.Coot file extension means that the files have been affected by STOP DJVU Ransomware. Other signs of ransomware infection: files do not open with associated programs (eg. doc files in Word), files have a blank icon and an unknown file named ‘_readme.txt’ in the folders where there are affected files. Renaming files, deleting .coot extension will not help to unlock files, since these files were encrypted during ransomware attack.
Coot is a new version of ransomware, which belongs to STOP DJVU family. Like previous variants, it was created to encrypt files on the victim’s computer. To encrypt files, the ransomware uses a very strong encryption system and keys that are unique for each infection. In the process of encryption, it tries to encrypt as many files as possible. It can encrypt files located on local and network drives, as well as connected cloud storage. Coot skips and does not encrypt files that have the following extension: .ini, .bat, .sys, .dll, .lnk. In addition, files with the name ‘_readme.txt’ are also not encrypted. That is, files of almost all types can be encrypted, among them the following:
.sum, .bay, .upk, .re4, .xdl, .mdf, .dxg, .zabw, .hvpl, .pptm, .wbk, .vfs0, .qdf, .wb2, .x3f, .yml, .gdb, .tor, .wbd, .rgss3a, .t13, .fsh, .xlsx, .wdb, .z, .xbdoc, .wps, .icxs, .pdd, .eps, .hkdb, .kdc, .wire, .ybk, .pdf, .nrw, .3fr, .ntl, .bar, .ncf, .xmind, .xyp, .csv, .css, .dmp, .lvl, .wav, .webdoc, .der, .mddata, .wm, .ff, .epk, .xml, .syncdb, .fos, .xls, .wcf, .y, .mef, .xpm, .xyw, .kf, .apk, .rar, .wps, .docx, .rtf, .xf, .wmf, .zdb, .wpa, .rim, .cfr, .xdb, .asset, .wpt, .vtf, .arw, .mdbackup, .wmv, .psk, .wmv, .menu, .srw, .vcf, .p7c, .mcmeta, .docm, .mlx, .dbf, .gho, .xy3, .wotreplay, .erf, .py, .wbm, .hplg, .wpd, .cr2, .dazip, .sid, .wgz, .desc, .bik, .wn, .avi, .wpe, .t12, .pem, .wsh, .zip, .m3u, .accdb, .wbmp, .raf, .png, .sis, .ptx, .sie, .wmd, .mov, .pkpass, .bc6, .mp4, .blob, .zi, .dng, .xlsm, .litemod, .xbplate, .arch00, .wpw, .rw2, .wot, .pfx, .ltx, .wpg, .forge, .xlk, .wpd, .odp, .p12, .pptx, .tax, .db0, .xll, wallet, .ztmp, .cer, .js, .dcr, .hkx, .m2, .ysp, .odm, .odt, .map, .iwd, .x3f, .ppt, .das, .bkf, .wpb, .wp5, .xxx, .dwg, .esm, .ai, .cdr, .rwl, .txt, .xld, .rb, .qic, .zif, .crw, .xlsm, .sav, .cas, .sidn, .xwp, .big, .dba, .raw, .x, .wsc, .7z, .3ds, .yal, .wp4, .pef, .zw, .p7b, .pak, .iwi, .lrf, .1st, .xls, .mdb, .mrwref, .m4a, .xx, .fpk, .sql, .r3d, .zip, .vpk, .flv, .2bp, .lbf
Each file, after it has been encrypted, is renamed. So the file named ‘docment.doc’, becomes ‘docment.doc.coot’. In each directory where the ransomware encrypted the files, a new file is dropped with the name ‘_readme.txt’, which contains a message from Coot authors. This file is a ransom demand message in which attackers report what happened to the user’s files.
The entire ransom note can be divided into three parts. The first says that all victim files are encrypted. In the second part, attackers report that the only way to decrypt files is to buy a decryptor and a unique key. In the third part, the contact details of the attackers and the victim’s personal id (this id determines the key used to encrypt the files). To confirm that encrypted files can be decrypted, Coot creators offer to send them a small file, which they decrypt for free. $980 – the size of the ransom set by attackers. It can be reduced to $490 if paid within 72 hours. Of course, there is no guarantee that after receiving the ransom, the attackers will provide a decryption key.
|Type||Ransomware, Crypto virus, File locker, Filecoder, Crypto malware|
|Encrypted files extension||.coot|
|Detection Names||TrojanRansom.Win32.Stop, TrojanTR/Crypt, RansomWin32.STOP, W32/Kryptik|
|Symptoms||Your documents, photos and music fail to open. Odd, new or .coot file extensions. Files named like ‘_readme.txt’, or ‘_readme’ in each folder with at least one encrypted file.|
|Distribution methods||Malicious links in emails, Torrents, Drive-by downloads from a compromised web-page, Adware, Social media posts, Remote desktop protocol (RDP) hacking.|
|Removal||To remove Coot ransomware use the removal guide|
|Decryption||use the COOT STOP DJVU decryptor|
As we reported above, Coot ransomware is only one of many variants of STOP DJVU. The most recent of which are Nols and Werd. Like other variants of STOP ransomware, you can try to use a free decryptor to decrypt files. Unfortunately, this decryptor does not always work, we will talk about this in detail below. There are several other ways that can allow you to recover your files. All this, as well as how to remove the ransomware from the computer in the next part of the article.
How to remove Coot ransomware, Decrypt and Restore .coot files
- How to remove Coot ransomware
- How to decrypt .coot files
- How to restore .coot files
- How to protect your PC from Coot ransomware
How to remove Coot ransomware
Before decrypting or recovering .coot files, you need to find all the files and directories related to the ransomware and remove Coot completely from the computer. We recommend checking the computer with some anti-malware tools, each of which uses a different anti-virus engine. Only in this way, you can be sure that the ransomware is removed. Below are a few tools that you can use. Each of them has a powerful scanner that can identify and remove ransomware.
Use Zemana Anti-malware to Coot ransomware
Zemana Anti-malware is an anti-malware utility designed to detect and remove various types of malware. This program can easily remove ransomware, trojans, worms, adware, browser hijacker and other malicious software.
- First, please go to the link below, then click the ‘Download’ button in order to download the latest version of Zemana AntiMalware.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- When the downloading process is finished, please close all applications and open windows on your machine. Next, start a file named Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana AntiMalware (ZAM) onto your PC. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Anti Malware (ZAM) will launch and show the main window.
- Further, click the “Scan” button . Zemana tool will start scanning the whole system to find out Coot ransomware and other security threats. This process can take quite a while, so please be patient. While the Zemana Free application is checking, you may see how many objects it has identified as threat.
- Once the scanning is complete, it will display the Scan Results.
- Make sure to check mark the threats which are unsafe and then click the “Next” button. The tool will remove Coot ransomware and move all its files to the Quarantine. After the clean-up is complete, you may be prompted to restart the computer.
- Close the Zemana Anti-Malware and continue with the next step.
How to remove Coot with HitmanPro
Another anti-malware tool that can help you remove Coot is HitmanPro. It will help you completely clean your computer from ransomware. HitmanPro is able to delete ransomware, trojans, adware software, worms, and other malware from your personal computer for free. Additional advantages of this utility is that it is small in size and does not require installation on a computer. You just need to download and run it.
Please go to the link below to download HitmanPro. Save it on your Desktop.
Category: Security tools
Update: June 28, 2018
After downloading is complete, open the file location and double-click the HitmanPro icon. It will run the HitmanPro tool. If the User Account Control dialog box will ask you want to run the program, click Yes button to continue.
Next, press “Next” to perform a system scan with this tool for Coot ransomware. While the Hitman Pro program is scanning, you can see how many objects it has identified as threat.
When Hitman Pro completes the scan, Hitman Pro will prepare a list of files and folders related to Coot ransomware.
When you are ready, click “Next” button. It will show a dialog box, click the “Activate free license” button. The Hitman Pro will begin to remove the found malicious software. When disinfection is complete, the tool may ask you to reboot your computer.
Remove Coot ransomware virus with Kaspersky virus removal tool
If HitmanPro or Zemana anti malware cannot detect and remove Coot, then we recommends to run Kaspersky virus removal tool (KVRT). KVRT is a free removal tool for ransomware, trojans, adware, worms and other malware.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is complete, double-click on the KVRT icon. Once initialization procedure is complete, you’ll see the KVRT screen similar to the one below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . Kaspersky virus removal tool program will scan through the whole machine for Coot ransomware virus, other trojans and malicious software. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. While the KVRT is scanning, you may see how many objects it has identified either as being malicious software.
When that process is done, KVRT will create a list of malware and ransomware as shown in the figure below.
Once you’ve selected what you want to remove from the system click on Continue to begin a cleaning process.
How to decrypt .coot files
All files that have the extension ‘.coot’ are files that were encrypted during the ransomware attack. Their contents cannot be unlocked without a decryptor and a key. Fortunately, a free decryptor has been created that can help you decrypt files.
How to use the STOP Djvu decryptor to decrypt .coot files:
- Open the page STOP Djvu decryptor.
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Unfortunately at the moment, the decryptor can only decrypt files that were encrypted with an offline key. What is an offline key? The ransomware can encrypt files with two kinds of keys. The first type is an online key; it is used when the virus has a connection to the control server. Such keys are unique for each case of ransomware infection. The second type is an offline key; it is used when the ransomware does not have access to the control server. This key is the same for different cases of infection and can be found by security researchers.
