Remove COSW Ransomware Virus (DECRYPT .cosw FILES)

COSW ransomware attack: a malware that locks personal files with encryption

COSW ransomware is a harmful computer virus designed to encrypt each file on the computer, thus making it inaccessible to the user. This piece of malware is recognized as a new variant of STOP/DJVU ransomware family. During the attack, it targets pictures, videos, documents, archives, and other data formats, encrypts them and appends .cosw extension to each filename. Additionally, the virus delivers a message from its operators, which it saves into _readme.txt notes dropped throughout the system.

See the following example to understand how this virus renames files: 1.jpg, 2.txt and 3.png will appear as 1.jpg.cosw, 2.txt.cosw and 3.png.cosw after getting locked. No program will be capable of opening these files. The cybercriminals know that the victim needs access to important files stored on a computer, therefore they introduce their ‘solution’ to the problem in the ransom notes dropped in multiple data folders.

remove COSW ransomware virus and learn how to decrypt or repair files with .cosw extension (free guide)remove COSW ransomware virus and learn how to decrypt or repair files with .cosw extension (free guide)

Message in the _readme.txt note, explained

The contents of _readme.txt ransom note are pretty straightforward. The cybercriminals explain that they have used encryption to make data on the computer inaccessible, and that there is no chance to recover it unless the victim purchases COSW file decryption tool from them. In other words, the perpetrators demand the victim to pay a ransom to them. Once they get the payment, they may provide decryption tool and unique key required to unlock files, says the note.

The note also states that the price of the decryption solution costs $980, but if the victim makes effort to contact the criminals within 72 hours after getting attacked, they may lower the price to $490. The note contains two email addresses – support@freshmail.top and datarestorehelp@airmail.cc, and the only way to contact the criminals is by writing an email to them.

The note also suggests proving that the criminals can actually decrypt victim’s files. The victim is asked to send one encrypted file to the criminals and also include the Personal ID in the message. The crooks promise to reply shortly and send a decrypted file variant to the victim.

Unfortunately, there is no way to trace the criminals and arrest them, as they are using a variety of techniques to obfuscate their identity and location. To remain anonymous, they even ask to pay the ransom using cryptocurrency.

Cybersecurity experts as well as well-known organizations such as FBI or NCSC warn victims that paying a ransom is not a good solution. First of all, it doesn’t guarantee data decryption, but instead encourages the criminals to continue what they’re doing. The crooks might even start blackmailing the victim for more money after the initial amount is paid. Furthermore, such criminals have a tendency to target victims who have paid the ransom repeatedly, as they identify such users as ‘easy targets.’

Beware of malware that accompanies this ransomware

Unfortunately, cybercriminals behind this malware seem to be greedy. Data encryption and victim’s extortion isn’t enough for them, as the ransomware carries additional malware alongside it. Analysis showed that most STOP/DJVU variants deliver Vidar, AZORult, or RedLine stealers to infected computers.

These are known as high-severity information stealers capable of extracting sensitive data from compromised computers and sending it to criminals’ servers. In addition, these threats have capabilities to evade detection systems and can be used to carry out various tasks on the computer by remote attacker. For instance, the attacker can view, delete files on victim’s computer, or download additional malware to it.

If your computer has been compromised by these described harmful programs, we suggest that you act immediately. In order to remove COSW ransomware virus and information stealers that infected your computer system, use the guidelines presented below this article. Use a trustworthy antivirus solution to detect all harmful files that expose your computer to additional threats and eliminate them automatically. For example, you can use trustworthy antivirus like INTEGO Antivirus for this task. In addition, try to download RESTORO and see what it can do to virus-damaged Windows OS files.

Ransomware Summary

NameCOSW Ransomware Virus
TypeRansomware; Crypto-malware; Virtual Extortion Virus
Encryption typeRSA 2048 + Salsa20
Previous versionsDAZX, TYWD, TYCX, TYOS, TYPO, JYWD, JYPO (find full list here)
Cybercriminal emailssupport@freshmail.top, datarestorehelp@airmail.cc
Additional malware droppedAzorult, RedLine or Vidar
DamageThe ransomware uses encryption to maliciously modify all files on the PC and marks their original names with .cosw extension. Ransom notes called as _readme.txt will be dropped in every computer folder. This piece of malware usually drags VIDAR Stealer alongside it and also eliminates VSS from the system. On top of that, it tends to modify Windows HOSTS file to restrict computer user’s access to cybersecurity-related websites online.
Ransom note_readme.txt
Ransom demand$490-$980 in Bitcoin
DistributionVictims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico.
Known software cracks to contain this malwareCorel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, HP/Epson printer drivers, League of Legends.
Detection namesTrojan:Win32/Azorult.FW!MTB (Microsoft), Gen:Heur.Mint.Zard.52 (B) (Emsisoft), HEUR:Trojan.Win32.Scarsi.gen (Kaspersky), Gen:Heur.Mint.Zard.52 (BitDefender), Trojan.MalPack.GS (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection name variations on VirusTotal
RemovalRemove ransomware and related malware from your PC using trustworthy software like INTEGO Antivirus. To repair virus damage on Windows OS files, download and try RESTORO (secure download link).

Intego Antivirus for Windows

Award-winning antivirus solution for your PC.

Robust security software that provides robust 24/7 real-time protection, Web Shield that stops online threats/malicious downloads, and Prevention engine that wards off Zero-Day threats. Keep your PC safe and protected against ransomware, Trojans, viruses, spyware and other forms of dangerous programs.

75% OFF!

How ransomware-type threats are distributed?

Cybercriminals distribute ransomware in deceptive ways, often trying to bait the victim to download the malicious file in guise of a legitimate file or an email attachment. Most victims of STOP/DJVU ransomware, including those of the latest variants like COSW or GOBA, report getting infected via software cracks or key generators.

These are often promoted via rogue websites claiming to provide all sorts of popular software cracks and stating that users can install premium software versions for free. Users who fall for this bait end up getting their computer systems severely compromised. The only sources to download software safely from are either official websites or trustworthy news/reviews sites and blogs that are partners of the specific software and can provide official and secure download links.

Another way of delivering malicious files to computer users is via email attachments. The perpetrators send mass emails to potential victims and pretend to be someone else, for example, an online retailer, a service provider, even government organization. They usually claim there is an urgent matter that needs to be taken care of immediately. Such emails rush the victim to view attached files or links and reply to the sender as soon as possible.

Unfortunately, clicking on such suspicious attachment or link can lead to computer infection, so we strongly recommend you to be cautious when checking your email. Only trust emails that come from trusted and known senders. If you have doubts about the origins of the email, do not interact with its contents at all.

Remove COSW ransomware virus and protect your computer

If in an unfortunate event you have fallen victim to a ransomware attack, you need to protect your computer as soon as possible. First of all, try to remove COSW ransomware virus and additional malware dropped on your computer. For this task, you may want to read recommendations provided below. Additionally, consider using a trustworthy security solution, such as INTEGO Antivirus.

Once the malware is eradicated from your computer, you can download RESTORO and run a scan with it to see which Windows files can be repaired. You can also use data backups to restore locked data, but make sure the malware is removed from the system first (do not try to connect your backup drive before removing malware). Afterward, we strongly recommend changing all of your passwords used on the infected computer because the information stealers that accompanied the ransomware usually steal them.


Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:


Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.


RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

COSW Ransomware Virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove COSW Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.

Instructions for Windows XP/Vista/7 users

  1. First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
  2. Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10/11 users

  1. Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus

Now, you can search for and remove COSW Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Special Offer

Compatibility: Microsoft Windows
See Full Review

RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

  1. Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
  2. Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10/11 users

  1. Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
  1. Wait until system loads and command prompt shows up.
  2. Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
  3. This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
  4. Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt COSW files

Fix and open large COSW files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

  1. Create a copy of encrypted file to a separate folder using Copy > Paste commands.
  2. Now, right-click the created copy and choose Rename. Select the COSW extension and delete it. Press Enter to save changes.
  3. In the prompt asking whether you want to make the changes as file might become unusable, click OK.
  4. Try opening the file.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. COSW Ransomware Virus is considered the new STOP/DJVU variant, just like DAZX, TYWD, TYCX, TYOS, TYPO, JYWD, JYPO (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.

Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.

In order to test the tool and see if it can decrypt COSW files, follow the given tutorial.

  1. Download the decryption tool from Emsisoft.
  2. Click the little arrow next to your download and choose Show in Folder.
  3. Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
  4. In UAC window, click Yes.
  5. Click Yes to agree to software terms in both windows.
  6. The tool will automatically include C:// disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
    In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work.
  7. Click Decrypt to start restoring COSW files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
    You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.

Meanings of decryptor's messages

The COSW decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:

Error: Unable to decrypt file with ID: [example ID]

This message typically means that there is no corresponding decryption key in the decryptor's database.

No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible

This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.

Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.

If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your COSW extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Report Internet crime to legal departments

Victims of COSW Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.

Another recommendation is to contact your country's or region’s federal police or communications authority.

Frequently Asked Questions

✓ How can I open .COSW files?

You can only open COSW files if you have the decryption key, or if you were affected by offline encryption type.

✓ How do I know if my files were encrypted with offline or online encryption?

To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.

✓ My files contain very important information (family memories). Every tool I used says it is impossible to decrypt. What should I do?

Please follow the guidances provided by the official COSW decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).

✓ I am afraid virus is still in my computer system. What should I do?

We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.

✓ I saw several Youtube videos suggesting secret decryption tools. Can I trust them?

Beware of fake COSW decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.

Recent Posts

Remove JYPO Ransomware Virus (DECRYPT .jypo FILES)

JYPO virus arrives to encrypt files on computers JYPO ransomware is a harmful computer virus that…

2 days ago

Remove JYWD Ransomware Virus (DECRYPT .jywd FILES)

JYWD virus attacks files stored on computers and encrypts them JYWD virus is a ransomware-type…

3 days ago

Remove TYPO Ransomware Virus (DECRYPT .typo FILES)

TYPO ransomware operators attempt to extort computer users TYPO ransomware is a computer virus that…

4 days ago

Remove TYOS Ransomware Virus (DECRYPT .tyos FILES)

TYOS ransomware: a file-encrypting menace to computer users TYOS ransomware is a malicious computer virus…

1 week ago

Remove TYCX Ransomware Virus (DECRYPT .tycx FILES)

TYCX ransomware attack leaves all data on computer encrypted TYCX is a computer virus that…

1 week ago

Remove TYWD Ransomware Virus (DECRYPT .tywd FILES)

TYWD ransomware locks files, demands a ransom TYWD is a ransomware-type computer virus that has…

1 week ago