C0hen Locker Ransomware

C0hen Locker Ransomware is a threat that needs to be on your radar if it has not infected your Windows operating system yet. When we tested this malware, it was not fully functional yet, and our researchers believed that it could have been used for testing purposes only or that it was still in development. Of course, things might have changed by the time you are reading this report, and you might now need to remove C0hen Locker Ransomware from your operating system. If that is the case, we suggest that you read this report to learn more about the options you have. We hope that you will be able to choose the right method to delete the infection by the time you are done reading. If you have not yet encountered this malware, it is crucial that you secure your operating system, and we have included tips in this article that we are sure will help you with that. As always, the comments section below is open to the public, and you can ask questions or start discussions as you please.

Since C0hen Locker Ransomware was not yet spreading when we analyzed it, we can only guess how this malware could access vulnerable systems. Most likely, of course, it would exploit spam emails, bundled downloaders, and RDP vulnerabilities. This is how most ransomware infections spread, including Dever Ransomware, TurkStatik Ransomware, Afrodita Ransomware, and many others. The main condition is that the threat is successfully concealed because if victims realize that malware has slithered in, they might be able to delete it before files are encrypted. C0hen Locker Ransomware is set to encrypt personal files in Desktop, Documents, Downloads, Favorites, Music, Pictures, Recent, and Videos folders that are located in the %USERPROFILE% directory. If you do not keep any personal files in these folders, you might avoid damaging encryption. Unfortunately, the files with the “.c0hen” extension appended to their names – these are the encrypted files – cannot be recovered. That is not what the attackers want you to think.

The devious C0hen Locker Ransomware launches a window entitled “c0hen@admin” as soon as files are encrypted. The message starts with a warning stating that the encrypted files will be unrecoverable if you turn off your computer. Further on, the message suggests “donating” 0.15 Bitcoin – which is around $1,300 or €1,200 – and sending it to the attackers’ wallet (18Fh68NJrMZCiTqq1VoWaQsSb8pxDjEw6N). When we checked the wallet, it was empty, but this might be due to the fact that the threat was not yet spreading. The ransom note also suggested contacting the attackers via Discord to obtain a decryption key that, supposedly, could be used to decrypt all corrupted files. Would the attackers provide you with a decryptor if you paid the ransom? Most likely, they would not, and that is why we do not recommend engaging with them at all. In the best-case scenario, you do not need to do that because you have backups that could replace the corrupted files. If that is your situation, you should not waste any more time to delete C0hen Locker Ransomware, but even if backups do not exist, malware removal must be on your mind.

C0hen Locker Ransomware disables the Task Manager via the Windows Registry, and so you might be unable to find a malicious process running. If you could locate it, perhaps you could locate the launcher of the threat also. The manual removal guide below explains how to revive the Task Manager and, hopefully, delete C0hen Locker Ransomware itself. If this is not a good option for you, we suggest employing legitimate anti-malware software. This software would quickly identify the threat and erase all of its components automatically. Beyond that, it would secure your system, which is crucial because unsecured systems are the first ones to be affected by ransomware and other types of malware. Hopefully, all encrypted files can be replaced using backups after that. When it comes to backups, do not rely on internal backups. It is always best to store copies of files outside the computer, and we recommend using cloud storage systems or external drives. And always remember that if YOU do not take care of your files and your system’s security, no one else will.

C0hen Locker Ransomware Removal

N.B. Do not exit the window launched by the ransomware before following these steps.

1. Tap Win+R keys to access the Run dialog box.
2. Type regedit into the box and click OK to access Registry Editor.
3. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
4. Right-click the value named DisableTaskMgr and select Modify.
5. Enter 0 instead of 1 and then click OK.
6. Tap Ctrl+Alt+Delete to open a menu and select Task Manager.
7. Move to the Processes tab and locate the malicious process used by the ransomware.
8. Right-click the malicious process and choose Open file location.
9. Go back to Task Manager, select the malicious process, and click End task.
10. Go to the malicious .exe file, right-click it, and choose Delete.
11. Go back to Registry Editor and move to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
12. Right-click the value named c0hen locker and choose Delete.
13. Exit Registry Editor and Explorer and then Empty Recycle Bin.
14. Install a malware scanner that will examine your operating system and uncover any leftovers.