How to Remove Cobra Locker Ransomware


During the pandemic, ransomware attacks spiked by 148% compared to the February 2020 baseline. Security experts have noticed the increasing frequency of COVID-19-related attacks, but incidents involving other ransomware variants also skyrocketed. This could be attributed to the sudden rise in possible targets, with 70% of the workforce forced to work from home, where internet security is much more relaxed than in the office.

One of the ransomware families that wreaked havoc during the global lockdown is the Cobra Locker ransomware. It locks files using the AES and RSA algorithms and gives them the .cobra file extension. This threat is usually spread via downloads from malicious websites, links in spam emails, or direct injection by other malware. The attackers usually demand payment for the files to be unlocked; otherwise the users won’t be able to access them.

What is Cobra Locker Ransomware?

Cobra Locker ransomware, also known as Cobra_Locker, was first discovered by Twitter user @dnwls0719 in June 2020. This is a new ransomware strain that has been developed to exploit those who have been affected by the pandemic. This cryptovirus works by encrypting the users’ data and demanding that victims pay for the decryption service. Cobra Locker ransomware usually targets videos, pictures, documents, archives, databases, and other types of data on your computer. All these files will be locked and encrypted, making them inaccessible to the user until the ransom is paid.

It is very obvious when your computer is infected with the Cobra Locker ransomware because you’ll get a pop-up message with a glaring red background, that reads:


Oops! Your have been encrypted!

If you want decrypt your files you must have decryption code

All your important files were encrypted on this PC.

All files with .Cobra extension are encrypted.

Encryption was produced using unique private key generated for this computer.

To decrypt your files, you need to obtain private key.

To retrieve the private key you need to contact us by email send us an email and wait for further


E-mail address to contact us:

If you want decrypt your files you must have decryption code

Cobra Locker ransomware detections:

  • DrWeb: Trojan.Encoder.31957 and Trojan.Encoder.32077
  • ALYac: Trojan.Ransom.Filecoder
  • Avira (no cloud): TR/Ransom.avuwe
  • BitDefender: Gen:Heur.Ransom.RTH.1, Trojan.GenericKD.43441079
  • ESET-NOD32: Variant of the MSIL/Filecoder.YQ or Variant of the MSIL/Filecoder.AAX
  • Malwarebytes: Ransom.FileCryptor or Ransom.CobraLocker
  • Rising: Ransom.Encoder 8.FFD4
  • Symantec: ML.Attribute.HighConfidence
  • Tencent: Msil.Trojan.Encoder.Wtod
  • TrendMicro: TROJ_GEN.R002H09FE20

A month later, a new ransomware came out that uses the .IT extension for the files it encrypts. It was detected in early July, and it uses the same email address mentioned in the Cobra Locker ransomware notification. The attacker also uses a picture of Pennywise from the movie IT as a background, for added scare factor. The pop-up message usually reads:

You have fallen victim to IT ransomware!

All your important files have been encrypted! And your screen is locked!

let me introduce you to the rules

  1. to unlock screen you must enter special key
  2. to decrypt files you must contact with us:

IT Detections:

  • DrWeb: Trojan.Encoder.32077
  • BitDefender: Trojan.GenericKD.43441079
  • ESET-NOD32: Variant of MSIL/Filecoder.AAX
  • Malwarebytes: Ransom.CobraLocker
  • Symantec: ML.Attribute.HighConfidence

Looking at the two messages, the attacker does not mention how you’re going to pay the ransom or how much you need to pay. You need to email them directly at the address given to learn how your files can be decrypted.

However, don’t get your hopes up. Even if you pay the ransom, there is no guarantee that the attacker will still care to decrypt your files. It is possible that you’ll be ignored once the payment has been made.

What Can Cobra Locker Ransomware Do?

Cobra Locker and IT ransomware come from the same group of attackers and we can safely assume that they work the same way.

Cobra Locker ransomware encrypts the user’s files using AES + RSA algorithms, adding a .Cobra extension to every file. IT ransomware, on the other hand, adds the .IT extension to the files. Both work by scanning your system and automatically encrypting MS Office documents, OpenOffice files, PDFs, text files, databases, images, music, videos, archives, and others. According to the ransom note, you won’t be able to access these files unless you pay the fee demanded by the attacker.

This ransomware can cause quite a headache, especially if the victim does not have a backup copy of the encrypted files. So what do you do when your computer is infected by the Cobra Locker ransomware?

Cobra Locker Ransomware Removal Instructions

The first thing you need to do when you get infected by either the Cobra Locker or IT ransomware is to remove the threat from your computer to prevent it from encrypting more files. After that, you can try recovering your files.

Here’s how to remove Cobra Locker ransomware and IT ransomware from your computer:

Step 1: Boot Into Safe Mode With Networking.

  1. Click Windows > Power icon, then choose Restart while pressing the Shift key.
  2. Select Troubleshoot > Advanced options.
  3. Click on Startup Settings > Restart to reboot your computer.
  4. When Windows boots up, press F5 or number 5 on the keyboard to boot into Safe Mode With Networking.

Step 2: Remove the Ransomware.

The next step requires security software that is able to detect and remove the ransomware from your computer. If you don’t have suitable anti-malware software, make sure to download it first before proceeding with this step. Once you have installed the antivirus, scan your computer and delete all the infected files. Here are the files related to the ransomware:

  • Ransomware.exe or IT.exe
  • CobraLocker.dll
  • _readme.txt
  • readme.txt

Step 3: Recover Your Files.

The last step is to try and recover your files. There is no decryptor yet designed for this ransomware, so let’s try any of the options here:

Use a generic decryptor.

There are several decryption tools available today, designed by security experts such as Michael Gillespie, Kaspersky, Emsisoft, and others. You can try any of them to see which works.

Use a system restore point.

Your other option is to roll your system back to a restore point before the infection happened. This can be tricky, especially if you don’t know at which point your system got infected. To be safe, choose a restore point that is way before the ransomware was discovered (June 2020).

Use a third-party recovery software.

If the decryptors don’t work and you do not have a system restore point you can use, your last option is to use recovery programs, such as Recuva, EaseUS Data Recovery, or Stellar.


Ransomware can be difficult to deal with, particularly if you don’t have a backup of your files. The most important thing is to delete the ransomware from your device first before trying any of the recovery methods mentioned above. Make sure you copy all the encrypted files first before trying to unlock them to avoid data loss. If all else fails, you can simply choose to wait for a Cobra Locker-dedicated decryptor to be released.
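The inventory and copy-before-recovery advice above, as an added PowerShell example that is not part of the original article. It lists files carrying the .Cobra or .IT extension and files whose names match the Step 2 list, then copies the encrypted files to a backup location; the `$Root` and `$Backup` defaults and the `inventory.csv` file name are assumptions.

```powershell
# Added example: inventory and backup only; nothing is deleted or modified.
param(
    [string]$Root   = $env:USERPROFILE,   # assumed scan root
    [string]$Backup = 'E:\cobra-backup'   # assumed external drive, outside $Root
)

# File names and extensions as listed in the article. readme.txt is also a
# common benign name, so matches are reported for review, not removed.
$artifactNames = 'Ransomware.exe', 'IT.exe', 'CobraLocker.dll', '_readme.txt', 'readme.txt'
$lockedExts    = '.cobra', '.it'          # -contains compares case-insensitively

$Root = (Resolve-Path -LiteralPath $Root).Path
[System.IO.Directory]::CreateDirectory($Backup) | Out-Null

$files  = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
$report = @(foreach ($f in $files) {
    $kind = $null
    if     ($lockedExts    -contains $f.Extension) { $kind = 'encrypted' }
    elseif ($artifactNames -contains $f.Name)      { $kind = 'artifact'  }
    if (-not $kind) { continue }

    # Hash suspected artifacts so they can be checked against AV detections.
    $hash = $null
    if ($kind -eq 'artifact') {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
    [pscustomobject]@{
        Kind         = $kind
        Path         = $f.FullName
        Bytes        = $f.Length
        LastWriteUtc = $f.LastWriteTimeUtc
        SHA256       = $hash
    }
})
$report | Export-Csv -LiteralPath (Join-Path $Backup 'inventory.csv') -NoTypeInformation

# Copy each encrypted file to the backup, keeping its path relative to $Root,
# so a failed decryption attempt cannot destroy the only copy.
foreach ($row in ($report | Where-Object { $_.Kind -eq 'encrypted' })) {
    $rel  = $row.Path.Substring($Root.Length).TrimStart('\')
    $dest = Join-Path $Backup $rel
    [System.IO.Directory]::CreateDirectory([System.IO.Path]::GetDirectoryName($dest)) | Out-Null
    Copy-Item -LiteralPath $row.Path -Destination $dest
}
$report | Group-Object Kind | Select-Object Name, Count
```

Run it only after the ransomware itself has been removed, and review the `artifact` rows by hand before deleting anything.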
