Coty Virus


Coty is a computer virus of the Ransomware variety. The purpose of Coty is to blackmail you for a ransom payment by keeping your data “hostage”.

The Coty ransomware will leave a _readme.txt file with instructions

Infections with ransomware variants like Boza and Boty collectively cost companies and private individuals millions of dollars in ransom money every year. At the same time, impressive numbers of web users get infected by this type of malware and, recently, some concerned people have approached us to ask for ways to help them decrypt the files that this particular threat has encrypted on their computers. For this reason, we’ve created a removal guide (which you will find below), with instructions on how to find the Coty virus and how to carefully remove it. The same guide provides concrete steps that may help you restore the information that has been compromised by the strong encryption of the ransomware. While we can’t promise you that our steps will automatically restore all your files, it’s important that you actually remove the virus before you give them a try. This will prevent the infection from encrypting the files that you potentially manage to recover and, of course, will make the computer safe again.

The Coty virus

The Coty virus is a ransomware threat able to quickly lock your data. Once the Coty virus infects the computer, it scans it for certain files formats, and then encrypts the found data.

The Coty virus will encrypt your files

While this type of malware has been around for more than twenty years, it has surged over the past few years, both in its numbers and in its ability to cause trouble. Experts partly blame the development of digital currencies such as Bitcoin, since the hackers who demand a ransom for the encrypted files frequently request the payment in bitcoins. Bitcoins are almost untraceable and give the cyber criminals a kind of anonymity that emboldens them to blackmail people for money without the fear of getting caught.

The Coty file encryption

The Coty file encryption is the process used to seal the files. The Coty file encryption is almost unbreakable, and dealing with it is very tricky.

The Ransomware does not damage the encrypted information, or steal it from you. Instead, it secretly penetrates your computer, and starts creating copies of certain file types, while the file extensions of the copies get modified. This way, the infection renders the files unreadable by any existing program, which ultimately means they cannot be accessed or used. The file originals are then removed, and only the inaccessible data is left to the victim, which can only be decrypted with a special decryption key. The hackers who are in control of the infection inform you through a ransom note that they will send you the decryption key if you pay a fixed amount of money.

Although this may seem like a possible solution for people who can afford to pay the ransom, there are a number of issues with it. For one, you might never get a key and, secondly, you may get a key that doesn’t work. The crooks have no reason to care once they receive your money. After all, that’s all they want, so they will not be one bit interested in what happens to your files after that. With this in mind, we suggest you try alternative methods and refuse to follow the ransom instructions. If you agree with us, we advise you to try the removal guide below, and the file-recovery suggestions you will also find there.


Danger Level: High (Ransomware is by far the worst threat you can encounter)
Data Recovery Tool: Not Available

Remove Coty Ransomware


The successful elimination of Coty from the computer may need several system reboots. That’s why, in order to avoid losing the instructions for removing the ransomware, we recommend that you bookmark this page now, before you do anything else.

Next, follow the instructions from this link and restart your computer in Safe Mode to prevent some of the ransomware-related processes from operating in the background.



After the system has been restarted in Safe Mode, go to the Task Manager and look for any processes that are associated with the ransomware and are now operating in the background.

For this, you must open the Task Manager (by holding CTRL, SHIFT, and ESC simultaneously) and look at the Processes Tab to see if there are any processes that might be harmful or linked to malicious activity.

Open the files associated with the suspicious-looking process by right-clicking on it and selecting Open File Location from the quick menu.


Use a trustworthy malware scanner or the free online virus scanner provided below to check these files for malicious code:


    End any running processes whose files turn out to be dangerous, and delete the infected files from their location as soon as you find them.

    If a specific process catches your attention, but you are not sure about it, it’s a good idea to do some research online to find out whether there’s any danger associated with that process and then act accordingly.


    In the third step, you can use Windows Key and R together to open a Run window on the screen. Next, copy the line below inside the text bar of the Run box and hit Enter:

    notepad %windir%/system32/Drivers/etc/hosts

    In the text of the Hosts file that opens on the screen, find Localhost and look for any IP addresses that look suspicious like those on the example image:


    Let us know in the comments section if you detect anything disturbing. If not, just close the window and go on to the next step.

    Ransomware victims may not be aware that ransomware-related entries may have been added to the list of startup items. That’s why the next thing we recommend is to open System Configuration: type msconfig in the Start menu search bar and press Enter.

    When the System Configuration opens, click the Startup tab to check whether there are any such entries on your system.


    If you suspect the Coty infection is linked to any of the startup items listed there, uncheck their checkboxes to disable them. Pay attention to startup items with suspicious-looking or strange names or unknown manufacturers. 


    Malicious Registry changes are often a consequence of ransomware infections. Because of this, the next step is to check the registry for harmful entries. To complete this step, you’ll need to open the Registry Editor. Just enter “Regedit” in the Start menu search field and press Enter.

    After the Editor opens, press CTRL+F to open a Find box and type in the exact name of the infection in it to quickly locate ransomware-related items. If anything with that name is found in the Registry, delete it.

    Attention! There is a high risk of system damage if you delete registry entries that are not associated with the ransomware. If you are unsure about your Coty removal actions, please use a trusted malware cleaning application like the one available on our website. 

    After you clean the registry, we recommend that you manually search the following five locations for other Coty-related files. To do that, go to the Windows Search bar, type each of the locations exactly as shown and press Enter:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Search these locations for anything new that could potentially be linked to Coty.

    The ransomware may have left behind some temporary files, so please select and delete all of them from the Temp folder.
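
The manual checks above (Hosts file, startup entries, the five folders) can be gathered in one read-only pass. The script below is an added example, not part of the original guide; it assumes Windows PowerShell 5.1 or later, a 14-day look-back window ($Days), and that startup entries of interest live in the standard Run/RunOnce registry keys.

```powershell
# Added example: read-only triage; nothing is modified or deleted.
$Days = 14   # assumed look-back window for "new" files

# 1. Hosts file: every active mapping whose name is not localhost.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$hostsHits = Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $ip, $names = $_ -split '\s+'
        foreach ($n in $names) {
            if ($n -ne 'localhost') { [pscustomobject]@{ IP = $ip; Host = $n } }
        }
    }

# 2. Startup entries stored in the per-user and machine-wide Run/RunOnce keys.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$startup = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

# 3. Executables and scripts written recently in the five folders from the guide.
$cutoff = (Get-Date).AddDays(-$Days)
$roots  = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir, $env:TEMP
$types  = '.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs', '.js'
$recent = Get-ChildItem -LiteralPath $roots -File -Recurse -Depth 2 -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff -and $_.Extension -in $types } |
    Sort-Object FullName -Unique |
    ForEach-Object {
        [pscustomobject]@{
            Written   = $_.LastWriteTime
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Status
            Path      = $_.FullName
        }
    }

'--- hosts entries ---';   $hostsHits | Format-Table -AutoSize
'--- startup entries ---'; $startup | Format-List
"--- files written in the last $Days days ---"
$recent | Sort-Object Written -Descending | Format-Table -AutoSize
```

Recent Windows updates also write files under %WinDir%, so treat the third list as candidates to review (unsigned files in user-writable folders first), not as confirmed malware.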


    How to Decrypt Coty files

    A thorough understanding of your ransomware infection and how to eliminate it is of key importance before beginning the file recovery procedure. To distinguish between various ransomware strains, you may look at the extensions that have been added to the encrypted files.

    However, you must first remove the ransomware infection from your machine. You should follow the removal steps above or run a system scan with a trusted anti-virus program or an online virus scanner to ensure your protection.

    New Djvu Ransomware 

    Users throughout the world are being threatened by a new Djvu ransomware version known as STOP Djvu Ransomware. This particular version adds the suffix .Coty to encrypted files, which makes it easier for victims to tell apart from previous variants of the infection.

    In general, new ransomware variants are tough to deal with. However, it is possible to decrypt STOP Djvu encryption with the help of a special decryption application that you may download by going to the URL below and clicking the “Download” button on the page that opens.

    The decryption software must be run as administrator, and you must click “Yes” in the confirmation dialog box to proceed. Before moving on, read the license agreement and the on-screen instructions. In order to unlock your data, you need to press the Decrypt button. We need to inform you, though, that decryption of data that has been encrypted with unknown offline keys or online encryption may not be possible with this tool.
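
Before attempting recovery, it helps to know how much data carries the .Coty suffix and what it originally was. The inventory below is an added example, not part of the original guide; $Root is an assumed starting folder, and the timing estimate assumes the malware did not reset file timestamps.

```powershell
# Added example: read-only inventory; no file is opened, changed or deleted.
$Root = $env:USERPROFILE   # assumed starting folder; repeat per drive as needed

$all       = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue
$encrypted = $all | Where-Object { $_.Extension -ieq '.coty' }
$notes     = $all | Where-Object { $_.Name -ieq '_readme.txt' }

# Original type is the extension left once the appended suffix is dropped,
# e.g. report.docx.coty -> .docx
$byType = $encrypted |
    Group-Object { [IO.Path]::GetExtension($_.BaseName).ToLower() } |
    ForEach-Object {
        [pscustomobject]@{
            OriginalType = if ($_.Name) { $_.Name } else { '(none)' }
            Files        = $_.Count
            SizeMB       = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1)
        }
    } | Sort-Object Files -Descending

# Write times of the encrypted copies approximate when the encryption ran
# (assumption: timestamps were not reset), which helps choose a backup that predates it.
$first = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1
$last  = $encrypted | Sort-Object LastWriteTime | Select-Object -Last 1

"{0} encrypted files, {1} ransom notes under {2}" -f @($encrypted).Count, @($notes).Count, $Root
if ($first) { "Encryption window: {0} to {1}" -f $first.LastWriteTime, $last.LastWriteTime }
$byType | Format-Table -AutoSize
```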


    About the author


    Lidia Howler

    Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
