Remove LUCIFER KOBS Ransomware Virus (Removal Guide)

Remove LUCIFER KOBS ransomware virus and learn how to decrypt or recover your files (free guide)

Lucifer Kobs ransomware locks all of the files stored on a computer

Contents

Lucifer Kobs ransomware locks all of the files stored on a computer
Ransomware distribution explained
Remove Lucifer Kobs ransomware virus easily

Lucifer Kobs is a name of a malicious ransomware-type computer virus. According to our research, it is a variant of Spora ransomware. After being launched on the target computer, this virus encrypts all files and modifies their filenames by appending a string consisting of victim’s ID and the cybercriminal’s email address as well as random 4-character file extension. To illustrate, a file originally named 1.jpg may appear as 1.jpg[ID=7NoTll-Mail=Lucifer.kobs@mailfence.com].hgtk.

During the computer attack, the ransomware creates and saves a copy of a ransom note dubbed ReadMe_Now!.hta (HTML application that will be launched in a pop-up window for the victim) and a text version of it dubbed Read_Me!.txt.

Overview of the ransom note contents

The ransom note dropped by Lucifer Kobs ransomware explains that the virus has encrypted all data stored on the computer or the entire network and also downloaded original data to the criminals’ server. Identically to all typical ransomware operators, the actors behind this threat demand the victim to pay a ransom in order to get rid of problems – both data loss and leak of private information. The note threatens to publish sensitive data collected during the cyberattack and also send it to the competitors of the victim. Overall, the contents of the ransom note indicate that the primary targets of this computer virus are companies or government entities rather than regular home computer users.

The Read_Me!.txt note contains two email addresses that the victim can use to open a channel of communication with the attackers – lucifer.kobs@mailfence.com and luciferhelpe@cyberfear.com. The note also advises that the price of the file decryption tool will be doubled if the victim fails to contact the attackers within 48 hours. The note also advises checking the spam folder when waiting for the reply from the criminals.

Additionally, the note suggests the victim can send some encrypted files as email attachments to the criminals and they will respond by sending decrypted file versions back. This way, the attackers try to assure the victim there are “guarantees” that ransom payment will ensure complete data recovery.

The last section of the ransom note introduces some cryptocurrency exchange platfoms online that the victim can visit to buy Bitcoins. The criminals only accept these transactions in order to remain anonymous.

The ReadMe_Now!.hta ransom note is much shorter and contains only a few lines of text as shown below.

Files Encrypted Need Decrypt? Contact Us At: Lucifer.kobs@mailfence.com OR luciferhelpe@cyberfear.com.

Responding to ransomware attack: our tips

Just like any other ransomware-type malware, Lucifer Kobs ransomware aims to extort the computer user after encrypting all of the data stored on the compromised system. When comparing this piece of malware to thousands of other ransomware samples, we have discovered that it is relatively complex and therefore files locked by it cannot be decrypted. The best solution to ransomware victims is to use data backups created prior to the attack.

Even if the situation seems hopeless, we strongly advise you not to pay the ransom. The same approach is supported by the FBI and other cybersecurity experts. In most cases, cybercriminals do not care about helping ransomware victims despite their willingness to pay up. For this reason, you shouldn’t waste your money and help cybercriminals fund their ransomware operations.

We strongly recommend you to remove Lucifer Kobs ransomware virus using a robust antivirus tool after prepping your computer for the scan. Boot your computer in Safe Mode with Networking to ensure an ideal environment for your antivirus to operate. In addition, we’d like to remind you that you should only use a genuine copy of antivirus.

Finally, our team suggests you to download and try RESTORO to repair virus damage on Windows OS files. You can use the free scan results to find and fix the damage manually, or choose the full version option to apply suggested repairs automatically.

