Severity scale: 91/100

Remove C0hen Locker ransomware (Removal Guide) - Recovery Instructions Included

by Ugnius Kiguolis | Type: Ransomware

C0hen Locker ransomware is malware that encrypts data with AES and demands a ransom of 0.15 BTC for its recovery

C0hen Locker ransomware is a file-locking virus that does not belong to any previously known ransomware family

C0hen Locker ransomware is a new data-locking malware that was spotted in the wild at the start of December 2019. Upon infiltration, the virus performs the necessary preparations inside the Windows PC and then scans it for files to encrypt – it targets the most common formats, such as .pdf, .doc, .jpg, .avi, etc. The encryption is performed with the symmetric AES algorithm, and all the locked data is marked with the .c0hen extension, making it inaccessible to its owners. Unfortunately, C0hen Locker ransomware will perform the exact same procedure on all the networked drives if any are found during the infection process.

As soon as the C0hen Locker virus finishes encrypting files, it opens a custom program window titled c0hen@admin, which essentially serves as a ransom note. The cybercriminals ask victims to transfer 0.15 BTC to the provided Bitcoin wallet or contact a Discord user c0hen#7722 for negotiation. The ransomware is currently not decryptable, although the affected users could try using the unlock key 12309482354ab2308597u235fnq30045f, which was provided by a security researcher on Twitter.[1]

Name: C0hen Locker ransomware
Type: Cryptomalware, file locking virus
Main executable: The samples found in the wild were named c0hen locker.exe, although it is also known that the malware can use a random name for its main executable
Encryption method: AES
File extension: As soon as the virus infects the system, it encrypts all pictures, music, videos, MS Office documents and other most commonly used files by appending the .c0hen marker to each of them
Ransom note: Instead of providing a text-based ransom note, C0hen Locker authors use a screen locker which is titled c0hen@admin
Contact: Users are not provided with an email address, as is common, but are instead told to use the chat application Discord to contact user c0hen#7722
Ransom size: Victims are asked to pay 0.15 BTC for the C0hen Locker ransomware decryptor
File decryption: You can apply an unlock key 12309482354ab2308597u235fnq30045f. If not successful, you should use alternative data recovery methods provided below
Malware removal: Use reputable anti-malware software that can recognize the infection
System recovery: To remediate Windows OS after malware infection and fix damage done to it, we recommend using Reimage Reimage Cleaner Intego

Security researchers have not yet found any connections between C0hen Locker ransomware and other families, so it seems like it is a new strain developed by unknown threat actors. However, seeing how ransomware has been extremely successful in the past few years, there are numerous criminals that want to succeed in this money-extortion business.

Before entering the machine, the C0hen Locker virus checks the system for the installed keyboard languages. It is possible that it might leave without infecting the system if the language is set to one of those that are excluded by ransomware authors – this behavior is typical and is often applied to ex-Soviet bloc countries.

After passing the initial check, C0hen Locker virus drops its main executable into the %TEMP% folder and performs a variety of changes to the system, including:[2]

  • Removes Shadow Volume Copies with the command “vssadmin.exe delete shadows /all /quiet”
  • Disables the Task Manager
  • Installs system startup scripts (this might complicate C0hen Locker ransomware removal)
  • Modifies the value of the HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN registry key
  • Drops over 500 files on the system, etc.
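
The changes listed above leave traces that endpoint telemetry can record. The following is an added example, not part of the original guide: detection logic run over constructed Sysmon-style events (process creation, ID 1, and registry value set, ID 13). The host names, user paths, the SID and the assumption that %TEMP% resolves under AppData\Local\Temp are illustrative.

```python
from collections import defaultdict

def classify(event):
    """Return the behaviour label for one event, or None if it matches nothing."""
    image = event.get("Image", "").lower()
    if event["EventID"] == 1:  # process creation
        cmd = event.get("CommandLine", "").lower()
        if image.endswith("\\vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
            return "shadow_copy_deletion"
        if "\\appdata\\local\\temp\\" in image:  # assumed %TEMP% location
            return "execution_from_temp"
    elif event["EventID"] == 13:  # registry value set
        target = event.get("TargetObject", "").lower()
        if "\\software\\microsoft\\windows\\currentversion\\run\\" in target:
            return "run_key_modified"
    return None

def triage(events, threshold=2):
    """Group matches per host; a host is reported once it shows
    `threshold` or more distinct behaviours from the list above."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["Computer"]].add(label)
    return {host: sorted(labels) for host, labels in seen.items()
            if len(labels) >= threshold}

# Constructed sample data (host names, SID and value names are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-01",
     "Image": r"C:\Users\amy\AppData\Local\Temp\c0hen locker.exe",
     "CommandLine": r'"C:\Users\amy\AppData\Local\Temp\c0hen locker.exe"'},
    {"EventID": 1, "Computer": "WS-01",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 13, "Computer": "WS-01",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\amy\AppData\Local\Temp\c0hen locker.exe"},
    {"EventID": 1, "Computer": "WS-02",  # benign: admin listing shadow copies
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"EventID": 1, "Computer": "WS-03",  # benign installer running from Temp
     "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "CommandLine": "setup.exe /S"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Requiring two distinct behaviours per host keeps a lone installer running from Temp, or an administrator listing shadow copies, from raising an alert.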

C0hen Locker ransomware then proceeds with the file encryption process, which also affects all the data on the connected networks. Finally, it drops a lock screen that states the following:

WARNING: If you turn your PC off you will not get your files back!!!

c0hen locker has infected your PC

Whats happening?

Your computer has been infected. You must do as instructed to get your files back.

Donate 0.15 BTC to this wallet

Or:

Download discord and add c0hen#7722 for decryption key
discord.com/download

All devices on your network have been infected. All of your computers files have been encrypted with ransomware.

Because C0hen Locker ransomware heavily modifies the host machine, files may become permanently corrupted after the PC is shut down. Therefore, before doing anything, experts suggest you back up all the data on the network and then remove C0hen Locker ransomware with powerful security software (you might have to access Safe Mode for that).

C0hen Locker ransomware is a type of malware that holds all files hostage and demands 0.15 BTC for the decryption tool

To recover the normal function of the PC and fix virus damage, we suggest using Reimage Reimage Cleaner Intego after C0hen Locker ransomware is eliminated.

You can avoid ransomware infections in most cases

Infecting your machine with ransomware can be either easy or not – it all depends on the applied security measures and the overall awareness. In most cases, those that get infected act carelessly online despite the risks or are simply unaware of how ransomware and other malware can infect computers.

As a general rule, ransomware is spread via the internet and often includes some type of social engineering. One of the most popular tactics used by cybercriminals is phishing emails. In some cases, crooks might send out thousands of emails using a botnet[3] or other automated tools, while other times, emails are targeted, and the recipient's name is already known by crooks (often acquired via previous phishing attempts or bought from the underground forums).

A spam email message can be crafted in various ways, but it often includes an attachment infused with malicious macros or a hyperlink that downloads the payload from a remote server. Thus, it is important not to open all the emails that come your way, even those that look legitimate (the “From” address can be forged by a technique called spoofing).[4]

Other methods often used by cybercriminals include:

  • Exploits
  • Software cracks
  • Fake updates
  • Unprotected RDP connections

To mitigate these techniques, you should ensure that comprehensive security software protects your system, that all accounts use secure passwords that are not reused, and that no suspicious files are downloaded from shady sites like torrents.

Back up your files and then remove C0hen Locker virus

In some cases, ransomware might self-delete after the file encryption process is complete. However, other malware might stay on the system in order to keep locking the incoming files. For that reason, C0hen Locker ransomware removal should be performed to attempt file recovery without paying threat actors the ransom. Nevertheless, you should also be aware that the action might render your files damaged – just as the system restart. Thus, make sure you back up all the files encrypted by the C0hen Locker virus.
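
Since removal or a restart may damage the locked files, it helps to record their state before cleanup and compare afterwards. The following is an added example, not part of the original guide: it builds a size and SHA-256 manifest of every .c0hen file under a folder and reports files that changed or disappeared. The file names and the temporary folder in `demo()` are constructed.

```python
import hashlib, os, tempfile

EXT = ".c0hen"  # extension the guide says is appended to locked files

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> (size, sha256) for every *.c0hen file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXT):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                manifest[rel] = (os.path.getsize(full), sha256_of(full))
    return manifest

def compare(before, after):
    """Report encrypted files that vanished or changed between two manifests."""
    missing = sorted(p for p in before if p not in after)
    changed = sorted(p for p in before if p in after and before[p] != after[p])
    return {"missing": missing, "changed": changed}

def demo():
    """Constructed scenario: three locked files, one truncated and one deleted
    between the snapshot taken before cleanup and the one taken after."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        for rel, data in [("docs/report.pdf.c0hen", b"A" * 64),
                          ("photo.jpg.c0hen", b"B" * 64),
                          ("notes.doc.c0hen", b"C" * 64),
                          ("readme.txt", b"not encrypted")]:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = build_manifest(root)
        with open(os.path.join(root, "photo.jpg.c0hen"), "wb") as f:
            f.write(b"B" * 32)  # simulate truncation during cleanup
        os.remove(os.path.join(root, "notes.doc.c0hen"))
        return len(before), compare(before, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Run `build_manifest` against the backup copy as well: if its manifest matches the one taken before cleanup, the backup holds intact inputs for any decryptor released later.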

Victims can recognize the encrypted files by the extension added to them: .c0hen

After that, you should access Safe Mode with Networking and scan the machine with reputable anti-malware software to completely remove C0hen Locker ransomware and all its components from the system. After that, you could try recovering your data by using methods provided in the recovery section below. If none are successful, there is a chance that security researchers will find bugs within the malicious software and release a free C0hen Locker ransomware decryptor in the future.


To remove C0hen Locker virus, follow these steps:

Remove C0hen Locker using Safe Mode with Networking

Access Safe Mode with Networking as described below if you are struggling to remove C0hen Locker ransomware in normal mode:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove C0hen Locker

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete C0hen Locker removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove C0hen Locker using System Restore

System Restore can also be used as an alternative method to get rid of malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select your restore point that is prior to the infiltration of C0hen Locker. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that C0hen Locker removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove C0hen Locker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by C0hen Locker, you can use several methods to restore them:

Use Data Recovery Pro

Data recovery software might sometimes work and retrieve working copies of files from the local hard drive. However, the process is not always successful, especially if the machine was used heavily after the infection occurred.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by C0hen Locker ransomware;
  • Restore them.

Make use of Windows Previous Versions Feature

This method will only work if you had System Restore enabled before the ransomware attack occurred. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might be the savior

If C0hen Locker failed to delete Shadow Volume Copies, use ShadowExplorer – it should be able to retrieve most of your data.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use a provided unlock key

You can try entering the unlock key 12309482354ab2308597u235fnq30045f to recover your files.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from C0hen Locker and other ransomware, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Back up files for later use in case of a malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to update your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device cause data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.
