How to remove Cool ransomware


Cool ransomware belongs to the notorious Djvu/STOP family of file-encrypting malware. Ransomware of this kind essentially takes files hostage and demands money in exchange for a decryptor to recover them. The family has hundreds of variants, but this particular one can be identified by the .cool extension it appends to encrypted files. You will not be able to open any file with this extension unless you first run it through a decryptor. The cybercrooks operating this ransomware will try to sell the decryptor to you for $980, though paying the ransom is not recommended.



Cool ransomware comes from the same malware family as Rivd, Rugj, Maql, and Zaps. The cyber gang operating Djvu/STOP ransomware has released hundreds of versions and continues to release new ones on a regular basis. These versions are more or less identical in the way they look and operate, but each adds a different extension to encrypted files, which is how you can tell them apart. This one adds .cool, hence the name Cool ransomware. As an example, an encrypted image.jpg file would become image.jpg.cool. All personal files, including photos, images, documents, videos, etc., will carry this extension and you will be unable to open them.

While your files are being encrypted, the ransomware shows a fake Windows update window, presumably to distract you from what is happening in the background. Once encryption is done, the ransomware drops a _readme.txt ransom note in every folder that contains encrypted files. The note is generic and mainly explains how to obtain the decryptor, which means paying the ransom. The ransom is $980, though the cybercriminals claim to give a 50% discount to those who make contact within the first 72 hours of infection. Whether that is true or not, paying is still not recommended, for two reasons. First, nothing obliges the cybercriminals to send the decryptor; plenty of victims have paid and received nothing in return. Second, these payments are why ransomware is as big as it is. If users regularly backed up their files, there would be no reason to pay, and ransomware would be far less of a problem.

If you backed up your files before the computer was infected, recovering them should not be a problem, provided you first remove Cool ransomware from the computer. Removing the ransomware fully is an essential step, because if it is still running when you connect a backup drive or network share, the files on the backup may be encrypted as well.

Unfortunately, if you do not have a backup, recovering files may not be possible, at least at this moment. A free Cool ransomware decryptor is not currently available, though one could be released in the future. Developing a working decryptor is difficult because this ransomware normally uses online keys, meaning the encryption key is generated per victim and held on the criminals' server. Unless malware researchers obtain those keys, they cannot build a general decryptor. The keys may eventually be released, whether by law enforcement or by the cybercriminals themselves if they ever close up shop. Emsisoft does offer a free Djvu/STOP decryptor, but for variants released after 2019, when online keys came into use, it only helps with files encrypted using an offline key (a fallback the malware uses when it cannot reach its server during encryption). The personal ID in _readme.txt tells you which case applies: Emsisoft's guidance is that an ID ending in "t1" is an offline ID, while any other ID means an online key. When looking for decryptors, be very careful about where you download them from, because plenty of fake decryptors lead to another malware infection. The No More Ransom project (nomoreransom.org) is a trustworthy source, so check it from time to time. You should also back up the encrypted files together with the ransom note and store them safely until a decryptor is released.
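The two practical checks above, identifying which files carry the .cool extension and reading the personal ID out of _readme.txt to see whether the key was offline or online, are easy to script. The following triage script is an added example written for this article, not a tool from the ransomware's authors or from any decryptor vendor. It assumes the note contains a line reading "Your personal ID:" followed by the ID, treats a trailing "t1" as the offline marker per Emsisoft's guidance, and builds a constructed sample folder with made-up file contents and a made-up ID so it runs offline. It also copies the encrypted files and notes to an evidence folder, which is the "back up the encrypted files" step from the paragraph above.

```python
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".cool"       # extension Cool ransomware appends (from the article)
RANSOM_NOTE = "_readme.txt"   # note dropped into folders with encrypted files (from the article)

# Assumed layout of the ID line in _readme.txt. The "t1" suffix as an offline-key
# marker is the convention Emsisoft documents for this family; treat it as a hint.
PERSONAL_ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]+)")
OFFLINE_SUFFIX = "t1"


def find_encrypted_files(root: Path) -> list[Path]:
    """Every file under root that carries the ransomware's extension."""
    return sorted(p for p in root.rglob("*" + ENCRYPTED_EXT) if p.is_file())


def original_name(encrypted) -> str:
    """image.jpg.cool -> image.jpg (the name a decryptor would restore)."""
    return Path(encrypted).name[: -len(ENCRYPTED_EXT)]


def find_ransom_notes(root: Path) -> list[Path]:
    return sorted(root.rglob(RANSOM_NOTE))


def extract_personal_id(note_text: str) -> str | None:
    m = PERSONAL_ID_RE.search(note_text)
    return m.group(1) if m else None


def key_type(personal_id: str) -> str:
    """'offline' IDs share a key a public decryptor may cover; 'online' IDs are per victim."""
    return "offline" if personal_id.endswith(OFFLINE_SUFFIX) else "online"


def backup_encrypted_files(root: Path, dest: Path) -> int:
    """Copy encrypted files and notes to dest, keeping the folder layout, so they
    survive cleanup and can be fed to a decryptor later. Returns the number copied."""
    count = 0
    for p in find_encrypted_files(root) + find_ransom_notes(root):
        target = dest / p.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        count += 1
    return count


def triage(root: Path) -> dict:
    """Summarise what you need to know before choosing a recovery option."""
    notes = find_ransom_notes(root)
    pid = extract_personal_id(notes[0].read_text()) if notes else None
    return {
        "encrypted_files": [p.relative_to(root).as_posix() for p in find_encrypted_files(root)],
        "ransom_notes": len(notes),
        "personal_id": pid,
        "key_type": key_type(pid) if pid else "unknown",
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample, not a real infection: dummy encrypted files and notes."""
    (root / "Pictures").mkdir(parents=True, exist_ok=True)
    (root / "Docs").mkdir(parents=True, exist_ok=True)
    for name in ("Pictures/image.jpg.cool", "Pictures/holiday.png.cool", "Docs/thesis.docx.cool"):
        (root / name).write_bytes(b"\x00" * 32)
    (root / "Docs" / "notes.txt").write_text("not encrypted")
    note = (
        "ATTENTION!\n\nDon't worry, you can return all your files!\n"
        "...\nYour personal ID:\nAbCdEf0123456789t1\n"   # made-up ID with the offline-style suffix
    )
    for folder in ("Pictures", "Docs"):
        (root / folder / RANSOM_NOTE).write_text(note)


def run_demo() -> dict:
    """Build the constructed sample in a temp dir, triage it and back it up."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "victim", Path(tmp) / "evidence"
        build_sample_tree(root)
        result = triage(root)
        result["backed_up"] = backup_encrypted_files(root, dest)
        result["backup_copies"] = len(find_encrypted_files(dest))
        return result


if __name__ == "__main__":
    print(run_demo())
```

On a real machine you would point triage() and backup_encrypted_files() at the user profile (or the whole drive) and at an external disk; if key_type comes back "online", the Emsisoft tool will not help and the copies are kept for whenever keys surface.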

Ransomware distribution methods

Users with bad browsing habits are the ones who most often become infected with ransomware. Simple actions like opening unsolicited email attachments, downloading torrents, or clicking on links can lead to a serious infection. Developing better browsing habits goes a long way towards avoiding malware.

Commonly, users encounter ransomware after opening malicious files attached to emails. Often the attachments come with emails that, at least to some extent, look like they were sent by legitimate senders, such as companies whose services the user might use. Just as often, the emails are low-effort and quite obviously spam or malware. It is common for malicious senders to claim to be from a parcel delivery service, a government agency, a tax agency, and so on. However, such emails are frequently full of grammar and spelling mistakes, which would look unprofessional in any official message. Another obvious sign of a malicious email is being addressed by generic terms like "User", "Customer", or "Member" instead of by your name; a company you actually do business with will normally use your name. A third is an attachment whose name ends in an executable or script extension, or that hides one behind a second, innocuous-looking extension. While most malicious emails are generic and easy to spot, some are more sophisticated, especially when targeting someone specific. Thus, we recommend always scanning email attachments with anti-virus software or VirusTotal before opening them.
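As an added example for the tells listed above (not a tool from the article or from any vendor), here is a small attachment-triage script. It parses a raw message with Python's standard email library, flags a generic salutation, flags attachments with executable or double extensions, and computes each attachment's SHA-256 so you can look the hash up on VirusTotal without opening the file. The message is constructed for the example: the addresses use the reserved .invalid domain, the risky-extension list is my own assumption and is not exhaustive, and the "attachment" is just the three bytes "abc" so the hash is recognisable.

```python
import email
import email.policy
import hashlib
import re

# Assumed list of extensions that run code when double-clicked or carry macros; not exhaustive.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".wsf", ".bat",
                    ".cmd", ".ps1", ".hta", ".lnk", ".iso", ".img", ".docm", ".xlsm"}
# Generic salutations the article calls out as a phishing tell.
GENERIC_GREETING_RE = re.compile(
    r"^\s*(dear|hello|hi)\s+(user|customer|member|client|sir/madam)\b", re.I | re.M)

# Constructed sample, not a real phishing e-mail. The attachment body is "abc" (base64 YWJj).
SAMPLE_EML = """From: "Parcel Service" <noreply@example.invalid>
To: victim@example.invalid
Subject: Your parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Customer,

Your parcel is waiting. Please open the attached document to reschedule delivery.

--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

YWJj

--b1--
""".encode()

# Constructed benign message for comparison: personal greeting, no attachment.
CLEAN_EML = """From: "Alice" <alice@example.invalid>
To: bob@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Still on for Friday at noon?
""".encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def describe_attachment(part) -> dict:
    """Name, extension checks and hash for one MIME attachment part."""
    name = part.get_filename() or "(unnamed)"
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    payload = part.get_content()          # bytes for binary parts, str for text parts
    if isinstance(payload, str):
        payload = payload.encode("utf-8", "replace")
    return {
        "filename": name,
        "extension": ext,
        "risky_extension": ext in RISKY_EXTENSIONS,
        "double_extension": lower.count(".") >= 2,   # e.g. invoice.pdf.exe
        "size": len(payload),
        "sha256": sha256_hex(payload),              # search this hash on VirusTotal
    }


def analyze_email(raw: bytes) -> dict:
    """Return the tells found in a raw RFC 822 message and an overall verdict."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    attachments = [describe_attachment(p) for p in msg.iter_attachments()]
    reasons = []
    if GENERIC_GREETING_RE.search(text):
        reasons.append("generic greeting")
    for a in attachments:
        if a["risky_extension"]:
            reasons.append("executable attachment " + a["filename"])
        if a["double_extension"]:
            reasons.append("double extension " + a["filename"])
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "attachments": attachments,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "no obvious tells",
    }


if __name__ == "__main__":
    for raw in (SAMPLE_EML, CLEAN_EML):
        print(analyze_email(raw))
```

The hash is the useful output: VirusTotal lets you search by SHA-256, so a file that has already been seen can be checked without uploading it, and a file nobody has seen before is a reason for more caution, not less.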

If you pirate via torrents, you are also at higher risk of picking up a malware infection. Pirating in general is not a good idea, and using torrents to do so is even worse. Torrent sites are often poorly moderated, which lets malicious actors upload malware disguised as popular movies, video games, TV series, software, etc.

Cool ransomware removal

Since ransomware is a complex infection, it is not recommended to remove Cool ransomware manually. You could end up doing more damage, or the ransomware may not be fully removed. If you access your backup while the ransomware is still on the computer, the backed-up files may be encrypted too. Use anti-virus software to delete Cool ransomware, confirm the computer is clean, and only then connect your backup to start recovering files.
