Coba ransomware (virus) - Free Instructions

Coba virus Removal Guide

What is Coba ransomware?

Coba ransomware is a malicious Windows program that locks personal files to acquire money from victims

Coba ransomwareCoba virus stems from Djvu ransomware family

Coba is a malicious ransomware that has been causing havoc in the cybersecurity world. This malware is notorious for encrypting all personal files, including documents, photos, videos, and databases, using advanced encryption algorithms, rendering them inaccessible to the victims. When files are encrypted, they are appended with the .coba extension, and their icons disappear, making it impossible for users to open them.

Cybercriminals behind the Coba attack often demand a ransom payment in bitcoin, claiming that only they can provide a unique key to decrypt the files. In the ransom note, which is usually named _readme.txt, victims are instructed to pay a specific amount of money, $490 or $980, to retrieve their data. The cybercriminals behind the attack provide communication channels such as and for the victims to contact them.

Coba is part of a larger family of ransomware known as the Djvu malware, which has had over 600 variants since its release. Some of the most recent variants include Goba, Gosw, and Qoqa, among others. In this article, we will discuss how to protect yourself from a Coba ransomware attack, how to deal with the aftermath of an attack and the steps you can take to attempt to restore your encrypted files without paying the ransom.

Name Coba virus
Type Ransomware, file-locking malware
File extension Malware appends .coba extension to all affected files
Family Djvu
Ransom note _readme.txt dropped at every location where encrypted files are located
Contact and datarestorehelp@airmail
File Recovery There is no guaranteed way to recover locked files without backups. Other options include paying cybercriminals (not recommended, might also lose the paid money), using Emisoft's decryptor (works for a limited number of victims), or using third-party recovery software
Malware removal After disconnecting the computer from the network and the internet, do a complete system scan using the SpyHunter 5Combo Cleaner security program
System fix As soon as it is installed, malware has the potential to severely harm some system files, causing instability problems, including crashes and errors. Any such damage can be automatically repaired by using FortectIntego PC repair

Ransom note

When a Coba ransomware attack occurs, one of the most common ways cybercriminals communicate with their victims is through a ransom note. This message is designed to instruct the victim on how to pay the ransom to the attackers in exchange for the decryption of their encrypted data.

The ransom note usually contains instructions on how to pay and how much is needed in bitcoin. Unlike some other ransomware, the attackers behind this one rely on a professional demeanor, making their ransom notes appear more convincing.

This message is displayed on the victim's device as soon as the Coba virus finishes encrypting the files. It can take the form of a text file, an image, or a webpage and typically contains clear instructions on how to make the ransom payment and regain access to the encrypted data.


Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Perpetrators of ransomware attacks often use psychological tactics to convince victims to pay the ransom quickly. One of the most common tactics is offering a 50% “discount” if payment is made within a certain timeframe, and sometimes even providing a free test decryption service to prove that the files can be recovered.

Coba virus

Despite these seemingly compelling offers, cybersecurity experts and law enforcement strongly advise against paying the ransom. By doing so, victims are essentially supporting criminal operations and funding future attacks. Additionally, there is no guarantee that the promised decryption key will work or even be delivered, as criminals cannot be trusted to uphold their end of the bargain.

Remove malware correctly

Experiencing a sense of panic is a common reaction when ransomware locks up personal files, but it is important to understand that reacting in this way will not solve the problem. In fact, panic can lead to further mistakes and data loss, making the situation worse. The best course of action is to remain calm and take the appropriate recovery steps in a methodical manner.

One of the first and most crucial steps in the recovery process is to prevent the infected computer from communicating with the remote server used by the hackers to store the decryption tool and issue commands. To accomplish this, it is essential to sever the internet connection before beginning any recovery procedures. This will prevent the ransomware from spreading and causing additional damage to the system.

  • Type in Control Panel in Windows search and press Enter.
  • Go to Network and Internet.Network and internet
  • Click Network and Sharing Center.Network and internet 2
  • On the left, pick Change adapter settings.Network and internet 3
  • Right-click on your connection (for example, Ethernet), and select Disable.Network and internet 4
  • Confirm with Yes.

While ransomware may sometimes remove itself after encrypting files, this does not mean the threat has been completely eliminated. It is possible that other harmful components remain on the device, such as data-stealing modules or other malware that can work in conjunction with the initial attack.

Fortunately, security software such as SpyHunter 5Combo Cleaner or Malwarebytes can effectively locate and remove all Coba ransomware-related files, as well as any additional modules and malware that may be present on the system. The software is designed to be user-friendly and does not require any specific IT experience, making it an accessible solution for individuals who have been impacted by ransomware attacks.

