Coban Ransomware Removal Guide

Ransomware is usually noticed very easily because of its interfaces that pop up once users' data is encrypted. The Coban Ransomware does not have this feature because its ransom warning is available only in a .txt file named _HELP_INSTRUCTION.txt. The Coban threat is another ransomware infection that is ascribed to the CryptoMix family, including threats such as Mole, CryptoShield, and Revenge. All these threats, including Coban, should be removed from the computer once spotted without paying attention to the attacker's requirements provided in the notepad files. Ransomware is created for financial gain, but you can deprive cyber criminals of profit by taking preventative measure of ransomware attacks so that you sensitive data remains intact.

Like many other ransomware infections, the Coban Ransomware tinkers encrypted files. The infection adds its extension .coban to the existing one. However, our analysis of the infection has revealed that  the Coban Ransomware does not affect all the files; instead of compromising all your data, the threat bypasses files in the Windows and Program Files directories.

As regard ransom notes, they are created in every directory so that victims find the attackers' requirements in every affected directory they access. The first sentence informs users that their devices are affected because of some vulnerability, which is partially true. Every unprotected operating system is an easy bait for ransowmare. For example, the notorious ransomware WannaCry has caused global havoc after exploiting a vulnerability named EternalBlue MS17-010. The ransomware was targeted at outdated operating system, so, if you keep your OS, as well as software programs, non-updated, you put yourself at risk.

In the ransom message, the attackers do not mention the sum of the ransom, only that the payment has to be made in bitcoins. A link to a page where the currency can be bought is given, without any further information. However, victims are required to sent the attackers the unique code created by the ransomware threat to ms.decry@aol.com. In most cases when attackers do not bother to set a fixed sum for decryption, victims are told that the price depends on how quickly their victims contact the attackers for more information. Sometimes the longer the delay, the bigger the sum. However, you should not worry about purchasing bitcoins and submitting the payment because the odds of getting some decryption tool is very low. Cyber attackers usually do not decrypt their victims' files because their primary goal is to collect money, but not help their victims restore their data.

In order to prevent similar incidents in the future, you should always keep the operating system protected. Moreover, it is highly advisable to back up files on regular basis to a storage device. Other preventative measures such as avoiding harmful websites and not opening questionable emails should also be taken into consideration. Malware is spread by employing different methods and channels, and you should beware of browsing the Net carelessly. Every device connected to the networks is an attractive target, so, if you want to use the Internet without exposing yourself to potential danger, take the measures recommended.

The Coban Ransomware should be removed from the computer once noticed. The fact that the computer is infected implies that your operating system could be found by other threats. Malware is installed surreptitiously, so you may not suspect that some malicious software is running in the background. We recommend that you remove have the Coban Ransomware removed by a reputable security tool, but if you feel the need to try removing the threat yourself, the instructions below should help you terminate the infection. After removing the threat, consider scanning the system to make sure that the operating system is malware-free.

How to remove the Coban Ransomware

1. Press Win+R to open the Run utility.
2. Type in regedit and click OK.
3. Follow these two paths and delete the registry values BC0EBCF2F2 and *BC0EBCF2F2:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run     | BC0EBCF2F2
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | *BC0EBCF2F2

1. After deleting the malicious registry values, press Win+R  and type in %ALLUSERSPROFILE%.
2. Delete BC0EBCF2F2.exe.
3. Also access the Application Data directory and remove BC0EBCF2F2.exe.