One example of the KozyJozy variant.

KozyJozy targets Windows OS and the method of distribution is currently unknown. It encrypts files using RSA-2048. Files encrypted by KozyJozy are appended with a random extension displaying the following pattern: .31392E30362E32303136_(0-20)_LSBJ1. Additional extensions include ZHM1 and KTR1. KozyJozy deletes Shadow Volume Copies using the command Delete Shadows /All /Quiet but does not overwrite the space so victims may be able to recover files using data recovery software.


  • Trend Micro provides more information about KozyJozy here.

  • The NJCCIC is not aware of any decryption tools available for KozyJozy.