Severity scale:  
  (90/100)

Remove Cov19 ransomware (Virus Removal Guide) - Bonus: Decryption Steps

removal by Linas Kiguolis - - | Type: Ransomware

Cov19 ransomware is a dangerous threat that can lock personal files and cause its victims significant financial losses

Cov19 ransomware

Cov19 ransomware is a dangerous file-encrypting cyber infection that is currently under an active contagion phase. Its developers misuse the name of the COVID-19 pandemic[1] that has resonated around the world in early 2020. The attackers trick people into downloading a malicious svchoster.exe file that serves as a downloader of the virus by with the help of phishing emails allegedly coming from WHO (World Health Organization) or CDC (Centers for Disease Control and Prevention), the COVID-19 Pandemic email and The Red Cross email.

This encryption-based virus stems from the infamous Scarab ransomware family, which is very rich in the number of its members. The ransomware seeks to gain financial profit by encrypting the most popular file types (images, videos, photos, Microsoft Office documents, etc.) with a sophisticated encryption algorithm. The most obvious symptoms of this encryption-based malware are .cov19 extension appended to corrupted files and the TO RECOVER.TXT note positioned on Windows desktop. 

Summary
Name Cov19
Geneology This ransomware is a member of the infamous Scarab ransomware
International classification Ransomware
Marker .cov19
Ransom note TO RECOVER.TXT
Distribution The primary source for this virus is malicious PDF, ZIP, DOC, DOCX, attachments of spam email messages impersonating organizations like WHO, RedCross, or Disease Control. Additionally, it may be disseminated via open RDPs, or launched as a secondary payload of trojans like Remcos, Orcus, or Gh0st.
Symptoms Most of the non-system files corrupted. All icons get the homogenous shape and the file marked .cov19. 
The ransom note is presented on the desktop.
Task Manager runs the svchoster.exe process.
“Svchoster.exe application error” may pop-up randomly
The system becomes sluggish, unresponsive, and may restart out of nowhere, etc.
Removal A powerful AV tool is required. Windows Safe Mode with Networking has to be enabled for the scan
Damage Missing Registry entries, files, and processes. Consequences – errors, BSODs, crashes, etc. Fix virus damage with the help of a repair tool. 
 Take advantage of the Reimage Reimage Cleaner Intego repair software.

Cov19 ransomware dropper is typically dispersed within malicious email spams that contain allegedly legitimate documents that are supposedly sent by the RedCross or governmental institutions providing instructions on how to behave during the Coronavirus pandemic to prevent infection. The obfuscated attachments are bundled with a malicious svchoster.exe file, which impersonates a legitimate Windows svchost.exe file. However, this file automatically downloads a ransomware payload and carries out activities (changes of the boot sequence, registry alterations, removal of core files, etc.) allowing a virus to root into the system. 

According to researchers from NoVirus.uk[2], this mid-May 2020 Scarab ransomware campaign uses the .cov19 file marker and load the ransom note on the victim's Desktop. TO RECOVER.TXT file contains an overview of the attack, warnings related to the usage of security tools and recovery software, and asks victims to contact the specified e-mail address (FushenKingdee@protonmail.com). 

Hello.
Many vulnerabilities detected on your server.
Because of this, all your files have been encrypted with the strongest encryption.
All attempts to decrypt files on their own will lead to data corruption.
Antivirus operation can permanently damage files.
Gather information about identifiers and send it by mail.
Remember that your keys are not stored for long and can be automatically deleted.
No data recovery company can recover it. Recovery company will be contacted by we on the indicated mail.
For information on decoding, please write to the e-mail FushenKingdee@protonmail.com
Your files are now encrypted!

The ransom message seems to be generated as a typical note used by its predecessors, so don't trust a word written on it and react immediately and remove Cov19 ransomware virus from your computer. Paying criminals is not a hundred-percent guarantee that the encrypted files will be restored. Even more, ransom payment definitely won't fix the damage that the virus initiated on the system. For this purpose, you will have to eradicate malicious entries with a reputable AV engine and then fully optimize the system with a repair tool like Reimage Reimage Cleaner Intego

 Anyway, before file recovery and system optimization processes, it's crucial to ensure a full Cov19 ransomware removal. In case of any malicious entries are left undelete, the virus may reappear and lock files again. According to the Virus Total[3] analysis, 50 AV programs out of 72 are capable of recognizing and decontamination the malicious files belonging to this ransomware. Typically, it is detected as:

  • Trojan/Win32.Ransom.C2445643
  • Win32:Trojan-gen
  • TR/Downloader.Gen
  • DeepScan:Generic.Ransom.Amnesia.318762
  • Trojan.TR/Downloader.Gen
  • HEUR:Trojan-Ransom.Win32.Generic
  • DeepScan:Generic.Ransom.Amnesia.31876
  • A Variant Of Win32/Filecoder.FS
  • Ransom-Scarab!AA87BE1B17D8, etc. 