Ransomware Summary

Name	Lucifer Kobs Ransomware Virus
Type	Ransomware; Crypto-malware; Virtual Extortion Virus
Family	Spora ransomware
Encryption type	AES-256 and RSA-2048
Extension	[ID=(victim’s ID)-Mail=Lucifer.kobs@mailfence.com].(4 random characters)
Cybercriminal emails	Lucifer.kobs@mailfence.com, luciferhelpe@cyberfear.com
Damage	This ransomware mainly targets large companies and governmental institutions. It encrypts all files on the compromised system and marks their names with an extension consisting of victim’s ID, cybercriminals’ email address and a 4 random characters. Ransom notes dropped by this virus are named as ReadMe_Now!.hta, Read_Me!.txt. The virus also claims to steal victim’s data and promise to publish it online and send it to the competitors of the victim if one refuses to pay the ransom.
Ransom note	ReadMe_Now!.hta, Read_Me!.txt
Ransom demand	Unknown
Distribution	The threat actors use social engineering to trick potential victims into opening malicious files. They often hide this ransomware in spam email attachments (usually in PDF or DOC format). Furthermore, victims may find it inside illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico.
Detection names	Trojan:Win32/Sabsik.FL.B!ml (Microsoft), DeepScan:Generic.Ransom.Spora.ED409FF5 (B) (Emsisoft), DeepScan:Generic.Ransom.Spora.ED409FF5 (BitDefender), Malware.AI.1426879145 (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection name variations on VirusTotal
Removal	Remove ransomware and related malware from your PC using trustworthy software. To repair virus damage on Windows OS files, consider scanning with RESTORO (secure download link).

REPAIR VIRUS DAMAGE

DOWNLOAD AND SCAN WITH RESTORO

See Full Review

Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.

Example of data folder containing files encrypted by Lucifer Kobs ransomware is shown below.

Ransomware distribution explained

Ransomware-type threats are mostly distributed with the help of deceptive techniques like social engineering or phishing. In simple terms, the threat actors typically hide the malicious executable into fake software update tools, pirated software versions, malicious email attachments. Keep in mind that ransomware always comes disguised as something else. For this reason, we recommend that you only visit legitimate and reputable websites to download software or updates. Avoid shady websites that use rogue ad networks often involving malvertising to monetize their content. These often display ads that are deceptive, for example, offer software updates for your computer that are packed with unwanted spyware or even more severe threats.

When it comes to Spora ransomware variants such as Lucifer Kobs virus, cybersecurity experts have spotted that it mainly gets distributed via fake emails containing deceptive invoices in ZIP archives. The file inside the archive poses as a PDF or DOC document while in reality it is a HTML application (HTA file type) which, once executed, extracts a JScript component in computer’s %TEMP% directory, saves an encoded script into it and then runs this file to begin the attack.

Computer users are advised to be extremely vigilant when inspecting their email inboxes. Avoid opening any email attachments or inserted URLs if you can sense a tone of urgency in the email’s message. Furthermore, ask yourself if you were expecting such email to reach you. In addition, check if the sender’s email address wasn’t spoofed. This can be a sign that the sender’s intentions are malevolent, despite that the nicely designed message and the name of the email attachment do not raise any suspicion.

Remove Lucifer Kobs ransomware virus easily

Automatic malware removal is always a recommended option. Trying to remove Lucifer Kobs ransomware virus manually can result in partial threat removal which leaves your computer at risk. For this reason, we recommend that you follow the tutorial given below and remove the virus using genuine antivirus solution, ideally, one that has real-time protection feature.

Furthermore, once you finalize Lucifer Kobs ransomware removal, consider downloading tools like RESTORO to identify and repair virus damage on Windows OS files.

OUR GEEKS RECOMMEND

Our team recommends removing malware using a professional antivirus software and then using the following tool to repair virus damage to Windows system files:

REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Lucifer Kobs Ransomware Virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:

Instructions for Windows XP/Vista/7 users

First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10 users

Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove Lucifer Kobs Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).

REPAIR VIRUS DAMAGE

DOWNLOAD AND SCAN WITH RESTORO

See Full Review

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10 users

Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.

Step 2. Start System Restore process

Wait until system loads and command prompt shows up.
Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.