Remove Corona-lock ransomware (Virus Removal Guide) - Bonus: Decryption Steps

removal by Olivia Morelli - - | Type: Ransomware

Corona-lock virus Removal Guide

What is Corona-lock ransomware?

Corona-lock is yet another ransomware campaign using the disease as a lure

Corona-lock ransomwareCorona-lock ransomware virus locks non-system files with an intention to extort money out of its victims

Corona-lock ransomware is a cryptovirus that misuses the COVID-19 pandemic to trick people into opening malicious ransomware payload and lock personal people's files. It has been found spreading via spam emails[1] called “Corona virus cure for China, Italy.” The email contains a CORONA TREATMENT.doc file, which is infected with the malicious ransomware payload.

Upon the infiltration, the Corona-lock virus roots into the OS by changing Windows Registry entries and injecting malicious executables among boot up files. After that, the system is forced to restart leading to a complete lock of personal files. All non-system data gets encrypted by the .corona-lock! file extension. Usually, victims cannot fully understand what happened until the README_LOCK.txt note gets placed on the desktop and other folders.

The Corona-lock ransomware is also known as the CovidWorldCry virus. Both variants are not decryptable. At least not yet. The criminals behind this threat programmed this threat to run a combination of ChaCha and AES encryption algorithm, which is a tough nut to crack for cybersecurity experts.

Name of the virus Corona-lock
Also known as CovidWorldCry ransomware, CoronaLock ransomware, Corona-Lock virus, BigLock ransomware
Ransom note README_LOCK.txt or !!!READ_ME!!!.TXT
Encryption model ChaCha + AES
Contacts Criminals provide the email
Payload Usually, people are represented with malicious spam emails that contain CORONA TREATMENT.doc file with a hidden 2020-05-22_17-36-19.exe payload
File marker The ransomware locks files using a strong encryption model and appends .corona-lock file extension. However, people can also be attacked by other Corona-lock ransomware variants exhibiting .biglock file marker
Goals The ransomware is a crypt-extortionists, meaning that it's sole purpose is to earn the money. For that, it locks files and demands a ransom payment
Distribution The virus has been found spreading via Coronavirus-related spam email messages in particular. However, experts warn that the payload can also be launched via Rig exploit kit, rogue software installers, and cracks
Removal If ransomware infected the machine, the only way to delete it is to restart the machine into Safe Mode with Networking (a guide below explains how to to that) and then run a full system scan with a professional AV engine.
Data recovery There's no official Corona-lock decryptor. However, it's advisable to backup encrypted files and send the samples to cybersecurity experts for analysis. Besides, you can try decrypting the data using alternative methods, such as Volume Shadow Copies
Windows recovery Upon ransomware elimination, recover the system using ReimageIntego repair tool

The Corona-lock virus is ransomware without a family. It's a stand-alone threat, which only can be attributed to the COVID-19 campaign viruses[2] alongside Cov19, Coronavirus ransomware, Dharma, Maze, REvil, CovidLock, and many others. Although it's one of the ransomware-type viruses that take advantage of the Rig exploit kits, the most victims are caught on the hook by reliable-looking spam emails that contain the CORONA TREATMENT.doc file.

This CORONA TREATMENT.doc spam attachment disguises the malicious 2020-05-22_17-36-19.exe file, which is a unique Corona-lock ransomware payload. Once launched, the creates the following entries:

  • %APPDATA%\key.file
  • %HOMEPATH%\desktop\readme_lock.txt
  • D:\install.log.corona-lock
  • :\000814251_video_01.avi.corona-lock
  • :\delete.avi.corona-lock
  • :\join.avi.corona-lock
  • :\archer.avi.corona-lock
  • :\dashborder_96.bmp.corona-lock
  • :\dial.bmp.corona-lock
  • :\dialmap.bmp.corona-lock

Moreover, the Corona-lock virus creates malicious processes under names %WINDIR%\syswow64\vssadmin.exe, \conhost.exe, \dllhost.exe, \vssvc.exe, and %WINDIR%\syswow64\wbem\wmic.exe, which lock AV engines and increase ransomware persistence.

According to the VirusTotal analysis[3], the Corona-lock file virus executable can be detected and quarantined by 61 security tools out of 71. The most common detections are the following:

  • Ransom:Win32/Coronalock.DEA!MTB (Windows Defender)
  • Win32:Malware-gen (AVG)
  • Trojan.GenericKDZ.67331 (BitDefender)
  • Trojan.TR/AD.RansomHeur.eku (F-Secure)
  • Trojan.Win32.DelShad.dfc (Kaspersky)
  • Win32:Malware-gen (Avast)
  • A Variant Of Win32/Kryptik.HDOJ (ESET-NOD32), etc.

Corona-lock detectionThe corona-lock virus can currently be detected by most of the AV security tools

All activities initiated by Corona-lock ransomware are extremely malicious. It roots into the OS, compromises %AppData%, %Temp%, and entries in other directories, eliminates Shadow Volume copies, terminates core processes, and starts alternative ones, etc. All performance leads to one goal – complete restriction from personal files.

Once the files are encoded by .corona-lock file extension, the ransomware generates a note README_LOCK.txt or !!!READ_ME!!!.TXT, which contains a unique ID number, which is bound to a personal file decryption key stored by criminals. to get the key, victims have to write an email to and pay the criminals a ransom payment.


WE STRONGLY RECOMMEND you NOT to use any Decryption Tools.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.

To get RSA private key you have to contact us via email to:
—————————->> <<
and send us your id: >> 2374052812 <<

HOW to understand that we are NOT scammers?
You can ask SUPPORT for the TEST-decryption for ONE file!


If you are currently seeing such a message, we strongly recommend you to backup the encrypted files to alternative storage (hard drive, USB flash drive, cloud storage, etc.) and then restart the machine into Safe Mode with Networking. The safe mode disables malicious processes and allows launching the security software. To remove Corona-lock ransomware virus from the system thoroughly, we recommend using Malwarebytes, SpyHunter 5Combo Cleaner, or similar security software.

Upon successful Corona-lock removal, it's must to recover the Windows directories that the virus might have compromised. Distorted Windows Registries, disabled processes, and written/deleted files, modified attributes, and other performances can trigger Windows malfunctions and crashes. For this purpose, you can take advantage of the ReimageIntego tool.

.corona-lock file recovery options

Do not get confused by false claims on some unreliable sources that the removal of Coronal-lock ransomware using an anti-virus tool will recover personal files. Ransomware removal means that the AV engine quarantines the malicious ransomware processes and files.

The data that is encrypted using the ChaCha + AES encryption algorithm and exhibits the .corona-lock file extension will not be encrypted upon virus removal. Data encryption requires a specific decryption software that reverts the changes initiated by the cipher.

Corona-lock ransomware virusCorona-lock virus appends .corona-lock file extension to encrypted files

Criminals behind the Corona-lock virus offer their victims to buy the decryptor for a considerable amount of money and we are sure that a part of victims agree with the payment as they crave for unlocking important data. However, we do not recommend supporting criminals in any way.

Instead of that, experts from[4] advisable to remove Corona-lock ransomware and then decrypt files using alternative methods. First of all, you can contact ransomware researchers and provide them with ransomware examples for testing. It's very likely that sooner or later they can develop a free decryptor.

While the Corona-lock decryptor is under development, you can try decrypting the files using third-party data recovery programs, System Restore, or Shadow Volume copies. You can find a comprehensive guide at the end of this article.

.biglock file extension is related to Corona-lock ransomware

Corona-lock ransomware is also known as the CovidWorldCry virus. Both variants are equally dangerous. However, depending on the variant that infiltrated the machine, the diverse extension can be appended to personal files.

In many cases, people find their files encrypted by the .biglock file extension virus. Files that contain such a suffix cannot be opened, moved, deleted, or renamed. Unfortunately, automatically renamed personal files means only one thing – ransomware attack.

Beware that criminals seek to gain as much money as possible. Corona-lock virus managers may demand you to pay a redemption that varies from $480 to $1500 depending on the amount of encrypted data.

As we have already pointed out, this ransomware cannot be decrypted for free. Thus, you can either pay the criminals or get rid of Corona-lock virus from your machine and try data recovery methods provided by our security experts.

Coronavirus-themed email spam keeps flooding inboxes

During the worldwide Coronavirus pandemic, criminals launched thousands of disease-related spam campaigns, malware, and viruses. Unfortunately, millions of people were caught on the hook of intriguing news, disease prevention methods, charities, and other rogue email messages that were used by scammers to infect PCs with ransomware.

It's very important to raise people's consciousness, so we keep repeating that official and reliable organizations are sharing the information on the official website or other reliable sources. They are not sending emails with questionable attachments to random PC users unless they are registered or made their e-mails public.

However, the malspam campaign is not the only way to spread malware and ransomware viruses. Criminals can quite easily exploit software vulnerabilities, known as flaws. Hackers take advantage of the exploit kits to gain access to people's machines. This particular ransomware is known for exploiting Rig exploit kit, which allows hackers to inject the malicious payload to the targeted machines remotely. Therefore, it's crucial to update outdated software and patch reported vulnerabilities without a delay.

Corona-lock spamCorona-lock virus managers are exploiting spam emails and Rig exploit kits to infiltrate machines

Therefore, people should be extremely careful with suspicious email attachments, avoid downloading pirated software, cracking software, visiting x-rated websites, or clicking on doubtful ads. Instead of that, take advantage of a reputable anti-virus suite, which features real-time protection and other additional security measures.

Corona-lock removal guide: learn how to eliminate the entire ransomware package thoroughly

Usually, people attempt to remove Corona-lock ransomware and similar cyber-infections by simply launching the AV tool in a regular Windows mode. Unfortunately, such an attempt is usually unsuccessful because ransomware runs malicious processes that block security software.

If you are currently solving such a situation, you should perform Corona-lock removal while the machine is restarted into Safe Mode with Networking. You can find a full guide explaining how to do that down below.

Besides, it's very important to select a professional security software to elimination to Corona-lock virus. Ransomware, in general, is an intricate piece of software, which may remain in the disguise of Windows system files and re-attack the machine upon elimination if a single malicious entry is left intact. Our recommended programs are SpyHunter 5Combo Cleaner and Malwarebytes, but if you have another preferable security tool, you are free to use it, except make sure it's fully up-to-date.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Corona-lock virus. Follow these steps

Manual removal using Safe Mode

Rebooting into Safe Mode with Networking is needed to perform full Corona-lock virus removal.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Corona-lock using System Restore

System Restore feature can help with the infection and eliminate the threat by recovering the machine in a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Corona-lock. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that Corona-lock removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Corona-lock from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Corona-lock, you can use several methods to restore them:

Data Recovery Pro can help to retrieve files locked by .corona-lock file virus

This piece of software has been developed to help people restore files after a Windows crash. However, in many cases, it helped ransomware victims to get their files back without paying the ransom. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Corona-lock ransomware;
  • Restore them.

Try Windows Previous Versions

If you've been using the Windows Previous Version feature, you may try to recover files by retrieving their versions prior to ransomware attack. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Restore the files using Shadow Volume Copies

When it is known that Corona-lock ransomware hasn't affected Shadow Volume Copies, you can use ShadowExplorer to recover files

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

At the moment, the Corona-lock decryption tool is not available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Corona-lock and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions