What is Corona-lock file extension
.Corona-lock file extension is a file extension that is used by a malware belonging to the category of Ransomware to mark files that have been encrypted. CovidWorldCry (corona-lock) ransomware is a malicious program that encrypts user files and demands a ransom for a key-decryptor pair that is necessary to decrypt the affected files. Ransomware uses a strong encryption system and a long key, which virtually eliminates the possibility of decrypting files without a key. Files encrypted with .corona-lock extension become useless, their contents cannot be read without the key that the criminals have.
Files encrypted with .corona-lock extension
What is CovidWorldCry (corona-lock) ransomware
CovidWorldCry (corona-lock) ransomware is a new malware that belongs to the category of ransomware. It appends the ‘.corona-lock’ extension to each file that it encrypts using a complex encryption mechanism. As other ransomware, it can use the same distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, the Corona-lock ransomware collects information about the computer and then proceeds to encrypt the files located on it. The following common file types can be encrypted:
.2bp, .xy3, .jpe, .wdp, .zi, .ysp, .wotreplay, wallet, .wbz, .zip, .webp, .rtf, .mp4, .ods, .wn, .3dm, .iwd, .m3u, .z3d, .tax, .xf, .kf, .tor, .wpb, .dxg, .rim, .dwg, .txt, .srf, .apk, .yml, .odm, .png, .wbk, .xpm, .big, .y, .flv, .slm, .arw, .csv, .mpqge, .py, .wbmp, .zabw, .sie, .cdr, .dmp, .t13, .forge, .w3x, .wp5, .xlsx, .xlgc, .bsa, .ptx, .dbf, .xx, .wmo, .pptm, .cfr, .bc7, .xdl, .icxs, .bar, .asset, .mrwref, .wot, .desc, .wpe, .das, .wmf, .crw, .mov, .wmd, .db0, .avi, .zip, .mcmeta, .snx, .vpp_pc, .p7b, .sav, .ws, .wpw, .z, .wpd, .xls, .t12, .wmv, .wb2, .js, .p12, .mddata, .upk, .xyp, .0, .mef, .esm, .sum, .pfx, .xlsm, .gho, .crt, .xxx, .sql, .wri, .xlsm, .erf, .hplg, .p7c, .vtf, .odt, .arch00, .wpd, .fsh, .gdb, .wp7, .pst, .wmv, .wgz, .wire, .lvl, .xmind, .xdb, .psd, .wps, .webdoc, .rw2, .ibank, .rar, .hkdb, .wp4, .menu, .xlsb, .pef, .wpg, .vcf, .nrw, .wps, .m2, .mdb, .wdb, .lrf, .wpt, .pptx, .zw, .kdc, .x3f, .ltx, .hvpl, .1, .itdb, .wsh, .qic, .zif, .dcr, .wp6, .ybk, .yal, .mdbackup, .7z, .sb, .fpk, .r3d, .pkpass, .bkp, .ff, .xar, .wma, .wcf, .odc, .xlsx, .epk, .wma, .map, .jpeg, .kdb, .eps, .bkf, .wbc, .litemod, .rgss3a, .xld, .ppt, .vdf, .itm, .rwl, .cer, .rb, .docm, .fos, .blob, .1st, .m4a, .qdf, .dazip, .xyw, .bc6, .raw, .ncf, .d3dbsp, .wav, .dng, .sr2, .mlx, .wsc, .svg, .bik, .cr2, .xls, .jpg, .mdf, .wsd, .3fr, .dba, .der, .wm, .pem, .x3f, .sid, .3ds, .vfs0, .rofl, .wbd, .accdb, .xml, .indd, .wp, .x3d, .xlk, .x, .odb, .orf, .pdd, .psk, .wbm, .wpa, .zdb, .cas, .wpl, .vpk, .srw, .pak, .odp, .pdf, .itl
All documents, photos, archives located on local disks, system disks and connected network drives will be encrypted. The Corona-lock ransomware encrypts the contents of all disks file by file. Each file that has been encrypted is marked, the ransomware appends the ‘.corona-lock’ extension to its name. For example, if a file had the name ‘document.doc’, then after this file is encrypted by this ransomware, it will have a name similar to the following ‘document.doc.corona-lock’. Removing the extension or renaming the file will not help access the contents of the file. The associated program will not be able to read its contents.
CovidWorldCry (corona-lock) ransom demand message
The CovidWorldCry (corona-lock) ransomware creates a file with the name “README_LOCK.TXT” on the infected computer. This file contains a message from the ransomware authors. The full text of this file is:
YOUR FILES WERE ENCRYPTED
AND MARKED BY EXTENSION .corona-lock—
DON’T WORRY! YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
—
To get RSA private key you have to contact us via email to:
—————————->> support@covidworldcry.com << and send us your id: >> ***** << -- HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file!
