Ransomware attacks are becoming extreme these days and computer security experts keeps on sending warnings to people about this hazardous threat; hence, there are still many computers being infected with this highly dangerous threat due to negligence of users. In fact, there is an unprecedented increase of attack in recent years and one of the top offenders is STOP ransomware family. This group of virus has generated over a hundred of variants because their handlers found that file-locking virus is a perfect tool to easily swindle money from victims. Among the previous releases of this threat includes Mbed, Kodg, and Grod.
This day, new variant from the group has emerged with label Zobm ransomware. Similar to earlier releases, this latest threat was designed to corrupt major files on the computer by encrypting them with a complex algorithm. The ransom virus also adds a suffix .zobm extension to every encrypted file to identify the infection type. To site an example, a file word.doc will turn into word.doc.zobm after it was encrypted by the Zobm ransomware. Reminding victims and instructing them on how to proceed with the recovery of .zobm file is clearly stated on the ransom note generated on the same location as compromised data.
As what was declared in the document, victims are required to pay $980 in exchange of personal private key and decryption software. Hence, handlers of Zobm ransomware are ready to dispose the recovery items for only $490 if victims can meet the 72 hours transaction period from the time of initial attack. Here is an excerpt from the ransom note.
Beware that dealing with makers of Zobm ransom virus is highly risky. As reported on media and various security websites, numerous previous transactions with these cyber criminals did not materialize well. The fraudsters flee right away after receiving the ransom payment without delivering the private key and decryption software, thus, they left the victims with unrecoverable files and empty pockets.
Clearly, prevention and keeping the computer secure is always the key to prevent this kind of attack. Suggestions from security professionals to make it a habit to regularly back up important files proves to be the principal key to evade paying the ransom. Not to mention that it is easier to restore files from backup than going through the expensive and time consuming decryption process.
How to Remove Zobm Ransomware
Ransomware files are placed deeply into the system and on various locations, thus, thorough scanning is vital to totally remove Zobm virus. Aside from our suggested tool, you may also run your own security program.
Though affected files may be impossible to decrypt due to complexity of the encryption, you can still try recovery method like alternative tool, Shadow Explorer or Previous Version as described below.
Stage 1: Scan the Computer with Anti-Malware Tool
1. Download free anti-malware scanner called MalwareBytes Anti-Malware.
Malwarebytes Anti-Malware Download Link (this will open a new window)
2. After downloading, install the program. It may run automatically or you have to double-click on the downloaded file MB3-Setup-[version].exe.
3. Carry out the installation with default setup process.
4. At the last stage of installation process, click the Finish button. The program should launch momentarily.
5. On Malwarebytes Anti-Malware console, select Scan from the menu to see available Scan Method.
6. Next, click on Threat Scan. This is the most complete scan method that will surely find any hidden malicious objects associated to Zobm ransomware.
7. Finally, click on Start Scan begin checking the computer for malware and similar threats.
8. Once the scan has completed, the tool will display the list of detected threats. Remove all identified malicious items and restart the computer if necessary.
Stage 2: Double-check for Zobm’s leftover with Microsoft’s Malicious Software Removal Tool
1. Download the free scanner called Malicious Software Removal Tool.
Malicious Software Removal Tool Download Link (this will open a new window)
2. The tool automatically checks the operating system and suggest appropriate download version. Click on Download button to begin. Save the file to a convenient location, preferably on Desktop.
3. After downloading the file, Windows will prompt that download has completed. Click Run to start scanning for Zobm ransomware. Another option is to browse the location folder and double click on the file to run.
4. The tool will display Welcome screen, click Next. Please note the message “This tool is not a replacement for an antivirus product.” You must understand that this program is made specifically to find and remove malware, viruses, Trojans, and other harmful elements on the computer. It was not designed to protect the computer.
5. Next, you will see Scan Type. Please choose Full Scan to ensure that all Zobm ransom virus entities and other harmful files left on the computer will be found and removed. For advanced computer user, you can opt for Customized Scan, if there are other drives or folders you wanted to include in this scan.
6. Full scan may take a while, please wait for Malicious Software Removal Tool to complete the tasks. However, you may cancel the scan anytime by clicking on the Cancel button.
7. After scanning, the tool will reveal all identified threats. There may be other threats that our first scan fails to detect. Please remove/delete all detected items.
8. When removal procedure is complete, you may now close Malicious Software Removal Tool. We hope that Zobm ransomware have been completely deleted from the computer. Please restart Windows to proceed with the normal operation.
Stage 3 : Unlocking files with Zobm Decryption Tool
Emsisoft Decryptor for STOP Djvu will work only if affected files were encrypted using Offline Keys. Zobm ransomware uses the alternate Offline Keys during encryption if there is a problem encountered while communicating to a remote command-and-control server. Follow the guide to start recovering .zobm encrypted files.
1. As precautionary measures, we suggest to BACKUP all your .zobm encrypted files first on a separate media (USB Drive, Flash Drive, DVD Discs, etc…).
2. Download Emsisoft Decryptor for STOP Djvu from this archive page.
3. Right-click on decrypt_STOPDjvu.exe and click “Run as Administrator“. Windows may prompt “Do you want to allow this app…” just click Yes to continue.
4. By default, the tool will pre-populate the locations where encrypted files were identified. To include other directories, simply click Add Folder button.
5. To start recovering files infected by Zobm ransomware, click on Decrypt button to start the procedure. The interface will display status of the current decryption process.
We will update this section once the full decryption tool is on hand. In the meantime, please try other options below if the above procedure is not not effective.
Option 1: Windows Previous Version Tool
Windows Vista and Windows 7 have a feature called Previous Versions. However, this tool is only usable if restore point was made prior to Zobm ransomware infection. To use this tool and recover files affected by the virus, please follow these steps:
1. Open My Computer or Windows Explorer.
2. Right-click on the affected files or folders. From the drop-down list, please click on Restore previous versions.
3. New window will open display all backup copy of files and folders you wanted to recover. Choose the appropriate file and click on Open, Copy, or Restore. Restoring selected files overwrites the current encrypted files on the computer.
Option 2: Use ShadowExplorer to restore files encrypted by Zobm Ransomware
Just like Previous Version tool, ShadowExplorer is taking advantage of shadow copy created by Windows. This tool allows you to retrieve older version of files before it was encrypted by Zobm ransomware.
1. Download ShadowExplorer from the official web site.
2. Install the program with the default settings.
3. The program should run automatically after installation. If not, double-click on ShadowExplorer icon.
4. You can see the drop-down list on top of the console. Please select proper drive and the most recent point-in-time shadow copies of files you wish to restore prior to Zobm ransomware infection.
5. Right-click on the Drive, Folder, or File you wish to restore and click Export…
6. Lastly, ShadowExplorer will prompt for location where you want to save the copy of recovered files.