What is KUZA Ransomware?
KUZA Ransomware represents a perilous variant of the Proton ransomware, a malicious program designed to encrypt files on a victim's system and demand payment for their release. Upon infecting a device, KUZA encrypts files and appends their filenames with the attackers' email address along with a ".Ripa" extension, effectively rendering them inaccessible. For instance, a file originally labeled "1.jpg" would now appear as "1.jpg.[amir206amiri2065sa@gmail.com].Ripa". Additionally, KUZA alters the desktop wallpaper and drops a ransom note named "#Read-for-recovery.txt", providing instructions for the victim.
The ransom note delivered by KUZA informs the victim that their files have undergone encryption using advanced cryptographic algorithms, AES and ECC. Interestingly, unlike many ransomware strains, KUZA does not explicitly threaten to leak sensitive data if ransom demands are not met. Instead, it instructs the victim to pay a ransom for decryption software and promises the deletion of stolen files. The note allows the victim to test decryption by sending a single locked file to the cybercriminals. However, it warns against delaying payment, which could result in an increased ransom amount, and advises against modifying or deleting encrypted files or seeking aid from third parties.
The KUZA Ransomware note reads like the following:
~~~ KUZA ~~~
>>> What happened?
We encrypted and stolen all of your files.
We use AES and ECC algorithms.
Nobody can recover your files without our decryption service.
>>> How to recover?
We are not a politically motivated group and we want nothing more than money.
If you pay, we will provide you with decryption software and destroy the stolen data.
>>> What guarantees?
You can send us an unimportant file less than 1 MG, We decrypt it as guarantee.
If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.
>>> How to contact us?
Our email address: amir206amiri2065sa@gmail.com
In case of no answer within 24 hours, contact to this email: amir206amiri2065sa@tutamail.com
Write your personal ID in the subject of the email.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> Your personal ID: - <<<<<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> Warnings!
- Do not go to recovery companies, they are just middlemen who will make money off you and cheat you.
They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you.
- Do not hesitate for a long time. The faster you pay, the lower the price.
- Do not delete or modify encrypted files, it will lead to problems with decryption of files.
Experience researching ransomware infections suggests that decryption without the attackers' involvement is typically unfeasible. Even if victims comply with the ransom demands, there is no guarantee that they will receive the necessary keys or software for decryption. Consequently, it is strongly recommended not to accede to cybercriminals' demands, as it perpetuates their illegal activities and does not ensure file recovery. Removing KUZA ransomware from the system can prevent further data encryption, but it will not restore already affected files. The only reliable solution is to recover files from a backup, emphasizing the importance of maintaining backups in multiple secure locations.
Ransomware, including KUZA, primarily spreads through phishing and social engineering tactics, such as malicious attachments or links in spam emails, deceptive downloads, malvertising, and fake updates. Additionally, some ransomware variants can self-proliferate through local networks and removable storage devices. To safeguard against ransomware infections, it is crucial to download software from official sources, remain vigilant while browsing, exercise caution with email attachments and links, and maintain updated antivirus software for regular system scans and threat removal.