Criminals use the “README_LOCK.TXT” file to demand ransom from the Corona-lock ransomware victims. The ransom demand message said that the victim’s files are encrypted. The ransomware authors demand a ransom in exchange for a key and a decryptor. Attackers offer to decrypt single file for free. Of course, decryption of single file cannot guarantee that, after paying the ransom, the victim will be able to recover files affected with the ransomware.
Threat Summary
| Name | CovidWorldCry, Corona-lock ransomware |
| Type | Crypto malware, File locker, Crypto virus, Ransomware, Filecoder |
| Encrypted files extension | .corona-lock |
| Ransom note | README_LOCK.TXT |
| Contact | support@covidworldcry.com |
| Ransom amount | $500-$1500 in Bitcoins |
| Detection Names | TrojanPSW:Win32/DelShad.2939a804, TR/AD.RansomHeur.eku, W32/Trojan.PZWO-9227, Generic.mg.412568f078ec521b, Trojan.Agent.crzx, Trojan.Malware.300983.susgen, Trojan.Win32.DelShad.dfc, Malware.Win32.Gencirc.1178d2f1 |
| Symptoms | When you try to open your file, Windows notifies that you do not have permission to open this file. Odd, new or missing file extensions. Files named such as ‘README_LOCK.TXT’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. Desktop is locked with a message about How to pay to unlock your system. |
| Distribution ways | Phishing email scam that attempts to scare users into acting impulsively. Drive-by downloading (when a user unknowingly visits an infected web-site and then malicious software is installed without the user’s knowledge). Social media posts (they can be used to force users to download malicious software with a built-in ransomware downloader or click a suspicious link). Cybercriminals use suspicious ads to distribute malicious software with no user interaction required. |
| Removal | CovidWorldCry (corona-lock) ransomware removal guide |
| Recovery | Corona-lock File Recovery Guide |
On current date, antivirus companies have not created a method to decrypt files encrypted with .corona-lock extension. Nevertheless, you do not need to despair. There are several ways to find and remove Corona-lock ransomware, and there is also a chance to restore part or even all encrypted files to their original state. Below we will describe in detail how to do this.
How to remove Corona-lock ransomware, Restore .Corona-lock files
If you encounter the malicious actions of Corona-lock ransomware, and your files have been encrypted with ‘.corona-lock’ extension, then you need to remove the virus or be 100% sure that there is no ransomware on your computer, and then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. We definitely recommend, even if for some reason one of the methods proposed below did not suit you, try another one and try all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, we want to say that all the tools that we recommend using in our instructions are free and verified by security experts. And the last, before proceeding with the instructions, we advise you to read it thoroughly carefully, and then print or open it on a tablet or smartphone to have it always at hand.
- How to remove CovidWorldCry (corona-lock) ransomware
- How to decrypt .corona-lock files
- How to restore .corona-lock files
- How to protect your PC system from CovidWorldCry ransomware
How to remove CovidWorldCry (corona-lock) ransomware
There are not many good and free malware removal tools with high detection ratio. The effectiveness of malware removal utilities depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern worms, trojans, ransomware and other malware. We suggest to run several programs, not just one. These programs that listed below will allow you remove all components of the Corona-lock crypto virus from your disk and Windows registry.
Remove CovidWorldCry with Zemana Anti Malware
Zemana is a free utility that performs a scan of your system and displays if there are existing ransomware, worms, spyware, trojans, crypto virus and other malicious software residing on your PC system. If malware is found, Zemana can automatically remove it. Zemana Anti Malware doesn’t conflict with other anti-malware and antivirus apps installed on your personal computer.
Installing the Zemana Anti Malware (ZAM) is simple. First you will need to download Zemana Anti Malware from the following link. Save it on your Windows desktop or in any other place.
164985 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the downloading process is complete, close all windows on your machine. Further, launch the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown in the following example, click the “Yes” button.
It will display the “Setup wizard” which will allow you install Zemana Anti-Malware on the system. Follow the prompts and do not make any changes to default settings.
Once installation is done successfully, Zemana Anti-Malware will automatically start and you may see its main window as displayed below.
Next, click the “Scan” button to scan for CovidWorldCry (corona-lock) ransomware virus, other kinds of potential threats like malicious software and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the count of files on your computer and the speed of your computer. When a threat is found, the number of the security threats will change accordingly.
When Zemana is done scanning your computer, Zemana Anti-Malware will display a screen that contains a list of malware that has been found. Next, you need to click “Next” button.
The Zemana Anti-Malware will begin to delete CovidWorldCry crypto malware and other security threats. When the cleaning process is done, you may be prompted to restart your PC.