How to determine which key Сoot used to encrypt the files. First of all, you can look at the Personal ID that is given in the ‘_readme.txt’ file (ransom note). Another way, look on disk ‘C’ for ‘SystemID\PersonalID.txt’ file. This is a file in which Сoot stores the Personal IDs used for encryption.
If there is an ID ending in ‘t1’, then you are lucky, your files are encrypted using an offline key, and when researchers find this key, you can decrypt your files. In this case, to decrypt the files, you need to use the STOP Djvu Ransomware Decryptor linked above. If your Personal ID does not end with ‘t1’, then the ransomware used an online key. Even so, there is little chance of recovering encrypted files. This method will be discussed in the next part of the article.
How to restore .coot files
If a free decryptor cannot decrypt files, or files are encrypted with an online key, then not everything is lost. There are two more methods that give you a chance to recover the contents of encrypted files. Below we describe these methods in detail. We want to remind you again, before trying to recover files, be sure to check your computer for malware and ransomware. You must be 100% sure that Coot ransomware has been removed.
Use shadow copies to restore .coot files
In some cases, you have a chance to restore your files which were encrypted by the Coot ransomware. This is possible due to the use of the utility named ShadowExplorer. It is a free program which made to obtain ‘shadow copies’ of files.
Download ShadowExplorer by clicking on the following link. Save it on your Microsoft Windows desktop or in any other place.
Category: Security tools
Update: September 15, 2019
When the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the image below.
Launch the ShadowExplorer tool and then select the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the Coot ransomware virus as shown on the image below.
Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button as on the image below.
Recover .coot files with PhotoRec
The last way to recover the contents of encrypted files is to use data recovery tools. We advise you to use a program called PhotoRec. It has a simple interface, does not require installation, and is easy to use. This tool has all the necessary capabilities for searching and restoring data.
Download PhotoRec from the following link. Save it directly to your Microsoft Windows Desktop.
Category: Security tools
Update: March 1, 2018
Once downloading is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen as shown on the image below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as displayed on the image below.
Click File Formats button and choose file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to select where recovered photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as shown on the image below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your PC from Coot ransomware
If you or your relatives are a victim of Coot ransomware, then you need to think about protecting the computer from ransomware. Most antiviruses have a protection module against this type of security threats, but this protection is not always effective enough. Therefore, as an additional layer of protection, we recommend using HitmanPro.Alert. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Download HitmanPro Alert on your Windows Desktop from the link below.
Category: Security tools
Update: March 6, 2019
Once the downloading process is done, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the utility is started, you’ll be shown a window where you can choose a level of protection, as displayed on the image below.
Now click the Install button to activate the protection.
The article is designed to help everyone who is a victim of Coot ransomware. In it, we talked about how to remove ransomware, how to decrypt .coot files or restore their contents using data recovery tools. If you have questions or comments, write to us.
None of the above is effective to Decrypt COOT, plus EMSISOFT has not been updated to decryt latest updates.
Since is not a virus r malware or a trojan, anti-virus software cannot detect it. neither Windows Malicious Software cannot detect either since updates to is data bank are rarely. (very sad windows does not take priority to stay alert on Ransomware protect users)
COOT is a symmetric or symmetric encryption e.g. designed.cdr.coot and is not an .exe file that depends on system32 folder to be executed, it also affects all drives in the network. Reinstalling Windows also has no effect because files are encrypted not infected.
Thus the next best solution is for EMSISOFT or similar software to update its decryption capabilities.
Thank you for the valuable insights… i hope there will be a solution soon… i just lost valuable files … that will drawback my work 5 months. Could be i got it from Hitfilm software update,
hello, my name is febri im from indonesia
thanks for the article you made about coot ransomware, it mean everything to me, yesterday I experienced exactly the same thing as the article above, my file was infected with coot
and unfortunately in the personal id there is no ending “t1 ”
please help me, I really need the file, and what could all this have caused?
If your personal id does not end with ‘t1’, then the files are encrypted with an online key. In this case, the files cannot be decrypted. Try using alternative methods as suggested above.
my name is sam pls hw do i remove d coot ransomware
Just use Coot virus removal instructions above.
My files are encrypted to .coot extension by online key. Can I decrypt them in the future by new decryptors? Or I should not wait (there is nooo way)?
If your files are encrypted with an online key, then the decryptor will not be able to decrypt them, since the key is in the hands of criminals. The only way to decrypt files is to wait for the moment when these keys will be transferred to antivirus companies or laid out in open access. For some well-known ransomware, this is what happened.