Cov19 virus
Cov19 is a highly dangerous virus that spreads via malspam campaigns impersonating RedCross emails and then blackmails its victims

The problem is that the malicious Cov19 virus downloader is not the only entry that has to be removed. This infection runs a whole package of malicious processes and is usually protected by helper objects. Not only they help the virus remain persistent but also block AV programs from running. 

In this case, the Cov19 ransomware removal can become a tough nut to crack. To solve this problem, try restarting Windows into Safe Mode (if you don't know how to do that, please find instructions at the end of this post). Then initiate a deep system scan with reputable AV programs, for example, SpyHunter 5Combo Cleaner or Malwarebytes.

Sophisticated email messages with malicious attachments remain the main trickery used against unsuspecting users 

Scamming campaigns are extremely actively used by hackers to initiate ransomware attacks. Legitimate looking email messages with subject lines about financial information, order confirmations, order tracking information, Coronavirus management methods, etc. spread with malicious attachments (macros) that drop ransomware downloader once opened. 

Such and similar emails typically are well-crafted. Full content, e-mail signatures, subject line, reliable sender, in general, all reliable look makes thousands of people fall victims of file-encrypting viruses. 

To protect your PC from being attacked by hackers, be very cautious when checking the email inbox. If you did not order anything, there's no need to open a message that claims to contain order confirmation or tracking number. In general, skip all emails that are not related to your activities, but if you see the need to check the received content, use a professional AV tool to scan the attachment. 

Cov19 ransomware soam campaigns
Cov19 ransowmare typically spreads via malicious spam attachments that carry svchoster.exe ransomware dropper

Eliminate Cov19  ransomware using professional AV programs and ensure full system's repair afterward

Manual Cov19 ransomware removal is not possible due to many reasons. For example, it is not possible to know which processes running on the system are malicious because encryption-based viruses can replace legitimate system files and mimic their behavior. Besides, there may be tens of interconnected files and processes, which protect each other from removal. 

To fully eliminate a virus such as Cov19 ransomware, it is important to understand the risks that it causes. Not only it can lead to permanent file loss, but it also causes a complete system's crash if it is not cured properly upon the removal of crypto-extortionist. A full recovery of Windows Registries is crucial and we strongly recommend taking advantage of the Reimage Reimage Cleaner Intego tool for that. 

The best tool for you that we can recommend for Cov19 ransomware removal is a professional anti-malware software. In other words, a full package of the antivirus solution that exhibits a high detection rate. Unfortunately, removing the virus will not solve the problem with encrypted files. Thus, if you have fallen victim, here's what steps you should initiate:

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Cov19 virus, follow these steps:

Remove Cov19 using Safe Mode with Networking

Reboot the machine in Safe Mode with Networking to get rid of Cov19 ransomware virus completely

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Cov19

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Cov19 removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Cov19 using System Restore

System Restore is the feature that people can take advantage of after the system's crash or virus infection

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Cov19. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Cov19 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Cov19 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Unfortunately, neither of Scarab ransomware versions can be decrypted. There's no official software for recovering files encrypted by .cov19 file extension, so victims can either use backups or try third-party data recovery programs.

If your files are encrypted by Cov19, you can use several methods to restore them:

Data Recovery Pro can help to retrieve a part of compromised files.

Make sure that the ransomware is fully removed before running a scan with it.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Cov19 ransomware;
  • Restore them.

Windows Previous Version is useful in retrieving individual files

Although the recovery of all files damaged by Cov19 ransomware can be a tiresome process, it can be helpful in recovering the most valuable data.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is the feature helpful for encoded files

Volume Shadow copies could be a perfect way out. However, most of the ransomware viruses enable a command that deletes these copies right after infiltration.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Unfortunately, there is no official Cov-19 decryption software

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cov19 and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions

References


Your opinion regarding Cov19 ransomware