
Coban Ransomware

Posted: October 23, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 65
First Seen: October 23, 2017
OS(es) Affected: Windows

The Coban Ransomware is a Trojan that encrypts the victim's files to hold them hostage and then drops generated text messages demanding payment to undo the attack. Because the Coban Ransomware's encryption may or may not be compatible with current decryption software, malware experts strongly recommend keeping backups, which remove any need to decode the Trojan's cipher. Appropriate anti-malware applications also can uninstall the Coban Ransomware safely or block its installation outright.

Another Annal for the Tale of the CryptMix Ransomware

The family of file-blocking Trojans referred to interchangeably as CryptoMix or the CryptMix Ransomware has received updates from its threat actors and affiliates unusually quickly. The second half of October continues that pattern with the Coban Ransomware, a variation on the usual theme whose main change is the new marker it appends to the names of the files it encrypts. Like the Exte Ransomware and other members of the family, the Coban Ransomware requires the PC to be compromised by external means before it blocks your media and holds it for ransom.

Malware experts find no evidence of the Coban Ransomware departing from its family's established encryption scheme, which encrypts files with AES and then secures the AES key with an RSA key. The Coban Ransomware does generate network traffic, which it can use to retrieve a current version of the RSA key from its threat actor or to report a successful infection. However, PCs without a network connection also may have their data fully locked, because the Coban Ransomware ships with a default set of 'offline mode' keys for that case.

The Coban Ransomware overwrites the names of the files it locks with hexadecimal strings, which to the user may look like random alphanumeric characters. It also adds its '.coban' extension to every locked file, which makes the affected content easy to identify at a glance. Once the Coban Ransomware finishes locking documents, spreadsheets, pictures, and other media, it creates a ransom note asking you to pay Bitcoins for the threat actor's decryptor.

Shutting the Book on a Rapidly-Aging Line of Trojans

Web-browsing threats like the RIG Exploit Kit are the distribution method the CryptMix Ransomware family's threat actors often prefer. Other infection attempts use email attachments or brute-forced administrative logins. Although business networks are routine targets for threat actors delivering this type of payload, the Coban Ransomware is equally capable of blocking files on personal-use computers, and it also damages 'recreational' data formats such as pictures, movies and audio.

Since malware experts are still analyzing how the Coban Ransomware handles its encryption keys, they cannot confirm whether any decryption solution is suitable for unlocking a victim's files. Backups eliminate any need for decryption when restoring data, and they are recommended over paying the Coban Ransomware's ransom in particular, which relies on anonymous payment methods that protect the threat actor rather than the 'customer.' Most dedicated anti-malware programs, if sufficiently updated, also should remove the Coban Ransomware and interrupt any attempt at locking your files.

Some versions of the Coban Ransomware appear to include bugs that prevent the Trojan from installing and completing its payload. While this is a boon to users who expose their PCs to such risks, the pattern of fast updates in this family makes it a mistake to assume the Coban Ransomware will stay stagnant.

Technical Details

File System Modifications


The following files were created in the system:

File name: file.exe
Size: 165.37 KB (165376 bytes)
MD5: e2e992f1884ad6778856ff78d8c2e68f
Detection count: 71
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 25, 2017
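The indicators on this page (the hex-string renaming plus '.coban' extension described in the encryption section, and the dropper sample listed above by size and MD5) are enough for a first triage pass over a suspect machine. The following Python script is an added example, not code from the original page or from any vendor tool: it walks a directory tree, flags files whose name is a hexadecimal string ending in '.coban', and flags any executable whose size and MD5 match the listed sample. The minimum of 16 hex characters in the name check is an assumption, since the page does not state the length of the renamed files, and the demo tree it builds is constructed here rather than taken from a real victim.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the page.
COBAN_EXT = ".coban"
SAMPLE_MD5 = "e2e992f1884ad6778856ff78d8c2e68f"
SAMPLE_SIZE = 165376

# Assumption: renamed files are hex strings; the page gives no length, so
# 16 hex characters is a hypothetical floor to reduce false positives.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{16,}$")


def looks_encrypted(path):
    """True when the file carries '.coban' over a purely hexadecimal basename."""
    p = Path(path)
    if p.suffix.lower() != COBAN_EXT:
        return False
    return HEX_NAME.match(p.stem) is not None


def md5_of(path):
    """Stream the file through MD5 so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_sample(path):
    """Cheap size check first; only hash files that are the right length."""
    p = Path(path)
    return p.stat().st_size == SAMPLE_SIZE and md5_of(p) == SAMPLE_MD5


def scan_tree(root):
    """Return sorted lists of encrypted-looking files and sample-matching executables."""
    encrypted, droppers = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                encrypted.append(full)
            elif name.lower().endswith(".exe") and matches_sample(full):
                droppers.append(full)
    return {"encrypted": sorted(encrypted), "droppers": sorted(droppers)}


def build_demo_tree():
    """Constructed sample tree (not real victim data) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="coban_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # One file renamed the way the page describes: hex basename plus '.coban'.
    (docs / "0E3F9A7C5B2D1F6E8A4C7B9D2E1F3A5C.coban").write_bytes(b"\x00" * 64)
    # Untouched document: no extension match.
    (docs / "budget.xlsx").write_bytes(b"PK\x03\x04")
    # Extension only, non-hex stem: not counted, to avoid flagging unrelated files.
    (docs / "notes.coban").write_bytes(b"x")
    # An executable with the same name as the listed sample but different content.
    (Path(root) / "file.exe").write_bytes(b"MZ" + b"\x00" * 100)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    report = scan_tree(demo_root)
    print("Encrypted-looking files:", report["encrypted"])
    print("Executables matching listed sample:", report["droppers"])
```

The name check deliberately requires both the extension and a hex-only stem; a file that merely ends in '.coban' (such as a user-created note) is not counted, so the 'encrypted' list doubles as a rough count of affected files. Because the sample MD5 belongs to one specific build and the family is updated quickly, an empty 'droppers' list does not clear a machine; it only says this particular file was not found.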