Once the infected files and malware have been removed from the system using security software, it is crucial to ensure that the system functions correctly and without any issues. This is where a reliable recovery tool like FortectIntego comes into play.

Recovery tools like FortectIntego are designed to address any system issues that may have arisen due to the ransomware attack, such as crashes or errors that can occur during the malware removal process. These issues can impact the system's overall performance and hinder its functionality. However, with the assistance of a recovery tool, users can fix these problems and restore their system to its optimal state.

Data recovery possibilities

There are a lot of misunderstandings surrounding ransomware attacks, particularly when it comes to the data encryption process and how malware works. Many victims of ransomware believe that a full system scan with security software will be enough to recover their files. They may also try to rename files and add the original extension, hoping to restore their lost data. Unfortunately, it's not as simple as that.

Ransomware uses complex encryption algorithms to lock every file with an alphanumeric sequence that is nearly impossible to guess or crack. This means that users cannot cheat the Coba ransomware and easily recover their files. Even if the malware is removed, the encrypted files remain inaccessible without the decryption key, which only the cybercriminals possess.

Once ransomware takes hold of a system, it begins encrypting files and creating a unique identifier along with a complex encryption key. This information is then transmitted to the attackers, who can use it to create a decryption key that allows them to access the victim's data. However, the cybercriminals behind the attack won't provide the decryption key for free, as they aim to profit from the extortion. This is the primary reason why ransomware attacks are so lucrative for hackers.

To avoid paying the ransom, we suggest exploring the alternative solutions we have compiled below. However, before attempting any of these methods, it is crucial to create a backup copy of the encrypted data to avoid any potential corruption during the recovery process.

We recommend starting with the Emsisoft decryption tool, but please note that its effectiveness may vary depending on the specific ransomware variant used in the attack and other factors.

  • Download the app from the official Emsisoft website.Coba ransomware
  • After pressing Download button, a small pop-up at the bottom, titled decrypt_STOPDjvu.exe should show up – click it.
    Coba ransomware
  • If User Account Control (UAC) message shows up, press Yes.
  • Agree to License Terms by pressing Yes.
    Coba ransomware
  • After Disclaimer shows up, press OK.
  • The tool should automatically populate the affected folders, although you can also do it by pressing Add folder at the bottom.
    Coba ransomware
  • Press Decrypt.
    Coba ransomware

From here, there are three available outcomes:

  1. Decrypted!” will be shown under files that were decrypted successfully – they are now usable again.
  2. Error: Unable to decrypt file with ID:” means that the keys for this version of the virus have not yet been retrieved, so you should try later.
  3. This ID appears to be an online ID, decryption is impossible” – you are unable to decrypt files with this tool.

If your data was encrypted with an online ID, Emsisoft's tool won't work. In such a case, we recommend trying a specialized data recovery software instead.

  • Download Data Recovery Pro.
  • Double-click the installer to launch it.
    Coba ransomware
  • Follow on-screen instructions to install the software.
  • As soon as you press Finish, you can use the app.
  • Select Everything or pick individual folders which you want the files to be recovered from.Select what to recover
  • Press Next.
  • At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  • Press Scan and wait till it is complete.Scan
  • You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  • Press Recover to retrieve your files.

Check out the instructions below for more tips and troubleshooting.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Coba virus. Follow these steps

Find a working decryptor for your files

File encryption is a process that is similar to applying a password to a particular file or folder. However, from a technical point of view, encryption is fundamentally different due to its complexity. By using encryption, threat actors use a unique set of alphanumeric characters as a password that can not easily be deciphered if the process is performed correctly.

There are several algorithms that can be used to lock data (whether for good or bad reasons); for example, AES uses the symmetric method of encryption, meaning that the key used to lock and unlock files is the same. Unfortunately, it is only accessible to the attackers who hold it on a remote server – they ask for a payment in exchange for it. This simple principle is what allows ransomware authors to prosper in this illegal business.

While many high-profile ransomware strains such as Djvu or Dharma use immaculate encryption methods, there are plenty of failures that can be observed within the code of some novice malware developers. For example, the keys could be stored locally, which would allow users to regain access to their files without paying. In some cases, ransomware does not even encrypt files due to bugs, although victims might believe the opposite due to the ransom note that shows up right after the infection and data encryption is completed.

