Cobra Ransomware

Posted by Lisa Blanc on December 1, 2017

What is Cobra Ransomware?

The malicious Cobra Ransomware is not like most other file-encryptor. Just like most threats of this nature, it encrypts personal files, such as photos, archives, or documents, but it also goes on to encrypt files that belong to programs. These, of course, are much easier to replace, but that still can create problems. When files are encrypted, the “.id-.[cranbery@colorendgrace.com].cobra” extension is added to their names, and so it is impossible for you to miss the ones that were hit. Unfortunately, removing the extension from files will not help you recover your files. You will also be unable to recover files if you rely on shadow volume copies because the ransomware erases them using the “vssadmin delete shadows /all /quiet” command. Third-party decryptors that would help in this situation do not exist either. Basically, there is nothing anyone can do to help you recover the encrypted files. Unfortunately, the cyber crooks behind this threat will dangle a decryptor in front of your nose using the ransom note, and instead of focusing on that, you need to focus on the removal of the threat!testtesttest

How does Cobra Ransomware work?

Crysis Ransomware is a well-known infection, and it was found that this is the threat that the malicious Cobra Ransomware was created looking at. Both of these threats are believed to slither into the operating system using spam emails or RDP vulnerabilities. Once in, this malware does not waste any time to encrypt files. The encryption process is silent, and so you will not notice it until it is complete. This is when you should discover the ransom note files. There are two of them, but multiple copies could be created. One file (“Files encrypted!!.txt”) is created on the Desktop, and the second one (“info.hta”) is concealed in the Start Menu directory under “Programs.” Both Cobra Ransomware files introduce you to an email address, cranbery@colorendgrace.com, which, as you can see, is also included in the extension that is added to the encrypted files. This email address allows you communicating with cyber criminals, but that is not such a good idea. If you email them – which you can do to have several of your files decrypted for free – you need to set up a different email address for yourself because you do not want it recorded for other purposes.

If you email the creator of Cobra Ransomware, you will receive instructions showing how to pay the ransom in return of a decryption tool. First of all, no one can guarantee that a tool like that exists at all. Most likely, it does not, and so spending money on it is a waste. Even if cyber crooks have a decryption key, they do not need to give it to you, and that is exactly what happens in most cases, regardless of which ransomware threat we are talking about. The only thing you can rely on is your own backups. If they exist, you will be able to replace the corrupted copies with the backup ones. Before you do that, you must remove Cobra Ransomware. You already know where you can find the ransom note files, and you can delete them right away. Unfortunately, that is not how you eliminate the entire infection.

How to delete Cobra Ransomware

Besides the launcher of the malicious Cobra Ransomware, there is at least one more copy of the threat – but no more than two – and it should be placed along with the info.hta file in the Programs folder. You can use the guide below, if you are sure that you can remove Cobra Ransomware all by yourself. Just keep in mind that this infection is not very straightforward, and eliminating it manually is not the best solution. Our research team recommends using anti-malware software instead. It can simultaneously take care of existing threats and the overall protection of your operating system as well. If you understand how crucial it is to set up the right security software to protect you in the future, this is the solution for you. Is it clear now what you need to do? If it is not, you can always contact our Anit-Spyware-101.com research team using the comments section below. We will try to respond as soon as possible.

Removal Instructions

  1. Delete the Files encrypted!!.txt file from the Desktop.
  2. Delete the info.hta file from these locations (launch Explorer by tapping Win+E and enter the pathinto the bar at the top to access the directory):
    • %ALLUSERSPROFILE%\Start Menu\Programs
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
  3. Find and Delete the malicious launcher .exe file responsible for the ransomware.
  4. Find and Delete the copies of the malicious launcher .exe file in the directories listed in step 2.
  5. Empty Recycle Bin to completely eliminate the infection.
  6. Install a trustworthy malware scanner to check if you have succeeded. 100% FREE spyware scan and
    tested removal of Cobra Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *