A new variant of ransomware virus has been discovered by experienced security professionals. It appends the .codnat1 file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails, malicious software or manually installing the ransomware. Read below a brief summary of information related to this ransomware, how to remove .codnat1 ransomware and how to restore or decrypt encrypted files for free.
Files encrypted by “.codnat1 ransomware”
Immediately after the launch, the Codnat1 ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware virus uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.mlx, .upk, .rwl, .re4, .pkpass, .zip, .zi, .p7c, .vdf, .xlsm, .m3u, .tor, .wpw, .wp5, .syncdb, .ws, .xls, .hkdb, .xlsx, .wma, .xar, .r3d, .rtf, .wb2, .dwg, .kdc, .odb, .mrwref, .odp, .x3f, .ibank, .docm, .wps, .pfx, .wmv, .xxx, .rb, .svg, .sidd, .pst, .t12, .big, .vpp_pc, .wpd, .itm, .wpl, .wpa, .pptm, .cr2, .wbc, .sql, .wbk, .cdr, .0, .arw, .1, .dcr, .apk, .qic, .z3d, .x3d, .gdb, .bar, .p7b, .xld, .accdb, .icxs, .itdb, .vpk, .srw, .wire, .wbd, .dba, .pdf, .dmp, .ztmp, .x3f, .wbmp, .sid, .ods, .css, .litemod, .7z, .kdb, .dng, .ysp, .x, .layout, .bik, .odm, .bc6, .xbplate, .desc, .wotreplay, .lrf, .3dm, .zabw, .rgss3a, .wmf, .wp4, .orf, .xml, .ntl, .wsh, .xyw, .2bp, .der, .psk, .vtf, .rar, .xpm, .dxg, .xbdoc, .tax, .zdb, .webp, .ai, .3fr, .wdp, .webdoc, .xlk, .mp4, .wm, .dazip, .mcmeta, .hvpl, .xy3, .wn, .wot, .png, .wgz, .wp6, .snx, .wcf, .sav, .slm, .xls, .iwi, .wri, .wbz, .wmo, .cer, .forge, .wp7, .mpqge, .erf, .psd, .py, .hkx, .nrw, .avi, .ppt, .sr2, .jpe, .wav, .p12, .csv, .txt, .fpk, .xmind, .ff, .zdc, .mddata, .gho, .xmmap, .flv, .docx, .das, .wps, .wp, .wpt, .mdf, .wma, .m2, .yal, .xdl, .wsd, .xlsm, .odc, .xyp, .jpg, .z, .xwp, .wpe, .wpd, .arch00, .xlsx, .bkp, .lbf, .asset, .dbf, .xlgc, .vcf, .xx, .ltx, .xf, .t13, .wsc, .mdb, .hplg, .wdb, .rofl, .lvl, .bc7, .mov, .vfs0, .pak, .iwd, .ybk, .esm, .eps, .yml, .pem, .xll, .qdf, .rw2, .mdbackup, .sum, .doc, .wpg, .cfr, .indd, .rim, .kf, .wmv, .db0, .sis, .epk, .m4a, .sie, .wbm, .3ds, .pdd, wallet
Once a file is encrypted, its extension modified to .codnat1. Next, the ransomware drops a file named ‘_readme.txt’. This file contain a instructions on how to decrypt all encrypted documents, photos and music. An example of the ransomnote is:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-oEUEuysYiZ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | .Codnat1 ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Encrypted files extension | .codnat1 |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch, mosteros@firemail.cc |
| Ransom amount | $490, $980 in Bitcoins |
| Symptoms |
|
| Removal | To remove .Codnat1 ransomware use the removal guide |
| Decryption | To decrypt .Codnat1 ransomware use the steps |
Therefore it is very important to follow the few simple steps below without a wait. The guide will help you to remove .Codnat1 ransomware. What is more, the step-by-step guide below will help you restore (decrypt) encrypted files for free.
Quick links
- How to remove .Codnat1 ransomware
- How to decrypt .codnat1 files
- Use STOPDecrypter to decrypt .codnat1 files
- How to restore .codnat1 files
- How to protect your computer from .Codnat1 ransomware?
- Finish words
How to remove .Codnat1 ransomware
Even if you have the up-to-date classic antivirus installed, and you have checked your computer for ransomwares and removed anything found, you need to do the instructions below. The .Codnat1 ransomware virus removal is not simple as installing another antivirus. Classic antivirus applications are not developed to run together and will conflict with each other, or possibly crash Windows. Instead we suggest complete the steps below an use Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free applications dedicated to detect and get rid of malicious software like .Codnat1 ransomware. Run these utilities to ensure the ransomware virus is removed.
Use Zemana Anti-malware to remove .Codnat1 ransomware
We suggest you to use the Zemana Anti-malware which are completely clean your PC of ransomware virus. Moreover, the tool will allow you to remove trojans, malware, worms and adware software that your computer can be infected too.