Therefore, regardless of which crypto-malware affects your files, you should try to find the relevant decryptor if such exists. Security researchers are in a constant battle against cybercriminals. In some cases, they manage to create a working decryption tool that would allow victims to recover files for free.

Once you have identified which ransomware you are affected by, you should check the following links for a decryptor:

No More Ransom Project

If you can't find a decryptor that works for you, you should try the alternative methods we list below. Additionally, it is worth mentioning that it sometimes takes years for a working decryption tool to be developed, so there are always hopes for the future.

Restore Windows "hosts" file to its original state

Some ransomware might modify Windows hosts file in order to prevent users from accessing certain websites online. For example, Djvu ransomware variants add dozens of entries containing URLs of security-related websites, such as Each of the entries means that users will not be able to access the listed web addresses and will receive an error instead.

Here's an example of “hosts” file entries that were injected by ransomware:

Hosts file

In order to restore your ability to access all websites without restrictions, you should either delete the file (Windows will automatically recreate it) or remove all the malware-created entries. If you have never touched the “hosts” file before, you should simply delete it by marking it and pressing Shift + Del on your keyboard. For that, navigate to the following location:


Delete Windows "hosts" file

Create data backups to avoid file loss in the future

One of the many countermeasures for home users against ransomware is data backups. Even if your Windows get corrupted, you can reinstall everything from scratch and retrieve files from backups with minimal losses overall. Most importantly, you would not have to pay cybercriminals and risk your money as well.

Therefore, if you have already dealt with a ransomware attack, we strongly advise you to prepare backups for future use. There are two options available to you:

  • Backup on a physical external drive, such as a USB flash drive or external HDD.
  • Use cloud storage services.

The first method is not that convenient, however, as backups need to constantly be updated manually – although it is very reliable. Therefore, we highly advise choosing cloud storage instead – it is easy to set up and efficient to sustain. The problem with it is that storage space is limited unless you want to pay for the subscription.

Using Microsoft OneDrive

OneDrive is a built-in tool that comes with every modern Windows version. By default, you get 5 GB of storage that you can use for free. You can increase that storage space, but for a price. Here's how to setup backups for OneDrive:

  1. Click on the OneDrive icon within your system tray.
  2. Select Help & Settings > Settings.
    Go to OneDrive settings
  3. If you don't see your email under the Account tab, you should click Add an account and proceed with the on-screen instructions to set yourself up.
    Add OneDrive account
  4. Once done, move to the Backup tab and click Manage backup.
    Manage backup
  5. Select Desktop, Documents, and Pictures, or a combination of whichever folders you want to backup.
  6. Press Start backup.
    Pick which folders to sync

After this, all the files that are imported into the above-mentioned folders will be automatically backed for you. If you want to add other folders or files, you have to do that manually. For that, open File Explorer by pressing Win + E on your keyboard, and then click on the OneDrive icon. You should drag and drop folders you want to backup (or you can use Copy/Paste as well).

Using Google Drive

Google Drive is another great solution for free backups. The good news is that you get as much as 15GB for free by choosing this storage. There are also paid versions available, with significantly more storage to choose from.

You can access Google Drive via the web browser or use a desktop app you can download on the official website. If you want your files to be synced automatically, you will have to download the app, however.

  1. Download the Google Drive app installer and click on it.
    Install Google Drive app
  2. Wait a few seconds for it to be installed. Complete installation
  3. Now click the arrow within your system tray – you should see Google Drive icon there, click it once.
    Google Drive Sign in
  4. Click Get Started. Backup and sync
  5. Enter all the required information – your email/phone, and password. Enter email/phone
  6. Now pick what you want to sync and backup. You can click on Choose Folder to add additional folders to the list.
  7. Once done, pick Next. Choose what to sync
  8. Now you can select to sync items to be visible on your computer.
  9. Finally, press Start and wait till the sync is complete. Your files are now being backed up.

Report the incident to your local authorities

Ransomware is a huge business that is highly illegal, and authorities are very involved in catching malware operators. To have increased chances of identifying the culprits, the agencies need information. Therefore, by reporting the crime, you could help with stopping the cybercriminal activities and catching the threat actors. Make sure you include all the possible details, including how did you notice the attack, when it happened, etc. Additionally, providing documents such as ransom notes, examples of encrypted files, or malware executables would also be beneficial.

Law enforcement agencies typically deal with online fraud and cybercrime, although it depends on where you live. Here is the list of local authority groups that handle incidents like ransomware attacks, sorted by country:

Internet Crime Complaint Center IC3

If your country is not listed above, you should contact the local police department or communications center.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Coba and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions