.BELGIAN_COCOA File Virus (Remove and Restore) - How to, Technology and PC Security Forum | SensorsTechForum.com

.BELGIAN_COCOA File Virus (Remove and Restore)

Article created to explain more about what is .BELGIAN_COCOA ransomware and how to remove it and restore encrypted files.

A ransomware infection, known as .BELGIAN_COCOA because of it’s file extension added to the encrypted files, has hit the wild, infecting multiple users all over the globe, starting with China. The virus encrypts the files on the compromised computers, altering their structure, which makes them no longer able to be opened. After doing so, .BELGIAN_COCOA drops a ransom note file, named “UNLOCK_guiDE.tXT” ransom note to demand from victims to pay a hefty ransom fee. The note is inn Chinese and asks to contact [email protected]

Threat Summary

NameBELGIAN_COCOA
TypeRansomware
Short DescriptionThe ransomware encrypts files on your computer machine. Then it displays a ransom note in Chinese demanding a payoff in BitCoin.
SymptomsThe ransomware will encrypt your files and adds the .BELGIAN_COCOA file extension.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by BELGIAN_COCOA

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss BELGIAN_COCOA.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does .BELGIAN_COCOA Spread

In order to infect a maximum amount of victims, the ransomware may be spread via the usage of multiple different types of files. These files may be of the following types:

→ .js, .wsf, .docm, .docx, .PDF, .exe, .vbs, .bat, .cmd

The files may be concealed as multiple different objects when you encounter them online:

  • Important documents, like invoices, receipts, banking statements, etc. Usually encountered with malicious e-mails.
  • Setups of programs that the user is trying to download and use for free form various suspicious sites.
  • Key generators or game cracks which are in fact the infection file.

Once the victim clicks on those files, he or she may encounter various different types of weird behavior on his/hers computer, varying from the screen freezing to the system slowing down. This is the initiation of the infection process by the .BELGIAN_COCOA virus.

.BELGIAN_COCOA File Virus – Main Activity

The activity of this ransomware virus is involved in it connecting to a command and control server from which it transfers information from your computer, such as:

  • Your IP address.
  • Your OS version.
  • Your MAC address.
  • Other system information.

The .BELGIAN_COCOA file virus also drops it’s payload by downloading it from the servers it connects to. The other scenario is if the malware is completely offline-based and directly extracts and starts it’s main malicious executable.

The primary objective of .BELGIAN_COCOA ransomware is to encrypt the files on the user PC. This is achieved by taking advantage of the administrator privileges of Windows. They allow the virus to modify multiple aspects of the OS. One of those aspects is the Windows Registry Editor which may be attacked by the ransomware virus to set registry entries for it’s malicious files to run on system startup. These registry entries may be set in the following sub-keys and if you locate them, you may find the actual location of the malicious files:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

After this, the .BELGIAN_COCOA ransomware virus may also execute administrative commands so that it deletes Windows shadow volume copies. Those commands are ran as administrator in Windows Command Prompt. They are also ran in the background while the victim does not realize what is going on. The commands may be the following:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

In addition to the activity of the .BELGIAN_COCOA ransomware infection is to focus on notifying you of the issue that is facing your computer and get you to pay the ransom. For this purpose, the malware drops a ransom note, named
UNLOCK_guiDE.txt written in Chinese:

您好,您的文件已经被加密。请不要求助于警察或防护软件,因为他们并不能帮助您解密文件。
我们还获取了部分有价值的数据在您的计算机上。
!解密方法:3天内支付2500人民币等价的比特币到地址1HPRcuSHAXFSaEuN9Jhe7RmVbv8oBdx16
!或按照以上价格支付等价的ZCash到地址t1bPWjxDoSrJzZD1PZfDCwbiMzpnQo5D7jo
(比特币Bitcoin和零币ZCash都是虚拟货币,详情请询问搜索引擎)
(比特币官网:Bitcoin.org)
(ZCash官网:Z.Cash)
!如果超过3天,则请您支付3500人民币等价的比特币
!!价格可以商量
我们是绝对不会类似WannaCry Ransomware,收钱不解锁
!!!如果您有疑虑,可以先为您解锁一批文件(通过邮箱发送)
!!!如果超过15天,我们将无法为您解锁
!!!并且您的数据会被公布。
您的ID:[redacted numbers].96-28504-10852-38972-19914-37721-28234
当您支付完成,请联系邮箱
[email protected]

[email protected]
请发送付款记录/截图以及ID
当您支付完成,我们保证一定遵守承诺,为您解密。谢谢您。
!!!我们支持先解密3个文件(通过邮箱发送)!!!
!!!我们支持先解密后付款(以展示我们的信任)!!!
如果有任何疑问,请发送至邮箱
[email protected]

[email protected]
支持的提问语言:英语(美国),俄语,西班牙语,中文(中国)
谢谢您的合作
您的语言:中文(中国)(不是您的语言?我们推荐:Google Translate)
Buying Bitcoin in China:
huobi.com
okcoin.com
btcchina.com
etc…
Buying Zcash in China:
yuanbao.com
yunbi.com
etc…
!China is a very great country!

.BELGIAN_COCOA File Virus – Encryption Process

The encryption process of the .BELGIAN_COCOA file virus is conducted in multiple stages. The preparation state, as described above is not only to ensure that the virus is not interrupted while it encrypts your files, but it also makes sure to minimize your chance of recovering those files. Then, the virus may get to the file scanning and encrypting stage. For this purpose, the .BELGIAN_COCOA file virus scans for specific file types to encrypt data. These types include file extensions associated with:

  • Documents.
  • Audio files.
  • Videos.
  • Virtual Drives.
  • Archives.

After the encryption process is completed, the files can no longer be opened. They contain the file extension of the virus and look like the following:

Remove .BELGIAN_COCOA File Ransomware and Restore Data

For the removal process of this virus, we strongly advise you to follow the instructions down below. They are specifically designed to help you get rid of the ransomware infection either manually or automatically. The ransomware infection also tampers with some important Windows objects, such as processes that may cause dysfunction in your Windows OS. This is the primary purpose why experts often advise to use a ransomware-specific tool for the removal process to be completed automatically. Such tool also ensures future protection.

In addition to taking advantage of this ransomware infection, we also recommend using multiple different types of file restoration methods. We have illustrated several of those in step “2. Restore files encrypted by .BELGIAN_COCOA Virus” below.

Manually delete BELGIAN_COCOA from Windows and your browser

Note! Substantial notification about the BELGIAN_COCOA threat: Manual removal of BELGIAN_COCOA requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Remove or Uninstall BELGIAN_COCOA in Windows
2. Remove BELGIAN_COCOA from Your Browser and Your Registry Editor

Automatically remove BELGIAN_COCOA by downloading an advanced anti-malware program

1. Remove BELGIAN_COCOA with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by BELGIAN_COCOA
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...