.cosanostra Files Ransomware – How to Remove It

This blog post aims to help you understand what the .cosanostra file ransomware is, how you can remove this cryptovirus effectively from your computer, and how you can try to restore the files it has encrypted on your PC.

A new variant of the GarrantyDecrypt ransomware was recently detected appending the .cosanostra file extension to files on the computers it attacks. The ransomware then drops the #RECOVERY_FILES#.txt ransom note, which asks victims to contact the crooks at the [email protected] address in order to pay for a decryption key. If your computer is infected with the .cosanostra files virus, we suggest that you read this article thoroughly to understand more about the .cosanostra variant of GarrantyDecrypt ransomware and learn the ways in which you can attempt to remove this infection.

Threat Summary

Name: .cosanostra Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to scramble the files on the computers that are compromised by it and then ask victims to pay for decryption.
Symptoms: Files can not be opened and have the .cosanostra suffix added. A ransom note, called #RECOVERY_FILES#.txt is added.
Distribution Method: Spam Emails, Email Attachments, Executable files

.cosanostra Files Virus – Distribution

For the .cosanostra file ransomware to be spread onto computers, the virus may be uploaded as a seemingly legitimate program on several websites, among which may be:

  • Cracks.
  • Patches.
  • Installers.
  • Portable executables.

The ransomware may also infect victims by being sent to them via e-mail attachments that only seem to be legitimate at first glance. They usually pretend to be:

  • Documents.
  • Invoices.
  • Receipts.
  • Banking statements.
  • Letters of complaint.
  • Some work-related files.

The attached documents are usually infected Microsoft Word files, which can compromise your computer via malicious macros after you open them.

GarrantyDecrypt .cosanostra Ransomware – Analysis

Once your computer has been compromised by GarrantyDecrypt ransomware, the virus may immediately start to create multiple different types of files. These may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Once GarrantyDecrypt ransomware is installed, the virus may begin to perform various malicious actions. The first is to drop its ransom note file, called #RECOVERY_FILES#.txt, and make it visible everywhere on the compromised computer, possibly by setting it to open automatically. The ransom note has the following message to victims:

All your files have been encrypted!

Now you should send us email with your personal identifier.

This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files. Contact us
using this email address
[email protected] com
And tell us your unique ID

The ransomware may also modify the Run and RunOnce sub-keys in the Windows Registry in order to set malicious files to start automatically on Windows boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
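
To audit these four keys on a suspect machine, the sketch below (an added example, not part of the original article) parses saved `reg query` output and lists autostart entries that launch from the drop directories named earlier or that open the ransom note. The sample output, value names and paths are constructed for illustration.

```python
import re

NOTE_NAME = "#RECOVERY_FILES#.txt"  # ransom note name given in the article
# The four Run/RunOnce keys the article names (HKLM and HKCU).
RUN_KEY = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft"
                     r"\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# A value line as printed by `reg query`: 4 spaces, name, type, data.
VALUE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
# Path forms of the drop directories the article lists (AppData, Temp, ...).
DROP_DIRS = re.compile(r"\\appdata\\(local|locallow|roaming)\\|\\temp\\"
                       r"|%(appdata|localappdata|temp|tmp)%", re.I)

def parse_run_entries(text):
    """Return (key, value name, data) for every value under a Run/RunOnce key."""
    key, entries = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip() if RUN_KEY.match(line.strip()) else None
        elif key and (m := VALUE.match(line)):
            entries.append((key, m["name"], m["data"]))
    return entries

def review_list(text):
    """Entries that need a manual look, with the reason each was picked."""
    hits = []
    for key, name, data in parse_run_entries(text):
        reasons = []
        if NOTE_NAME.lower() in data.lower():
            reasons.append("opens ransom note")
        if DROP_DIRS.search(data):
            reasons.append("runs from user-writable directory")
        if reasons:
            hits.append((key.rsplit("\\", 1)[-1], name, reasons))
    return hits

# Constructed `reg query` output; value names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    upd    REG_SZ    C:\Users\alice\AppData\Roaming\upd.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    note    REG_SZ    notepad.exe "C:\Users\alice\AppData\Local\Temp\#RECOVERY_FILES#.txt"
"""

if __name__ == "__main__":
    for hit in review_list(SAMPLE):
        print(hit)
```

Legitimate software such as OneDrive also starts from AppData, so the output is a list to review by hand, not a verdict.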

Furthermore, the .cosanostra files virus may also stop several Windows services, disable boot recovery and delete the backed-up shadow copies on the compromised machine by performing privilege escalation and then running the following commands on Windows boot:

sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
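
These commands are a useful detection point because they run before or alongside encryption. The sketch below (an added example, not part of the original article) matches them in process-creation command lines and raises an alert only when a host shows two or more of the behaviours within a short window; the event tuples, host names and the 300-second window are constructed assumptions.

```python
import re
from collections import defaultdict

# Services the article lists as stopped, spelled as on the page ("VVS").
# "vss" is added here because that is the real Volume Shadow Copy service name.
SERVICES = {"vvs", "vss", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

RULES = {
    "stop-service": re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\w+)", re.I),
    "disable-recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "delete-shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
}

def classify(cmdline):
    """Return the set of rule tags one process command line matches."""
    text = re.sub(r'["“”]', "", cmdline)  # quoting varies between log sources
    tags = set()
    for tag, rx in RULES.items():
        matches = list(rx.finditer(text))
        if tag == "stop-service":  # only the services named in the article count
            matches = [m for m in matches if m.group(1).lower() in SERVICES]
        if matches:
            tags.add(tag)
    return tags

def correlate(events, window=300):
    """Map host -> tags for hosts showing >= 2 behaviours within `window` seconds."""
    per_host = defaultdict(list)
    for ts, host, cmdline in sorted(events):
        per_host[host].extend((ts, tag) for tag in classify(cmdline))
    alerts = {}
    for host, hits in per_host.items():
        for start, _ in hits:
            seen = {tag for ts, tag in hits if 0 <= ts - start <= window}
            if len(seen) >= 2:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed process-creation events: (epoch seconds, host, command line).
SAMPLE_EVENTS = [
    (1000, "WS01", r"sc stop WinDefend"),
    (1002, "WS01", r"cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    (1003, "WS01", r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    (2000, "SRV02", r"sc stop wuauserv"),       # lone admin action: no alert
    (2050, "SRV02", r"vssadmin list shadows"),  # read-only query: no match
    (9000, "SRV02", r"sc.exe stop Spooler"),    # service not in the list
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```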

.cosanostra Files Virus Encryption Process

To encrypt files, the .cosanostra ransomware may first scan the infected machine for files with the following extensions:

“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

Then, the .cosanostra file ransomware may encrypt all files that are outside the following system directories:

  • %Windows%
  • %System%
  • %AppData%
  • %Temp%

The ransomware may then add the .cosanostra file extension to the encrypted files.

Remove .cosanostra Files Virus and Try Restoring Data

If you want to remove the .cosanostra files virus, we strongly recommend that you follow the removal instructions posted underneath. They are separated so that you can first try to remove the .cosanostra files ransomware from your computer manually and, if that fails, remove it automatically, preferably by downloading an advanced anti-malware software, which is the recommended removal method. Such software will automatically remove all files related to the .cosanostra ransomware and help protect your system against future infections.

Furthermore, if you want to try to restore files encrypted by the .cosanostra file ransomware, we strongly recommend that you see the recovery methods underneath. They have been created to help you restore as many files as possible on your computer, but they are not guaranteed to recover all your data.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
