GETCRYPT@COCK.LI ransomware is a malicious software that invisibly penetrates the computer and encrypts personal files which stored on PC system disks. While encrypting, it renames all encrypted documents, photos and music so that they have a new file extension.
Files encrypted by “GETCRYPT.COCK@LI ransomware”
GETCRYPT@COCK.LI ransomware will hijack a whole computer and its data and demand a ransom in order to unlock (decrypt) them. The authors of ransomware have a strong financial motive to infect as many systems as possible. The ransomware will encrypt all files that are not located in the following folders:
- %AppData%
- $Recycle.Bin
- ProgramData
- Users\All Users
- Program Files
- Local Settings
- Windows
- Boot
- System Volume Information
- Recovery
When encrypting a file it will add a new file extension to each encrypted file name to identify that the file has been encrypted. For example, a file called sample.doc would be encrypted and renamed to sample.doc.NDSA.
When the encryption procedure is complete, the malicious software leaves a ransomnote called ‘# DECRYPT MY FILES #.txt’ with instructions on how to purchase a private key to decrypt all personal files. You can see an one of the variants of the ransom instructions below:
Attention! Your computer has been attacked by virus-encoder! All your files are now encrypted using cryptographycalli strong aslgorithm. Without the original key recovery is impossible. TO GET YOUR DECODER AND THE ORIGINAL KEY TO DECRYPT YOUR FILES YOU NEED TO EMAIL US AT: GETCRYPT@COCK.LI It is in your interest to respond as soon as possible to ensure the restoration of your files. P.S only in case you do not recive a response from the first email address within 48 hours,
Threat Summary
| Name | GETCRYPT@COCK.LI ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Encrypted files extension | random 4 character extension |
| Ransom note | # DECRYPT MY FILES #.txt |
| Contact | getcrypt@cock.li |
| Ransom amount | $300-$1000 in Bitcoins |
| Symptoms |
|
| Removal | To remove GETCRYPT@COCK.LI ransomware use the removal guide |
| Decryption | To decrypt GETCRYPT@COCK.LI ransomware use the steps |
In the tutorial below, I have outlined few methods that you can use to remove GETCRYPT@COCK.LI ransomware from your computer and restore (decrypt) encrypted files from a shadow volume copies or using file recover apps.
Quick links
- How to remove GETCRYPT@COCK.LI ransomware
- How to decrypt GETCRYPT@COCK.LI ransomware
- Use GetCrypt Decryptor to decrypt encrypted files
- How to restore encrypted files
- How to protect your PC system from GETCRYPT@COCK.LI ransomware virus?
- Finish words
How to remove GETCRYPT@COCK.LI ransomware
Using a malicious software removal tool to find and remove ransomware virus hiding on your machine is probably the easiest method to remove the GETCRYPT@COCK.LI ransomware virus. We recommends the Zemana program for MS Windows computers. MalwareBytes Free and KVRT are other antimalware utilities for Microsoft Windows that offers a free malware removal.
Use Zemana Anti-malware to remove GETCRYPT@COCK.LI ransomware virus
We suggest you to use the Zemana Anti-malware which are completely clean your computer of this ransomware virus. Moreover, the tool will allow you to remove trojans, malicious software, worms and adware software that your system may be infected too.
Installing the Zemana Anti-Malware (ZAM) is simple. First you’ll need to download Zemana Free by clicking on the link below.
164113 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the downloading process is finished, close all software and windows on your machine. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as displayed below.
When the install starts, you will see the “Setup wizard” that will help you install Zemana Anti Malware on your PC.
Once install is complete, you will see window as shown below.
Now press the “Scan” button . Zemana Free utility will start scanning the whole computer to find out the GETCRYPT@COCK.LI ransomware and other security threats. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. While the tool is checking, you can see how many objects and files has already scanned.
Once Zemana AntiMalware (ZAM) has completed scanning your PC, the results are displayed in the scan report. Review the results once the tool has complete the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next” button.
The Zemana will remove GETCRYPT@COCK.LI ransomware virus related files, folders and registry keys.
Use MalwareBytes AntiMalware (MBAM) to remove GETCRYPT@COCK.LI ransomware
If you are having issues with the GETCRYPT@COCK.LI ransomware removal, then download MalwareBytes Anti Malware. It is free for home use, and scans for and deletes various malicious software that attacks your machine or degrades computer performance. MalwareBytes Anti-Malware (MBAM) can remove adware, worms as well as malware including ransomware and trojans.
