a malicious executable with a custom name on the compromised computer, in one of the following folders:

[Image: commonly used file names and folders]

After this, Kozy.Jozy begins scanning for user files to encode. It is reported by malware researchers on Bleeping Computer security forums to scan for files of the following types:

→ .cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .pdf, .ppt, .xls, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .bmp, .png, .cdr, .psd, .jpeg, .docx, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .odb, .odg.

In addition, Kozy.Jozy deletes the shadow copies of the infected computer by executing the following command from a .bat file in administrative mode:

→ vssadmin.exe delete shadows /all /quiet
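
A defender can watch process-creation logs for this command. The following is an added example, not code from the original article: the event field names, the sample events and the severity labels are assumptions made for illustration.

```python
import re

def _tokens(cmdline):
    """Split a Windows command line into lower-cased tokens, honouring double quotes."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def shadow_delete_switches(cmdline):
    """Return the switches passed to 'vssadmin delete shadows', or None for other commands."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        # Compare only the file name so full paths and wrappers (cmd.exe /c ...) still match.
        if re.split(r"[\\/]", tok)[-1] in ("vssadmin", "vssadmin.exe"):
            args = toks[i + 1:]
            if args[:2] == ["delete", "shadows"]:
                return {a for a in args[2:] if a.startswith("/")}
    return None

def scan(events):
    """Return (time, severity, command line) for events that delete shadow copies."""
    hits = []
    for ev in events:
        switches = shadow_delete_switches(ev["command_line"])
        if switches is None:
            continue
        if "/all" in switches:
            # /all plus /quiet is the exact form quoted in the article.
            severity = "high" if "/quiet" in switches else "medium"
        else:
            severity = "low"  # targeted deletion, e.g. routine clean-up of one volume
        hits.append((ev["time"], severity, ev["command_line"]))
    return hits

# Constructed process-creation events (hypothetical field names and timestamps).
SAMPLE_EVENTS = [
    {"time": "10:01:12", "command_line": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"time": "10:02:40", "command_line": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"time": "10:02:41", "command_line": r'"C:\Windows\System32\VSSADMIN.EXE" Delete Shadows /Quiet /All'},
    {"time": "11:15:03", "command_line": r"vssadmin delete shadows /for=C: /oldest"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```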

Viewed in a hex editor, the encrypted files contain the encrypted data in segments. The segments are split into parts of 245 bits, and a very long file extension is appended to each encrypted file. The end of the extension may differ:

  • .31392E30362E32303136_{numbers from 0 to 20}_LSBJ1
  • .31392E30362E32303136_{numbers from 0 to 20}_ZHM1
  • .31342E30362E32303136_{numbers from 0 to 20}_KTR1

Source: Affected Users
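
The sample extensions above can be used to inventory affected files. The following is an added example, not code from the original article: it assumes every extension follows the shape of the three samples, and it relies on the observation that the hex part of those samples decodes as ASCII to 19.06.2016 and 14.06.2016. The file names in the listing are constructed.

```python
import re
from datetime import datetime

# Shape inferred from the three sample extensions listed above:
#   <original name>.<20 hex chars>_<number 0-20>_<short tag>
# The tag alphabet and length are assumptions; the page only says "random symbols".
KOZY_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<hexpart>[0-9A-Fa-f]{20})_(?P<index>\d{1,2})_(?P<tag>[A-Z0-9]{3,8})$"
)

def parse_kozy_name(filename):
    """Return the parts of a Kozy.Jozy-style file name, or None if it does not fit."""
    m = KOZY_NAME.match(filename)
    if m is None or int(m.group("index")) > 20:
        return None
    try:
        # In the page's samples the hex part is ASCII text in dd.mm.yyyy form.
        text = bytes.fromhex(m.group("hexpart")).decode("ascii")
        date = datetime.strptime(text, "%d.%m.%Y").date()
    except ValueError:  # non-ASCII bytes or not a valid date
        return None
    return {"original": m.group("original"), "date": date,
            "index": int(m.group("index")), "tag": m.group("tag")}

def triage(filenames):
    """Group affected files by (decoded date, tag) for an incident summary."""
    groups = {}
    for name in filenames:
        info = parse_kozy_name(name)
        if info is not None:
            key = (info["date"].isoformat(), info["tag"])
            groups.setdefault(key, []).append(info["original"])
    return groups

# Constructed directory listing (file names invented for the example).
SAMPLE_LISTING = [
    "report.docx.31392E30362E32303136_7_LSBJ1",
    "ledger.1cd.31392E30362E32303136_20_ZHM1",
    "photo.jpg.31342E30362E32303136_0_KTR1",
    "scan.pdf.31392E30362E32303136_3_LSBJ1",
    "notes.txt",                                   # untouched file
    "backup.zip.31392E30362E32303136_21_LSBJ1",    # index outside 0-20
    "data.mdb.33392E39392E32303136_1_ZHM1",        # hex decodes to 39.99.2016, not a date
]

if __name__ == "__main__":
    for key, originals in sorted(triage(SAMPLE_LISTING).items()):
        print(key, originals)
```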

The ransomware also drops a file, named w.jpg on the %Desktop% of the user’s computer. The file contains the ransom instructions, written in Russian:

С использованием очень стойкого алгоритма RSA-2048. Попьiтки восстановить файльi самостоятельно приведут лишь к их безвозвратной порче. Если же они вам нужнъi то отправьте один из пострадавших файлов на ящик
English Translation:
with the usage of the very strong algorithm RSA-2048. Any attempt to restore the files by yourself will lead to their inevitable loss. If you want them then send one of the encrypted files to the e-mail

Although the files may be encrypted, and although the cyber-criminals may demand a ransom payoff in BitCoins and threaten file loss if you try to decrypt the files yourself, we advise you NOT to pay the ransom.

Remove Kozy.Jozy Ransomware and Restore the Files

To fully erase this ransomware without damaging the files, we advise you first to copy them to a safe device. Then, it is recommended to follow the removal instructions below. In case you are experiencing difficulties in locating the files and registry objects made by Kozy.Jozy, experts suggest using an advanced anti-malware program, which should ensure maximum effectiveness in removal.

To try and restore your files, we have prepared methods in step “3. Restore files encrypted by Kozy.Jozy” below. They are not 100% effective, but if you are lucky, you may restore at least a small portion of your data.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
