Cov19 ransomware is a dangerous threat that can lock personal files and cause its victims significant financial losses

Cov19 ransomware is a dangerous file-encrypting cyber infection that is currently under an active contagion phase. Its developers misuse the name of the COVID-19 pandemic[1] that has resonated around the world in early 2020. The attackers trick people into downloading a malicious svchoster.exe file that serves as a downloader of the virus by with the help of phishing emails allegedly coming from WHO (World Health Organization) or CDC (Centers for Disease Control and Prevention), the COVID-19 Pandemic email and The Red Cross email.
This encryption-based virus stems from the infamous Scarab ransomware family, which is very rich in the number of its members. The ransomware seeks to gain financial profit by encrypting the most popular file types (images, videos, photos, Microsoft Office documents, etc.) with a sophisticated encryption algorithm. The most obvious symptoms of this encryption-based malware are .cov19 extension appended to corrupted files and the TO RECOVER.TXT note positioned on Windows desktop.
| Summary | |
| Name | Cov19 |
| Geneology | This ransomware is a member of the infamous Scarab ransomware |
| International classification | Ransomware |
| Marker | .cov19 |
| Ransom note | TO RECOVER.TXT |
| Distribution | The primary source for this virus is malicious PDF, ZIP, DOC, DOCX, attachments of spam email messages impersonating organizations like WHO, RedCross, or Disease Control. Additionally, it may be disseminated via open RDPs, or launched as a secondary payload of trojans like Remcos, Orcus, or Gh0st. |
| Symptoms | Most of the non-system files corrupted. All icons get the homogenous shape and the file marked .cov19. The ransom note is presented on the desktop. Task Manager runs the svchoster.exe process. “Svchoster.exe application error” may pop-up randomly The system becomes sluggish, unresponsive, and may restart out of nowhere, etc. |
| Removal | A powerful AV tool is required. Windows Safe Mode with Networking has to be enabled for the scan |
| Damage | Missing Registry entries, files, and processes. Consequences – errors, BSODs, crashes, etc. Fix virus damage with the help of a repair tool. |
| Take advantage of the FortectIntego repair software. | |
Cov19 ransomware dropper is typically dispersed within malicious email spams that contain allegedly legitimate documents that are supposedly sent by the RedCross or governmental institutions providing instructions on how to behave during the Coronavirus pandemic to prevent infection. The obfuscated attachments are bundled with a malicious svchoster.exe file, which impersonates a legitimate Windows svchost.exe file. However, this file automatically downloads a ransomware payload and carries out activities (changes of the boot sequence, registry alterations, removal of core files, etc.) allowing a virus to root into the system.
According to researchers from NoVirus.uk[2], this mid-May 2020 Scarab ransomware campaign uses the .cov19 file marker and load the ransom note on the victim's Desktop. TO RECOVER.TXT file contains an overview of the attack, warnings related to the usage of security tools and recovery software, and asks victims to contact the specified e-mail address (FushenKingdee@protonmail.com).
Hello.
Many vulnerabilities detected on your server.
Because of this, all your files have been encrypted with the strongest encryption.
All attempts to decrypt files on their own will lead to data corruption.
Antivirus operation can permanently damage files.
Gather information about identifiers and send it by mail.
Remember that your keys are not stored for long and can be automatically deleted.
No data recovery company can recover it. Recovery company will be contacted by we on the indicated mail.
For information on decoding, please write to the e-mail FushenKingdee@protonmail.com
Your files are now encrypted!
The ransom message seems to be generated as a typical note used by its predecessors, so don't trust a word written on it and react immediately and remove Cov19 ransomware virus from your computer. Paying criminals is not a hundred-percent guarantee that the encrypted files will be restored. Even more, ransom payment definitely won't fix the damage that the virus initiated on the system. For this purpose, you will have to eradicate malicious entries with a reputable AV engine and then fully optimize the system with a repair tool like FortectIntego.
Anyway, before file recovery and system optimization processes, it's crucial to ensure a full Cov19 ransomware removal. In case of any malicious entries are left undelete, the virus may reappear and lock files again. According to the Virus Total[3] analysis, 50 AV programs out of 72 are capable of recognizing and decontamination the malicious files belonging to this ransomware. Typically, it is detected as:
- Trojan/Win32.Ransom.C2445643
- Win32:Trojan-gen
- TR/Downloader.Gen
- DeepScan:Generic.Ransom.Amnesia.318762
- Trojan.TR/Downloader.Gen
- HEUR:Trojan-Ransom.Win32.Generic
- DeepScan:Generic.Ransom.Amnesia.31876
- A Variant Of Win32/Filecoder.FS
- Ransom-Scarab!AA87BE1B17D8, etc.

The problem is that the malicious Cov19 virus downloader is not the only entry that has to be removed. This infection runs a whole package of malicious processes and is usually protected by helper objects. Not only they help the virus remain persistent but also block AV programs from running.
In this case, the Cov19 ransomware removal can become a tough nut to crack. To solve this problem, try restarting Windows into Safe Mode (if you don't know how to do that, please find instructions at the end of this post). Then initiate a deep system scan with reputable AV programs, for example, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.
Sophisticated email messages with malicious attachments remain the main trickery used against unsuspecting users
Scamming campaigns are extremely actively used by hackers to initiate ransomware attacks. Legitimate looking email messages with subject lines about financial information, order confirmations, order tracking information, Coronavirus management methods, etc. spread with malicious attachments (macros) that drop ransomware downloader once opened.
Such and similar emails typically are well-crafted. Full content, e-mail signatures, subject line, reliable sender, in general, all reliable look makes thousands of people fall victims of file-encrypting viruses.
To protect your PC from being attacked by hackers, be very cautious when checking the email inbox. If you did not order anything, there's no need to open a message that claims to contain order confirmation or tracking number. In general, skip all emails that are not related to your activities, but if you see the need to check the received content, use a professional AV tool to scan the attachment.

Eliminate Cov19 ransomware using professional AV programs and ensure full system's repair afterward
Manual Cov19 ransomware removal is not possible due to many reasons. For example, it is not possible to know which processes running on the system are malicious because encryption-based viruses can replace legitimate system files and mimic their behavior. Besides, there may be tens of interconnected files and processes, which protect each other from removal.
To fully eliminate a virus such as Cov19 ransomware, it is important to understand the risks that it causes. Not only it can lead to permanent file loss, but it also causes a complete system's crash if it is not cured properly upon the removal of crypto-extortionist. A full recovery of Windows Registries is crucial and we strongly recommend taking advantage of the FortectIntego tool for that.
The best tool for you that we can recommend for Cov19 ransomware removal is a professional anti-malware software. In other words, a full package of the antivirus solution that exhibits a high detection rate. Unfortunately, removing the virus will not solve the problem with encrypted files. Thus, if you have fallen victim, here's what steps you should initiate:
- First of all, rely on tools like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to get rid of the ransomware;
- Initiate a full scan with FortectIntego or similar tool to repair the needed parts of your PC;
- Use data backups of third-party data recovery software to encrypt files.
Was this guide helpful?
Be the first to comment