Kokoklock Ransomware - How to remove

Kokoklock, a recently discovered ransomware virus, is also called Koko or Mailto at the moment, but it is unrelated to KoKo Locker, which is a different ransomware. Kokoklock renames your files to include the “mailto[[email protected]]” string in their names, but more than that, it can cost you your files, your time, and even money. The virus can be removed, but whether the data is recoverable depends on each victim’s circumstances.

Once Kokoklock is on your PC, it runs through your files and encrypts them quickly and efficiently, causing a great deal of harm in a short time. Only Windows system files are spared — they’re needed for the computer to still work and for the victim to see all the damage done by the malware and to read the message that the extortionists left. The message includes instructions to pay some money to get the files unlocked. This type of extortion scheme is not uncommon nowadays and it’s very lucrative for cyber criminals — they won’t stop spreading ransomware any time soon. Some of the newer file-locking infections include Peta, Moka, MGS ransomware.

Symptoms of a Kokoklock attack

You might notice a slowdown of your computer while Kokoklock is editing the files, but it shouldn’t take it long to go through all of them. You might think that hundreds of gigabytes would take a while to encrypt, but most ransomware doesn’t encrypt every bit. Rather, it encrypts only enough of each file to break it, corrupting the beginning, the middle, and the end of big files.
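To see what that partial encryption looks like from the recovery side, the following added example (not part of the original article) measures Shannon entropy per fixed-size window and reports which windows look encrypted. The 4096-byte window, the 7.5 bits/byte threshold and the sample data are assumptions made for illustration; the article does not say how much of each file Kokoklock overwrites.

```python
import math
import os
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data, window=4096):
    """Entropy of each consecutive window of the data."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def damaged_windows(data, window=4096, threshold=7.5):
    """Indexes of windows whose entropy is at or above the (assumed) threshold."""
    return [i for i, h in enumerate(entropy_profile(data, window)) if h >= threshold]

def build_sample(windows=40, window=4096):
    """Constructed sample: plain text with the first, middle and last window
    replaced by random bytes, standing in for a partially encrypted file."""
    text = (b"Quarterly report draft, constructed sample text. " * 100)[:window]
    buf = bytearray(text * windows)
    for idx in (0, windows // 2, windows - 1):
        buf[idx * window:(idx + 1) * window] = os.urandom(window)
    return bytes(buf)

if __name__ == "__main__":
    data = build_sample()
    hits = damaged_windows(data)
    total = len(entropy_profile(data))
    print(f"{len(hits)} of {total} windows look encrypted: {hits}")
    print(f"{total - len(hits)} windows still hold low-entropy (likely intact) data")
```

Formats that are already compressed (JPEG, ZIP, most video) are high-entropy throughout, so this profile only separates damaged from intact regions in low-entropy files such as text, databases or uncompressed documents.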

The filenames that Kokoklock sets follow a template: [original name].[original extension].mailto[[email protected]].[random], with [random] being a string of six numbers that are unique to the victim.

After the encryption is done, Kokoklock drops readme files in each folder that holds the affected files. The names of these readme files are prefixed with the same random six symbols that the encrypted files have in their names. [random]-readme.txt is the template of the ransom note names.


What happen ?

Your files are encrypted, and currently unavailable.
You can check it: all files on your computer has expansion [random].
By the way, everything is possible to recover, but you need to follow our instructions.
Otherwise, you cant return your data.

What guarantees?

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us.
Its not in our interests.
To check the ability of returning files, you should write to us by email.
There you can decrypt one file for free. That is our guarantee.

How to contact with us ?

Email us:
[email protected]
[email protected]
Be sure to include your personal code in the letter:

The contents are very similar to the note of Nemty ransomware, but it’s probably unrelated. Ransomware creators copy each other’s ransom notes all the time.
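The naming templates described above are enough to scope the damage on a file listing. This added example (not from the original article) groups renamed files and ransom notes by victim ID and recovers the original file names. The contact address is redacted on the page, so the pattern accepts any bracketed text, and the sample paths, address and ID are constructed placeholders.

```python
import os
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Template from the article: <name>.<ext>.mailto[<contact address>].<random>
# The contact address is redacted on the page, so any bracketed text is accepted.
# The article calls <random> six "numbers" and six "symbols"; alphanumerics cover both.
ENCRYPTED = re.compile(r"^(?P<original>.+)\.mailto\[(?P<contact>[^\]]+)\]\.(?P<vid>[0-9A-Za-z]{6})$")
NOTE = re.compile(r"^(?P<vid>[0-9A-Za-z]{6})-readme\.txt$", re.IGNORECASE)

def list_tree(root):
    """Return every file path under root (for use on a mounted, offline copy of the disk)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]

def triage(paths):
    """Group a file listing by victim ID: renamed files, their original names, ransom notes."""
    report = defaultdict(lambda: {"encrypted": [], "notes": [], "folders": set()})
    for raw in paths:
        p = PureWindowsPath(raw)
        hit = ENCRYPTED.match(p.name)
        if hit:
            entry = report[hit["vid"]]
            entry["encrypted"].append((str(p), hit["original"]))
            entry["folders"].add(str(p.parent))
            continue
        hit = NOTE.match(p.name)
        if hit:
            report[hit["vid"]]["notes"].append(str(p))
    return dict(report)

def folders_without_note(entry):
    """Folders holding renamed files but no ransom note with the same ID."""
    noted = {str(PureWindowsPath(n).parent) for n in entry["notes"]}
    return sorted(entry["folders"] - noted)

# Constructed sample listing (placeholder contact address and ID, not real indicators).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.mailto[contact@example.invalid].482913",
    r"C:\Users\alice\Documents\482913-readme.txt",
    r"C:\Users\alice\Pictures\trip.2019.jpg.mailto[contact@example.invalid].482913",
    r"C:\Users\alice\Pictures\untouched.png",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for vid, entry in triage(SAMPLE).items():
        print(vid, len(entry["encrypted"]), "renamed,", len(entry["notes"]), "notes")
        for path, original in entry["encrypted"]:
            print("  ", original, "<-", path)
        print("   no note in:", folders_without_note(entry))
```

On a real case, pass `list_tree()` of a mounted copy of the affected disk to `triage()`; the recovered original names help match files against backups.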

How to deal with Kokoklock ransomware

The creators of Kokoklock include in the ransom message that they want to keep up a good reputation and will restore the files of anyone who pays the ransom. Some distributors of ransomware do not care at all and simply collect their money and proceed to ignore the victims. That’s one of a few reasons why victims of ransomware are discouraged from paying the ransom; not only is it very expensive (usually), the likelihood of the files never getting fixed is just too high.

Instead, it’s better to consider alternative options for getting your files back. You might have saved some of them in the cloud or sent them to someone using email. There could also be some physical media that didn’t get encrypted. Once you’ve removed Kokoklock, it will be safe to connect it and check.


In the future, try to prepare for ransomware and other malware. One important thing is to update your security programs. Kokoklock is recognized by many anti-malware programs but newer versions won’t be. It takes a while for new infections to be found, analyzed, and added to anti-malware databases which means that outdated programs are at a great disadvantage.

How to remove Kokoklock

A competent antivirus program such as Spyhunter can detect Kokoklock and quarantine it, stopping it from causing any more damage. It’s actually possible that the virus deleted itself — but don’t trust it to not have left some nasty surprise behind, like a backdoor or something else that could cause problems later.



How to recover Kokoklock Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Kokoklock Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Kokoklock Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Kokoklock Ransomware.

Step 3. Restore Kokoklock Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as of the point in time when the system restore snapshot was created. Usually Kokoklock Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Kokoklock Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.