The .zobm file extension is appended to every file encrypted by the latest version of STOP (Djvu) ransomware. The Zobm virus is malware that makes the contents of the victim's files inaccessible by encrypting them. Encrypted files cannot be unlocked by removing the new extension: the only way to recover .zobm files is to decrypt them with the decryptor and the key that was used on that computer.
Zobm is the 186th variant (v0186) of STOP (Djvu) ransomware. Like the previous versions, it is spread through the same channels: cracks, torrents, adware bundles and key generators. When a computer is infected, Zobm creates a folder under the Windows system directory, copies itself there and changes Windows settings so that the virus starts automatically every time the computer is restarted or turned on.
Zobm then tries to connect to its command-and-control (C&C) server. If the connection succeeds, it sends information about the infected computer to the C&C server and receives the key that will be used to encrypt files. This is the so-called 'online key'; it is unique to each infected computer, so a key from one computer cannot decrypt files encrypted on another. If the connection fails, Zobm falls back to a fixed key built into the sample, the so-called 'offline key'. The offline key is the same for every victim of that variant, so once researchers recover it, it decrypts the files of everyone whose files were encrypted with it.
Zobm encrypts file contents with the Salsa20 stream cipher, which makes decryption without the key infeasible. All user files on the computer are encrypted, except files in system directories, files with the extensions .sys, .dll, .lnk, .ini and .bat, and files named '_readme.txt'. For example, the following file types can be encrypted:
.fsh, .zif, .pem, .forge, .avi, .odb, .zdc, .cfr, .lvl, .xls, .dba, .big, .wgz, .vpk, .wbmp, .kf, .flv, .wbd, .wp, .ff, .p12, .arw, .crw, .odt, .ws, .vpp_pc, .nrw, .sb, .sis, .pdd, .vcf, .qdf, .webdoc, .indd, .rtf, .wps, .dng, .pkpass, .gdb, .db0, .csv, .bkf, .ztmp, .xlsx, .xxx, .wpe, .odp, .re4, .rim, .css, .wpg, .wbz, .wmd, .sr2, .wpd, .x3f, .y, .dbf, .bkp, .pptm, .0, .xy3, .das, .rwl, .xls, .xdl, .wsd, .xbdoc, .1st, .wot, .wbk, .xyw, .z, .r3d, .wma, .wdb, .wmv, .der, .js, .ods, .t13, .mlx, .m2, .pef, .raw, .raf, .epk, .kdc, .hvpl, .xpm, .dwg, .bik, .d3dbsp, .rofl, .bsa, .zip, .zi, .bay, .3ds, .yml, .srf, .p7b, .wp6, .wsh, .hplg, .docm, .litemod, .jpg, .dxg, .xf, .iwd, .slm, .xx, .mp4, .tor, .mddata, .zw, .mcmeta, .ybk, .ncf, .orf, .mrwref, .dazip, .hkdb, wallet, .crt, .wpb, .psk, .zdb, .wpt, .fpk, .webp, .cr2, .itdb, .pfx, .wm, .1, .m4a, .odm, .wbc, .zip, .mov, .menu, .wb2, .sid, .wp7, .wire, .xmmap, .doc, .arch00, .mef, .kdb, .lbf, .apk, .wn, .gho, .xar, .sidd, .wpa, .ltx, .wsc, .wma, .wdp, .desc, .xyp, .erf, .z3d, .map, .wp5, .svg, .rw2, .itl, .wmf, .zabw, .bc6, .x3d, .snx, .wpl, .wbm, .itm, .wav, .dcr, .jpeg, .vdf, .xlk, .xmind, .tax, .xlsx, .p7c, .xll, .wp4, .3fr, .bar, .xlsm, .icxs, .3dm, .jpe, .mpqge, .ibank, .txt, .sav, .blob, .layout, .asset, .iwi, .qic, .wri, .srw, .mdbackup, .pst, .wmv, .sidn, .t12, .xwp, .wotreplay, .esm, .wmo, .xdb, .x3f, .cdr, .vfs0, .pdf, .hkx, .ntl, .xml, .m3u, .lrf, .cer, .psd, .sum, .eps, .mdb, .rgss3a, .ai, .rar, .pptx, .cas, .wps, .w3x, .xlsm, .xlgc, .yal, .fos, .x, .ppt, .xlsb
Each encrypted file gets a new name: the old filename with '.zobm' appended. For example, 'price.xlsx' becomes 'price.xlsx.zobm'. Zobm encrypts files in every directory on every drive of the computer. When all files in a directory have been encrypted, it drops a ransom note named '_readme.txt' in that directory. The following is the contents of such a file.
This file contains the ransom demand from the Zobm authors. The note says that all files on the computer are encrypted and that the only way to decrypt them is to buy the decryptor and the key. The attackers demand a ransom of $490; if the victim does not pay within 72 hours, the amount rises to $980. The criminals offer to decrypt one file for free, provided the victim sends them a small file containing nothing important. Successful decryption of a single file does not guarantee that paying the ransom will actually get the victim's .zobm files back.
Threat Summary
Name | Zobm
Type | Ransomware, crypto virus, file locker, crypto malware, filecoder
Encrypted files extension | .zobm
Ransom note | _readme.txt
Contact | datarestorehelp@firemail.cc, datahelp@iran.ir
Ransom amount | $490, rising to $980 after 72 hours, payable in Bitcoin
Detection names | TRCrypt.Agent, Malware.Win32Ransom, Trojan:Encoder, Trojan:RansomCrypted, UDS.DangerousObject.MultiGeneric, Trojan:Win32Kryptik, FileRepMalware
Symptoms | Files carry the .zobm extension. Documents, photos and music cannot be opened. Windows Explorer shows a blank icon for the file type. A file named '_readme.txt' appears in every folder that contains an encrypted file.
Distribution ways | Adware, phishing email, torrent sites, drive-by downloads, cracks, social media posts, activators
Removal | Zobm virus removal guide
Decryption | Free Zobm decryptor
The Zobm authors are telling the truth when they say the files are encrypted. Security researchers confirm this, and confirm that decryption requires the decryptor and the key. Fortunately, a free decryptor exists that supports the known versions of STOP (Djvu), Zobm included, so .zobm files can be decrypted with it. Its limitation is that, at the moment, it can only decrypt files encrypted with an offline key; files encrypted with an online key cannot yet be decrypted. Even when the decryptor does not help, there are several alternative methods, each of which gives a chance of recovering the encrypted files.
If your files were encrypted by Zobm, follow the action plan below to remove the ransomware and decrypt or restore the encrypted files. Read the whole guide carefully first, print it, or open it on your smartphone, so that you do not miss anything important.
Remove Zobm ransomware virus
Before you start decrypting files, check the computer for malware, find all Zobm components and remove them. If the ransomware is not removed, it can encrypt the recovered files again. It is also sensible to disconnect the computer from the network and to keep backup drives unplugged until the scans come back clean. Remember, too, that active malware is a hole in the computer's defences: the criminals can access and control the entire computer, or use it to attack other computers.
We recommend using free malware removal tools to detect and remove Zobm. It is better to use two or more of them rather than one; this gives the most thorough scan and more confidence that Zobm has been found and completely removed.
Use Zemana Anti Malware to remove Zobm virus
We recommend Zemana AntiMalware because it can find and remove Zobm ransomware along with other malware, trojans and worms. If the tool cannot fix a Zobm removal problem automatically, Zemana offers 24x7 online assistance from experienced support staff.
- Download Zemana AntiMalware from the following link and save it to your Desktop.
Zemana AntiMalware (author: Zemana Ltd; category: security tools; updated July 16, 2019)
- Run the downloaded file. Follow the prompts.
- Once the installation is finished, click the “Scan” button to search for Zobm virus.
- When the scanning is done, click “Next” button.
Remove Zobm ransomware with Malwarebytes
Malwarebytes is a malware removal utility built to find and remove security threats including ransomware, trojans, worms and adware. It also has a system monitoring component that uses a whitelist database to stop suspicious processes and programs. As with Zemana AntiMalware, Malwarebytes lets you remove all found malware for free.
- Download Malwarebytes from the following link.
Malwarebytes Anti-Malware (author: Malwarebytes; category: security tools; updated April 15, 2020)
- Once the download is finished, double-click the downloaded file, MBsetup.
- Follow the prompts.
- Once installation is complete, click the "Scan Now" button to scan the system for Zobm ransomware and other security threats.
- When Malwarebytes has finished scanning the machine, it opens the Scan Results. Click the "Quarantine Selected" button.
To learn more about using Malwarebytes to remove Zobm, read the following guide: How to use Malwarebytes Anti-Malware.
Use Kaspersky virus removal tool to remove Zobm
Kaspersky Virus Removal Tool (KVRT) is the third utility we recommend for checking the computer for Zobm and confirming that the ransomware is gone. It is completely free and built on the engine of Kaspersky Lab's antivirus. KVRT detects and removes a wide range of malware: ransomware, adware, trojans, worms, spyware, browser hijackers and so on.
- Download Kaspersky Virus Removal Tool (KVRT) by clicking the link below.
Kaspersky Virus Removal Tool (author: Kaspersky Lab; category: security tools; updated March 5, 2018)
- Double-click the downloaded file.
- Click Start scan button to detect Zobm virus and other known infections.
- When the scan is complete, click the Continue button to remove the found malware.
To learn more about using Kaspersky Virus Removal Tool to remove Zobm, read the following guide: How to use Kaspersky virus removal tool.
How to decrypt .zobm files
Files with the .zobm extension are encrypted and cannot be decrypted without the decryptor and the key, and the Zobm authors demand a ransom for both. Nobody can guarantee that a victim who pays will actually be able to decrypt the encrypted files, and security experts advise against paying: every ransom funds the development of the next ransomware.
Fortunately for Zobm victims, there is a free decryptor for STOP (Djvu) ransomware, and since Zobm is a variant of this family, the decryptor can be used on .zobm files. Bear in mind the limitation described below: it only works when an offline key was used.
To decrypt .zobm files, use free STOP (Zobm) decryptor
- Download STOP (Djvu) decryptor from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
The STOP (Zobm) decryptor is free for everyone. At the moment it can only decrypt files encrypted with an offline key; if the files were encrypted with an online key, the free decryptor cannot help. Whatever the outcome, keep the encrypted files and the '_readme.txt' notes rather than deleting them: try the decryptor on copies of a few files first, and if it fails, the untouched ciphertext is what a future decryptor update will need.
How to find out which key was used to encrypt files
Since the STOP (Zobm) decryptor only decrypts files encrypted with the offline key, each victim needs to know which of the two key types (online or offline) was used to encrypt the files. Determining this is not difficult; there are two ways, and either will do.
First, look at the personal ID given in the '_readme.txt' ransom note.
Second, look on drive C: for the file 'SystemID\PersonalID.txt'. This is where Zobm records the personal IDs used during encryption; there can be more than one if the computer was encrypted in several sessions.
The personal ID is not the key itself; it is a string from which anyone can tell which kind of key was used. If the ID ends in 't1', the files were encrypted with an offline key. If it does not end in 't1', Zobm used an online key. If you cannot work out which key was used, we can help: leave a request in the comments below.
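As an added example (not code from this article or from any STOP decryptor), the following Python script turns the rules from the sections above into a triage pass over a mounted disk or image: it inventories the .zobm files and the original extensions hidden behind the suffix, lists files that by the article's exclusion rule should have been encrypted but were not, pulls the personal IDs out of every '_readme.txt' and 'PersonalID.txt' it finds, and applies the 't1' test to each. The assumption that an ID is a run of 40 or more alphanumeric characters, and the sample tree built by demo(), are the example's own, not the article's.

```python
"""Triage helper for a STOP (Djvu) / Zobm infection.

Added example, not code from the original article. It walks a directory tree
(a mounted image or the live disk), inventories files carrying the '.zobm'
suffix, flags files the article's rules say should have been encrypted but
were not, pulls personal IDs out of '_readme.txt' notes and PersonalID.txt,
and classifies each ID as offline ('t1' suffix) or online. Assumption: an ID
is a run of 40 or more alphanumeric characters (the IDs quoted on this page
are 40 and 57 characters long). The tree built in demo() is constructed.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".zobm"
NOTE_NAME = "_readme.txt"
PERSONAL_ID_NAME = "PersonalID.txt"  # normally at C:\SystemID\PersonalID.txt
SKIPPED_EXTENSIONS = {".sys", ".dll", ".lnk", ".ini", ".bat"}  # left alone per the article
ID_PATTERN = re.compile(r"\b[0-9A-Za-z]{40,}\b")  # assumption on ID length, see above
# Online-key ID quoted in the comments on this page (does not end in 't1').
SAMPLE_ONLINE_ID = "0186Asd374y5iuhldJto0wkNq5NcNTOFe7GMXNAN0DnSTO38NGjOqa5ex"

def classify_id(personal_id):
    """'offline' if the ID ends in 't1', otherwise 'online'."""
    return "offline" if personal_id.endswith("t1") else "online"

def original_name(encrypted_name):
    """'price.xlsx.zobm' -> 'price.xlsx'; other names come back unchanged."""
    if encrypted_name.endswith(ENCRYPTED_SUFFIX):
        return encrypted_name[:-len(ENCRYPTED_SUFFIX)]
    return encrypted_name

def would_be_encrypted(name):
    """The article's exclusion rule: the note, the ID file, skipped extensions
    and already-encrypted files are not touched; everything else is a target."""
    if name in (NOTE_NAME, PERSONAL_ID_NAME) or name.endswith(ENCRYPTED_SUFFIX):
        return False
    return os.path.splitext(name)[1].lower() not in SKIPPED_EXTENSIONS

def extract_ids(text):
    """Personal IDs found in a note or PersonalID.txt, in order, without repeats."""
    return list(dict.fromkeys(ID_PATTERN.findall(text)))

def triage(root):
    """Walk the tree and return a summary dict."""
    report = {"encrypted_files": 0, "by_extension": Counter(), "notes": 0,
              "untouched_candidates": [], "ids": [], "key_type": None}
    ids = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                report["encrypted_files"] += 1
                ext = os.path.splitext(original_name(name))[1].lower() or "(none)"
                report["by_extension"][ext] += 1
            elif name in (NOTE_NAME, PERSONAL_ID_NAME):
                if name == NOTE_NAME:
                    report["notes"] += 1
                with open(path, encoding="utf-8", errors="replace") as fh:
                    ids.extend(extract_ids(fh.read()))
            elif would_be_encrypted(name):
                # A plausible target left alone: encryption was interrupted here
                # or the file was locked; check it rather than assume it is clean.
                report["untouched_candidates"].append(os.path.relpath(path, root))
    report["ids"] = sorted(set(ids))
    kinds = {classify_id(i) for i in report["ids"]}
    # Different kinds across IDs means several encryption sessions; each file
    # then belongs to the ID in the note dropped beside it.
    report["key_type"] = "mixed" if len(kinds) > 1 else (kinds.pop() if kinds else None)
    report["untouched_candidates"].sort()
    return report

def build_sample_tree(root):
    """Constructed sample tree, not a real infection image."""
    note = "ATTENTION!\n\nYour personal ID:\n" + SAMPLE_ONLINE_ID + "\n"
    layout = {
        os.path.join("docs", "price.xlsx.zobm"): b"\x00" * 64,
        os.path.join("docs", "notes.txt.zobm"): b"\x00" * 64,
        os.path.join("docs", NOTE_NAME): note.encode(),
        os.path.join("docs", "photo.jpg"): b"\xff\xd8\xff",  # target left untouched
        os.path.join("Windows", "driver.sys"): b"MZ",        # skipped by rule
        os.path.join("SystemID", PERSONAL_ID_NAME): (SAMPLE_ONLINE_ID + "\n").encode(),
    }
    for rel, data in layout.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

def demo():
    """Triage the sample tree in a temp dir and return the report."""
    root = tempfile.mkdtemp(prefix="zobm-triage-")
    try:
        build_sample_tree(root)
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run triage() against the root of the mounted volume (or the drive letter on the live system) and read the report in that order: the untouched candidates tell you where the encryption run stopped, the ID list and key_type tell you whether the free decryptor has a chance, and a 'mixed' key_type means the IDs must be matched file by file against the note in each folder before running it.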
What to do if STOP (Zobm) decryptor says “Error: Unable to decrypt file with ID”
If, during decryption of .zobm files, the decryptor reports 'Error: Unable to decrypt file with ID' and skips files without decrypting them, there are two possible reasons:
- the files were encrypted with an online key; in this case you need to use the alternative methods below to restore the contents of the encrypted files;
- the files were encrypted with an offline key, but that key has not yet been recovered by security researchers; in this case be patient, check back for decryptor updates, and in the meantime try the alternative recovery methods.
Restore .zobm files
If the STOP (Zobm) decryptor did not help, or your files were encrypted with an online key, there is no need to panic. Several alternative methods may let you restore the contents of the encrypted files. If you have not yet tried the free decryptor, do that first (see 'How to decrypt .zobm files' above), then return here.
These alternative methods do not use decryption, so no key or decryptor is needed. Before you begin, you must be certain that no ransomware is still active on the computer. If you have not yet checked, do it now with the free malware removal tools described under 'Remove Zobm ransomware virus' above.
Restore .zobm files using Shadow Explorer
First, try to recover the encrypted files from their Shadow Volume Copies, which Windows creates automatically. To recover music, photos, documents and other files encrypted by Zobm from Shadow Volume Copies you can use a free tool called ShadowExplorer. We recommend it because it is small, has a simple interface and needs no installation. Unfortunately, ransomware usually deletes all shadow copies, and STOP (Djvu) is no exception. You can check before downloading anything: run 'vssadmin list shadows' from an elevated command prompt, and if it reports that no items were found, skip straight to the second method below.
Download ShadowExplorer to your Windows Desktop by clicking the following link.
ShadowExplorer (author: ShadowExplorer.com; category: security tools; updated September 15, 2019)
Once the download is finished, extract the saved file to a folder on your system. This creates the files shown in the following example.
Start the ShadowExplorerPortable application. Choose the drive (1) you want to recover files or folders from and the date (2) of the shadow copy to restore from, as on the image below.
In the right panel, navigate to the file or folder you want to restore. Right-click it and choose Export, as shown in the figure below.
Finally, specify a folder (for example your Desktop) in which to save the shadow copy of the file and click 'OK'.
Recover .zobm files with PhotoRec
Another alternative is data recovery software. This method takes a lot of time, but in most cases it recovers some, and sometimes all, of the encrypted files. It works when the ransomware wrote the encrypted copy as a new file and deleted the original, because the deleted data stays on disk until something overwrites it. For that reason, recover to a different drive and avoid writing to the infected disk until you are done. To recover .zobm files, use a free tool called PhotoRec. It has a simple interface and needs no installation.
Download PhotoRec by clicking on the link below.
After the download is finished, open the folder in which you saved it. Right-click testdisk-7.0.win and choose Extract All, then follow the prompts. Next, open the testdisk-7.0 folder, as shown below.
Double-click qphotorec_win to run PhotoRec for Windows. It displays a screen like the one in the image below.
Select the drive to recover from, as in the following example.
You will see a list of the available partitions. Select the partition that held the encrypted documents, photos and music, as shown below.
Click the File Formats button and select the file types to recover; you can enable or disable recovery of individual types. When done, click OK.
Next, click Browse to choose where the restored files should be written (a different drive from the one being scanned), then press Search.
The count of restored files is updated in real time. All recovered photos, documents and music are written to the folder chosen in the previous step; you can access them even before the process has finished.
When recovery is complete, press Quit. Then open the folder where the recovered files are stored; its contents will look like the following example.
All restored documents, photos and music are written to the recup_dir.1, recup_dir.2, ... sub-directories. If you are looking for a specific file, sort the recovered files by extension and/or date/time.
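Sorting a few hundred recup_dir folders by hand is slow, and PhotoRec routinely carves the same file more than once. As an added example (not part of the article and not PhotoRec's own code), the following Python script regroups a PhotoRec output folder by extension, drops byte-identical duplicates by SHA-256, and skips empty stubs; the recup_dir tree built by demo() is constructed for the example.

```python
"""Regroup PhotoRec output by extension and drop duplicate carves.

Added example; not code from the original article or from PhotoRec.
PhotoRec writes carved files under recup_dir.1, recup_dir.2, ... with
generated names (f0001234.jpg), and the same file is often carved more
than once. regroup() copies every non-empty carved file into
<dest>/<extension>/, skips byte-identical copies by SHA-256, and returns
a per-extension count plus the number of duplicates skipped. The
recup_dir tree built in demo() is constructed for the example.
"""
import hashlib
import os
import shutil
import tempfile
from collections import Counter

def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large carves do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def regroup(photorec_out, dest):
    """Copy carved files into dest/<ext>/ (dest should be on a different drive
    from the one being scanned). Returns (Counter by extension, duplicates)."""
    seen = set()
    per_ext = Counter()
    duplicates = 0
    for entry in sorted(os.listdir(photorec_out)):
        folder = os.path.join(photorec_out, entry)
        if not (entry.startswith("recup_dir.") and os.path.isdir(folder)):
            continue
        for name in sorted(os.listdir(folder)):
            src = os.path.join(folder, name)
            if not os.path.isfile(src) or os.path.getsize(src) == 0:
                continue  # PhotoRec can leave empty stubs behind
            digest = sha256_of(src)
            if digest in seen:
                duplicates += 1
                continue
            seen.add(digest)
            ext = os.path.splitext(name)[1].lower().lstrip(".") or "noext"
            target_dir = os.path.join(dest, ext)
            os.makedirs(target_dir, exist_ok=True)
            # Prefix with the source folder: the same generated name can
            # appear in more than one recup_dir.
            shutil.copy2(src, os.path.join(target_dir, f"{entry}_{name}"))
            per_ext[ext] += 1
    return per_ext, duplicates

def build_sample_output(root):
    """Constructed recup_dir tree standing in for real PhotoRec output."""
    jpeg = b"\xff\xd8\xff\xe0" + b"A" * 32
    files = {
        ("recup_dir.1", "f0000001.jpg"): jpeg,
        ("recup_dir.1", "f0000002.docx"): b"PK\x03\x04" + b"B" * 32,
        ("recup_dir.2", "f0000003.jpg"): jpeg,               # duplicate carve
        ("recup_dir.2", "f0000004.txt"): b"quarterly figures\n",
        ("recup_dir.2", "f0000005.pdf"): b"",                # empty stub
    }
    for (folder, name), data in files.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(data)

def demo():
    """Run regroup() over the sample tree; return (counts, duplicates, listing)."""
    work = tempfile.mkdtemp(prefix="photorec-")
    try:
        src, dest = os.path.join(work, "out"), os.path.join(work, "sorted")
        os.makedirs(src)
        build_sample_output(src)
        per_ext, duplicates = regroup(src, dest)
        listing = sorted(os.path.relpath(os.path.join(d, f), dest)
                         for d, _, fs in os.walk(dest) for f in fs)
        return dict(per_ext), duplicates, listing
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

Point regroup() at the folder you chose with Browse in PhotoRec and at an empty folder on another drive; copying rather than moving keeps the raw PhotoRec output intact in case the grouping needs to be redone with different rules.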
To sum up
This guide was written to help victims of Zobm ransomware. It tried to answer the following questions: how to remove the ransomware; how to decrypt .zobm files; how to recover files when the STOP (Zobm) decryptor does not help; and what online and offline keys are. We hope the information presented here has helped you.
If you have questions, leave a comment below. If you need more help with Zobm-related issues, go here.
by ZOBM
0186Asd374y5iuhldJto0wkNq5NcNTOFe7GMXNAN0DnSTO38NGjOqa5ex
help help
Error: Unable to decrypt file with ID: FLN5gPpwnL7v6ghPTU8keTdTbIMj0qOybptiTx5z
.zobm .rote
The “FLN5gPpwnL7v6ghPTU8keTdTbIMj0qOybptiTx5z” ID is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the following guide: How to recover ransomware encrypted files.
Help me, please
0186Asd374y5iuhldzJJ7TgCqsyqGmamxe4gJhqa6VTcwmzSn96p1MUmo
The “0186Asd374y5iuhldzJJ7TgCqsyqGmamxe4gJhqa6VTcwmzSn96p1MUmo” ID is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the following guide: How to recover ransomware encrypted files.