What is the KoRyA Ransomware?

KoRyA is a type of ransomware that belongs to the Xorist family. It was discovered by malware researchers while examining samples submitted to online threat databases. KoRyA encrypts data and adds the ".KoRyA" extension to filenames, changes the desktop wallpaper, creates a text file titled "HOW TO DECRYPT FILES.txt", and displays an error message.

The ransom note in the wallpaper, text file, and error message all state that victims must pay 0.06 BTC (Bitcoin cryptocurrency) to the provided wallet address and then email korya@tuta.io for decryption tools. Victims have two days to make payment before their decryption keys are deleted.

When KoRyA is active on a system, it appends the ".KoRyA" extension to the name of every file it encrypts; for example, "1.jpg" becomes "1.jpg.KoRyA", "2.png" becomes "2.png.KoRyA", and so forth. It also replaces the desktop wallpaper with a ransom note demanding payment of 0.06 BTC in order to receive decryption tools from korya@tuta.io.
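The two file-system indicators described above (the appended ".KoRyA" extension and the "HOW TO DECRYPT FILES.txt" note) are enough to scope which directories were reached during triage. The following Python sketch is an added example, not code from the original article; the case-insensitive matching and the function names `scan` and `build_sample` are assumptions, and the sample tree consists of empty, constructed files.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article; lower-cased because matching is
# case-insensitive here (an assumption, the article only shows ".KoRyA").
EXTENSION = ".korya"
NOTE_NAME = "how to decrypt files.txt"

def scan(root):
    """Walk root and return (renamed, notes, per_dir).

    renamed: (current_path, original_name) for each file carrying the extension
    notes:   paths of ransom-note files
    per_dir: count of renamed files per directory, to show how far encryption reached
    """
    renamed, notes, per_dir = [], [], Counter()
    # Unreadable directories are skipped rather than aborting the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            path = Path(dirpath) / name
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower.endswith(EXTENSION) and len(name) > len(EXTENSION):
                # Stripping the suffix recovers the pre-encryption file name.
                renamed.append((path, name[:-len(EXTENSION)]))
                per_dir[dirpath] += 1
    return renamed, notes, per_dir

def build_sample(root):
    """Constructed sample tree: empty files that only mimic the naming pattern."""
    docs, pics = Path(root) / "docs", Path(root) / "pics"
    docs.mkdir()
    pics.mkdir()
    for p in (pics / "1.jpg.KoRyA", pics / "2.png.KoRyA", docs / "report.docx.korya",
              docs / "untouched.txt", docs / "HOW TO DECRYPT FILES.txt"):
        p.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        renamed, notes, per_dir = scan(tmp)
        for path, original in sorted(renamed):
            print(f"renamed: {path} (was {original})")
        for note in notes:
            print(f"ransom note: {note}")
        for directory, count in per_dir.most_common():
            print(f"{count} affected file(s) in {directory}")
```

The scan only reads directory listings, so it can be run against a mounted forensic image or a backup snapshot without touching file contents.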

The full ransom note displayed by KoRyA reads as follows:

ATTENTION!

All your files have been encrypted

And their decryption will cost you 0.06 bitcoin.

To start the decryption process follow the steps below

Step 1) Make sure you send 0.06 bitcoin to this wallet:

bc1q73lm30rgv6h9wy42y88t0r8prjh9l9pzpvvm9c

Step 2) Contact me at this email address: korya@tuta.io

With this Subject: -

After the payment has been confirmed,

you will receive the decryptor and the keys for decryption!

Other information:

If you don't own bitcoin, you can buy it here very easily

www.coinmama.com

www.bitpanda.com

www.localbitcoins.com

www.paxful.com

You can find a larger list here:

hxxps://bitcoin.org/en/exchanges

If the payment is not made in 2 days, I will consider that you do not want to decrypt your files,

and therefore the keys generated for your PC will be permanently.deleted.

Paying ransomware actors is not a good idea for several reasons. Firstly, there is no guarantee that the attackers will actually provide the decryption tools after payment. Even if they do, there is no guarantee that the tools will work as promised. Furthermore, paying the ransom only encourages the attackers to continue their malicious activities and target more victims in the future.

Additionally, it sends a message to other cybercriminals that ransomware attacks are profitable and can be used as an effective way to make money. Finally, paying a ransom could also be illegal depending on where you live or where the attackers are located. For these reasons, it is best to avoid paying ransomware actors and instead focus on preventing such attacks from occurring in the first place by taking appropriate security measures.

January 10, 2023