.Cobra Files Virus (Dharma Ransomware) – Remove and Restore Files

This article aims to help you by showing how to remove the latest variant of Dharma ransomware virus and restore files that have been encrypted with the .cobra file extension added to them.

A new variant of Dharma ransomware, itself an offshoot of the notorious CrySiS ransomware family, has reappeared and is likely to begin infecting computers all over the world. The virus may use the AES encryption algorithm to encrypt important documents, images, videos and other types of files, meaning that they can no longer be opened until they are unlocked with a specific decryption key. Since that key is only available to the creators of the .cobra files virus, they demand a ransom payment from victims to get the files decrypted again. If you are one of the victims of the .cobra Dharma ransomware, we recommend that you read this article immediately to learn how to effectively remove the .cobra variant of Dharma and how to try to recover most of your encrypted files without having to pay a hefty ransom.

Threat Summary

Name: .cobra Virus
Type: Ransomware, Cryptovirus
Short Description: New variant of the notorious Dharma Ransomware, which derives from the CrySiS virus family. Encrypts your files and then demands a ransom to be paid to get them to work again.
Symptoms: Files are encrypted with an added .cobra extension and are no longer accessible. A ransom note appears on the infected computer with ransom instructions.
Distribution Method: Spam Emails, Email Attachments, Executable files

.cobra Files Virus – Infection Process

In order to infect a computer effectively, the .cobra variant of Dharma ransomware uses very cunning tactics. The main one, which accounts for over 80% of ransomware infections worldwide, is malicious e-mail spam. The cyber-criminals behind this variant of Dharma ransomware use deceitful techniques to convince unsuspecting victims to open a malicious e-mail attachment. They often pretend that the attachment is a legitimate document, like:

  • An invoice for a purchase that the user does not recall making.
  • A receipt of an order.
  • A banking statement.

The e-mails often contain convincing statements, like the following example:

Most files attached to those e-mails are either the infection executable itself or a Microsoft Office document with malicious macros that trigger the infection process. This happens after you open the document and enable the macros yourself:

So far, one .exe file has been linked to infections with the .cobra files variant of Dharma ransomware; researcher Jakub Kroustek (@JakubKroustek) has reported it to have the following parameters:

Dharma .cobra Ransomware Variant – Malicious Activity

When an infection with this variant of Dharma ransomware takes place, the SERVICE_2017-11-04_12-18.EXE infection file may connect silently to a remote C&C (Command and Control) server and download the payload of the .cobra files variant of Dharma from there. This payload consists of a main executable responsible for the encryption process, together with other support files dropped alongside it. The malicious files may be dropped in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

In addition to simply dropping files on your computer, the Dharma .cobra files variant may also modify the Run and RunOnce Windows registry sub-keys, which are responsible for running the malicious executable of this file-encrypting virus automatically at logon. In them, a string value may be created whose data points to the exact name (which is often random) and location of the malicious file belonging to the .cobra files variant of Dharma. The sub-keys can be found in the Windows Registry Editor under the following keys:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
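An added example for checking this persistence mechanism on a machine you are investigating; it is not code from the article or from the malware. It reads the Run and RunOnce sub-keys under both hives listed above and flags any autostart value whose executable sits in one of the drop folders the article names (%AppData%/%Roaming%, %Local%, %LocalLow%, %Temp%); the folder paths are assumptions about a standard Windows profile.

```powershell
# Added example (not from the article): audit Run/RunOnce autostart values and
# flag those whose executable lives in the user-writable drop folders the
# article lists. Run in an elevated PowerShell to read the HKLM keys fully.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drop locations from the article, resolved for the current profile (assumed layout).
$suspiciousRoots = @(
    $env:APPDATA,                               # %AppData% / %Roaming%
    $env:LOCALAPPDATA,                          # %Local%
    "$env:USERPROFILE\AppData\LocalLow",        # %LocalLow%
    $env:TEMP                                   # %Temp%
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Metadata properties Get-ItemProperty adds to every result; they are not autostart values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspiciousAutostart {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            # Executable path: the quoted token if present, otherwise the first
            # whitespace-separated token (heuristic; unquoted paths containing
            # spaces get truncated and then simply fail the Exists check).
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
            $inDropDir = [bool]($suspiciousRoots | Where-Object { $exe.StartsWith($_) })
            [PSCustomObject]@{
                Key        = $key
                ValueName  = $prop.Name
                Command    = $cmd
                Exists     = (Test-Path -LiteralPath $exe -PathType Leaf)
                Suspicious = $inDropDir
            }
        }
    }
}

# Show entries in a drop folder, plus entries whose target is gone (droppers
# often delete themselves after running, leaving a dangling autostart value).
Get-SuspiciousAutostart | Where-Object { $_.Suspicious -or -not $_.Exists } | Format-Table -AutoSize
```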

After it has been executed on your computer, this .cobra files iteration of Dharma ransomware aims to encrypt the files on your computer and make file recovery very difficult for you. To do this, the virus first deletes your backups and shadow volume copies by silently running the vssadmin and bcdedit commands in the Windows Command Prompt:

→ vssadmin delete shadows /for={volume} /oldest /all /shadow={ID of the Shadow} /quiet
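An added example, not from the article, of how a defender can check for this step after the fact: it searches the Security log for process-creation events whose command line matches the vssadmin deletion above (and, as an assumed indicator, bcdedit /set changes), and reports how many shadow copies are still present. It assumes process-creation auditing (Event ID 4688) with command-line logging is enabled; without it the event query returns nothing.

```powershell
# Added example (not from the article): look for evidence of the shadow-copy
# deletion step and check what is left. Run from an elevated prompt; reading
# the Security log requires administrator rights.
$tamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',   # the command quoted in the article
    'bcdedit(\.exe)?\s+/set\b'               # assumed indicator: bcdedit boot/recovery changes
)

function Find-ShadowCopyTampering {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    # 4688 = "A new process has been created"; SilentlyContinue also covers "no events found".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        foreach ($pattern in $tamperPatterns) {
            if ($msg -notmatch $pattern) { continue }
            # 4688 messages carry these labelled fields; extract them for the report.
            $proc = if ($msg -match 'New Process Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
            $line = if ($msg -match 'Process Command Line:\s*(.+)') { $Matches[1].Trim() } else { '' }
            [PSCustomObject]@{
                Time    = $e.TimeCreated
                Process = $proc
                Command = $line
                Matched = $pattern
            }
            break   # one report row per event, even if several patterns match
        }
    }
}

# State check to go with the log search: a machine that should have restore
# points but now lists zero shadow copies is consistent with a successful
# "vssadmin delete shadows" run.
function Get-ShadowCopyCount {
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

"Shadow copies currently present: $(Get-ShadowCopyCount)"
Find-ShadowCopyTampering -Days 7 | Format-Table -AutoSize
```

If command-line logging was off, the Process column still shows vssadmin.exe or bcdedit.exe launches, which is enough to warrant a closer look.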

.cobra Files Virus – Encryption Process

For the encryption process, the .cobra files virus may use an advanced encryption technique also used in its previous variants. Without going into technical details, the most important thing to know about this encryption mode is that it overwrites part of the contents of the legitimate files on your computer with output from the encryption algorithm it uses. The virus does not replace the whole file, however, but only a portion of it, such as its header or footer, which is enough to make the file no longer openable. To encrypt files, the .cobra variant of Dharma ransomware has a pre-configured list targeting the most commonly used file types on your computer, some of which are the following:

“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
CAD Files: .DWG .DXF
GIS Files: .GPX .KML .KMZ
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded Files: .HQX .MIM .UUE
.7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

The .cobra files variant of Dharma is also very careful not to encrypt any files in the %Windows% folder or other system directories. After the encryption process is complete, which usually takes a couple of seconds, the .cobra extension is added to the files along with the e-mail address for contacting the cyber-criminals. A file encrypted by this Dharma ransomware variant may appear in the format below:

How to Remove .cobra Files Virus and Restore Encrypted Files

In order to remove this iteration of Dharma ransomware, you should follow the step-by-step removal instructions below. They are organized specifically to help you isolate and then delete Dharma ransomware. While those instructions are divided into manual and automatic removal, be advised that most ransomware researchers advise removing dangerous malware, like the .cobra files variant of Dharma, automatically, using advanced anti-malware software that will scan for it and remove any trace of the malware safely and quickly.

Furthermore, if you want to restore files that have been encrypted with the .cobra file extension, we advise you to check out the alternative file recovery methods which we have suggested in step “2. Restore files encrypted by .cobra Virus” below. They may not be 100% effective in recovering all the files, but may help you restore a lot of your encoded data without having to pay the ransom.

To remove .cobra Virus follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove .cobra Virus files and objects
2. Find files created by .cobra Virus on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by .cobra Virus

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
