Copa Ransomware
The Copa Ransomware is a potent malware that can cause severe damage if it manages to infiltrate a computer. The Copa Ransomware uses a combination of powerful cryptographic algorithms - AES and RSA, to lock the users from accessing or using the files stored on the compromised system effectively. Nearly all filetypes can be encrypted by the Copa Ransomware, including documents, audio and video files, PDFs, photos, databases, spreadsheets, etc. Every locked file will have '.copa' added as a new extension to its original filename. The note with instructions from the hackers is dropped in every folder containing encrypted data and on the desktop. The ransom note file's name is '_readme.txt.'
The Copa Ransomware is a new ransomware threat that was discovered to be part of the prolific STOP/DJVU family of crypto locker threats. The Copa Ransomware is equipped with several harmful functions. Once it starts the encryption process, it attempts to distract the user by generating a pop-up window that could imitate a Windows Update. In the background, however, the Copa Ransomware modifies the system's hosts file to block the affected users from opening numerous cybersecurity sites alongside the encryption of the data. Furthermore, the Copa Ransomware has the ability to delete the default Windows backup, called Shadow Volume Copies of the encrypted files.
In the note, the criminals demand to be paid the sum of $980 for the decryption tool needed to restore the locked data potentially. If the victims initiate contact through the provided email addresses within the first 72 hours following the ransomware infection, the ransom would be cut in half to $490. The primary email of the hackers is helpmanager@mail.ch, while the reserve one is restoremanager@airmail.cc. One encrypted file is allowed to be sent to be decrypted for free.
Users suffering from a Copa Ransomware attack are strongly advised against contacting the criminals and following their instructions. Instead, a suitable backup should be used to restore the files, but only after the compromised system has been clean from the Copa Ransomware by a professional anti-malware program.
The full text of the ransom note is:
'ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-NjQb8RxCzz
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your email "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our email:
helpmanager@mail.ch
Reserve email address to contact us:
restoremanager@airmail.cc
Your personal ID:'
The good news is that there is some hope for victims. As the virus belongs to the STOP/DJVU ransomware family, there is a free decryption tool that may work to undo the infection and encryption. Unfortunately, it only works with specific versions of the ransomware. It can only unlock an offline infection, as everyone with an offline infection has the same decryption key. It is currently impossible to decrypt the online version, with unique keys, without help from the attackers.
Having a computer infected with ransomware like this is unpleasant, to say the least. The effects of Copa ransomware persist even after the ransomware is removed. Even the best anti-malware tool can’t unlock encrypted files. Hackers also mess with Windows "hosts" file to make it more difficult for antivirus programs to detect the infection in the first place.
The encryption process for Copa targets Office documents, PDF files, images, videos, and other popular file types. The malware presents an innocent-looking Windows update popup to deceive victims. The popup explains away potential slowdown caused by the virus using computer resources. People assume any slowdown is caused by this Windows update, which isn’t even happening. The ransomware connects to the Command and Control (C2) server and retrieves the unique identifier for the victim after making all these preparations and encrypting the data.
How to Recover .Copa-Infected Files
Security experts recommend against contacting the attackers and dealing with them. Sending the attackers the money they ask for is no guarantee that you will get your files back. There are many cases where hackers do not deliver their promised decryption tools. Even if they do provide a tool, there is no guarantee it will work. Contacting the attackers puts you at risk of losing money as well as data.
There is only one safe and effective way to recover your infected files. The first step is to remove the virus altogether. Doing so will prevent it from encrypting your computer again in the future. Unfortunately, removing the virus won’t undo the encryption that has already happened. Once you have removed the malware, you can safely restore your files through an external backup. It may be possible to recover files using recovery programs built into the computer, but this may prove difficult. Ransomware such as this deletes the Shadow Volume Copies used by file recovery programs, making it almost impossible to get your data back without a backup. The threat of data loss is one of the main reasons to keep a regular backup of your most important files.
