Kozy.Jozy Ransomware Removal Guide

Do you know what Kozy.Jozy Ransomware is?

Kozy.Jozy Ransomware is recently created malware that might also be sold as a kit. Like any other ransomware, the malicious program encrypts the user's files and appends another extension to them. This extension has been seen in a few different versions, which is why computer specialists think the malware could be sold as a kit that the purchaser can alter slightly. Further in the article we also explain how this infection spreads and how to erase it. If you do not have any copies of your data, erasing it might be a tough decision to make. However, if you are asked to pay a huge ransom, it is better not to lose your money as well, since the ransomware's creators might not bother to send you the decryption key.

Kozy.Jozy Ransomware is expected to be distributed through malicious executable files that look like Microsoft Word documents, e.g. “карточка ООО Скрит.docx.exe.” The icon should look like that of a text document, but the .exe extension at the end shows that the file is actually an executable. The next time you receive a suspicious email attachment from an unknown source, investigate it first. For instance, you could check it with a reputable antimalware tool or search for related information on the Internet. If you are not the first user whose computer was infected with a particular ransomware, you should find some topics about it on specific web pages.

Once you download and open the malicious attachment, the malware starts encrypting your data. It can lock files that have these extensions: .cd .ldf .mdf .max .dbf .epf .1cd .md .pdf .ppt .xls .doc .arj .tar .7z .rar .zip .tif .jpg .bmp .png .cdr .psd .jpeg .docx .xlsx .pptx .accdb .mdb .rtf .odt .ods .odb .odg. Data that was locked should have a .31392E30362E32303136_(0-20)_ZHM1, .31342E30362E32303136_(0-20)_KTR1, or similar extension that fits the pattern. When it finishes encrypting the user's data, it changes the desktop image to the w.jpg file, which should be placed on the Desktop. The same picture should also open each time you turn on your computer, because Kozy.Jozy Ransomware creates a Registry entry in the Run key.
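The two filename indicators described above (a document extension followed by .exe, and the appended encrypted-file extension) can be checked over a file listing. The following is an added example, not part of the original guide or of any vendor tool. It assumes that "(0-20)" stands for a number from 0 to 20 and that the trailing tag is four uppercase letters or digits; the sample names are constructed. The hex prefix in both quoted extensions decodes as ASCII to a date string (19.06.2016 and 14.06.2016), which the code recovers.

```python
import re
from pathlib import PureWindowsPath

# Built from the two extensions quoted in the guide: ".<hex>_<number>_<tag>".
# Assumptions: "(0-20)" is a number from 0 to 20; the tag is 4 chars of A-Z/0-9.
ENCRYPTED_EXT = re.compile(r"\.((?:[0-9A-Fa-f]{2})+)_(\d{1,2})_([A-Z0-9]{4})$")
# Document types taken from the guide's list of targeted extensions.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".odt"}
EXECUTABLE_EXTS = {".exe"}  # the only executable extension the guide mentions


def classify(name):
    """Return (verdict, details) for one file name (not a full path scan)."""
    m = ENCRYPTED_EXT.search(name)
    if m and 0 <= int(m.group(2)) <= 20:
        try:
            stamp = bytes.fromhex(m.group(1)).decode("ascii")
        except UnicodeDecodeError:
            stamp = None  # hex part is not printable ASCII
        return "encrypted", {"original": name[:m.start()], "stamp": stamp,
                             "index": int(m.group(2)), "tag": m.group(3)}
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
        return "disguised-executable", {"shown_as": suffixes[-2], "real": suffixes[-1]}
    return "clean", None


def triage(names):
    """Group file names by verdict so encrypted data and the dropper stand out."""
    report = {"encrypted": [], "disguised-executable": [], "clean": []}
    for name in names:
        verdict, _ = classify(name)
        report[verdict].append(name)
    return report


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real infection.
    sample = ["report.xlsx.31392E30362E32303136_7_ZHM1",
              "карточка ООО Скрит.docx.exe", "notes.docx", "setup.exe"]
    for name in sample:
        print(name, "->", classify(name))
```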

The picture contains text in Russian. Translated into English, it says “your files are encrypted! Using a very resistant algorithm RSA-2048.” It also states that if the user wants to decrypt his data, he has to write to the Kozy.Jozy Ransomware creators via email. We have not tried to write to them ourselves, but most likely users would receive instructions on how to transfer the ransom. It is important to mention that there are no guarantees you will get the decryption key if you pay the ransom. Therefore, we advise you not to waste your savings on data that might never be decrypted either way. Instead, try to remember whether you saved any copies of it on flash drives or other removable media.

Users who do not agree to pay the ransom should delete the malware without hesitation. To eliminate Kozy.Jozy Ransomware, locate the malicious file that was downloaded to your computer and erase it. Then, take care of the Registry entry that was created by the ransomware. Lastly, find w.jpg on your Desktop and delete it as well. Below this text you will find a removal guide that will help you complete these tasks. Another way to erase the infection is to use a legitimate security tool. After installing it, launch the tool and do a system scan. Once the process is over, you will see a report and will also be able to eliminate the malware with one mouse click.

Erase Kozy.Jozy Ransomware

  1. Press Windows Key+E.
  2. Check the Desktop, Downloads, or Temporary Files folders and locate the malicious file (e.g. карточка ООО Скрит.docx.exe).
  3. Right-click the malicious file and click Delete.
  4. Press Windows Key+R, type regedit and press Enter.
  5. Go to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  6. Find the value name called wall that has this value data: C:\Users\user\Desktop\w.jpg.
  7. Right-click the value name and press Delete.
  8. Find w.jpg on your Desktop and delete it.

In non-techie terms:

Kozy.Jozy Ransomware is a malicious program that is distributed through infected files sent via email. These files have a deceptive appearance, as they look like harmless text documents. No wonder users open them without even thinking that they could be malicious. If you already have the malware, there is not much you can do. Paying the ransom might not help you decrypt your files. Thus, it might be better just to remove the ransomware. If you do not want to find yourself in the same situation ever again, you should use an antimalware tool or protect the system in other ways.