IT security researchers have discovered a new ransomware variant that appends the .cosakos file extension to encrypted files. It targets computers running Windows and is spread through spam emails, other malware, or manual installation. Below is a brief summary of this ransomware and of how to restore or decrypt .cosakos files for free.
Once on the user’s machine, the Cosakos file virus recursively searches all folders for files and encrypts each one it finds using a complex algorithm, leaving the files unusable. This ransomware can lock many kinds of files, including archives, photos, drawings, web application-related files, documents, databases and videos, and backups can be affected as well. The Cosakos virus encrypts almost all files, including common types such as:
.ods, .xf, .odm, .crw, .ppt, .wire, .wps, .syncdb, .wgz, .wcf, .ltx, .itdb, .yml, .xll, .orf, .wotreplay, .xlsx, .rw2, .jpeg, .icxs, .odp, .xar, .wm, .wp, .gho, .vtf, .docm, .wri, .xbdoc, .itl, .png, .srf, .wpl, .wp4, .zdb, .flv, .pdd, .mef, .t13, .y, .ysp, .dxg, .rofl, .tor, .snx, .odt, .xyw, .ff, .xy3, .apk, .big, .x3f, .rtf, .wmo, .hkx, .xyp, .rb, .wpd, .mdf, .cfr, .crt, .p12, .lrf, .fos, .qic, .srw, .p7c, .wpa, .ws, .das, .t12, .upk, .ntl, .xmmap, .forge, .docx, .raw, .xbplate, .w3x, .rim, .tax, .wma, .xls, .zip, .webdoc, .mlx, .vcf, .py, .cdr, .bkp, .wpw, .pptm, .dwg, .wsd, .indd, .wdp, .xlsm, .xwp, .db0, .mpqge, .wbm, .pkpass, .jpe, .xlsx, .wpg, .iwi, .wp6, .xlgc, .mdbackup, .sr2, .ztmp, .3dm, .wav, .wma, .odb, .nrw, .litemod, .vpk, .1, .m2, .hvpl, .0, .asset, .bc6, .itm, .sid, .jpg, .dmp, .2bp, .d3dbsp, .erf, .x3f, .wbc, .sql, .psk, .mov, .bay, .pdf, .wps, .rgss3a, .psd, .wdb, .layout, .dazip, .z, .css, .wbd, .xlsb, .wsh, .xld, .avi, .ai, .rar, .bar, .zip, .fpk, .xmind, .kf, .raf, .hkdb, .x, .cr2, .zabw, .cer, .3ds, .eps, .p7b, .svg, .bc7, .sidd, .xml, .pef, .kdc, .gdb, .wmv, .sis, .epk, .3fr, .sie, .vfs0, .pem, .pptx, .dbf, .bkf, .kdb, .xlsm, .xlk, .ptx, .lvl, .menu, .der, .rwl, .arw, .xdl
All affected files become unusable and get the .cosakos extension, and each directory containing affected files also contains a ransom message informing the user that ransomware is present on the computer and has locked the target files. The attackers tell each victim that the encrypted files can be restored only by paying a ransom. After transferring the specified amount to the cybercriminals, the user will receive a unique key from them, which will decrypt the files affected by the Cosakos virus. If the money for the key is transferred to the criminals within 72 hours, they are ready to give the victim a discount of 50%.
Threat Summary
Name | Cosakos file virus |
Type | Crypto malware, Crypto virus, File locker, Ransomware, Filecoder |
Encrypted files extension | .cosakos |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch |
Ransom amount | $980 in Bitcoins |
Symptoms | Encrypted personal files. Your documents, photos and music now have odd extensions that end with .cosakos. Your file directories contain a ‘ransom note’ file that is usually a .txt file. New files in your file folders, with name variants of: ‘_readme.txt’, or ‘_readme’. |
Distribution ways | Email attachments. Drive-by downloading (when a user unknowingly visits an infected web site and then malware is installed without the user’s knowledge). Social media posts (they can be used to trick users to download malicious software with a built-in ransomware downloader or click a misleading link). Remote desktop protocol (RDP) hacking. |
Removal | To remove Cosakos file virus use the removal guide |
Decryption | Cosakos ransomware decryption steps |
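The extension and ransom note names in the summary above are enough to measure how far the encryption reached before any cleanup starts. The following Python script is an added example, not part of the original guide: it walks a folder tree, lists files ending in .cosakos together with their original names, and flags folders that hold a ransom note but no encrypted file. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".cosakos"            # extension from the threat summary
NOTE_NAMES = {"_readme.txt", "_readme"}  # ransom note names from the summary


def triage(root):
    """Return {directory: {"encrypted": [(name, original)], "notes": [name]}}."""
    report = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
        for name in sorted(files):
            lower = name.lower()  # Windows file names are case-insensitive
            if lower in NOTE_NAMES:
                report[dirpath]["notes"].append(name)
            elif lower.endswith(ENCRYPTED_SUFFIX) and lower != ENCRYPTED_SUFFIX:
                original = name[: -len(ENCRYPTED_SUFFIX)]  # drop appended suffix
                report[dirpath]["encrypted"].append((name, original))
    return dict(report)


def summarize(report):
    """Totals, plus directories holding a note but no encrypted file."""
    note_only = sorted(d for d, v in report.items() if v["notes"] and not v["encrypted"])
    return {"dirs": len(report), "encrypted": sum(len(v["encrypted"]) for v in report.values()),
            "notes": sum(len(v["notes"]) for v in report.values()), "note_only_dirs": note_only}


def build_sample_tree(base):
    """Constructed sample data: a small tree with and without indicators."""
    layout = {
        "Documents": ["report.docx.cosakos", "_readme.txt"],
        "Pictures": ["a.jpg.Cosakos", "b.jpg", "_readme.txt"],
        "Clean": ["notes.txt"],
        "Empty": ["_readme.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            with open(os.path.join(base, folder, name), "wb") as fh:
                fh.write(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(summarize(triage(tmp)))
```

To use it on a real machine, call triage() on a user profile or data drive and keep the resulting list as the inventory of files to restore or decrypt later.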
The step-by-step instructions below are for those who are looking for a way to completely remove the Cosakos file virus from the computer, and for those who want to learn as much as possible about how to recover (decrypt) personal files. We hope you will find answers to all your questions in this article.
Quick links
- How to remove Cosakos file virus
- How to decrypt .cosakos files
- Cosakos decryption tool
- How to restore .cosakos files
- How to protect your machine from Cosakos virus
How to remove Cosakos file virus
Manual removal does not always completely remove the Cosakos virus, because it is not easy to identify and remove every component of a crypto virus and all malicious files from the hard disk. Therefore, it is recommended that you run a malware removal utility to completely remove the Cosakos file virus from your system. Several free malware removal utilities that can be used against this ransomware are currently available. The optimum solution would be to run Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
Run Zemana Free to remove Cosakos virus
Zemana is a free tool that performs a scan of your computer and displays if there are existing trojans, worms, spyware, ransomware, adware and other malicious software residing on your PC. If malicious software is found, Zemana Anti Malware (ZAM) can automatically remove it. Zemana does not conflict with other anti-malware and antivirus applications installed on your PC system.
- Installing the Zemana Anti Malware (ZAM) is simple. First you’ll need to download Zemana Free on your MS Windows Desktop from the following link.
- At the download page, click on the Download button. Your internet browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- Once the download is finished, please close all apps and open windows on your computer. Next, launch a file called Zemana.AntiMalware.Setup.
- This will start the “Setup wizard” of Zemana Anti Malware onto your PC. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana AntiMalware will run and open the main window.
- Next, click the “Scan” button to perform a system scan with this tool for the Cosakos file virus and other security threats. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. When a threat is detected, the number of security threats shown will change accordingly. Wait until the scanning is finished.
- When the scan is complete, Zemana Anti Malware will show a list of detected items.
- All found items will be marked. You can remove them all by simply pressing the “Next” button. The tool will uninstall the Cosakos virus, other malicious software, worms and trojans and add the threats to the Quarantine. When the process is done, you may be prompted to restart the machine.
- Close the Zemana AntiMalware and continue with the next step.
Run MalwareBytes to remove Cosakos file virus
You can remove Cosakos virus automatically through the use of MalwareBytes Anti Malware (MBAM). We suggest this free malicious software removal tool because it can easily delete crypto malware, adware software, malicious software and other unwanted applications with all their components such as files, folders and registry entries.
Please go to the following link to download the latest version of MalwareBytes AntiMalware for Microsoft Windows. Save it to your Desktop so that you can access the file easily.
After the download is done, close all software and windows on your PC. Open the directory in which you saved it and double-click the icon called mb3-setup.
When the installation begins, you will see the “Setup wizard”, which will help you set up Malwarebytes on your system.
Once installation is complete, you will see the Malwarebytes window.
Now press the “Scan Now” button to perform a system scan with this tool for the Cosakos file virus and other kinds of potential threats such as malicious software and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system. While MalwareBytes is scanning, you can see how many objects it has identified as malicious software.
Once the scan has finished, MalwareBytes Free will show a list of all items detected by the scan. Next, click the “Quarantine Selected” button.
Malwarebytes will now begin to delete the Cosakos file virus and other security threats. When that process is done, you may be prompted to reboot your computer.
Remove Cosakos file virus with KVRT
KVRT is a free removal utility that can be downloaded and run to remove crypto malwares, adware, malicious software, potentially unwanted apps, toolbars and other threats from your system. You can use this utility to detect threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop by clicking on the link below.
Once the download is finished, double-click on the KVRT icon. Once the initialization procedure is finished, you will see the Kaspersky virus removal tool screen.
Click Change Parameters and set a check mark next to all your drives. Press OK to close the Parameters window. Next, press the Start scan button to begin checking your machine for the Cosakos virus and other known infections.
When the scan is done, Kaspersky virus removal tool will display the results.
All detected items will be marked. You can delete them all by simply clicking Continue to begin a cleaning task.
How to decrypt .cosakos files
As mentioned earlier, the ransom payment is the only way to decrypt .cosakos files, unfortunately. After the victim transfers the specified amount of money (usually $980 in Bitcoins) to the scammers, they provide a special code key to decrypt the locked data.
Never pay the ransom! Transferring money to the attackers is no guarantee that the victim will receive a private key to unlock the encrypted personal files. Very often, after receiving the ransom payment, scammers impose new requirements for the transfer of an even larger amount of money. It is impossible to predict exactly what the fraudsters who designed the Cosakos file virus will do, but it is safe to say that these actions are immoral and illegal.
The Cosakos virus is not the only one of its kind. For some similar viruses, security professionals have already created ways to restore access to blocked photos, documents and music. This gives hope that a Cosakos decryption utility can be created for this ransomware virus as well. However, since each case of encryption is unique, the victim should seek help and provide an identifier that will make it possible to get the private key and decryption utility.
Cosakos decryption tool
With some variants of Cosakos virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Cosakos decryption tool named STOPDecrypter. It can decrypt .Cosakos files if they were locked with one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the twitter post for more info.
STOPDecrypter is a program that can be used for Cosakos file decryption. One of the biggest advantages of STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ DB is constantly updated. Let’s see how to install STOPDecrypter and decrypt .Cosakos files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .Cosakos files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .cosakos files
In some cases, you can restore files encrypted by the Cosakos file virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Restore .cosakos files with ShadowExplorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Visit the page linked below to download ShadowExplorer. Save it on your Desktop.
When the download is done, extract the saved file to a directory on your personal computer. This will create the necessary files.
Launch the ShadowExplorerPortable program. Now choose the date (2) that you wish to recover from and the drive (1) you wish to restore files (folders) from.
In the right panel, navigate to the file (folder) you wish to recover. Right-click the file or folder and press the Export button.
Finally, specify a folder (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.
Use PhotoRec to recover .cosakos files
Before a file is encrypted, the Cosakos virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recovery programs like PhotoRec.
Download PhotoRec on your computer from the following link.
After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder.
Double-click qphotorec_win to run PhotoRec for MS Windows. It will open the PhotoRec main screen.
Choose a drive to recover.
You will see a list of available partitions. Select a partition that holds encrypted files.
Click the File Formats button and choose the file types to restore. You can enable or disable the restoring of certain file types. When this is complete, press the OK button.
Next, click Browse button to choose where recovered documents, photos and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the recovery is complete, click the Quit button. Next, open the directory where the restored files are stored.
All recovered photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your restored files by extension and/or date/time.
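Sorting the PhotoRec output by extension and date, as described above, is tedious by hand when there are many recup_dir.N folders. The following Python script is an added example, not part of the original guide or of PhotoRec: it indexes every file in those folders by extension, newest modification time first. The function names, sample file names and timestamps are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

RECUP_DIR = re.compile(r"recup_dir\.\d+")  # PhotoRec output folder names


def index_recovered(dest, wanted=None):
    """Return {extension: [(mtime, path), ...]}, newest first, for files in
    dest/recup_dir.N; `wanted` optionally limits extensions, e.g. {".jpg"}."""
    index = defaultdict(list)
    for entry in sorted(os.listdir(dest)):
        folder = os.path.join(dest, entry)
        if not (RECUP_DIR.fullmatch(entry) and os.path.isdir(folder)):
            continue  # ignore anything PhotoRec did not create
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower() or "(none)"
            if os.path.isfile(path) and (not wanted or ext in wanted):
                index[ext].append((os.path.getmtime(path), path))
    for files in index.values():
        files.sort(reverse=True)  # newest modification time first
    return dict(index)


def build_sample_output(dest):
    """Constructed sample: PhotoRec-style folders plus one unrelated folder."""
    samples = [
        ("recup_dir.1", "f0001024.jpg", 1_560_000_000),
        ("recup_dir.1", "f0002048.docx", 1_561_000_000),
        ("recup_dir.2", "f0004096.jpg", 1_562_000_000),
        ("not_photorec", "ignored.jpg", 1_563_000_000),
    ]
    for folder, name, mtime in samples:
        os.makedirs(os.path.join(dest, folder), exist_ok=True)
        path = os.path.join(dest, folder, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))  # fixed timestamps for the demo


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_output(tmp)
        for ext, files in sorted(index_recovered(tmp).items()):
            print(ext, [os.path.basename(p) for _, p in files])
```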
How to protect your machine from Cosakos virus
Most antivirus applications already have built-in protection against ransomware. Therefore, if your PC does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from Cosakos file virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your machine from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from Windows XP to Windows 10.
Installing the HitmanPro.Alert is simple. First you will need to download HitmanPro.Alert on your computer by clicking on the link below.
After the download is complete, open the file location.
Double-click the HitmanPro.Alert desktop icon. After the tool starts, you will see a window where you can choose a level of protection.
Now click the Install button to activate the protection.
Final words
Once you’ve completed the step-by-step instructions above, your machine should be free from the Cosakos file virus and other malicious software. Your system will no longer encrypt your documents, photos and music. Unfortunately, if these few simple steps do not help you, then you have caught a new crypto virus, and the best thing to do is to ask for help here.