Visit the page linked below to download the latest version of MalwareBytes Free for Windows. Save it on your Desktop.
326462 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the download is finished, run it and follow the prompts. Once installed, the MalwareBytes Anti-Malware will try to update itself and when this task is finished, press the “Scan Now” button . MalwareBytes application will scan through the whole PC system for the GETCRYPT@COCK.LI ransomware, other malicious software, worms and trojans. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. When a threat is found, the count of the security threats will change accordingly. Wait until the the checking is finished. Review the report and then press “Quarantine Selected” button.
The MalwareBytes is a free application that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal utility, we suggest you to read and follow the tutorial or the video guide below.
Remove GETCRYPT@COCK.LI ransomware with KVRT
The KVRT utility is free and easy to use. It can scan and remove ransomware, malicious software, trojans and adware. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the PC system.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it to your Desktop so that you can access the file easily.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is finished, double-click on the KVRT icon. Once initialization procedure is done, you’ll see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next press Start scan button to perform a system scan for the GETCRYPT@COCK.LI ransomware virus . A system scan can take anywhere from 5 to 30 minutes, depending on your PC system. While the KVRT is checking, you can see how many objects it has identified either as being malware.
When the checking is complete, KVRT will display a scan report as shown on the screen below.
Review the scan results and then click on Continue to begin a cleaning procedure.
How to decrypt encrypted files
The GETCRYPT@COCK.LI ransomware offers victim to contact it’s authors in order to decrypt all personal files. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your documents, photos and music. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
Files encrypted by “GETCRYPT.COCK@LI ransomware”
With current variants of the GETCRYPT@COCK.LI ransomware, it is possible to decrypt or restore encrypted files using free tools such as GetCrypt Decryptor, ShadowExplorer and PhotoRec.
Use GetCrypt Decryptor to decrypt encrypted files
EMSISOFT company released a free decryption tool named GetCrypt Decryptor.
GetCrypt Decryptor
- GetCrypt Decryptor can be downloaded from here. Save it directly to your MS Windows Desktop.
- At the download page, click on the Download button. Your internet browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- When the download is complete, please close all applications and open windows on your machine. Next, launch a file called “decrypt_GetCrypt.exe”.
- Select an encrypted file and its unencrypted version.
- Further, press the Start button.
- GetCrypt Decryptor will start brute forcing to find out your decryption key.
- When finished, click OK button. Add all of the locations you want to decrypt to the list and press Decrypt button.
How to restore encrypted files
In some cases, you can recover files encrypted by GETCRYPT@COCK.LI ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Use shadow copies to recover encrypted files
In order to restore encrypted files encrypted by the GETCRYPT@COCK.LI ransomware virus from Shadow Volume Copies you can run a utility called ShadowExplorer. We suggest to use this method as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.
ShadowExplorer can be downloaded from the following link. Save it on your Windows desktop or in any other place.
438820 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is finished, extract the saved file to a folder on your system. This will create the necessary files as shown below.
Start the ShadowExplorerPortable application. Now select the date (2) that you want to restore from and the drive (1) you want to recover files (folders) from like below.
On right panel navigate to the file (folder) you want to restore. Right-click to the file or folder and click the Export button as shown in the following example.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Use PhotoRec to recover encrypted files
Before a file is encrypted, the GETCRYPT@COCK.LI ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore applications like PhotoRec.
Download PhotoRec from the following link.
Once the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen as displayed in the figure below.
Select a drive to recover as shown in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted personal files as displayed on the screen below.
Press File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where recovered documents, photos and music should be written, then press Search.
Count of recovered files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as displayed on the image below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your PC system from GETCRYPT@COCK.LI ransomware virus?
Most antivirus software already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your computer from GETCRYPT@COCK.LI ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro Alert can be downloaded from the following link. Save it on your Microsoft Windows desktop.
After the downloading process is finished, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. When the tool is started, you will be displayed a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
Finish words
Now your PC system should be clean of the GETCRYPT@COCK.LI ransomware virus. Remove MalwareBytes and Kaspersky virus removal tool. We suggest that you keep Zemana AntiMalware (to periodically scan your PC for new malware). Moreover, to prevent ransomware, please stay clear of unknown and third party programs, make sure that your antivirus program, turn on the option to block or detect ransomware.
If you need more help with GETCRYPT@COCK.LI ransomware virus related issues, go to here.