- Installing the Zemana is simple. First you will need to download Zemana on your Microsoft Windows Desktop from the link below.
Zemana AntiMalware
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your web-browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- Once the downloading process is done, please close all apps and open windows on your machine. Next, start a file called Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana Anti-Malware onto your system. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Anti Malware will launch and display the main window.
- Further, click the “Scan” button to perform a system scan for the .Codnat1 ransomware and other kinds of potential threats. When a malicious software, adware software or potentially unwanted software are detected, the number of the security threats will change accordingly.
- When the scan is complete, the results are displayed in the scan report.
- You may delete threats (move to Quarantine) by simply press the “Next” button. The tool will delete .Codnat1 ransomware virus related files, folders and registry keys. After that process is done, you may be prompted to reboot the system.
- Close the Zemana AntiMalware and continue with the next step.
How to remove Codnat1 ransomware with MalwareBytes Free
Remove Codnat1 ransomware manually is difficult and often the ransomware is not completely removed. Therefore, we recommend you to run the MalwareBytes Free which are fully clean your PC system. Moreover, this free program will allow you to remove malicious software, trojans, worms and adware software that your PC system may be infected too.
Installing the MalwareBytes Anti-Malware is simple. First you’ll need to download MalwareBytes Anti Malware by clicking on the link below.
326384 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After the download is done, run it and follow the prompts. Once installed, the MalwareBytes Anti Malware (MBAM) will try to update itself and when this process is complete, press the “Scan Now” button . MalwareBytes Anti Malware (MBAM) program will scan through the whole computer for the Codnat1 ransomware virus and other security threats. This task can take some time, so please be patient. While the MalwareBytes program is scanning, you can see how many objects it has identified as threat. When you are ready, click “Quarantine Selected” button.
The MalwareBytes is a free program that you can use to remvoe all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal utility, we recommend you to read and follow the step-by-step guidance or the video guide below.
Remove .Codnat1 ransomware virus from system with KVRT
The KVRT utility is free and easy to use. It may scan and remove crypto viruses like the .Codnat1 ransomware, malicious software, trojans and adware from your computer and thereby revert back system settings. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the personal computer.
Download Kaspersky virus removal tool (KVRT) on your personal computer by clicking on the link below.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the .Codnat1 ransomware and other malicious software. This procedure may take quite a while, so please be patient. While the Kaspersky virus removal tool application is scanning, you can see how many objects it has identified as threat.
Once that process is finished, you will be displayed the list of all found items on your machine as displayed in the figure below.
All found items will be marked. You can remove them all by simply press on Continue to begin a cleaning task.
How to decrypt .codnat1 files
The .Codnat1 ransomware ransomware offers to make a payment in Bitcoins to get a key to decrypt photos, documents and music. Important to know, currently not possible to decrypt .codnat1 files without the private key and decrypt program.
There is absolutely no guarantee that after pay a ransom to the authors of the .Codnat1 ransomware, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
Files encrypted by “.codnat1 ransomware”
With some variants of Codnat1 ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .codnat1 files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.codnat1).
Please check the twitter post for more info.
How to restore .codnat1 files
In some cases, you can recover files encrypted by .Codnat1 ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Run ShadowExplorer to recover .codnat1 files
In order to restore .codnat1 documents, photos and music encrypted by the .Codnat1 ransomware virus from Shadow Volume Copies you can run a utility called ShadowExplorer. We advise to use this solution as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.
Visit the following page to download the latest version of ShadowExplorer for Windows. Save it on your MS Windows desktop.
438668 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the downloading process is finished, extract the downloaded file to a directory on your PC. This will create the necessary files as shown on the screen below.
Launch the ShadowExplorerPortable program. Now select the date (2) that you wish to recover from and the drive (1) you want to recover files (folders) from like below.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and click the Export button as shown below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Run PhotoRec to recover .codnat1 files
Before a file is encrypted, the .Codnat1 ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore applications like PhotoRec.
Download PhotoRec by clicking on the following link.
Once downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the following example.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll display a screen as displayed on the screen below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music like below.
Click File Formats button and select file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, press Browse button to select where recovered documents, photos and music should be written, then click Search.
Count of restored files is updated in real time. All restored documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered files are stored. You will see a contents as displayed on the screen below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from .Codnat1 ransomware?
Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your personal computer from .Codnat1 ransomware
HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the following page to download the latest version of HitmanPro.Alert for MS Windows. Save it on your Windows desktop.
When the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the utility is started, you’ll be displayed a window where you can choose a level of protection, as shown in the figure below.
Now press the Install button to activate the protection.
Finish words
Now your system should be free of the .Codnat1 ransomware virus. Uninstall KVRT and MalwareBytes Anti-Malware (MBAM). We suggest that you keep Zemana Free (to periodically scan your PC for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to delete .Codnat1 ransomware virus from your system, then ask for help here.
