Launched in April 2014, Koler.a, or “Koler,” is a Trojan and “police” ransomware that targets both mobile phones and PCs. It has already infected around 200,000 Android devices, three-quarters of which are located in the U.S. Thousands of other victims are in other countries around the world, such as Australia, Saudi Arabia, and Germany. It shares its roots with Reveton Worm, and it is similar in nature to Urausy Police Ransomware.
Interestingly, Koler started out by targeting people who searched for porn. This ransomware was present on adult-themed apps (such as BaDoink) and at least 48 different porn websites, and strategically so. The cyber criminals behind Koler specifically preyed on their victims’ guilt over visiting a porn website, and they discovered that, because of this guilt, victims were more likely to hand over the fine.
Koler infects its victims’ devices in one of three ways: downloading itself onto a mobile device disguised as animal porn or a video player app, redirecting the victim to one of its infected websites, or redirecting the victim to a website that contains the Angler Exploit Kit. In the first case, victims are required to pay a ransom of $100-$300 via MoneyPak to unlock their phones. In the second case, Koler scans its victims’ devices to determine where they are from. Then, this ransomware generates a customized lock screen based on the country or region where victims are located. Often, these lock screens pretend to be from the region’s local police authority. For example, a victim located in the U.S. may see a lock screen from the FBI Department of Defense and the U.S.A. Cyber Crime Center. Because these lock screens are timed to appear after the victim has visited a pornographic website, and because they tell victims that they have been viewing illegal pornography, they may give victims the impression of being legitimate. These “lock screens” may also accuse victims of violating copyright law by illegally accessing music, movies, and illegal software.
It’s difficult to say how many people in total unwittingly installed Koler ransomware after it was downloaded to their devices, because Android requires permission to install any type of software. But one thing is for sure: the cyber criminals behind Reveton Worm are the same ones behind Koler ransomware. Android users at higher risk of downloading this ransomware are those who allow apps from unknown sources to be installed on their devices.