.Cobra Files Virus (Dharma Ransomware) – Remove and Restore Files

This article shows how to remove the latest variant of the Dharma ransomware and how to restore files that have been encrypted and given the .cobra file extension.

A new variant of the notorious CrySiS ransomware family, called Dharma ransomware, has reappeared and is likely to begin infecting computers all over the world. The virus may use the AES encryption algorithm to encrypt important documents, images, videos and other types of files, meaning that they can no longer be opened until they are unlocked with a specific decryption key. Since that key is available only to the creators of the .cobra files virus, they demand a ransom payment from victims to get the files decrypted. If you are one of the victims of the .cobra Dharma ransomware, we recommend that you read this article immediately to learn how to effectively remove the .cobra variant of Dharma and how to try to recover most of your encrypted files without paying a hefty ransom.

Threat Summary

Name: .cobra Virus
Type: Ransomware, Cryptovirus
Short Description: New variant of the notorious Dharma ransomware, which derives from the CrySiS virus family. Encrypts your files and then demands that a ransom be paid to get them to work again.
Symptoms: Files are encrypted with an added .cobra extension and become no longer accessible. A ransom note with payment instructions appears on the infected computer.
Distribution Method: Spam e-mails, e-mail attachments, executable files

.cobra Files Virus – Infection Process

In order to effectively infect a computer, the .cobra variant of Dharma ransomware uses very cunning tactics. The main one accounts for over 80% of ransomware infections worldwide and is conducted via malicious e-mail spam. The cyber-criminals behind this variant of Dharma ransomware use deceitful techniques to convince unsuspecting victims to open a malicious e-mail attachment. They often pretend that the attachment being sent is a legitimate document, like:

  • An invoice for a purchase that the user does not recall making.
  • A receipt of an order.
  • A banking statement.

The e-mails often contain convincing statements, like the following example:

The files attached to those e-mails are most often either the infection executable itself or a Microsoft Office document that uses malicious macros to trigger the infection process. This happens after you open the document and enable the macros yourself:

So far, one .exe file has been associated with the infection by the .cobra files variant of Dharma ransomware, and researcher Jakub Kroustek (@JakubKroustek) has reported it to have the following parameters:

Dharma .cobra Ransomware Variant – Malicious Activity

When an infection with this variant of Dharma ransomware takes place, the SERVICE_2017-11-04_12-18.EXE infection file may silently connect to a remote C&C (Command and Control) server and download the payload of the .cobra files variant of Dharma from there. This payload consists of a main executable, responsible for the encryption process, and other support files added alongside it. The malicious files may be dropped in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

In addition to dropping files on your computer, the Dharma .cobra files variant may also modify the Run and RunOnce Windows registry sub-keys, which are responsible for automatically starting the malicious executable that encrypts files. In them, a value string may be created whose data points to the exact name (which is often random) and location of the malicious file belonging to the .cobra files variant of Dharma. The sub-keys are located in the Windows Registry Editor under the following key:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

After it has been executed on your computer, this .cobra files iteration of Dharma ransomware aims to encrypt the files on your computer and make file recovery very difficult for you. To do this, the virus first deletes your backups and shadow volume copies by silently running the vssadmin and bcdedit commands in the Windows Command Prompt:

→ vssadmin delete shadows /for={volume} /oldest /all /shadow={ID of the Shadow} /quiet
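As an added example (not from the article or from any vendor tool), the following Python pass flags the two host behaviours described above in constructed, simplified log lines: Run/RunOnce values whose data points into user-writable directories such as %AppData% or %Temp%, and shadow-copy deletion via vssadmin. The bcdedit pattern for disabling boot recovery is an assumption about a commonly observed variant, since the article names the tool but not its arguments, and the `type=...|key=value` line format is constructed for the example, not a real Sysmon export.

```python
import re

# Constructed, simplified event lines ('|'-separated key=value pairs), not a real Sysmon export.
SAMPLE_EVENTS = [
    "type=process|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin delete shadows /all /quiet",
    "type=process|image=C:\\Windows\\System32\\bcdedit.exe|cmd=bcdedit /set {default} recoveryenabled no",
    "type=process|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin list shadows",
    "type=registry|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|value=svchost|data=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe",
    "type=registry|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|value=upd|data=%TEMP%\\upd.exe",
    "type=registry|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|value=OneDrive|data=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
]

# Shadow-copy deletion as described in the article ("vssadmin delete shadows ...").
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)
# Assumed bcdedit usage (commonly observed in ransomware; the article does not give the arguments).
BOOT_RECOVERY_OFF = re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)
# Autorun keys named in the article, and the user-writable drop directories it lists.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = re.compile(r"(\\AppData\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\Temp\\|\\LocalLow\\)", re.I)


def parse_event(line):
    """Split 'k=v|k=v' into a dict; only the first '=' in each field separates key from value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return the list of finding labels for one parsed event (empty list = nothing suspicious)."""
    findings = []
    if event.get("type") == "process":
        cmd = event.get("cmd", "")
        if SHADOW_DELETE.search(cmd):
            findings.append("shadow_copy_deletion")
        if BOOT_RECOVERY_OFF.search(cmd):
            findings.append("boot_recovery_disabled")
    elif event.get("type") == "registry":
        if AUTORUN_KEY.search(event.get("key", "")) and USER_WRITABLE.search(event.get("data", "")):
            findings.append("autorun_from_user_writable_path")
    return findings


def scan(lines):
    """Return [(line_index, findings)] for every line that produced at least one finding."""
    hits = []
    for i, line in enumerate(lines):
        found = classify(parse_event(line))
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels, SAMPLE_EVENTS[idx])
```

The legitimate OneDrive autorun entry and the read-only `vssadmin list shadows` call are included to show that the rules key on the drop location and the delete verb, not on the key or tool name alone.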

.cobra Files Virus – Encryption Process

For the encryption process, the .cobra files virus may use an advanced encryption technique also used in its previous variants. Without going into technical details, the most important thing to know about this encryption mode is that it overwrites part of the structure of the legitimate files on your computer with the output of the encryption algorithm it uses. The virus does not replace the whole content of the file, however, but only a portion of it, such as its header or footer, which is enough to make the file no longer openable. To encrypt files, the .cobra variant of Dharma ransomware has a pre-configured list of the most commonly used file types on your computer, some of which are the following:


The .cobra files variant of Dharma is also very careful not to encrypt any files in the %Windows% folder or other system directories. After the encryption process is complete, which usually takes a couple of seconds, the .cobra extension is added to the files along with the e-mail address for contacting the cyber-criminals. A file encrypted by this Dharma ransomware variant may appear in the format below:

How to Remove .cobra Files Virus and Restore Encrypted Files

In order to remove this iteration of Dharma ransomware, you should follow the step-by-step removal instructions below. They are specifically organized to help you isolate and then delete Dharma ransomware. While those instructions are divided into manual and automatic removal, be advised that most ransomware researchers advise removing dangerous malware like the .cobra files variant of Dharma automatically, using advanced anti-malware software which will scan for it and remove any trace of the malware safely and quickly.

Furthermore, if you want to restore files that have been encrypted with the .cobra file extension, we advise you to check out the alternative file recovery methods suggested below in step "2. Restore files encrypted by .cobra Virus". They may not be 100% effective at recovering all the files, but may help you restore a lot of your encoded data without having to pay the ransom.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
