Revon ransomware (Removal Guide) - Decryption Steps Included

Revon virus Removal Guide

What is Revon ransomware?

Revon ransomware – a file locking malware that demands ransom payment in Bitcoin

Revon ransomwareRevon ransomware is a data locking virus that uses AES encryption algorithm to reach its goals

Revon ransomware is a file locking malware that was first spotted in early April 2020. As a member of the Phobos family, the virus does not differ much from its predecessors – its main goal is to extort money from unsuspecting victims. Once inside the system, it performs several changes to ensure smooth operation and then uses AES to encrypt personal files like pictures, videos, music, documents, databases, and other data. During this process, ransomware marks each of the files with .revon extension, restricting access to users.

To make sure that users find out about what happened, hackers behind the Revon virus also deliver a ransom note info.hta, as well as info.txt. In it, threat actors explain that all personal data is locked and that users need to write them via werichbin@protonmail.com or werichbin@cock.li emails to negotiate Bitcoin payment in order to acquire Revon ransomware decryptor. While this malware is currently not decryptable, users should not rush communicating with hackers, as there might be alternative ways to retrieve the locked files.

Name Revon ransomware
Type File locking virus, cryptomalware
Family Phobos ransomware
Related Fast.exeXX.exe
Encryption method Revon ransomware uses AES encryption algorithm to lock all non-system files on a Windows machine
File extension All personal files are modified in the following pattern: [file name].[original extension].id[random ID].[email].revon. An example of an encrypted file: picture.jpg.id[1R74D44-2945].[werichbin@protonmail.com].revon
Ransom note Upon successful file encryption, the virus drops info.hta and info.txt on victims' machines
Contact Malicious actors ask to email them via werichbin@protonmail.com or werichbin@cock.li
File decryption

Recovering data without backups is relatively difficult. The remaining options include:

  • Paying cybercriminals and hoping they will deliver what they promised (not recommended)
  • Waiting for a free decryption tool to be developed (might take very long and might not even be possible)
  • Using third-party recovery software that might, in some cases, retrieve at least some files
Malware removal To eliminate the virus, you should scan your system with a reputable security application, such as SpyHunter 5Combo Cleaner or Malwarebytes
System fix In some cases, malware might seriously damage Windows system files, so it will not perform optimally (start crashing, lagging, etc.). If you encounter suchlike problems after you eliminate the malware, you should repair your OS with the help of FortectIntego

Phobos is one of the most extensive data locking malware families around and closely resembles the Dharma family, using the same pattern for delivering users ransom notes and also incorporates many operation features, such as encryption algorithm.

Revon ransomware, just as its previous versions Razor, Dewar, and Dever, are primarily targeting public entities and businesses, although regular users could be targets as well. Since targets are mainly companies, the virus is mostly proliferated after the attackers scan the internet for vulnerable Remote Desktop connections and brute-force themselves in. Nonetheless, in case of the Revon virus would target regular users, it could spread in one of the following ways:

  • Spam email attachments;
  • Web injects;
  • Exploits and vulnerabilities;[1]
  • Software cracks;
  • Malicious ads;
  • Fake updates, etc.

In some cases, malware might be installed with Process Hacker 2 – an open-source application used for system monitoring purposes. As a result, Revon could also steal personal information from other apps and web browsers, including login data – users may suffer considerable financial losses. This is why Revon ransomware removal is so crucial at the early stage of the infection.

Before encrypting data, Revon virus performs a variety of changes to Windows machines. For example, it deletes Shadow Volume Copies with the help of “vssadmin delete shadows / all / quiet” command to complicate the data recovery for the victims, establishes Windows registry keys for persistence, gains access to external drives (such as USB flash or external hard drives), as well as networked resources such as NAS.

Once the preparations are complete, the Revon virus begins the encryption process with the help of a symmetric encryption algorithm AES.[2] This means that the same secret key is used to lock up the data and is later sent to a remote Command & Control server controlled by the attackers.

