The .Cosacos virus

 Cosacos is the Ransomware cryptovirus infection that is the reason for writing the current post – it is a new and particularly unpleasant piece of malware that uses a highly sophisticated encryption code to lock up the files of the people whose computers it attacks. Such encryptions are really difficult to break even for a professional malware security expert. There are many people out there working day and night to break the encryptions of newer cryptoviruses like Cosacos in order to develop working decryptor tools. However, it takes a lot of time and effort to create a single such tool for only one Ransomware. At the same time, new Ransomware infections like Cosacos or Nelasod get created on a daily basis, which means there’s always a number of cryptoviruses with no corresponding decryptor tools for them. On our site, you can find a list of decryptors for some of the most popular Ransomware threats. We try to update the list with the latest decryptor additions so that our users can find and use them.

Why not simply pay the ransom?

The main problem with the payment is the uncertainty of it. Even if you leave aside the fact that the money sum demanded for the files’ decryption could be quite high and that not everyone may have the opportunity to make such a payment, there is still the risk of sending the sum and not getting anything in exchange for it. The hackers behind threats like Cosacos are not to be trusted – after all, they are the people responsible for your files’ decryption. They could easily decide that sending you the key is not something they are going to do. Furthermore, what’s the guarantee that such a key even exists? Oftentimes, there is none.

An alternative to the .Cosacos file encryption

We cannot promise that if you follow the alternative we are about to present you with, you will bring all of your data back. Still, it is worth to give it a try. The first thing you’d need to do is remove the virus – the guide below and the linked removal tool will help you with that. Then, you can go to the next section of the guide to see some recovery suggestions as well as visit our list of Ransomware decryptors and try some of them.

Cosacos SUMMARY:

[add_third_banner]

Remove Cosacos Ransomware 

1: Preparations

Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.

2: Task Manager

Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.

If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.

Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.

3: IP related to Cosacos

Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.

Find where it says Localhost and take a look below that. 

If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the Cosacos.

[add_forth_banner]

4: Disable Startup programs

Re-open the Start Menu and type msconfig.

Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10,  it will send you to the Startup part of the task manager instead, as in the picture:

If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious as there could be a link between them and Cosacos , disable those programs and select OK.

5: Registry Editor

Press Windows key + R and in the resulting window type regedit.

Now, press Ctrl + F and type the name of the virus.

Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.

6: Deleting potentially malicious data – Cosacos

Type each of the following locations in the Windows search box and hit enter to open the locations:

%AppData%

%LocalAppData%

%ProgramData%

%WinDir%

%Temp%

Delete everything you see in Temp linked to Cosacos Ransomware. About the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.

7: Cosacos Decryption

The previous steps were all aimed at removing the Cosacos Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide.

The post Remove Cosacos Virus Ransomware (+.Cosacos File Recovery) appeared first on Malware Complaints.

 Nvetud is a recent and very unpleasant example of a Ransomware cryptovirus – it was recently reported by users who have suddenly realized that none of their personal files stored in their computers’ hard drives can be opened. Of course, the hackers behind Nvetud or Cosacos readily offer a “solution” – pay them some money and you will get all of your files back. This is, after all, the main purpose of the Ransomware threats, and also the reason why these pieces of malware are named that way.The sole goal of the hackers behind Ransomware is to acquire money from their victims through blackmailing. However, many users may not be able or willing to pay, and may be more interested in finding alternative solutions to such an issue. Also, if you are one of the people who may be considering making the payment, we advise you to stay with us until the end of this post to learn why this isn’t really a very good idea.

The ransom demanded by the .Nvetud virus

It is usually not advisable to opt for this – even if you have the money available and are ready to send them in order to restore your data, you shouldn’t go ahead and do that without trying anything that doesn’t involve sponsoring some Internet criminals. The main problem with the ransom payment is the uncertainty surrounding the decryption key that the hackers promised. Does such a key even exist, and will it really be sent to you is something you simply can’t be sure about. The only sure thing is that if you send your money, that money would be gone for good and even if you don’t get your data back after the payment, you cannot hope for a refund.

Alternative ways to handle the .Nvetud file encryption

First, you will need to remove the malware from your computer, and the guide you will find on this page will help you do that. In case you need extra assistance with the removal, we recommend the anti-malware tool that is linked in the guide.

 After Nvetud is gone, you can go to the second part of the guide and take a look at the potential recovery methods posted there – they may not always work and be fully effective but trying them out is still preferable to risking your money by sending it to the hackers who are blackmailing you.

Nvetud SUMMARY:

[add_third_banner]

Remove Nvetud Ransomware 

1: Preparations

Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.

2: Task Manager

Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.

If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.

Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.

3: IP related to Nvetud

Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.

Find where it says Localhost and take a look below that. 

If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the Nvetud.

[add_forth_banner]

4: Disable Startup programs

Re-open the Start Menu and type msconfig.

Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10,  it will send you to the Startup part of the task manager instead, as in the picture:

If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious as there could be a link between them and Nvetud , disable those programs and select OK.

5: Registry Editor

Press Windows key + R and in the resulting window type regedit.

Now, press Ctrl + F and type the name of the virus.

Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.

6: Deleting potentially malicious data – Nvetud

Type each of the following locations in the Windows search box and hit enter to open the locations:

%AppData%

%LocalAppData%

%ProgramData%

%WinDir%

%Temp%

Delete everything you see in Temp linked to Nvetud Ransomware. About the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.

7: Nvetud Decryption

The previous steps were all aimed at removing the Nvetud Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide.

The post Remove Nvetud Virus Ransomware (+ .Nvetud File Recovery) appeared first on Malware Complaints.