KoKo Locker - How to remove

KoKo Locker is a dangerous ransomware infection that attacks users around the world. If you were unlucky enough to get infected with this virus, you have come to the right place. In this article we will provide you with the guidance how you should act in this kind of situation.

First thing you have to do is eliminate the virus from your system because it can infiltrate other infections into it. That can be done by using anti-malware application. Download reliable anti-malware application, such as Spyhunter or Malwarebytes and install it on your computer. Then run a full scan of all files stored on your PC and it will detect and remove the malware automatically. If your computer is already infected with other viruses, it will detect and remove them too. More in-depth instructions on how to deal with this infection can be found below this article – take a look at it.

If you have some questions about removal process or virus itself – feel free to contact us in the comment section below and we will do our best to help you. Learn more about specific features of KoKo Locker by reading the rest of this article.

About KoKo Locker ransomware

To understand how this malware works you have to understand intentions of its developers. Cyber criminals seek to make money by infecting computers, locking files that are stored on them and then asking for the ransom in order to unlock the files.

So once KoKo Locker is inside of your computer, it runs a scan of all files stored on your hard drive – much alike anti-virus applications do when trying to detect the virus, except they are not looking for viruses. They are looking for your documents that can be locked. And it’s just about any file – documents, music, video files or photos. Ransomwares like this support most of most popular file types. Once the scan is complete, KoKo Locker will lock your files, adding ‘.kokolocker’ extension to all of them. From now on, you can’t open or use your files in any other way. Immediately after that, a message like this will appear on your home screen:

‘— KoKoKrypt —
All of your personal data got encrypted by KokoKrypt!
To unlock all your data of this computer, you have to do the following steps:
1. Get a Bitcoin Wallet
2. Get 0.1 BTC on it
3. Put your BTC Address below
4. Wait for decryption process
Payment may be delayed for 24/48 hours, so don’t worry! You have 78h to pay!
After 78h, KoKoKrypt will uninstall itself and leave your files encrypted!
button “Pay using Bitcoin”

As you can see, you are asked to pay a ransom of 0.1 BTC (That is approximately $90 USD at the current rate) in order to retrieve your files. They manipulate by saying that it has to be done within the next 78 hours so users fall into panic and make bad decisions. Making that ransom payment is definitely a bad decision because there is no guarantee that you will retrieve your files even after the payment and you support cyber criminals financially.

If you have already removed KoKo Locker ransomware from your computer, the next thing you should do is restore your files. Unfortunately, at the moment there is no such software developed that would be able to decrypt files encrypted by KoKo Locker ransomware. We will keep you updated on that if something changes. Yet there is a way to retrieve those files by performing a system restore. However, in order to perform this restore you need to have a copy of your hard drive that was made before virus entered your system.

How to recover KoKo Locker encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before KoKo Locker has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of KoKo Locker

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to KoKo Locker. You can check other tools here.  

Step 3. Restore KoKo Locker affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually KoKo Locker tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover KoKo Locker encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal