What is Cobra ransomware? And how does it carry out its attack?
Cobra ransomware is a new crypto-malware threat, a new variant of the Crysis/Dharma ransomware, that appends the .cobra extension to the files it encrypts. It is still unknown how this new variant spreads, but in the past Crysis ransomware was typically spread by breaking into Remote Desktop Services and installing the ransomware manually. Once installed, it scans the entire computer for files to encrypt. According to researchers, it targets files with these extensions:
.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
When encrypting a file, Cobra ransomware appends an extension in the format .id-[id].[email].cobra. Note that this ransomware also encrypts mapped network drives as well as unmapped network shares, which is why your network shares should be locked down so that only users with the necessary permissions can access them. Cobra ransomware also deletes the shadow volume copies of the encrypted files by running the command vssadmin delete shadows /all /quiet, so that they can't be used to recover the affected files.
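The two traits just described, the .id-[id].[email].cobra file name and the vssadmin shadow-copy deletion, are what a responder can key on when scoping an infection. The following Python is an added example (not from the original article or from any vendor tool): it parses the Cobra naming format to group encrypted files by victim id and e-mail, spots the two ransom-note file names, and flags the shadow-copy deletion command in process-creation log lines. All paths, the e-mail address and the log lines are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Encrypted-file naming described above: <original name>.id-<id>.<email>.cobra
COBRA_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[A-Za-z0-9]+)\.(?P<email>[^\\/]+?@[^\\/]+?)\.cobra$",
    re.IGNORECASE,
)
# Shadow-copy deletion command the ransomware runs (quoted in the text above)
VSSADMIN_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.IGNORECASE)
# The two ransom-note file names from the article, matched case-insensitively
RANSOM_NOTES = {"info.hta", "files encrypted!!.txt"}

def parse_cobra_name(path):
    """Return (original_name, victim_id, email) for a Cobra-encrypted file name, else None."""
    m = COBRA_NAME_RE.match(PureWindowsPath(path).name)
    return (m.group("original"), m.group("id"), m.group("email")) if m else None

def find_encrypted(paths):
    """Group encrypted files by (id, email); one pair per infection helps scope the incident."""
    hits = {}
    for p in paths:
        parsed = parse_cobra_name(p)
        if parsed:
            hits.setdefault((parsed[1], parsed[2]), []).append(p)
    return hits

def find_ransom_notes(paths):
    """Return the paths whose file name is one of the known ransom notes."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in RANSOM_NOTES]

def flag_shadow_deletion(log_lines):
    """Return process-creation log lines that carry the shadow-copy deletion command."""
    return [line for line in log_lines if VSSADMIN_RE.search(line)]

# Constructed sample data: hypothetical paths and a placeholder e-mail, not from a real incident
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.id-A1B2C3D4.user@example.com.cobra",
    r"\\fileserver\share\photo.jpg.id-A1B2C3D4.user@example.com.cobra",  # unmapped share
    r"C:\Users\alice\Desktop\Files encrypted!!.txt",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\info.hta",
    r"C:\Users\alice\Documents\notes.txt",      # untouched file
    r"C:\Users\alice\Documents\archive.cobra",  # no id/email part, so not the Cobra format
]
SAMPLE_LOG = [  # constructed process-creation events, not real telemetry
    r"10:21:07 Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet",
    r"10:21:09 Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin list shadows",
    r"10:22:00 Image=C:\Windows\System32\mshta.exe CommandLine=mshta.exe C:\Users\alice\AppData\Roaming\info.hta",
]

if __name__ == "__main__":
    for (vid, mail), files in find_encrypted(SAMPLE_FILES).items():
        print(f"id {vid} / {mail}: {len(files)} encrypted file(s)")
    print("ransom notes:", find_ransom_notes(SAMPLE_FILES))
    print("shadow deletion:", flag_shadow_deletion(SAMPLE_LOG))
```

The "vssadmin list shadows" line is deliberately left unflagged so the detector only fires on the destructive command, not on routine shadow-copy administration.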
After the encryption, Cobra ransomware creates two different ransom notes – one of which is the info.hta file that is launched by an autorun when the victim logs into the infected computer. It contains the following text:
“All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message [id]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention!
Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.”
The second ransom note is contained in a file named Files encrypted!!.txt which is placed on the desktop and contains a short message:
“All your files have been encrypted,
to decrypt them contact us using the email address:
[email protected]
As a proof we can decrypt 3 files for free.”
As you can see, both ransom notes instruct the victim to contact [email protected] for payment instructions. Even though the crooks promise to decrypt 3 files for free, that does not mean you should fall into their trap, as it is only bait to get you to pay the ransom. The best thing you can do for now, since you can't recover your files from shadow volume copies, is to restore from any backups you have until a free decryptor is available.
To obliterate Cobra ransomware’s attack and malicious components from your PC, follow these instructions.
Step 1. Open the Task Manager by tapping the Ctrl + Shift + Esc keys on your keyboard.
Step 2. In the Task Manager, go to the Processes tab and look for any process associated with info.hta, as well as any suspicious-looking process that takes up most of your CPU's resources and is most likely related to Cobra ransomware.
Step 3. After that, close the Task Manager.
Step 4. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel's list of installed programs.
Step 5. In the list of installed programs, look for Cobra ransomware or anything similar and uninstall it.
Step 6. Next, close Control Panel and tap the Win + E keys to launch File Explorer.
Step 7. Navigate to the locations below and look for Cobra ransomware's malicious components such as info.hta and Files encrypted!!.txt, as well as other suspicious files, and delete all of them.
- %TEMP%
- %APPDATA%\Microsoft\Windows\Templates\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 8. Close the File Explorer.
Before you proceed to the next steps, make sure that you are tech savvy enough to know exactly how to use and navigate your computer's Registry. Keep in mind that any changes you make there will have a major impact on your computer. To save yourself the trouble and time, you can simply use PC Cleaner Pro; this system tool is proven to be safe and secure enough that hackers won't be able to break into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 9. Tap Win + R to open Run, type regedit in the field and tap Enter to open the Windows Registry.
Step 10. Navigate to the following paths:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 11. Delete the registry keys and sub-keys created by Cobra ransomware.
Step 12. Close the Registry Editor and empty your Recycle Bin.
To make sure that nothing is left behind and that Cobra ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it's already on, you have to reboot it.
- After that, the BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you're on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press the Windows key and the R key together.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.