Computer security specialists have discovered a new ransomware variant named ‘Coharos virus‘. It appends the .coharos extension to the names of encrypted files. This post covers everything you need to know about this ransomware: how to delete the Coharos crypto virus from your system and how to restore (decrypt) your encrypted personal files for free.
Coharos locks personal files with a strong encryption algorithm and a long key, so the user cannot decrypt the data on their own without the private key, which is the only way to unlock the affected files. The criminals offer that key only in exchange for a payment in Bitcoin, and the amount is very large. Coharos encrypts almost all videos, images, web application files, databases, documents, music and archives, including common types such as:
.3fr, .wmf, .zabw, .hvpl, .pkpass, .zip, .sb, .svg, .mdbackup, .wb2, .zdb, .xlk, .wpd, .wps, .mcmeta, .xy3, .zif, .wp, .p12, .y, .psd, .bkp, .rw2, .raf, .bik, .xld, .xx, .docm, .p7b, .m3u, .icxs, .wm, .wmd, .d3dbsp, .lbf, .arch00, .webdoc, .t12, .iwi, .erf, .p7c, .docx, .map, .z, .qdf, .wpg, .flv, .srf, .csv, .wsh, .xls, .x3d, .pst, .kf, .xyw, .png, .xlsx, .menu, .desc, .yal, .vtf, .xdb, .dazip, .m4a, .bkf, .pfx, .xlsb, .wmv, .ltx, .blob, .ibank, .ws, .mdf, .1st, .ptx, .cdr, .wpw, .7z, .xmmap, .pdd, .pptx, .wbmp, .crt, .jpe, .dmp, .wp5, .gho, .sidd, .itl, .fpk, .pptm, .vdf, .rgss3a, .wdp, .wpd, .webp, .wma, .dcr, .wbz, .wp4, .mdb, .zw, .wbk, .pef, .r3d, .rar, .tax, .orf, .snx, .xbplate, .sis, .dng, .xdl, .zip, .ncf, .xlsm, .t13, .wbd, .wps, .jpeg, .xls, .qic, .rtf, .mov, .tor, .ntl, .ods, .wbc, .mddata, .bar, .raw, .asset, .psk, .epk, .wma, .srw, .upk, .wpl, .3ds, .sql, .odp, .pdf, .dba, .wpa, .wn, .bsa, .itdb, .wdb, .wpt, .xf, .xmind, .litemod, .sidn, .wsc, .zdc, .x3f, .ysp, .cr2, .2bp, .doc, .mp4, .rofl, .rim, .arw, .itm, .lrf, .css, .sid, .sr2, .sum, .db0, .sie, .gdb, .layout, .x, .m2, .wotreplay, .0, .cer, .bc7, .odc, .fsh, .mpqge, .wpb, .1, .vfs0, .bc6, .w3x, .xpm, .syncdb, .vcf, .mrwref, .iwd, .dwg, .wbm, .indd, .apk, .xyp, .zi, .accdb, .slm, .ff, .wcf, .eps, .re4, .jpg, .fos, .x3f, .xml, .pak, .wp7, .xlgc, .der, .mef, .wot, .nrw, .dbf, .wsd, .xxx, .xll, .wire, .xbdoc, .lvl, .odb, .odm, .kdb, .ppt, .avi, .hkx, .das, .xlsx, .js, .rwl, .ybk, .py, .3dm, .dxg, .wpe, .vpk, .wgz, .yml, .wmv, .wmo, .mlx, .wri, wallet, .xar, .wav
Once encryption is complete, all encrypted documents, photos and music have the new .coharos extension appended to their names. The Coharos crypto malware then drops a file named ‘_readme.txt’. This file contains ransom instructions written in English. The ransom note directs users to pay in Bitcoin in exchange for the special key needed to unlock their photos, documents and music.
Threat Summary
| Field | Details |
| --- | --- |
| Name | Coharos |
| Type | Crypto virus, File locker, Filecoder, Ransomware, Crypto malware |
| Encrypted files extension | .coharos |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $490/$980 in Bitcoins |
| Symptoms | Unable to open personal files. Files are encrypted with a .coharos file extension. A file named ‘_readme.txt’ or ‘_readme’ appears in each folder with at least one encrypted file. |
| Distribution ways | Spam or phishing emails crafted to get people to open an attachment or click a link. Drive-by downloads (a user unknowingly visits an infected web site and malicious software is installed without the user’s knowledge). Social media posts (used to trick users into downloading software with a built-in ransomware downloader or clicking a malicious link). USB sticks containing malicious software. |
| Removal | To remove Coharos ransomware, use the removal guide below |
| Decryption | To decrypt .coharos files, follow the decryption steps below |
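The symptoms in the Threat Summary (the .coharos extension and a ‘_readme.txt’ note in each affected folder) are easy to check for automatically before you start cleaning. The following Python script is an added example, not part of the original guide or of any tool it describes: it walks a directory tree, counts .coharos files per folder, records which original extensions were hit, and flags folders that hold encrypted files but no ransom note. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Triage a directory tree for the indicators listed in the Threat Summary.

Added example, not part of the original guide; the sample tree below is constructed.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".coharos"                 # extension the page says is appended
NOTE_NAMES = {"_readme.txt", "_readme"}    # ransom note names from the Threat Summary


def triage(root):
    """Walk `root` and summarise ransomware indicators.

    Keys of the returned dict:
      encrypted         number of files whose name ends in .coharos
      folders_hit       folders (relative to root) holding at least one .coharos file
      folders_with_note folders holding a ransom note
      original_exts     Counter of the extension each file had before encryption
      note_missing      hit folders where no note was found (worth a closer look)
    """
    encrypted = 0
    folders_hit = set()
    folders_with_note = set()
    original_exts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if set(files) & NOTE_NAMES:
            folders_with_note.add(rel)
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted += 1
                folders_hit.add(rel)
                # "holiday.jpg.coharos" -> original extension ".jpg"
                stem = name[: -len(ENCRYPTED_EXT)]
                original_exts[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return {
        "encrypted": encrypted,
        "folders_hit": sorted(folders_hit),
        "folders_with_note": sorted(folders_with_note),
        "original_exts": original_exts,
        "note_missing": sorted(folders_hit - folders_with_note),
    }


def build_sample_tree(root):
    """Create a constructed, victim-like tree under `root` (sample data, not a real infection)."""
    layout = {
        "Pictures": ["holiday.jpg.coharos", "cat.png.coharos", "_readme.txt"],
        "Documents": ["thesis.docx.coharos", "notes.txt", "_readme.txt"],
        "Downloads": ["setup.exe", "archive.zip.coharos"],   # encrypted file but no note
        "Music": ["song.mp3"],                               # untouched folder
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in files:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"sample-bytes")


def demo():
    """Build the constructed sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    report = demo()
    print(f"encrypted files: {report['encrypted']}")
    print(f"affected folders: {report['folders_hit']}")
    print(f"original extensions hit: {dict(report['original_exts'])}")
    print(f"hit folders without a ransom note: {report['note_missing']}")
```

To check a real machine, call triage() on the drive or user profile instead of the sample tree. A folder that holds encrypted files but no note, or a note with no encrypted files beside it, deserves a closer look, since the Threat Summary says the note accompanies every folder with at least one encrypted file. The list of original extensions also tells you which of the file types listed above to prioritise when checking your backups.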
We recommend removing the Coharos virus without delay, before the presence of the crypto malware leads to even worse consequences. Follow the guidance below to completely remove the Coharos virus from your computer and to recover (decrypt) your encrypted documents, photos and music using only a few free tools.
Quick links
- How to remove Coharos ransomware virus
- How to decrypt .coharos files
- Coharos decryption tool
- How to restore .coharos files
- How to protect your computer from Coharos ransomware virus?
How to remove Coharos ransomware virus
Before you begin recovering encrypted files, make sure the Coharos ransomware is no longer running. First, uninstall this crypto malware permanently. Fortunately, several malware removal tools will effectively detect and remove the Coharos ransomware and other crypto virus malware from your system.
How to remove Coharos virus with Zemana AntiMalware
Zemana Anti-Malware (ZAM) is a malware scanner that is very useful for detecting and removing Coharos ransomware. The steps below explain how to download, install and use Zemana Anti-Malware (ZAM) to scan your PC and remove crypto viruses, worms, malware, trojans, spyware and adware for free.
- First, click the link below, then click the ‘Download’ button to download the latest version of Zemana Free.
Zemana AntiMalware
- On the download page, click the Download button. Your web browser will open the “Save as” prompt. Save the file to your Windows desktop.
- Once the download is done, close all applications and open windows on your machine. Next, run the file named Zemana.AntiMalware.Setup.
- This opens the “Setup wizard” of Zemana Free. Follow the prompts and do not change the default settings.
- When the Setup wizard has finished installing, Zemana AntiMalware (ZAM) will open and display its main window.
- Next, press the “Scan” button to search for the Coharos crypto virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your PC. When a threat is detected, the count of security threats changes accordingly.
- Once the check is finished, it will display the Scan Results.
- You can remove the threats (move them to Quarantine) by simply clicking the “Next” button. The tool removes the folders, files and registry keys related to the Coharos crypto virus and moves the threats to the program’s quarantine. After disinfection is finished, you may be prompted to restart the PC.
- Close Zemana Anti-Malware and continue with the next step.
Use MalwareBytes Anti Malware (MBAM) to delete ransomware
We suggest using MalwareBytes Anti-Malware (MBAM), which will completely clean your machine of the crypto malware. This free utility is an advanced malware removal program developed by Malwarebytes. It uses the world’s most popular anti-malware technology and can help you delete ransomware, PUPs, malicious software, adware, toolbars and other security threats from your computer for free.
- Visit the following page to download MalwareBytes Anti-Malware (MBAM). Save it to your Desktop.
Malwarebytes Anti-malware
- On the download page, click the Download button. Your browser will show the “Save as” prompt. Save the file to your Windows desktop.
- After the download is done, close all software and open windows on your computer. Double-click the icon named mb3-setup.
- This launches the “Setup wizard” of MalwareBytes Anti-Malware. Follow the prompts and do not change the default settings.
- When the Setup wizard has finished installing, MalwareBytes Free will launch and show its main window.
- Next, click the “Scan Now” button to start scanning your computer for the Coharos ransomware virus and other malware, worms and trojans. This may take quite a while, so please be patient. While MalwareBytes Anti-Malware (MBAM) is checking, you can see the count of objects it has identified as threats.
- When the scan ends, MalwareBytes Free displays the results.
- When you’re ready, click the “Quarantine Selected” button. When disinfection is done, you may be prompted to reboot the machine.
- Close the Anti-Malware and continue with the next step.
Scan and free your computer of crypto malware with KVRT
KVRT is a free portable program that scans your system for malware, trojans and ransomware such as the Coharos virus and lets you delete them easily. It also lets you delete harmful browser extensions and add-ons.
Download Kaspersky Virus Removal Tool (KVRT) to your PC by clicking the link below.
When the download is finished, double-click the KVRT icon. Once initialization is complete, you will see the KVRT screen as displayed below.
Click Change Parameters and tick all of your drives. Click OK to close the Parameters window. Next, press the Start scan button to scan your system for the Coharos ransomware virus and other malware. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC and its speed. While Kaspersky Virus Removal Tool is scanning, you can see how many objects it has identified as threats.
Once the scan is finished, it displays the Scan Results as shown on the screen below.
Make sure all threats are checked and click Continue to begin cleaning.
How to decrypt .coharos files
You can damage the photos, documents and music encrypted by Coharos ransomware, or make them useless forever, if you try to find the private key on your own, which is almost impossible given its cryptographic complexity. It is very important to understand how essential it is to regularly back up important files to other media, such as a flash drive, so that if ransomware damages your system you can always restore a copy of the files that were encrypted.
Never pay the ransom! A user who pays the ransom to the attackers cannot be sure of obtaining the private key, because they are dealing with unscrupulous and dishonest people who are ready to commit any immoral act, including disappearing after receiving the payment without providing a decryption utility (key) to unlock the encrypted personal files.
Paying the ransom cannot be considered the only way out when your system is infected by the Coharos crypto malware; it only funds the illegal activity of cyber criminals. The smart thing to do is to restore the encrypted files from a backup, or to wait for the release of a Coharos decryption utility. You can also try to decrypt documents, photos and music using the free programs listed below.
Coharos decryption tool
With some variants of the Coharos virus, it is possible to decrypt encrypted files using the free tools listed below.
Michael Gillespie (@) released the Coharos decryption tool named STOPDecrypter. It can decrypt .coharos files if they were locked with one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the twitter post for more info.
STOPDecrypter is a program that can decrypt Coharos files. One of its biggest advantages is that it is free and easy to use. Its database of ‘OFFLINE KEYs’ is also updated constantly. Let’s see how to install STOPDecrypter and decrypt .coharos files with this free tool.
- Installing STOPDecrypter is simple. First, download STOPDecrypter to your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the download is done, close all applications and windows on your machine. Open the file location and right-click the icon named STOPDecrypter.zip.
- Next, select ‘Extract all’ and follow the prompts.
- Once extraction is finished, right-click STOPDecrypter and choose ‘Run as Administrator’. Select the directory and press the Decrypt button.
If STOPDecrypter does not decrypt your .coharos files, in some cases you still have a chance to restore the files encrypted by the ransomware, using the tools ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .coharos files
In some cases you can recover files encrypted by the Coharos ransomware virus. Try both methods. Understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Recover .coharos files with ShadowExplorer
To recover .coharos documents, photos and music encrypted by the Coharos crypto virus from Shadow Volume Copies, you can run a utility called ShadowExplorer. We advise using this method because its easy-to-use interface makes it simple to find and recover the previous versions of the encrypted files you need.
Go to the link below to download the latest version of ShadowExplorer for MS Windows. Save it to your Desktop.
When the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the screen below.
Run the ShadowExplorer utility, then choose the disk (1) and the date (2) of the shadow copy from which you wish to restore the file(s) encrypted by the Coharos ransomware, as shown below.
Now navigate to the file or folder you want to restore. When ready, right-click it and click the ‘Export’ button as on the image below.
Restore .coharos files with PhotoRec
Before a file is encrypted, the Coharos ransomware virus makes a copy of it, encrypts the copy, and then deletes the original file. This can allow you to restore your personal files using file recovery applications such as PhotoRec.
Download PhotoRec from the following link.
When the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the following example.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen like the one on the image below.
Choose a drive to recover, as shown below.
You will see a list of available partitions. Choose the partition that holds the encrypted photos, documents and music, as shown in the following example.
Click the File Formats button and select the file types to recover. You can enable or disable recovery of particular file types. When this is done, press the OK button.
Next, click the Browse button to choose where restored files should be written, then press Search.
The count of restored files is updated in real time. All restored photos, documents and music are written to the folder you chose in the previous step. You can access the files even before the restore process has finished.
When recovery is complete, click the Quit button. Next, open the directory where the recovered files are stored. You will see contents like the example below.
All recovered files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date/time.
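PhotoRec does not read the file system at all; it scans the raw bytes of the partition for the headers and footers of known file types and copies out whatever lies between them, which is why the deleted originals described above can sometimes be recovered even though the encrypted copies cannot. The Python below is an added example of that signature-carving idea, not PhotoRec's own code: SIGNATURES is a two-entry table of my own (JPEG and PNG), and the ‘disk image’ it carves is constructed in build_sample_image(), with a stretch of patterned bytes standing in for the ransomware's encrypted copy.

```python
"""Signature-based file carving in the spirit of PhotoRec.

Added example for this guide; not PhotoRec's code. The signature table and the
sample 'partition' below are constructed for the demonstration.
"""
import os

# Constructed signature table (tiny subset): header -> (footer, extension).
SIGNATURES = {
    b"\xff\xd8\xff": (b"\xff\xd9", "jpg"),               # JPEG: SOI marker ... EOI marker
    b"\x89PNG\r\n\x1a\n": (b"IEND\xaeB`\x82", "png"),    # PNG: signature ... IEND chunk + its CRC
}

# Constructed sample files: minimal byte strings carrying the right header and footer.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"sample jpeg payload" + b"\xff\xd9"
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x00\x00\x0dIHDR" + bytes(13) + b"\x00\x00\x00\x00"   # IHDR chunk, CRC zeroed
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"                            # empty IEND chunk, real CRC
)


def carve(image: bytes):
    """Scan raw bytes for every header in SIGNATURES and return (offset, ext, data)
    tuples, one per header/footer pair, sorted by offset. No file system is consulted."""
    found = []
    for header, (footer, ext) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header))
            if end == -1:
                break            # header with no footer: truncated or overwritten, skip it
            end += len(footer)
            found.append((start, ext, image[start:end]))
            pos = end
    found.sort(key=lambda item: item[0])
    return found


def build_sample_image() -> bytes:
    """Constructed partition contents: free space, a deleted JPEG whose clusters are still
    intact, the ransomware's encrypted copy (no recognisable header), and a PNG."""
    free_space = b"\x00" * 32
    encrypted_copy = bytes([0x5A, 0x3C] * 40)   # stand-in for ciphertext: no magic bytes
    return free_space + SAMPLE_JPEG + encrypted_copy + SAMPLE_PNG + free_space


def write_carved(found, outdir):
    """Write carved files to outdir as f<offset>.<ext>, mirroring PhotoRec's recup_dir layout."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, ext, data in found:
        path = os.path.join(outdir, f"f{offset:08d}.{ext}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    import tempfile
    results = carve(build_sample_image())
    for offset, ext, data in results:
        print(f"offset {offset:5d}: {ext} ({len(data)} bytes)")
    with tempfile.TemporaryDirectory() as tmp:
        print(write_carved(results, os.path.join(tmp, "recup_dir.1")))
```

The encrypted copy yields nothing because encryption destroys the magic bytes, while the deleted original is found only as long as its clusters have not been overwritten; that is why the recovered files should be written to a different drive than the one being scanned. Carving also loses the original file names, which is why PhotoRec's output is sorted by extension and date rather than by name.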
How to protect your computer from Coharos ransomware virus?
Most antivirus applications already have built-in protection against ransomware. Therefore, if your computer does not have an antivirus application, make sure you install one. As extra protection, run HitmanPro.Alert.
Use HitmanPro.Alert to protect your personal computer from Coharos crypto virus
HitmanPro.Alert is a small security tool. It checks system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove and reverse the effects of ransomware.
Go to the following link to download the latest version of HitmanPro.Alert for Windows. Save it directly to your MS Windows Desktop.
After the download is complete, open the folder in which you saved it. You will see an icon like the one below.
Double-click the HitmanPro.Alert desktop icon. Once the tool opens, you will be shown a window where you can select a level of protection, as shown on the screen below.
Now click the Install button to activate the protection.
Final words
Your machine should now be free of the Coharos crypto malware. Remove MalwareBytes Anti-Malware (MBAM) and Kaspersky Virus Removal Tool. We recommend keeping Zemana Free to periodically scan your computer for new malware. Moreover, to prevent crypto malware, stay clear of unknown and third-party programs, and make sure your antivirus program has its option to block or detect ransomware turned on.
If you need more help with Coharos ransomware related issues, go here.