ZOBM ransomware is yet another DJVU ransomware update
Contents
ZOBM ransomware is a new variant of STOP DJVU virus that encrypts all files on victim’s computer to demand a ransom. The virus marks infected files with .zobm file extension and creates ransom notes _readme.txt in each folder with affected data. This variant of the STOP ransomware suggests buying a decryption key for $490 or $980 in Bitcoin. In addition, virus’ developers provide new contact emails – datarestorehelp@firemail.cc and datahelp@iran.ir.
If you have found out that all your files were affected by .zobm file virus and you can’t open them now, it means that you have recently downloaded a malicious file. Typically, all STOP/DJVU versions such as ROTE, TOEC, MBED, KODG, COOT or others spread via infectious software cracks or keygens (tools used to activate paid software for free).
Once installed, the ransomware disables security software and corrupts all files on the system using RSA cryptography, then deletes Volume Shadow Copies and installs Azorult Trojan on the system. In parallel, ZOBM ransomware creates ransom notes and drops them in all scanned folders. The ransom note contains a message from the cyber criminals, which suggests paying a ransom to recover all data.
To convince the victim to pay, the attackers suggest a 50% discount ($490) if the victim rushes to pay up within 72 hours. Otherwise, the ransom price remains the same – $980. In addition, the ransom note suggests sending one file to the attackers via one of provided emails and receive a decrypted version back.
The attackers want to prove that it is worth paying the ransom to them. However, remember that they can vanish immediately right after receiving your money and forget about you. Of course, another reason not to pay up is the fact that paying funds their malicious operations.
Threat Summary
| Name | ZOBM file virus |
| Type | Ransomware (STOP/DJVU virus variant) |
| Version | v0186 |
| File marker | .zobm extension |
| Encryption method | RSA |
| Ransom note | _readme.txt |
| Ransom demand | $490-$980 |
| Contact emails | datarestorehelp@firemail.cc or datahelp@iran.ir |
| Distribution | Malicious downloads such as software cracks and keygens |
| Installs | Azorult password-stealing malware |
| Decryption | Impossible at the moment |
| Removal | Remove using trustworthy antivirus software |
Things to know if your files were encrypted by this ransomware
The most searched question about this ransomware is “how to decrypt files locked by ZOBM virus”. Unfortunately, currently there are no ways to recover files encrypted by ZOBM ransomware. However, please pay attention to the fact that this malicious program uses either offline or online key to lock victim’s files. If you are victim of the offline key attack, you might be able to restore your files in the future.
To find out which key was used to encrypt your files, open any _readme.txt ransom note and look at your personal ID. If it ends with t1, you’ll be able to recover your files in the future. If it ends with any other two symbols, there are no ways, and possibly won’t be to recover your files.
ZOBM ransomware along with other STOP ransomware versions affected thousands of people worldwide. No matter how important your files were, they cannot be recovered at this moment (especially if encrypted with online key). Please develop a habit of creating data backups regularly so that you would have data copies in case your computer gets infected/destroyed etc.
Your personal ID doesn’t end with t1. It means your files are locked with online key and can’t be recovered. The only possible way to recover files would happen in a scenario if the ransomware developers get caught and their key databases seized. However, chances of such situation to become a reality are very, very low.
If your personal ID ends with t1 (the virus used offline key for your files), you will be able to recover .zobm data in the future. Check this guide on how to decrypt files locked by STOP ransomware here. Currently, there are no solutions for victims affected by the online key.
If your computer was affected by this virus, we suggest you to remove ZOBM ransomware as soon as you can along with Azorult virus it installed on your system. Please use instructions provided below the article. Next, change all your passwords, primarily those saved in your web browser.
Detailed explanation on how you got infected with STOP ransomware variant
ZOBM ransomware spreads via malicious peer-to-peer downloads, or, to be precise, files that help to crack licensed software so that you could use premium features for free. Widely known tools to achieve this are various cracks and keygens or tools like KMSPico. Please stay away from such downloads as they are well-known distributors of various malware.
Despite that, such downloads are still extremely popular, which explains why STOP ransomware has infected so many PCs around the world. Besides, it doesn’t seem that the ransomware developers are willing to switch to any other ransomware distribution method anytime soon. If you want to learn more about file-encrypting malware distribution tricks and practices to avoid installing such viruses, check this guide.
Remove ZOBM ransomware and protect your computer
The easiest way to remobe ZOBM file virus is to update your antivirus and let it scan your computer system from Safe Mode. If this is your first time dealing with such dangerous virus, we recommend reading the instructions given down below.
Once you succeed in ZOBM ransomware removal, please backup your encrypted data and wait for the best. If your personal ID ends with t1, expect the offline key to appear within the following months and wait for updates on the STOP Decrypter.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
ZOBM Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove ZOBM Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply