Kobos ransomware is file-encrypting malware. It adds .kobos to encrypted files and shows a pop-up ransom note which demands that users pay a ransom in order to get a decryptor.
Kobos ransomware is malware that encrypts files. Once it manages to get into the computer, it will encrypt all important files, including photos, videos and documents. Once files are encrypted, users will be unable to open them. Users can know which files are encrypted by the [ArtemisDC@keemail.me].kobos extension added to files.
Once the file encryption process is complete, a ransom note will pop up and it will contain information about how users can start the file recovery process. Unfortunately, getting the decryptor involves paying the ransom. But paying the ransom is usually not recommended, mainly because it does not guarantee that a decryptor will be sent to users. Users should keep in mind that they are dealing with cyber crooks, and trusting them to keep their end of the deal would be naive. They can just take the money and not send the decryptor. It has unfortunately happened many times in the past, and it will probably happen in the future.
We should also warn users that there are many fake decryptors promoted on highly questionable websites, which could contain all kinds of malware. Malware researchers are sometimes able to release free decryptors to help users recover files, but one for Kobos ransomware is not currently available. If a decryptor were to be released, it would be posted on NoMoreRansom, which is a legitimate website for free decryptors released by anti-virus vendors and malware researchers.
Bad browsing habits can lead to a ransomware infection
Users can infect their computers with ransomware by doing something as simple as opening an email attachment, downloading a torrent, clicking on an ad when on a high-risk website, etc. Not installing essential security updates can also lead to a malware infection.
Ransomware is often distributed via malspam. Malicious spam emails have a file attached to them, which if opened would initiate the ransomware. Users whose email addresses have leaked in the past have a high chance of receiving a malspam email. The malicious emails are often quite obvious because they are sent from random email addresses, and contain loads of grammar and spelling mistakes. The senders of malspam usually pressure users into opening the email attachments by claiming they’re important documents that need to be reviewed promptly. While the emails are often fairly obvious, we recommend scanning all unsolicited email attachments with anti-virus software or VirusTotal before opening them.
Torrenting can also often lead to a malware infection. Torrent sites are often unregulated, which allows the cyber crooks to upload malware disguised as torrents for popular content, such as movies, video games, TV shows, and software. It should be mentioned that it’s especially common for a torrent of something very popular to contain malware. For example, torrents for the recently-released long-awaited video game Cyberpunk 2077 will likely contain malware. Users are discouraged from torrenting, not only because it’s stealing content but also because it’s dangerous for the computer.
What does the ransomware do?
As soon as the ransomware is initiated, it will start encrypting files. While users may not notice the process, they will immediately notice once files are encrypted. Affected files will have the .[ArtemisDC@keemail.me].kobos extension added to them. The extension will also contain users’ unique IDs, which are necessary when contacting the cyber crooks to initiate the decryption process. For example, image.jpg would become image.jpg.unique ID.[ArtemisDC@keemail.me].kobos. Users will not be able to open files with that extension unless they’re first decrypted. Instructions on how to initiate the decryption process are explained in the pop-up ## HOW TO RECOVER ##.hta ransom note.
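The naming scheme described above is enough to scope the damage on a disk and to work out which original file names need restoring from backup. The Python sketch below is an added example, not part of the original article; it assumes the unique ID contains no dots or brackets, and the sample ID and file names in it are constructed.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Naming scheme from the article: <original>.<unique ID>.[<contact e-mail>].kobos
# Assumption: the ID has no dots or brackets (its real format is not given).
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.\[\]]+)"
    r"\.\[(?P<email>[^\]]+@[^\]]+)\]\.kobos$", re.IGNORECASE)
RANSOM_NOTE = "## HOW TO RECOVER ##.hta"

def parse_encrypted_name(name):
    """Return (original, victim_id, email) for a renamed file, else None."""
    m = ENCRYPTED_RE.match(name)
    return (m["original"], m["victim_id"], m["email"]) if m else None

def inventory(root):
    """Walk root read-only and summarise what the ransomware touched."""
    report = {"encrypted": [], "notes": [], "ids": Counter(), "other": 0}
    for path in filter(Path.is_file, Path(root).rglob("*")):
        parsed = parse_encrypted_name(path.name)
        if parsed:
            original, victim_id, _email = parsed
            # Second item: the name to restore this file under from backup.
            report["encrypted"].append((path, path.with_name(original)))
            report["ids"][victim_id] += 1
        elif path.name.lower() == RANSOM_NOTE.lower():
            report["notes"].append(path)
        else:
            report["other"] += 1
    return report

def build_sample_tree(root):
    """Constructed sample: empty files, made-up names and a made-up ID."""
    suffix = ".SAMPLE-ID-0001.[ArtemisDC@keemail.me].kobos"
    for rel in ("docs/report.docx" + suffix, "pics/image.jpg" + suffix,
                "pics/" + RANSOM_NOTE, "docs/readme.txt", "archive.kobos"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rep = inventory(tmp)
    print(len(rep["encrypted"]), "encrypted,", len(rep["notes"]), "ransom note(s)")
    for enc, restore_to in sorted(rep["encrypted"]):
        print(f"  {enc.name} -> restore as {restore_to.name}")
```

The scan only reads directory entries, so it can be run against a mounted copy of the affected disk without modifying any files.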
The price for the decryptor is not mentioned in the ransom note; it supposedly depends on how quickly victims contact the cyber crooks behind this ransomware. Whatever the price may be, users should be very skeptical because paying is risky. When it comes to ransomware, there are no guarantees that a decryptor will be sent to users, or that it will work. Unfortunately, many users in the past did not receive the decryptor despite paying. Furthermore, paying encourages cyber crooks to continue their malicious activities. The reality is that as long as users continue to pay, cyber crooks will continue operating ransomware to make a profit.
Below is the ransom note dropped by this ransomware:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail : ArtemisDC@keemail.me
Write this ID in the title of your message : –
In case of no answer in 12 hours write us to this e-mail : ArtemisDC@protonmail.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
# Do not rename encrypted files.
# Do not try to decrypt your data using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
If users have a backup, there should be no issues with file recovery, as long as they first remove Kobos ransomware. If the ransomware is still installed when the backup is accessed, the backed-up files would become encrypted as well.
Kobos ransomware removal
Users should only try to remove Kobos ransomware via anti-virus software. If they try to delete Kobos ransomware manually, they may end up causing even more damage, as ransomware is a complex malware infection. Once the ransomware is gone, users should be able to safely access their backup to start recovering their files.
Kobos ransomware is detected as:
- A Variant Of MSIL/Kryptik.CHY by ESET
- FileRepMalware by AVG
- Trojan.Crypt.Generic by Malwarebytes
- UDS:DangerousObject.Multi.Generic by Kaspersky
- ML.Attribute.HighConfidence by Symantec
- Artemis!99D3CC737B0A by McAfee
- Trojan:Win32/Wacatac.DC!ml by Microsoft