This week, IT security researchers has received reports of yet another ransomware named ‘Codnat ransomware‘. This ransomware spreads via spam emails and malware files and appends the .codnat file extension to encrypted files. Read below a brief summary of information related to this ransomware and how to restore or decrypt .codnat files for free.
Files encrypted by .codnat ransomware
Immediately after the launch, the .Codnat ransomware ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.zdc, .xdb, .wdp, .upk, .das, .wpw, .mddata, .xy3, .docx, .xls, .blob, .wav, .rw2, .bik, .rar, .mp4, .ncf, .apk, .mlx, .jpeg, .ff, .bkp, .pfx, .m3u, .lrf, .wpd, .vdf, .y, .asset, .mdb, .xlk, .xxx, .zabw, .t13, .xpm, .ibank, .wdb, .doc, .dwg, .odt, .db0, .xlsb, .p7c, .wbk, .qic, .erf, .d3dbsp, .ysp, .map, .xml, .x3d, .py, .dxg, .odb, .avi, .zip, .wp4, .xar, .p12, .wmd, .wn, .wp, .slm, .wbz, .wcf, .wire, .m4a, .vpp_pc, .wps, .crt, .wm, .wpd, .rtf, .rwl, .ws, .xlsx, .xlsx, .itl, .wpt, .zif, .srw, .3ds, .yml, .pak, .webp, .indd, .gho, .mpqge, .ppt, .wsh, .zw, .raw, .eps, .zdb, .rb, .wot, .wpl, .xlgc, .xdl, .odc, .yal, .itm, .xwp, .xx, .css, .rofl, .ltx, .xll, .svg, .bay, .desc, .wpb, .wb2, .mcmeta, .ztmp, .bar, .ods, .pkpass, .docm, .srf, .dng, .fpk, .pef, .ptx, .tor, .big, .itdb, .t12, .xf, .odp, .z3d, .wma, .wpg, .r3d, .wmf, .arw, .fsh, .epk, .dmp, .kf, .sr2, .wbm, .raf, .vcf, .2bp, .sidn, .xyw, .psk, .7z, .mef, .qdf, .wgz, .arch00, .snx, .1, .wri, .1st, wallet, .cer, .p7b, .pptx, .xld, .odm, .3dm, .wsd, .wpe, .hvpl, .0, .hplg, .csv, .gdb, .esm, .x, .fos, .mdbackup, .sum, .wmv, .jpe, .wmv, .iwi, .xlsm, .wmo, .xls, .vpk, .wp7, .sav, .rim, .re4, .vfs0, .xyp, .tax, .bc6, .pdd, .wbmp, .x3f, .wbc, .pst, .layout, .cas, .pem, .sb, .zi, .mrwref, .orf, .sql, .kdc, .dcr, .dba, .xlsm, .ai, .lbf, .cfr, .x3f, .bc7, .wp6, .kdb, .dbf, .pdf, .cdr, .hkdb, .sidd, .psd, .lvl, .xmind, .dazip, .sie, .w3x, .sid, .xbdoc, .litemod, .js, .wotreplay, .ybk, .syncdb, .zip, .wpa, .der, .webdoc, .wp5, .rgss3a, .wps, .flv, .menu, .mdf, .3fr, .wbd, .bkf, .forge, .m2, .hkx, .xmmap, .pptm, .wsc, .z, .accdb, .wma, .iwd, .cr2, .txt, .jpg, .sis, .vtf, .icxs, .crw, .png, .xbplate
When the ransomware virus encrypts a file, it will append the .codnat extension to each encrypted file. This means that a document file named ‘example.doc‘, when encrypted, becomes ‘example.doc.codnat‘.
Once the ransomware finished enciphering of all photos, documents and music, it will create a file called “_readme.txt” with ransomnote on how to decrypt all files. An example of the ransom demanding message is:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6COaKAec5A Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | .Codnat ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Encrypted files extension | .codnat |
| Ransom note | _readme.txt |
| Contact | mosteros@firemail.cc, gorentos@bitmessage.ch, @datarestore (telegram) |
| Ransom amount | $980, $490 in Bitcoins |
| Symptoms |
|
| Removal | To remove .Codnat ransomware use the removal guide |
| Decryption | To decrypt .Codnat ransomware use the steps |
Use the step-by-step guidance below to delete ransomware and try to restore (decrypt) encrypted documents, photos and music for free.
Quick links
- How to remove .Codnat ransomware
- How to decrypt .codnat files
- Use STOPDecrypter to decrypt .codnat files
- How to restore .codnat files
- How to protect your personal computer from .Codnat ransomware?
- To sum up
How to remove .Codnat ransomware
The .Codnat ransomware virus can hide its components which are difficult for you to find out and delete completely. This can lead to the fact that after some time, the ransomware again infect your system and encrypt your documents, photos and music. Moreover, I want to note that it is not always safe to get rid of ransomware manually, if you don’t have much experience in setting up and configuring the Microsoft Windows operating system. The best solution to detect and get rid of .Codnat ransomware is to use free malicious software removal software that are listed below.
Remove .Codnat ransomware virus with Zemana Anti-malware
Zemana Anti-malware highly recommended, because it can detect security threats such the .Codnat ransomware virus, adware and other malicious software that most ‘classic’ antivirus applications fail to pick up on. Moreover, if you have any .Codnat ransomware removal problems which cannot be fixed by this utility automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.
