What is Coban ransomware? And how does it carry out its attack?
Coban ransomware is a new crypto-malware aiming to corrupt sensitive data in a targeted computer and extort money from its victims. This new crypto-malware is a part of the CryptoMix family of ransomware Trojans. Coban ransomware is slightly different from its CryptoMix family as its attack includes new obfuscation and other websites involved in the attack which could bypass some security measures which became a standard against previous variants in this group of ransomware.
On the onset of its attack, Coban ransomware looks for files to target, particularly files with the following extensions:
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.
When it starts the encryption, it uses a sophisticated encryption algorithm which is AES 256 and adds the .coban extension on every affected file. By the end of the encryption, Coban drops a file named _HELP_INSTRUCTION.txt that displays the following message:
“All your files are already encrypted due to a vulnerability in the system!
For decoding it is necessary to pay ransom by bitcoins.
Bitcoins can be bought here – localbitcoins.com in many ways.
Write to us at mail [email protected] and tell us your unique ID in the subject line. DECRYPT-ID-[8 CHARACTERS]-[4 CHARACTERS]-[4 CHARACTERS]-[4 CHARACTERS]-[12 CHARACTERS] number”
Victims are asked to pay a ransom using Bitcoins to receive the decryption tool. However, you must never reach out to these crooks as you will only end up losing money with no decryption tool. Cyber crooks are not really known to keep their promises so it would be better if you try other alternative ways to recover your files instead of paying the ransom.
How does Coban ransomware proliferate?
Coban proliferates using a file named cc9b1e6806db5fb9628559162c3ebb62.virus. This malicious file spread and lurks in the web obfuscated. It could also be sent out as an attachment in an email or it could be an obfuscated program or a fake update – which is why it is important to always keep your operating system as well as your antivirus programs updated – this way you can keep your PC protected from ransomware infections like Coban ransomware.
The first step below involves the Registry Editor so before you proceed, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 1: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 2: Navigate to the following path:
Step 3: Delete the values named BC0EBCF2F2 and *BC0EBCF2F2 which are both created by Coban ransomware and then close the Registry Editor.
Step 4: Tap Ctrl + Shift + Esc to open the Task Manger.
Step 5: Once you’ve opened the Task Manager, go to the Processes tab and look for cc9b1e6806db5fb9628559162c3ebb62.virus or BC0EBCF2F2.exe and end its process by clicking on End Task or End Process.
Step 6: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 7: Look for Coban Ransomware or any suspicious program and then Uninstall it/them.
Step 8: Tap Win + E keys to launch File Explorer.
Step 9: Navigate to the following locations below and look for Coban ransomware’s malicious components such as _HELP_INSTRUCTION.txt, BC0EBCF2F2.exe and cc9b1e6806db5fb9628559162c3ebb62.virus as well as other suspicious files and then delete all of them.
Step 10: Close the File Explorer.
Step 11: Empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Coban ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
To make sure that nothing is left behind and that the Coban is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOSscreen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Optionuse the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Boxwill show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.