Remove CovidWorldCry (corona-lock) with MalwareBytes
Manual CovidWorldCry (corona-lock) removal requires some computer skills. Some files and registry entries that created by the crypto virus may be not fully removed. We suggest that run the MalwareBytes AntiMalware that are fully clean your computer of crypto malware. Moreover, this free application will help you to remove malicious software, potentially unwanted apps, adware and toolbars that your personal computer may be infected too.
Installing the MalwareBytes Free is simple. First you will need to download MalwareBytes Anti Malware (MBAM) from the link below.
327224 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the download is done, close all windows on your personal computer. Further, run the file named MBSetup. If the “User Account Control” dialog box pops up as shown on the screen below, press the “Yes” button.
It will open the Setup wizard that will allow you install MalwareBytes on the PC. Follow the prompts and don’t make any changes to default settings.
Once install is done successfully, click “Get Started” button. Then MalwareBytes Anti Malware will automatically run and you can see its main window as displayed on the screen below.
Next, press the “Scan” button . MalwareBytes Anti-Malware (MBAM) program will scan through the whole computer for the CovidWorldCry (corona-lock) crypto virus, other kinds of potential threats such as malware and trojans. This procedure can take quite a while, so please be patient. During the scan MalwareBytes Anti-Malware will detect threats present on your PC.
Once the checking is complete, a list of all items detected is created. Review the report and then press “Quarantine” button.
The MalwareBytes AntiMalware (MBAM) will remove CovidWorldCry ransomware related folders,files and registry keys and move the selected threats to the program’s quarantine. After disinfection is complete, you may be prompted to reboot your PC. We advise you look at the following video, which completely explains the process of using the MalwareBytes AntiMalware (MBAM) to delete browser hijackers, adware and other malicious software.
If the problem with CovidWorldCry (corona-lock) is still remained
Kaspersky virus removal tool (KVRT) is a free removal tool that can scan your system for a wide range of security threats such as ransomware, adware software, spyware, potentially unwanted programs, trojans, worms as well as other malware. It will perform a deep scan of the personal computer including hard drives and Microsoft Windows registry. After a malicious software is detected, it will allow you to uninstall all detected threats from your computer with a simple click.
Download Kaspersky virus removal tool (KVRT) from the link below.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the downloading process is complete, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the KVRT screen as displayed below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button . KVRT utility will begin scanning the whole PC to find out the CovidWorldCry (corona-lock) ransomware and other trojans and malicious software. This task can take quite a while, so please be patient. When a threat is found, the count of the security threats will change accordingly.
As the scanning ends, KVRT will display a screen that contains a list of malware that has been found as displayed in the figure below.
Make sure to check mark the items that are unsafe and then press on Continue to start a cleaning process.
How to decrypt .corona-lock files
Files with the extension ‘.corona-lock’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Unfortunately, today there is no way to decrypt files encrypted by the CovidWorldCry (corona-lock) ransomware virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Nevertheless, everyone has to remember that paying the developers of the CovidWorldCry (corona-lock) ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the Corona-lock ransomware) in order to decrypt locked personal files. There still are some ways to defuse crypto malware without paying ransom, so you would not need to pay hackers and you would not let them reach their goal.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you restore the contents of encrypted files. Try to recover the encrypted files using free tools listed below.
How to restore .corona-lock files
If all your files are encrypted with .corona-lock file extension, then you only have one thing left, use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to restore the contents of encrypted files. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now, use free malware removal tools or return to step 1 above.
Run ShadowExplorer to restore .corona-lock files
A free tool named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7 , Vista). You can recover your documents, photos, and music encrypted by CovidWorldCry (corona-lock) ransomware from Shadow Copies for free. Unfortunately, this method does not always work due to the fact that the ransomware almost always deletes all Shadow copies.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer from the following link. Save it to your Desktop.
439623 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the figure below.
Run the ShadowExplorer utility and then select the disk (1) and the date (2) that you wish to recover the shadow copy of file(s) encrypted by the CovidWorldCry crypto virus as displayed in the figure below.
Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button as displayed on the image below.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Run PhotoRec to restore .corona-lock files
There is another way to recover the contents of the encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec from the following link. Save it to your Desktop so that you can access the file easily.
When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll display a screen as shown in the following example.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown on the screen below.
Press File Formats button and select file types to restore. You can to enable or disable the recovery of certain file types. When this is complete, click OK button.
Next, click Browse button to select where recovered files should be written, then press Search.
Count of restored files is updated in real time. All recovered documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as displayed on the image below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your PC system from CovidWorldCry (corona-lock) ransomware
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic utility to protect your PC from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from MS Windows XP to Windows 10.
First, click the following link, then click the ‘Download’ button in order to download the latest version of HitmanPro Alert.
Once the download is finished, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the tool is started, you will be displayed a window where you can select a level of protection, as shown on the image below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of the CovidWorldCry (corona-lock) ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .corona-lock files; how to recover the encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Corona-lock related issues, go to here.