Please go to the following link to download the latest version of Zemana for Windows. Save it on your Desktop.
164987 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the downloading process is finished, close all programs and windows on your system. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as on the image below.
When the installation begins, you will see the “Setup wizard” which will help you setup Zemana on your personal computer.
Once install is done, you will see window as shown in the figure below.
Now click the “Scan” button to perform a system scan for the .Codnat ransomware virus and other security threats. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. While the Zemana AntiMalware (ZAM) tool is scanning, you can see number of objects it has identified as being infected by malware.
When the scan is finished, the results are displayed in the scan report. You may remove items (move to Quarantine) by simply click “Next” button.
The Zemana Free will delete .Codnat ransomware virus related files, folders and registry keys and move threats to the program’s quarantine.
Run MalwareBytes AntiMalware to remove Codnat ransomware
You can get rid of .Codnat ransomware automatically with a help of MalwareBytes Anti Malware (MBAM). We suggest this free malware removal tool because it can easily remove ransomware virus, adware, malware and other undesired software with all their components such as files, folders and registry entries.
Installing the MalwareBytes is simple. First you will need to download MalwareBytes on your MS Windows Desktop from the link below.
327226 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the download is complete, close all software and windows on your personal computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown in the following example.
When the setup starts, you’ll see the “Setup wizard” that will help you setup Malwarebytes on your PC system.
Once install is complete, you will see window as displayed in the following example.
Now click the “Scan Now” button to search for Codnat ransomware related files, folders and registry keys. This process can take quite a while, so please be patient. While the MalwareBytes Anti Malware program is checking, you may see how many objects it has identified as threat.
After finished, MalwareBytes AntiMalware will show a scan report. Next, you need to press “Quarantine Selected” button.
The Malwarebytes will now begin to remove Codnat ransomware and other security threats. Once finished, you may be prompted to restart your computer.
The following video explains steps on how to delete hijacker infection, adware software and other malware with MalwareBytes Free.
Scan and clean your PC of ransomware virus with KVRT
KVRT is a free portable program that scans your computer for adware software, trojans and ransomware such as the .Codnat ransomware and allows remove them easily. Moreover, it’ll also allow you remove any malicious browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your Desktop.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is finished, double-click on the KVRT icon. Once initialization process is finished, you’ll see the KVRT screen as shown on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the .Codnat ransomware virus and other malicious software. This process can take some time, so please be patient. While the KVRT utility is checking, you can see how many objects it has identified as being infected by malware.
When that process is complete, the results are displayed in the scan report as displayed below.
Make sure all threats have ‘checkmark’ and click on Continue to begin a cleaning process.
How to decrypt .codnat files
The .Codnat ransomware uses a strong encryption method. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a method because of the big length of the key. Therefore, unfortunately, the only payment to the creators of the .Codnat ransomware entire amount requested – the only way to try to get the decryption key and decrypt all your files.
If your files have been encrypted by the .Codnat ransomware virus, We suggests: do not to pay the ransom. If this malware make money for its developers, then your payment will only increase attacks against you. Of course, decryption without the private key is not possible, but that does not mean that the .Codnat ransomware virus must seriously disrupt your live.
Files encrypted by .codnat ransomware
With some variants of Codnat ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .codnat files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.codnat).
Please check the twitter post for more info.
How to restore .codnat files
In some cases, you can recover files encrypted by .Codnat ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Use ShadowExplorer to recover .codnat files
The Microsoft Windows has a feature called ‘Shadow Volume Copies’ that can help you to recover .codnat files encrypted by the .Codnat ransomware virus. The way described below is only to recover encrypted documents, photos and music to previous versions from the Shadow Volume Copies using a free tool called the ShadowExplorer.
Download ShadowExplorer by clicking on the following link.
439627 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the downloading process is finished, extract the downloaded file to a folder on your PC. This will create the necessary files as shown in the figure below.
Run the ShadowExplorerPortable application. Now select the date (2) that you wish to recover from and the drive (1) you wish to recover files (folders) from like below.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and press the Export button as displayed on the image below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and press ‘OK’ button.
Restore .codnat files with PhotoRec
Before a file is encrypted, the .Codnat ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file recover applications such as PhotoRec.
Download PhotoRec on your PC from the link below.
When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the following example.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as shown below.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted personal files like below.
Click File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is complete, press OK button.
Next, press Browse button to select where restored photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered personal files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where recovered files are stored. You will see a contents as displayed in the following example.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your personal computer from .Codnat ransomware?
Most antivirus programs already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your computer from .Codnat ransomware
HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro.Alert is simple. First you’ll need to download HitmanPro Alert by clicking on the following link.
After the download is finished, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the tool is started, you will be displayed a window where you can choose a level of protection, as on the image below.
Now click the Install button to activate the protection.
To sum up
Now your PC should be free of the .Codnat ransomware. Delete MalwareBytes Free and KVRT. We suggest that you keep Zemana Free (to periodically scan your system for new malware). Make sure that you have all the Critical Updates recommended for Windows OS. Without regular updates you WILL NOT be protected when new ransomware, harmful programs and adware are released.
If you are still having problems while trying to remove .Codnat ransomware from your machine, then ask for help here.
