Remove Coban Ransomware – Restore .coban Files
Coban ransomware is a new data locker malware that aims to corrupt sensitive data and extort a ransom from victims. It uses a strong cipher algorithm to encode target files and make them completely inaccessible. Encrypted files can be recognized by the .coban extension appended to their names. The ransomware then displays a ransom note on the screen of the infected PC to inform victims about the attack and tell them what they are expected to do to get their files back.

This article informs victims of Coban ransomware infection and provides comprehensive removal and data restore instructions.

Threat Summary

Name: Coban
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on your computer, making them no longer openable. Asks for a ransom payment in Bitcoins.
Symptoms: Adds the .coban file extension to the encrypted files and changes their names to random names. Drops a ransom note named _HELP_INSTRUCTION.txt.
Distribution Method: Spam Emails, Email Attachments, Executable files

Coban Ransomware – Spread Techniques

Coban ransomware payloads can be spread via various distribution techniques. The one cyber criminals prefer most is email messages with malicious attachments or infected elements, such as buttons and links, placed in the message body. The messages are usually well crafted, so they can easily trick users into infecting their computer systems with Coban ransomware. In most cases, the sender's name and email address are disguised to look like those of representatives of well-known business organizations, legal services, and even governmental institutions. Once the payload penetrates the system, it automatically triggers the Coban ransomware infection.

In some cases, the ransomware may appear as a fake software update notification that urges users to download a critical security patch. Additionally, the code of the malicious Coban crypto virus payload may be injected into web pages that are set to automatically start the download of the ransomware code on the PC. The links to these web pages may be included in malvertising campaigns or spread on social media channels.

Coban Ransomware – Infection Flow

The investigation of Coban ransomware samples is ongoing. Some security researchers believe that it may belong to the infamous CryptoMix ransomware family. This year our team detected and reported two other CryptoMix ransomware variants, which append the .OGONIA and .EXTE extensions to the corrupted files.

The samples of the Coban file locker confirm that it follows a typical ransomware pattern. The infection is triggered once a file named cc9b1e6806db5fb9628559162c3ebb62.virus runs on the system. Coban ransomware can then connect to a server controlled by the hackers and download all additional malware files it needs to complete the infection. The malicious files are often placed in some of the following essential Windows system folders:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Common%
  • %System32%

Coban ransomware processes may be disguised as legitimate Windows system processes such as svchost.exe and services.exe, which makes detection even harder. After the threat has placed all its malicious files on the system, it can modify Windows registry values to ensure its automatic execution on each Windows boot. The following registry keys may be affected by Coban ransomware:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
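
The persistence check described above, as an added PowerShell example that is not part of the original article: it reads the four Run/RunOnce keys and flags values that launch from user-writable folders or use the names svchost.exe or services.exe outside the Windows system folders. The environment variables used for the folders and the SysWOW64 allowance are assumptions of this example.

```powershell
# Added example, not the article's code: flag suspicious values in the four Run/RunOnce keys.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
# Assumption: these real variables stand in for the article's %AppData% and %Temp%.
$dropRoots   = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
# Process names the article says may be imitated, and the folders the real ones live in.
$systemNames = 'svchost.exe', 'services.exe'
$systemDirs  = (Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64')

function Get-ExePath([string]$Command) {
    # A Run value is a command line: take the quoted path, else text up to the first extension.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|scr|bat|cmd|vbs|js|dll))(\s|,|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $exe     = Get-ExePath $command
        $reasons = @()
        if ($dropRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
            $reasons += 'runs from a user-writable folder'
        }
        # Split the path by hand so odd characters in a value cannot throw.
        $leaf = ($exe -split '[\\/]')[-1]
        $dir  = $exe.Substring(0, $exe.Length - $leaf.Length).TrimEnd('\', '/')
        if ($systemNames -contains $leaf -and $dir -and $systemDirs -notcontains $dir) {
            $reasons += 'system process name outside the Windows system folders'
        }
        if ($reasons) {
            # Signature status helps triage: legitimate system binaries are validly signed.
            $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'file missing' }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $command
                               Signature = $sig; Reasons = $reasons -join '; ' }
        }
    }
}
if ($findings) { $findings | Format-List } else { 'No flagged Run/RunOnce entries.' }
```

A flagged entry is a lead to investigate, not proof of infection; legitimate software also autostarts from the user profile.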

At the end of the infection, the Coban crypto virus drops its ransom note, called _HELP_INSTRUCTION.txt, on the computer. It then displays the note on the screen with the following message:

All your files are already encrypted due to a vulnerability in the system!
For decoding it is necessary to pay ransom by bitcoins.
Bitcoins can be bought here – localbitcoins.com in many ways.
Write to us at mail [email protected] and tell us your unique ID in the subject line. DECRYPT-ID-ea003afd-e55a-490a-bf5f-2e2f0db4e97b number

The amount of the demanded ransom is not known. However, victims should refrain from any negotiations with the crooks so that new troubles can be avoided.

Coban Ransomware – Data Encryption

Coban ransomware is believed to have the following file types in its target data list:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.

The list includes all file types that users frequently use to store important and valuable information. Each time the virus finds a target file, it encrypts it with a strong cipher algorithm, after which the file can no longer be opened. It also renames the corrupted files and appends the .coban extension to the end of their names.
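
To scope what the encryption described above has touched, the following added PowerShell example (not from the original article) inventories .coban files and _HELP_INSTRUCTION.txt notes per folder and reports the first and last write times of the encrypted files. The function name Get-CobanImpact, the default scan root and the CSV file name are assumptions of this example.

```powershell
# Added example, not the article's code: inventory encrypted files and ransom notes.
function Get-CobanImpact {
    param([string[]]$Roots = @($env:USERPROFILE))   # assumption: default scan root
    $hits = Get-ChildItem -LiteralPath $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.coban' -or $_.Name -eq '_HELP_INSTRUCTION.txt' }
    $hits | Group-Object DirectoryName | ForEach-Object {
        $enc   = @($_.Group | Where-Object { $_.Extension -eq '.coban' })
        $times = @($enc | Sort-Object LastWriteTime)
        [pscustomobject]@{
            Folder         = $_.Name
            EncryptedFiles = $enc.Count
            EncryptedBytes = [long]($enc | Measure-Object Length -Sum).Sum
            RansomNote     = [bool]($_.Group | Where-Object { $_.Name -eq '_HELP_INSTRUCTION.txt' })
            # Assumption: LastWriteTime reflects when the file was encrypted; malware can alter it.
            FirstWrite     = if ($times.Count) { $times[0].LastWriteTime }
            LastWrite      = if ($times.Count) { $times[-1].LastWriteTime }
        }
    }
}

$impact = @(Get-CobanImpact)
$impact | Sort-Object EncryptedFiles -Descending | Format-Table -AutoSize

# The overall window helps choose a backup that predates the encryption.
$dated = @($impact | Where-Object { $_.FirstWrite })
if ($dated.Count) {
    $start = ($dated | Sort-Object FirstWrite)[0].FirstWrite
    $end   = ($dated | Sort-Object LastWrite)[-1].LastWrite
    "Encrypted files were written between $start and $end"
}
# Keep the inventory next to the copy of the encrypted files.
$impact | Export-Csv -NoTypeInformation -Path '.\coban-impact.csv'
```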

Remove Coban Ransomware – Restore .coban Files

To sum up, Coban ransomware is a devastating infection that should be removed as soon as it is detected on the PC. Only after Coban ransomware has been completely removed from the system can you use it normally again. Otherwise, the ransomware will start its malicious files each time you start the PC, encrypt all new files that are on its target list, and interrupt regular system performance. Coban ransomware can be removed either manually or automatically. Both methods are presented in the step-by-step Coban ransomware removal guide below. Security researchers recommend the help of an advanced anti-malware tool for maximum efficiency.

After removing Coban, back up all encrypted files to an external drive and then proceed with the .coban file restore process, which is also presented in the instructions below.


To remove Coban follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Coban files and objects
2. Find files created by Coban on your PC

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Coban
Gergana Ivanova

Gergana has completed a bachelor's degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections. She believes that in times of constantly evolving dependency on network-connected technologies, people should spread the word, not the war.