Revon ransomware virusRevon ransomware is crypto-malware that belongs to Phobos virus family

Due to this, blackmail is possible, as users need to retrieve it in order to decode all files. Nonetheless, there were confirmed cases of victims not receiving a decryption tool after a Bitcoin payment, hence users are not recommended contacting threat actors with the hopes for the Revon ransomware decryption tool.

After locking up the data, users can access an Info.hta and Info.txt file which explains users about data recovery process:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail werichbin@protonmail.com
Write this ID in the title of your message 1R74D44-2945
In case of no answer in 24 hours write us to this e-mail:werichbin@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Since no decryption software is currently available, we highly recommend you back up all the encrypted files before you remove Revon ransomware; otherwise, the data might get permanently damaged. For malware elimination, you should employ one of the anti-virus engines that can deal with the infection. Note that infiltration can also be prevented with the help of AV tools that detect the main executable file Fast.exeXX.exe as follows:

  • Trojan/Win32.RL_Generic.R325921;
  • Gen:NN.ZexaF.34106.duW@aSFkxzo;
  • Ransom.Phobos;
  • Win32:Malware-gen;
  • W32/Phobos.8B03!tr.ransom;
  • A Variant Of Win32/Filecoder.Phobos.C;
  • HEUR:Trojan.Win32.Generic, etc.

In case you do have backups, you should not bother with copying the encrypted files and simply eliminate the malware as soon as possible. In case your machine is still not working correctly after you get rid of Revon ransomware, you should fix the damage done with the help of such tools as FortectIntego.

Prevent ransomware intrusions and ensure you backup your data regularly

Since Phobos ransomware can access all the networked drives, the consequences of the infection can be devastating. Thus, the best way to negate the consequences of a ransomware infection is to have up-to-date backups that are stored on a remote server. This should not be connected to the main network, as the attackers can then easily access backups and encrypt them as well.

Unfortunately, many cybercriminal gangs behind the most popular ransomware families like Maze or DoppelPaymer now started extorting sensitive company information and publishing it online in case the ransom demands are not fulfilled.[3] This way, malware can cause not only loss of important data but also result in sensitive details compromise. There have been no reports of Phobos developers doing this, although it is most likely a matter of time.

Revon ransomware locked filesOnce Revon ransomware encrypts data, it is impossible to to open files, unless a special key is obtained

So, how do you protect the important data from ransomware infection? The answer is relatively straight forward – you must put resources into cybersecurity, such as regular staff training and adequate security solutions. Since Revon mainly spreads with the help of weak RDP connections, here are some tips on how to protect it better:

  • Never use a default TCP/UDP port 3389;
  • Limit RDP access to those that need it only;
  • Enable Network Level Authentication (NLA) via System Properties;
  • Employ a VPN;
  • Use strong passwords.

Eliminate Revon ransomware correctly

As previously mentioned, if you do not have working backups of your files, you should remove Revon ransomware immediately. First, you should employ an external storage device and place all the locked data there. Once done, you need to initiate a network-wide scan to find and eliminate all the malicious files that were placed by the Revon virus.

In case Revon ransomware removal is hindered due to its functionality, you can access Safe Mode with networking and performing a scan from there. Once you are sure that all the malware is gone, you can start with data recovery – simply connect your backups and copy it over. If no backups are available, you can try other methods listed below. Note that paying cybercriminals is also an option, but is not recommended due to a risk of cybercriminals not providing the decryption tool after payment. In such a case, you would not only lose your files but also money, so take that into consideration.

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Revon virus. Follow these steps

Manual removal using Safe Mode

Access Safe Mode with Networking if you are struggling with Revon virus removal:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Revon using System Restore

System Restore can also be used to eliminate the malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Revon. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Revon removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Revon from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Revon, you can use several methods to restore them:

Data Recovery Pro option

In some cases, data recovery software might be able to retrieve working copies of at least some of your files from the hard drive.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Revon ransomware;
  • Restore them.

Using Windows Previous Versions feature

In case ransomware failed to remove Shadow Volume Copies and you had System Restore enabled, Windows Previous Versions feature might help you.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might be a tool that will save all your data

If Shadow copies were not removed, ShadowExplorer is the best tool to use for data recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Revon and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

 

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

 

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

References