Contents
Lucifer Kobs is a name of a malicious ransomware-type computer virus. According to our research, it is a variant of Spora ransomware. After being launched on the target computer, this virus encrypts all files and modifies their filenames by appending a string consisting of victim’s ID and the cybercriminal’s email address as well as random 4-character file extension. To illustrate, a file originally named 1.jpg may appear as 1.jpg[ID=7NoTll-Mail=Lucifer.kobs@mailfence.com].hgtk.
During the computer attack, the ransomware creates and saves a copy of a ransom note dubbed ReadMe_Now!.hta (HTML application that will be launched in a pop-up window for the victim) and a text version of it dubbed Read_Me!.txt.
The ransom note dropped by Lucifer Kobs ransomware explains that the virus has encrypted all data stored on the computer or the entire network and also downloaded original data to the criminals’ server. Identically to all typical ransomware operators, the actors behind this threat demand the victim to pay a ransom in order to get rid of problems – both data loss and leak of private information. The note threatens to publish sensitive data collected during the cyberattack and also send it to the competitors of the victim. Overall, the contents of the ransom note indicate that the primary targets of this computer virus are companies or government entities rather than regular home computer users.
The Read_Me!.txt note contains two email addresses that the victim can use to open a channel of communication with the attackers – lucifer.kobs@mailfence.com and luciferhelpe@cyberfear.com. The note also advises that the price of the file decryption tool will be doubled if the victim fails to contact the attackers within 48 hours. The note also advises checking the spam folder when waiting for the reply from the criminals.
Additionally, the note suggests the victim can send some encrypted files as email attachments to the criminals and they will respond by sending decrypted file versions back. This way, the attackers try to assure the victim there are “guarantees” that ransom payment will ensure complete data recovery.
The last section of the ransom note introduces some cryptocurrency exchange platfoms online that the victim can visit to buy Bitcoins. The criminals only accept these transactions in order to remain anonymous.
The ReadMe_Now!.hta ransom note is much shorter and contains only a few lines of text as shown below.
Files Encrypted Need Decrypt? Contact Us At: Lucifer.kobs@mailfence.com OR luciferhelpe@cyberfear.com.
Just like any other ransomware-type malware, Lucifer Kobs ransomware aims to extort the computer user after encrypting all of the data stored on the compromised system. When comparing this piece of malware to thousands of other ransomware samples, we have discovered that it is relatively complex and therefore files locked by it cannot be decrypted. The best solution to ransomware victims is to use data backups created prior to the attack.
Even if the situation seems hopeless, we strongly advise you not to pay the ransom. The same approach is supported by the FBI and other cybersecurity experts. In most cases, cybercriminals do not care about helping ransomware victims despite their willingness to pay up. For this reason, you shouldn’t waste your money and help cybercriminals fund their ransomware operations.
We strongly recommend you to remove Lucifer Kobs ransomware virus using a robust antivirus tool after prepping your computer for the scan. Boot your computer in Safe Mode with Networking to ensure an ideal environment for your antivirus to operate. In addition, we’d like to remind you that you should only use a genuine copy of antivirus.
Finally, our team suggests you to download and try RESTORO to repair virus damage on Windows OS files. You can use the free scan results to find and fix the damage manually, or choose the full version option to apply suggested repairs automatically.
Name | Lucifer Kobs Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | Spora ransomware |
Encryption type | AES-256 and RSA-2048 |
Extension | [ID=(victim’s ID)-Mail=Lucifer.kobs@mailfence.com].(4 random characters) |
Cybercriminal emails | Lucifer.kobs@mailfence.com, luciferhelpe@cyberfear.com |
Damage | This ransomware mainly targets large companies and governmental institutions. It encrypts all files on the compromised system and marks their names with an extension consisting of victim’s ID, cybercriminals’ email address and a 4 random characters. Ransom notes dropped by this virus are named as ReadMe_Now!.hta, Read_Me!.txt. The virus also claims to steal victim’s data and promise to publish it online and send it to the competitors of the victim if one refuses to pay the ransom. |
Ransom note | ReadMe_Now!.hta, Read_Me!.txt |
Ransom demand | Unknown |
Distribution | The threat actors use social engineering to trick potential victims into opening malicious files. They often hide this ransomware in spam email attachments (usually in PDF or DOC format). Furthermore, victims may find it inside illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico. |
Detection names | Trojan:Win32/Sabsik.FL.B!ml (Microsoft), DeepScan:Generic.Ransom.Spora.ED409FF5 (B) (Emsisoft), DeepScan:Generic.Ransom.Spora.ED409FF5 (BitDefender), Malware.AI.1426879145 (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using trustworthy software. To repair virus damage on Windows OS files, consider scanning with RESTORO (secure download link). |
REPAIR VIRUS DAMAGE
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Example of data folder containing files encrypted by Lucifer Kobs ransomware is shown below.
Ransomware-type threats are mostly distributed with the help of deceptive techniques like social engineering or phishing. In simple terms, the threat actors typically hide the malicious executable into fake software update tools, pirated software versions, malicious email attachments. Keep in mind that ransomware always comes disguised as something else. For this reason, we recommend that you only visit legitimate and reputable websites to download software or updates. Avoid shady websites that use rogue ad networks often involving malvertising to monetize their content. These often display ads that are deceptive, for example, offer software updates for your computer that are packed with unwanted spyware or even more severe threats.
When it comes to Spora ransomware variants such as Lucifer Kobs virus, cybersecurity experts have spotted that it mainly gets distributed via fake emails containing deceptive invoices in ZIP archives. The file inside the archive poses as a PDF or DOC document while in reality it is a HTML application (HTA file type) which, once executed, extracts a JScript component in computer’s %TEMP% directory, saves an encoded script into it and then runs this file to begin the attack.
Computer users are advised to be extremely vigilant when inspecting their email inboxes. Avoid opening any email attachments or inserted URLs if you can sense a tone of urgency in the email’s message. Furthermore, ask yourself if you were expecting such email to reach you. In addition, check if the sender’s email address wasn’t spoofed. This can be a sign that the sender’s intentions are malevolent, despite that the nicely designed message and the name of the email attachment do not raise any suspicion.
Automatic malware removal is always a recommended option. Trying to remove Lucifer Kobs ransomware virus manually can result in partial threat removal which leaves your computer at risk. For this reason, we recommend that you follow the tutorial given below and remove the virus using genuine antivirus solution, ideally, one that has real-time protection feature.
Furthermore, once you finalize Lucifer Kobs ransomware removal, consider downloading tools like RESTORO to identify and repair virus damage on Windows OS files.
OUR GEEKS RECOMMEND
Our team recommends removing malware using a professional antivirus software and then using the following tool to repair virus damage to Windows system files:
REPAIR VIRUS DAMAGE TO YOUR COMPUTER
RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.
RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.
Read full review here.
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
Lucifer Kobs Ransomware Virus Removal Guidelines
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
Now, you can search for and remove Lucifer Kobs Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
REPAIR VIRUS DAMAGE
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
JHGN ransomware locks all computer files using encryption JHGN ransomware is a new computer virus…
JHBG ransomware seeks to illegally encrypt all files saved on a computer JHBG ransomware is…
DEWD Ransomware Maliciously Aims To Encrypt Files Contained In Victims' Computers DEWD is a newly…
YGVB ransomware is a computer virus that encrypts all computer-stored files YGVB ransomware is a…
JHDD ransomware is a file-encrypting computer virus JHDD is a newly discovered ransomware-type virus that…
DMAY ransomware description DMAY is a malicious computer program classified as a ransomware virus. It…
This website uses cookies.