Decrypt Coin Locker Encrypted Files for Free

If your files are encrypted by Coin Locker, there is no reason to panic. This article will help you to decrypt Coin Locker encrypted files, without paying the ransom

Coin Locker is trojan-ransomware – that is a malicious piece of software that infiltrates a system, encrypts files and then demands payment in return for the key. It was first noticed in January 2015. There are several ways the trojan like this can get into a computer, though these are all preventable. In most ransomware, the key is kept secure on the hacker’s server after the user’s files have been encrypted. Communication between the malware and command and control (C&C) server facilitates payment and subsequent decryption (though there is no guarantee this will happen on payment, of course). This variant is different as it uses a relatively simple code that has been broken (see link below), though there are other safety considerations that arise as a result of this infection, so it’s important to uninstall Coin Locker.

This ransomware is reported as infecting users through two methods so far, that of hiding in a bundle of freeware and the other using counterfeit e-mail. The Bundling method is using a piece of free software desired by the user to hide with to gain entry when the wanted program is installed quickly, without the contents being checked. Then the malware is installed by default. In the instance of spam e-mails, the user receives a plausible communication from a government or legal department that contains either an attachment or link that the reader is persuaded to open for some beneficial reason (other examples of spam are messages supposedly from a shipping company regarding an undelivered package; these can be very convincing in format and appearance).

A further way to contract Coin Locker that should be remembered is by visiting or being redirected to a dubious or compromised ‘site. On these domains, hackers can use exploitation kits like the BlackHole EK to detect system vulnerabilities and insert a trojan during the time spent there. These deliveries install the ransomware which starts work modifying Windows files and drivers in preparation to encrypt all files on the system except for a few essential ones necessary to facilitate basic running and communication for ransom purposes.

The file encryption uses a letter-substitution code called the Caesar Cypher. It replaces a letter with another a certain distance away in the alphabet. If the shift was three places right, then all A’s would become C’s, B = D and so on. It’s so named because it was used by Caesar to send secret messages. Analyst Nathan Scott recognized this cypher and wrote the decryption program. After the files are locked, the ransom note appears as a .txt file with details on how to pay via the Tor network, though the original server for this infection’s communication was taken down last year. It is not known if any users paid for the key before the server was decommissioned, or if anyone received decryption if they did pay – though as there is a public key now, the important thing if infected is to delete Coin Locker (see below for instructions) and get any damaged files back in order.

How to detect and deal with Coin Locker?

The fact that there is a decryption program available means that the user should be able to retrieve all any files using this method after clearing the malware from the system. Even if there is no functioning C&C server, this malware can still be contracted from infected links &c, with all the attendant trouble it causes, regardless if it is still functioning as a ransomware threat or not. Although there is a solution to encryption, having an infection in the system also causes vulnerability to receiving another. Also, personal data-loss through other malware functions that the software may possess, such as key-logging for example. This is why it is necessary to eradicate Coin Locker.

As with most ransomware, it has capabilities to evade all but the best searches, though there are symptoms a user may spot. As the infection takes root, it will use more and more processing power, so a slowing of the system should be noticeable. This will be accompanied by periodic screen-freezing and possible crash of programs that are running. Unasked for internet connections may occur and extra port traffic noticeable as the ransomware tries to communicate with its C&C. If these peculiarities are noticed, the user should check files for extension changes. All files that seem normal should be backed-up to an external device. Follow the steps below to remove Coin Locker, then download the decryption program to reclaim any encrypted files. If an external back-up of files is available, then these can simply be re-installed to replace encrypted ones after totally getting rid of Coin Locker.

How to decrypt Coin Locker?

To decrypt Coin Locker encrypted files please, follow the instructions below as strictly as possible:

Step 1: Download the free Coin Locker decrypter here:
Step 2: Double-click on Coin_Locker_Decrypter.exe .
decrypt coin locker
Step 3: Click the browse button (“…”) and select a folder containing encrypted files.
Step 4: Click “Decrypt!” button to start the decryption process. Optionally, you can click “Delete encrypted files” once you are sure, that all your files are decrypted.

How to prevent Coin Locker?

Avoiding such extortion-ware is a very logical process. It should be observed and remembered and practiced. Back up is insurance against inattention, as is good security and scanning software. Regularly check for system patches. Keep browsers up to date and any browsing security warnings enabled. Install using advanced options and don’t open unsolicited/unfamiliar links or attachments. For extra safety against in-text surprises, disable ActiveX function on M/S Office apps such as Word, Excel, etc. Install the best firewall possible and set it for restricted port access, and to not permit Tor or I2P communications (if most ransomware is denied communication, it cannot begin encryption). Visit to find instructions on Administrator Privilege and how to restrict .exe files running on certain paths like %APPDATA% and %TEMP% – this will disable most ransomware which has to execute in these places. Disable RDP, remote desktop protocol, if not in use.

Remember: this infection is an amateur and a pain in the processor – there are many more out there that are very ingenious – and very capable of really spoiling your day!

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.