Remove Coban Ransomware – Restore .coban Files


Coban ransomware is a new data locker malware that aims to corrupt sensitive data and extort a ransom from its victims. Coban ransomware uses a strong cipher algorithm to encode target files and make them completely inaccessible. Encrypted files can be recognized by the .coban extension appended to the end of their names. It then displays a ransom note on the screen of the infected PC to inform victims about the attack and instruct them on what they are expected to do in order to get their files back.

This article informs victims of Coban ransomware infection and provides comprehensive removal and data restore instructions.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on your computer, making them no longer openable. Asks for a ransom payment in Bitcoins.
Symptoms: Adds the .coban file extension to the encrypted files and changes their names to random names. Drops a ransom note, named _HELP_INSTRUCTION.txt.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Coban Ransomware – Spread Techniques

Coban ransomware payloads can be spread via various distribution techniques. The one cyber criminals prefer most is email messages with malicious attachments or infected elements, such as buttons and links, placed in the message body. Usually, the email messages are well crafted so they can easily trick users into infecting their computer systems with Coban ransomware. In most cases, the sender's name and email address in the malicious emails are disguised as those of representatives of well-known business organizations, legal services, and even governmental institutions. Once the payload penetrates the system, it automatically triggers the Coban ransomware infection.

In some cases, the ransomware may appear as a fake software update notification that urges users to download a critical security patch. Additionally, the code of the malicious Coban crypto virus payload may be injected into web pages that are set to automatically start the download of the ransomware code on the PC. The links to these web pages may be included in malvertising campaigns or spread on social media channels.

Coban Ransomware – Infection Flow

The investigation of Coban ransomware samples is ongoing. Some security researchers believe that it may belong to the infamous CryptoMix ransomware family. This year our team detected and reported two other CryptoMix ransomware variants that append the .OGONIA and .EXTE extensions to the corrupted files.

The samples of the Coban file locker confirm that it follows a typical ransomware pattern. The infection is triggered once a file named cc9b1e6806db5fb9628559162c3ebb62.virus is running on the system. Coban ransomware can then connect to a server controlled by the hackers and download all additional malware files it needs to complete the infection. Often the malicious files are located in some of the following essential Windows system folders:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Common%
  • %System32%

Coban ransomware processes may be disguised as legitimate Windows system processes such as svchost.exe and services.exe, making its detection even harder. After the threat establishes all malicious files on the system, it is capable of modifying Windows registry values in order to ensure its automatic execution on each Windows boot. The following registry keys may be affected by Coban ransomware:


At the end of the infection, the Coban crypto virus drops its ransom note, called _HELP_INSTRUCTION.txt, on the computer. It then displays the note on the screen, which states the following:

All your files are already encrypted due to a vulnerability in the system!
For decoding it is necessary to pay ransom by bitcoins.
Bitcoins can be bought here – in many ways.
Write to us at mail and tell us your unique ID in the subject line. DECRYPT-ID-ea003afd-e55a-490a-bf5f-2e2f0db4e97b number

The amount of the demanded ransom is not known. However, victims should refrain from any negotiations with the crooks so that new troubles can be avoided.

Coban Ransomware – Data Encryption

Coban ransomware is believed to have the following file types in its target data list:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.

The list includes all file types that users frequently rely on to store important and valuable information. Each time the virus finds a target file, it encrypts it with a strong cipher algorithm, after which the file can no longer be opened. It also renames the corrupted files and appends the extension .coban to the end of their names.

Remove Coban Ransomware – Restore .coban Files

To sum up, Coban ransomware is a devastating infection that should be removed as soon as it is detected on the PC. Only after Coban ransomware has been completely removed from the system can you use it normally again. Otherwise, the ransomware will start its malicious files each time you start the PC, encrypt all new files that are part of its target list, and interrupt regular system performance. The removal of Coban ransomware can be done either manually or automatically. Both methods are presented in the step-by-step Coban ransomware removal guide below. Security researchers recommend the help of an advanced anti-malware tool for maximum efficiency.

After the removal of Coban, back up all encrypted files to an external drive and then proceed with the .coban file restore process, which is also presented in the instructions below.
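The backup step above needs a list of what was actually hit. The following is an added example, not part of the original article or any vendor tool: it walks a directory tree, inventories files carrying the .coban extension, locates copies of _HELP_INSTRUCTION.txt, and pulls the DECRYPT-ID value out of each note. The function names, the manifest format and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".coban"               # extension named in the article
NOTE_NAME = "_HELP_INSTRUCTION.txt"    # ransom note name named in the article
# ID format as it appears in the quoted note: DECRYPT-ID-<uuid>
ID_RE = re.compile(r"DECRYPT-ID-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def inventory(root):
    """Walk root and return encrypted files, ransom notes and victim IDs found."""
    encrypted, notes, ids = [], [], set()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name.lower() == NOTE_NAME.lower():
                notes.append(path)
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue           # unreadable note: still listed, no ID
                ids.update(ID_RE.findall(text))
    per_dir = Counter(str(p.parent) for p in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "ids": sorted(ids), "per_dir": per_dir}

def write_manifest(result, out_path):
    """Write size and path of each encrypted file, one per line, for the backup."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for p in result["encrypted"]:
            fh.write(f"{p.stat().st_size}\t{p}\n")
    return len(result["encrypted"])

def build_sample_tree(base):
    """Constructed sample data: two renamed files, one clean file, one note."""
    docs = Path(base) / "Documents"
    docs.mkdir()
    (docs / "3F9A1C.coban").write_bytes(b"\x00" * 16)
    (docs / "A71B20.COBAN").write_bytes(b"\x00" * 32)
    (docs / "notes.txt").write_text("untouched")
    (docs / NOTE_NAME).write_text(
        "unique ID ... DECRYPT-ID-00000000-1111-2222-3333-444444444444 number")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        res = inventory(build_sample_tree(tmp))
        print(len(res["encrypted"]), "encrypted;", "IDs:", res["ids"])
```

Run inventory() against the affected profile or drive root, then copy the files listed in the manifest to the external drive before attempting any restore.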

Gergana Ivanova

Gergana has completed a bachelor's degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.
