C0hen Locker ransomware (Removal Guide) - Recovery Instructions Included
C0hen Locker virus Removal Guide
What is C0hen Locker ransomware?
C0hen Locker ransomware is malware that encrypts data with AES and demands a ransom of 0.15 BTC for its recovery
C0hen Locker ransomware is a file locking virus that does not belong to any previously-known ransomware family
C0hen Locker ransomware is a new data locking malware that was spotted in the wild at the start of December 2019. Upon infiltration, the virus performs the necessary preparations inside the Windows PC and then scans it for files to encrypt – it targets the most common formats, such as .pdf, .doc, .jpg, .avi, etc. The encryption is performed with the symmetric algorithm AES, and all the locked data is marked with the .c0hen extension, making it inaccessible to its owners. Unfortunately, C0hen Locker ransomware performs the exact same procedure on any networked drives it finds during the infection process.
As soon as the C0hen Locker virus finishes encrypting files, it opens a custom program window titled c0hen@admin, which essentially serves as a ransom note. The cybercriminals ask victims to transfer 0.15 BTC to the provided Bitcoin wallet or contact a Discord user c0hen#7722 for negotiation. The ransomware is currently not decryptable, although the affected users could try using the unlock key 12309482354ab2308597u235fnq30045f, which was provided by a security researcher on Twitter.[1]
| Name | C0hen Locker ransomware |
|---|---|
| Type | Cryptomalware, file locking virus |
| Main executable | The samples found in the wild were named c0hen locker.exe, although the malware can also use a random name for its main executable |
| Encryption method | AES |
| File extension | As soon as the virus infects the system, it encrypts pictures, music, videos, MS Office documents and other commonly used files, appending the .c0hen marker to each of them |
| Ransom note | Instead of providing a text-based ransom note, C0hen Locker authors use a screen locker titled c0hen@admin |
| Contact | Users are not given an email address, as is common; instead they are told to use the chat application Discord to contact the user c0hen#7722 |
| Ransom size | Victims are asked to pay 0.15 BTC for the C0hen Locker ransomware decryptor |
| File decryption | You can try the unlock key 12309482354ab2308597u235fnq30045f. If that is not successful, use the alternative data recovery methods provided below |
| Malware removal | Use reputable anti-malware software that can recognize the infection |
| System recovery | To remediate Windows OS after a malware infection and fix the damage done to it, we recommend using FortectIntego |
Security researchers have not yet found any connections between C0hen Locker ransomware and other families, so it seems like it is a new strain developed by unknown threat actors. However, seeing how ransomware has been extremely successful in the past few years, there are numerous criminals that want to succeed in this money-extortion business.
Before infecting the machine, the C0hen Locker virus checks the system for the installed keyboard languages. It may exit without infecting the system if the language is one of those excluded by the ransomware authors – this behavior is typical and is often applied to ex-Soviet bloc countries.
After passing the initial check, C0hen Locker virus drops its main executable into the %TEMP% folder and performs a variety of changes to the system, including:[2]
- Removes Shadow Volume Copies with the command “vssadmin.exe delete shadows /all /quiet”
- Disables the Task Manager
- Installs system startup scripts (this might complicate C0hen Locker ransomware removal)
- Modifies the value of the HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN registry
- Drops over 500 files on the system, etc.
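The behaviors in the list above are the ones a defender can alert on. The following Python script is an added example, not code from the page or from its cited analysis report: it runs simple rules over a few constructed process-creation and registry events (the event field names are an assumption) and counts which of the listed behaviors each rule matched.

```python
import re

# Constructed sample events modelled on the behaviours listed above; not real
# telemetry from the C0hen Locker sample. The field names are an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\c0hen locker.exe",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\c0hen locker.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
     "value": "c0hen", "data": r"C:\Users\victim\AppData\Local\Temp\c0hen locker.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableTaskMgr", "data": "1"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# (rule name, event type it applies to, event field the pattern is matched against, pattern)
RULES = [
    ("shadow_copy_deletion", "process", "cmdline",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("run_key_persistence", "registry", "key",
     re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)),
    ("task_manager_disabled", "registry", "value",
     re.compile(r"^DisableTaskMgr$", re.I)),
    ("executable_in_temp", "process", "image",
     re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)),
]

def scan_events(events):
    """Return a list of (rule_name, event) pairs for every event that matches a rule."""
    findings = []
    for event in events:
        for name, etype, field, pattern in RULES:
            if event["type"] == etype and pattern.search(event[field]):
                findings.append((name, event))
    return findings

def hit_counts(events):
    """Number of matching events per rule. A host hitting several of these rules
    in a short window is worth isolating before the encryption phase completes."""
    counts = {name: 0 for name, _, _, _ in RULES}
    for name, _ in scan_events(events):
        counts[name] += 1
    return counts

if __name__ == "__main__":
    for name, event in scan_events(SAMPLE_EVENTS):
        print(f"{name}: {event}")
```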
C0hen Locker ransomware then proceeds with the file encryption process, which also affects all the data on connected network drives. Finally, it drops a lock screen that states the following:
WARNING: If you turn your PC off you will not get your files back!!!
c0hen locker has infected your PC
Whats happening?
Your computer has been infected. You must do as instructed to get your files back.
Donate 0.15 BTC to this wallet
Or:
Download discord and add c0hen#7722 for decryption key
discord.com/download
All devices on your network have been infected. All of your computers files have been encrypted with ransomware.
Because C0hen Locker ransomware heavily modifies the host machine, files may be permanently corrupted if the PC is shut down. Therefore, before doing anything else, experts suggest you back up all the data on the network and then remove C0hen Locker ransomware with powerful security software (you might have to access Safe Mode for that).
C0hen Locker ransomware is a type of malware that holds all files hostage and demands 0.15 BTC for the decryption tool
To recover the normal function of the PC and fix virus damage, we suggest using FortectIntego after C0hen Locker ransomware is eliminated.
You can avoid ransomware infections in most cases
Whether your machine gets infected with ransomware depends largely on the security measures in place and your overall awareness. In most cases, those who get infected act carelessly online despite the risks or are simply unaware of how ransomware and other malware can infect computers.
As a general rule, ransomware is spread via the internet and often involves some type of social engineering. One of the most popular tactics used by cybercriminals is phishing emails. In some cases, crooks send out thousands of emails using a botnet[3] or other automated tools, while at other times the emails are targeted and the recipient's name is already known to the crooks (often acquired via previous phishing attempts or bought on underground forums).
A spam email message can be crafted in various ways, but it often includes an attachment laced with malicious macros or a hyperlink that downloads the payload from a remote server. Thus, it is important not to open every email that comes your way, even those that look legitimate (the “From” address can be forged by a technique called spoofing).[4]
Other methods often used by cybercriminals include:
- Exploits
- Software cracks
- Fake updates
- Unprotected RDP connections
To mitigate these techniques, you should ensure that comprehensive security software protects your system, that all accounts use strong passwords that are not reused, and that no suspicious files are downloaded from shady sites such as torrent trackers.
Backup your files and then remove C0hen Locker virus
In some cases, ransomware self-deletes after the file encryption process is complete. However, other strains stay on the system in order to keep encrypting newly created files. For that reason, C0hen Locker ransomware removal should be performed before attempting file recovery without paying the threat actors. Nevertheless, you should also be aware that the removal might damage your files, just as a system restart might. Thus, make sure you back up all the files encrypted by the C0hen Locker virus first.
Victims can recognize the encrypted files by the extension added to them - .c0hen
After that, you should access Safe Mode with Networking and scan the machine with reputable anti-malware software to completely remove C0hen Locker ransomware and all its components from the system. Then you can try recovering your data using the methods provided in the recovery section below. If none are successful, there is a chance that security researchers will find bugs within the malicious software and release a free C0hen Locker ransomware decryptor in the future.
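The advice above to back up the encrypted files before removal or a reboot can be scripted. The Python below is an added example, not a tool from the page: it copies every file carrying the .c0hen marker from a source tree into a backup location, keeping relative paths and verifying each copy by SHA-256, and runs against a small constructed directory tree.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".c0hen"  # marker appended by C0hen Locker, per the description above

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large media files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def backup_encrypted_files(source_root, backup_root):
    """Copy every *.c0hen file under source_root into backup_root, keeping the
    relative path, and verify each copy by hash. Returns {relative_path: sha256}."""
    source_root, backup_root = Path(source_root), Path(backup_root)
    manifest = {}
    for src in sorted(source_root.rglob("*" + ENCRYPTED_EXT)):
        if not src.is_file():
            continue
        rel = src.relative_to(source_root)
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves timestamps, useful for later triage
        src_hash, dst_hash = sha256_of(src), sha256_of(dst)
        if src_hash != dst_hash:
            raise IOError(f"backup copy of {rel} does not match the source")
        manifest[rel.as_posix()] = dst_hash
    return manifest

def demo():
    """Build a constructed tree (two encrypted files, one untouched) in a
    temporary directory, back it up and return the manifest."""
    root = Path(tempfile.mkdtemp())
    share = root / "share"
    (share / "docs").mkdir(parents=True)
    (share / "docs" / ("report.pdf" + ENCRYPTED_EXT)).write_bytes(b"\x00constructed ciphertext\x01")
    (share / ("photo.jpg" + ENCRYPTED_EXT)).write_bytes(b"\x02more constructed bytes\x03")
    (share / "docs" / "notes.txt").write_text("untouched plaintext")
    return backup_encrypted_files(share, root / "backup")

if __name__ == "__main__":
    for rel, digest in demo().items():
        print(f"{digest}  {rel}")
```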
Getting rid of C0hen Locker virus. Follow these steps
Manual removal using Safe Mode
Access Safe Mode with Networking as described below if you are struggling to remove C0hen Locker ransomware in normal mode:
Important!
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it might also take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove C0hen Locker using System Restore
System Restore can also be used as an alternative method to get rid of malware:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, type cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point created before the C0hen Locker infiltration. After doing that, click Next.
- Now click Yes to start System Restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove C0hen Locker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by C0hen Locker, you can use several methods to restore them:
Use Data Recovery Pro
Data recovery software might sometimes work and retrieve working copies of files from the local hard drive. However, the process is not always successful, especially if the machine was used heavily after the infection occurred.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by C0hen Locker ransomware;
- Restore them.
Make use of Windows Previous Versions Feature
This method will only work if you had System Restore enabled before the ransomware attack occurred.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.
ShadowExplorer might be the savior
If C0hen Locker failed to delete Shadow Volume Copies, use ShadowExplorer – it should be able to retrieve most of your data.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Use a provided unlock key
You can try entering the unlock key 12309482354ab2308597u235fnq30045f to recover your files.
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from C0hen Locker and other ransomware, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
Do not let government spy on you
Governments have many issues in regard to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy an internet connection without the risk of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities and trust your selection of services and platforms, stay suspicious for your own security and take precautionary measures by using the VPN service.
Back up files for later use, in case of a malware attack
Computer users can suffer data losses due to cyber infections or their own mistakes. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause the loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to run automatically.
When you have a previous version of every important document or project, you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
- [1] Jack. c0hen Locker #ransomware. Twitter. Social network.
- [2] Incident Response. Hybrid Analysis. Sample analysis report.
- [3] What is a botnet?. Norton. Security blog.
- [4] Email spoofing. Wikipedia. The free encyclopedia.