Koolova: The World’s First ‘Nice’ Ransomware?


Every time I write an article on a new form of ransomware, I’m always surprised. And Koolova, the latest ransomware to hit the scene, does not disappoint.

Last year saw a host of bizarre ransomware variants. There was Popcorn Time, which let you infect two users to get a free decryption key. Jigsaw, which played out like having a Saw-movie villain on your computer. And the Cerber ransomware, which hijacked people’s speakers to talk to them directly.

So you’d think the ransomware makers had run out of tricks. But they forgot to mention something.

Apparently, Jigsaw has a brother. His name is Koolova, and he’s concerned that you might fall under his brother’s influence.

Ransomware Families: Quite Literally a Thing

Crypto-ransomware is usually classified as part of a ‘family’, and brotherly bonds are not unheard of. Just this year, we wrote about the terrible twins ‘Petya‘ and ‘Mischa‘ — two more rule-breakers who sparked a trend of selling Ransomware-as-a-Service (RaaS). And even ruder, they didn’t even properly give you back your data once you paid them.

Jigsaw Koolovas brother
Jigsaw: Koolova’s infamous brother. Imagine what the parents looked like.

Koolova, however, is nothing like his brother Jigsaw. Where Jigsaw holds your files ransom and destroys your data bit by bit, like a deranged serial killer, Koolova holds your data hostage to ‘help’ you.

Koolova: “Hi, I’m Nice Jigsaw…”

The moment you are infected, Koolova gives you a friendly introduction in nonthreatening green text. It even drops some smiley faces in there to make you feel at ease. Like all ransomware, it tells you your personal files are encrypted, but it doesn’t ask for a ransom.

Instead, Koolova asks you to read two documents on how to stay safe from ransomware.

Koolova Screenshot

Yes, that’s right. Koolova doesn’t even direct you to malicious websites. Instead, they’re highly legitimate articles: one is from the Google Security Blog called ‘Stay safe while browsing‘, and the other is BleepingComputer’s ‘Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom‘ article.

The second you read both articles, the Decrypt My Files button becomes available. When you click on it, it connects to the Command and Control Server to retrieve your decryption key. And then it gives you a funny little popup called ‘Nice Jigsaw’ with the decryption key, which is… well… read it for yourself.

Koolova Decryption Key

I’m not usually one to resort to memes, but after reading this? I can’t even.

… But Koolova gets Mean if You Don’t Read the Articles

Koolova doesn’t give you long at all to read the articles. And if you don’t read them, it goes ahead and deletes the files. Don’t let the nice guy act fool you into thinking it doesn’t follow through.

So functionally, Koolova is exactly the same as regular ransomware, except the payment method is just different.

So is Koolova a Villain or a Dark Hero?


Opinions are already divided on whether or not Koolova is a good or a bad thing. Some frustrated SysAdmins who are sick of running counter-phishing training for their users are lauding Koolova’s arrival, whereas other professionals such as BleepingComputer’s creator and owner, Lawerence Abrams, are calling it “creepy” and “strange”.

As usual, the best countermeasure for ANY ransomware—’good’ or bad—is to backup your data! Make sure you’ve stored it securely using a 3-2-1 backup method and with a trusty backup software such as BackupAssist. It’s the only sure way to be untouchable by crypto-ransomware. There’s a free trial of BackupAssist you can download, and if you’re unprotected, I’d recommend it ASAP.

So is Koolova a villain or a dark hero? Black hat or white hat? Tell us what you think!

Share your opinion here in the comments section, tweet @BackupAssist or post to facebook.

Share on email
Share on print
Share on facebook
Share on google
Share on twitter
Share on linkedin



Start your free 30-day trial today