During the pandemic, ransomware attacks spiked by 148% compared to the February 2020 baseline. Security experts have noticed the increasing frequency of COVID-19 related attacks, but instances including other ransomware variants also skyrocketed. This could be attributed to the sudden rise in possible targets, with 70% of the workforce forced to work from home, where internet security is much more relaxed compared to the office setting.
One of the ransomware attacks that wreaked havoc during the global lockdown is the Cobra Locker ransomware. The files are locked using AES and RSA algorithms and given the .cobra file extension. This threat is usually spread via downloads from malicious websites, clicking on spam emails, or direct injection by other malware. The attackers usually demand payment for the files to be unlocked, otherwise the users won’t be able to access them.
What is Cobra Locker Ransomware?
Cobra Locker ransomware, also known as Cobra_Locker, was first reported by Twitter user @dnwls0719 in June 2020. It is a new ransomware strain developed to exploit people affected by the pandemic. This cryptovirus works by encrypting the user’s data and demanding that the victim pay for the decryption service. Cobra Locker ransomware usually targets videos, pictures, documents, archives, databases, and other types of data on your computer. All these files are locked and encrypted, making them inaccessible to the user until the ransom is paid.
It is very obvious when your computer is infected with the Cobra Locker ransomware because you’ll get a pop-up message with a glaring red background, that reads:
Cobra_Locker
Oops! Your have been encrypted!
If you want decrypt your files you must have decryption code
All your important files were encrypted on this PC.
All files with .Cobra extension are encrypted.
Encryption was produced using unique private key generated for this computer.
To decrypt your files, you need to obtain private key.
To retrieve the private key you need to contact us by email
Cobra_Locker@protonmail.com send us an email and wait for further
instructions.
E-mail address to contact us:
Cobra_Locker@protonmail.com
If you want decrypt your files you must have decryption code
Cobra Locker ransomware detections:
- DrWeb: Trojan.Encoder.31957 and Trojan.Encoder.32077
- ALYac: Trojan.Ransom.Filecoder
- Avira (no cloud): TR/Ransom.avuwe
- BitDefender: Gen:Heur.Ransom.RTH.1, Trojan.GenericKD.43441079
- ESET-NOD32: a variant of MSIL/Filecoder.YQ or a variant of MSIL/Filecoder.AAX
- Malwarebytes: Ransom.FileCryptor or Ransom.CobraLocker
- Rising: Ransom.Encoder 8.FFD4
- Symantec: ML.Attribute.HighConfidence
- Tencent: Msil.Trojan.Encoder.Wtod
- TrendMicro: TROJ_GEN.R002H09FE20
A month later, a new ransomware came out using the .IT extension to encrypt the files. This was detected in early July, and it uses the same email address mentioned in the Cobra Locker ransomware notification. The attacker also uses a picture of Pennywise from the movie IT as a background, for added scare factor. The pop-up message usually reads:
You have fallen victim to IT ransomware!
All your important files have been encrypted! And your screen is locked!
let me introduce you to the rules
- to unlock screen you must enter special key
- to decrypt files you must contact with us: Cobra_Locker@protonmail.com
IT Detections:
- DrWeb: Trojan.Encoder.32077
- BitDefender: Trojan.GenericKD.43441079
- ESET-NOD32: a variant of MSIL/Filecoder.AAX
- Malwarebytes: Ransom.CobraLocker
- Symantec: ML.Attribute.HighConfidence
Neither ransom note says how the ransom is to be paid or how much it is. To find out how your files can be decrypted, you have to email the attacker directly at the address given.
However, don’t get your hopes up. Even if you pay the ransom, there is no guarantee that the attacker will still care to decrypt your files. It is possible that you’ll be ignored once the payment has been made.
What Can Cobra Locker Ransomware Do?
Cobra Locker and IT ransomware come from the same group of attackers and we can safely assume that they work the same way.
Cobra Locker ransomware encrypts the user’s files using AES + RSA algorithms and adds a .Cobra extension to every file. IT ransomware, on the other hand, adds the .IT extension to the files. Both work by scanning your system and automatically encrypting MS Office documents, OpenOffice files, PDFs, text files, databases, images, music, videos, archives, and others. According to the ransom note, you won’t be able to access these files unless you pay the fee demanded by the attacker.
This ransomware can cause quite a headache, especially if the victim does not have a backup copy of the encrypted files. So what do you do when your computer is infected by the Cobra Locker ransomware?
Cobra Locker Ransomware Removal Instructions
The first thing you need to do when you get infected by either the Cobra Locker or IT ransomware is to remove the threat from your computer to prevent it from encrypting more files. After that, you can try recovering your files.
Here’s how to remove Cobra Locker ransomware and IT ransomware from your computer:
Step 1: Boot Into Safe Mode With Networking.
- Click Windows > Power icon, then choose Restart while pressing the Shift key.
- Select Troubleshoot > Advanced Option.
- Click on Startup Settings > Restart to reboot your computer.
- When Windows boots up, press F5 or number 5 on the keyboard to boot into Safe Mode With Networking.
Step 2: Remove the Ransomware.
The next step requires security software that is able to detect and remove the ransomware from your computer. If you don’t have suitable anti-malware software, download it first before proceeding with this step. Once you have installed the antivirus, scan your computer and delete all the infected files. Here are the files related to the ransomware:
- Ransomware.exe or IT.exe
- CobraLocker.dll
- _readme.txt
- readme.txt
Step 3: Recover Your Files.
The last step is to try to recover your files. There is no decryptor designed for this ransomware yet, so try one of the options below:
Use a generic decryptor.
There are several decryption software available today, designed by security experts, such as Michael Gillespie, Kaspersky, Emsisoft, and others. You can try any of them to see which works.
Use a system restore point.
Your other option is to roll your system back to a restore point before the infection happened. This can be tricky, especially if you don’t know at which point your system got infected. To be safe, choose a restore point that is way before the ransomware was discovered (June 2020).
Use a third-party recovery software.
If the decryptors don’t work and you do not have a system restore point you can use, your last option is to use recovery programs, such as Recuva, EaseUS Data Recovery, or Stellar. You can check other recovery programs you can use here.
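A triage helper for the removal and recovery steps above, added here as an example and not part of the original article or of any vendor tool: it copies every .Cobra/.IT file into a separate backup tree (so decryptors and recovery tools run against copies, never the only remaining ciphertext) and lists the dropped files named in Step 2 for removal. The directory layout and file contents in demo() are constructed, and the backup location is an assumption.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Indicators from the write-up: extensions each variant appends and the files
# it drops. Everything else in this script is an assumption.
ENCRYPTED_EXTENSIONS = {".cobra", ".it"}
RANSOM_ARTIFACTS = {"ransomware.exe", "it.exe", "cobralocker.dll",
                    "_readme.txt", "readme.txt"}

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(root: Path, backup: Path) -> dict:
    """Copy every encrypted file under root into backup (same layout) and list
    dropped artifacts for the removal step. Nothing under root is modified."""
    report = {"backup": str(backup), "encrypted": [], "artifacts": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)  # copy2 keeps timestamps for later analysis
            report["encrypted"].append((rel, sha256_of(path)))
        elif path.name.lower() in RANSOM_ARTIFACTS:
            report["artifacts"].append(rel)
    return report

def verify_backup(report: dict) -> bool:
    """True when every backup copy exists and hashes like its original."""
    backup = Path(report["backup"])
    return all((backup / rel).is_file() and sha256_of(backup / rel) == digest
               for rel, digest in report["encrypted"])

def demo() -> dict:
    """Constructed sample tree standing in for an infected user profile."""
    tmp = Path(tempfile.mkdtemp())
    victim = tmp / "victim"
    (victim / "Documents").mkdir(parents=True)
    (victim / "Pictures").mkdir()
    (victim / "Documents" / "thesis.docx.Cobra").write_bytes(b"\x00ciphertext")
    (victim / "Documents" / "_readme.txt").write_text("Cobra_Locker note")
    (victim / "Pictures" / "holiday.jpg.IT").write_bytes(b"\x01ciphertext")
    (victim / "Pictures" / "untouched.png").write_bytes(b"\x89PNG")
    (victim / "IT.exe").write_bytes(b"MZ")  # constructed placeholder, not malware
    return triage(victim, tmp / "backup")
```

Run triage() against the real user profile only after Step 2 has finished, and keep the backup tree on a separate volume so a re-run of the ransomware cannot reach it.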
Summary
Ransomware can be difficult to deal with, particularly if you don’t have a backup of your files. The most important thing is to delete the ransomware from your device first before trying any of the recovery methods mentioned above. Make sure you copy all the encrypted files first before trying to unlock them to avoid data loss. If all else fails, you can simply choose to wait for a Cobra Locker-dedicated decryptor to be released.