Severity scale: 96/100

Remove Revon ransomware (Removal Guide) - Decryption Steps Included

Removal guide by Gabriel E. Hall | Type: Ransomware

Revon ransomware – a file locking malware that demands ransom payment in Bitcoin

Revon ransomware is a data locking virus that uses the AES encryption algorithm to reach its goals.

Revon ransomware is a file locking malware that was first spotted in early April 2020. As a member of the Phobos family, the virus does not differ much from its predecessors – its main goal is to extort money from unsuspecting victims. Once inside the system, it performs several changes to ensure smooth operation and then uses AES to encrypt personal files like pictures, videos, music, documents, databases, and other data. During this process, the ransomware marks each of the files with the .revon extension, restricting access for users.

To make sure that users find out about what happened, the hackers behind the Revon virus also deliver a ransom note, info.hta, as well as info.txt. In it, threat actors explain that all personal data is locked and that users need to write to them via the werichbin@protonmail.com or werichbin@cock.li emails to negotiate a Bitcoin payment in order to acquire the Revon ransomware decryptor. While this malware is currently not decryptable, users should not rush to communicate with the hackers, as there might be alternative ways to retrieve the locked files.

Name: Revon ransomware
Type: File locking virus, cryptomalware
Family: Phobos ransomware
Related: Fast.exeXX.exe
Encryption method: Revon ransomware uses the AES encryption algorithm to lock all non-system files on a Windows machine
File extension: All personal files are modified in the following pattern: [file name].[original extension].id[random ID].[email].revon. An example of an encrypted file: picture.jpg.id[1R74D44-2945].[werichbin@protonmail.com].revon
Ransom note: Upon successful file encryption, the virus drops info.hta and info.txt on victims' machines
Contact: Malicious actors ask to be emailed via werichbin@protonmail.com or werichbin@cock.li
File decryption: Recovering data without backups is relatively difficult. The remaining options include:

  • Paying cybercriminals and hoping they will deliver what they promised (not recommended)
  • Waiting for a free decryption tool to be developed (might take very long and might not even be possible)
  • Using third-party recovery software that might, in some cases, retrieve at least some files

Malware removal: To eliminate the virus, you should scan your system with a reputable security application, such as SpyHunter 5, Combo Cleaner or Malwarebytes
System fix: In some cases, malware might seriously damage Windows system files, so the system will not perform optimally (crashing, lagging, etc.). If you encounter such problems after you eliminate the malware, you should repair your OS with the help of Reimage or Intego
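An added example, not part of the original guide: a small PowerShell parser for the file name pattern quoted in the table above, which lets an incident responder inventory affected files and pull the victim ID that the ransom note also quotes. The directory listing below is constructed for illustration, and the function name is my own.

```powershell
# Added example (not from the original guide): parse the Revon file name pattern
# [name].[ext].id[ID].[email].revon so affected files can be inventoried and the
# victim ID extracted. Function name and sample file names are constructed.

function ConvertFrom-RevonFileName {
    param([Parameter(Mandatory)][string]$FileName)
    # Anchored regex for the pattern quoted on this page; named groups keep the pieces
    $pattern = '^(?<original>.+)\.id\[(?<id>[^\]]+)\]\.\[(?<email>[^\]]+)\]\.revon$'
    if ($FileName -match $pattern) {
        return [pscustomobject]@{
            Encrypted    = $FileName
            OriginalName = $Matches['original']   # e.g. picture.jpg
            VictimId     = $Matches['id']         # e.g. 1R74D44-2945
            Email        = $Matches['email']
        }
    }
    return $null   # not a Revon-encrypted name
}

# Constructed directory listing: two Revon-encrypted files and one untouched file
$listing = @(
    'picture.jpg.id[1R74D44-2945].[werichbin@protonmail.com].revon',
    'budget 2020.xlsx.id[1R74D44-2945].[werichbin@cock.li].revon',
    'readme.txt'
)

$parsed = $listing | ForEach-Object { ConvertFrom-RevonFileName -FileName $_ } | Where-Object { $_ }
$parsed | Format-Table -AutoSize

# One victim ID per infected host is expected; more than one suggests that
# several infections or hosts were mixed into the same share.
$ids = $parsed | Select-Object -ExpandProperty VictimId -Unique
Write-Output ("Victim ID(s) found: " + ($ids -join ', '))
```

Replace the constructed listing with `Get-ChildItem -Recurse -Filter *.revon | Select-Object -ExpandProperty Name` to run it against a real share.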

Phobos is one of the most extensive data locking malware families around and closely resembles the Dharma family: it uses the same pattern for delivering ransom notes to users and shares many operational features, such as the encryption algorithm.

Revon ransomware, just like its previous versions Razor, Dewar, and Dever, primarily targets public entities and businesses, although regular users could be targets as well. Since the targets are mainly companies, the virus is mostly proliferated after the attackers scan the internet for vulnerable Remote Desktop connections and brute-force their way in. Nonetheless, in case the Revon virus targets regular users, it could spread in one of the following ways:

  • Spam email attachments;
  • Web injects;
  • Exploits and vulnerabilities;[1]
  • Software cracks;
  • Malicious ads;
  • Fake updates, etc.

In some cases, the malware might be installed together with Process Hacker 2, an open-source application used for system monitoring purposes. As a result, Revon could also steal personal information from other apps and web browsers, including login data, so users may suffer considerable financial losses. This is why Revon ransomware removal is so crucial at the early stage of the infection.

Before encrypting data, the Revon virus performs a variety of changes to Windows machines. For example, it deletes Shadow Volume Copies with the help of the “vssadmin delete shadows /all /quiet” command to complicate data recovery for the victims, establishes Windows registry keys for persistence, and gains access to external drives (such as USB flash or external hard drives), as well as networked resources such as NAS.
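An added example, not part of the original guide: detection logic, written in PowerShell, that flags process-creation records whose command line deletes Volume Shadow Copies, the preparation step described above. The command lines below are constructed samples of the kind you would pull from the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688; the function name is my own, and the WMIC pattern is a common equivalent that this page does not mention.

```powershell
# Added example (not from the original guide): flag command lines that delete
# Volume Shadow Copies. Input is a constructed list standing in for the
# CommandLine field of Sysmon Event ID 1 / Security Event ID 4688 records.

function Test-ShadowCopyDeletion {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Normalise whitespace and case so odd spacing or mixed case still matches
    $normalized = ($CommandLine -replace '\s+', ' ').Trim().ToLowerInvariant()
    # Patterns: the vssadmin command quoted on this page, plus the WMIC
    # equivalent (assumption: not stated on this page, but a known variant)
    $patterns = @(
        'vssadmin(\.exe)?\s+delete\s+shadows',
        'wmic(\.exe)?\s+shadowcopy\s+delete'
    )
    foreach ($p in $patterns) {
        if ($normalized -match $p) { return $true }
    }
    return $false
}

# Constructed sample command lines (not real telemetry)
$samples = @(
    'vssadmin delete shadows /all /quiet',
    'C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet',
    'vssadmin list shadows',
    'wmic shadowcopy delete',
    'notepad.exe C:\Users\user\info.txt'
)

foreach ($s in $samples) {
    $hit = Test-ShadowCopyDeletion -CommandLine $s
    $verdict = if ($hit) { 'ALERT' } else { 'ok   ' }
    Write-Output ("{0}  {1}" -f $verdict, $s)
}
```

The first, second and fourth samples are flagged; listing shadows or opening the ransom note is not.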

Once the preparations are complete, the Revon virus begins the encryption process with the help of the symmetric encryption algorithm AES.[2] This means that the same secret key is used to lock up the data; that key is later sent to a remote Command & Control server controlled by the attackers.

Revon ransomware is crypto-malware that belongs to the Phobos virus family.

Because of this, extortion is possible, as users need to retrieve the key in order to decode all files. Nonetheless, there have been confirmed cases of victims not receiving a decryption tool after a Bitcoin payment, hence users are not recommended to contact the threat actors in the hope of obtaining the Revon ransomware decryption tool.

After locking up the data, the virus leaves an Info.hta and Info.txt file which explains the data recovery process to users:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail werichbin@protonmail.com
Write this ID in the title of your message 1R74D44-2945
In case of no answer in 24 hours write us to this e-mail:werichbin@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Since no decryption software is currently available, we highly recommend you back up all the encrypted files before you remove Revon ransomware; otherwise, the data might get permanently damaged. For malware elimination, you should employ one of the anti-virus engines that can deal with the infection. Note that infiltration can also be prevented with the help of AV tools that detect the main executable file Fast.exeXX.exe as follows:

  • Trojan/Win32.RL_Generic.R325921;
  • Gen:NN.ZexaF.34106.duW@aSFkxzo;
  • Ransom.Phobos;
  • Win32:Malware-gen;
  • W32/Phobos.8B03!tr.ransom;
  • A Variant Of Win32/Filecoder.Phobos.C;
  • HEUR:Trojan.Win32.Generic, etc.

In case you do have backups, you should not bother with copying the encrypted files and should simply eliminate the malware as soon as possible. In case your machine is still not working correctly after you get rid of Revon ransomware, you should fix the damage done with the help of such tools as Reimage or Intego.

Prevent ransomware intrusions and ensure you back up your data regularly

Since Phobos ransomware can access all the networked drives, the consequences of the infection can be devastating. Thus, the best way to negate the consequences of a ransomware infection is to have up-to-date backups that are stored on a remote server. This should not be connected to the main network, as the attackers can then easily access backups and encrypt them as well.

Unfortunately, many cybercriminal gangs behind the most popular ransomware families like Maze or DoppelPaymer have now started stealing sensitive company information and publishing it online in case the ransom demands are not fulfilled.[3] This way, malware can cause not only the loss of important data but also the compromise of sensitive details. There have been no reports of Phobos developers doing this, although it is most likely a matter of time.

Once Revon ransomware encrypts data, it is impossible to open the files unless a special key is obtained.

So, how do you protect important data from a ransomware infection? The answer is relatively straightforward – you must put resources into cybersecurity, such as regular staff training and adequate security solutions. Since Revon mainly spreads with the help of weak RDP connections, here are some tips on how to protect it:

  • Never use the default TCP/UDP port 3389;
  • Limit RDP access to those that need it only;
  • Enable Network Level Authentication (NLA) via System Properties;
  • Employ a VPN;
  • Use strong passwords.
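An added example, not part of the original guide: a read-only PowerShell audit of the RDP settings the tips above cover (default port, NLA, who may connect, and how widely the firewall exposes the listener). It assumes an English Windows for the "Remote Desktop" firewall group name and an elevated session; the registry paths and value names are the standard Terminal Server ones.

```powershell
# Added example (not from the original guide): audit RDP hardening. Read-only;
# nothing is changed. Assumes an elevated session and an English Windows
# (firewall rule group name 'Remote Desktop').

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'
$findings = @()

# Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) {
    Write-Output 'RDP is disabled on this host; nothing further to check.'
    return
}

# Tip: never use the default port 3389
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
if ($port -eq 3389) { $findings += 'RDP listens on the default port 3389' }

# Tip: enable Network Level Authentication (UserAuthentication = 1)
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) { $findings += 'Network Level Authentication is not enforced' }

# Tip: limit RDP access to those who need it. Broad groups in
# 'Remote Desktop Users' defeat that; the check is skipped where the cmdlet
# is unavailable (e.g. on a domain controller).
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($members | Where-Object { $_.Name -match 'Everyone|Authenticated Users|Domain Users' }) {
    $findings += "'Remote Desktop Users' contains a broad group (Everyone/Authenticated Users/Domain Users)"
}

# Tip (VPN): the listener should not be reachable from any address; check the
# remote-address scope of the enabled Remote Desktop firewall rules.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: port, NLA, group membership and firewall scope look hardened.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output (' - ' + $_) }
}
```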

Eliminate Revon ransomware correctly

As previously mentioned, if you do not have working backups of your files, you should remove Revon ransomware immediately. First, you should employ an external storage device and place all the locked data there. Once done, you need to initiate a network-wide scan to find and eliminate all the malicious files that were placed by the Revon virus.

In case Revon ransomware removal is hindered by its functionality, you can access Safe Mode with Networking and perform a scan from there. Once you are sure that all the malware is gone, you can start with data recovery – simply connect your backups and copy the files over. If no backups are available, you can try the other methods listed below. Note that paying the cybercriminals is also an option, but it is not recommended due to the risk of the cybercriminals not providing the decryption tool after payment. In such a case, you would lose not only your files but also money, so take that into consideration.


To remove Revon virus, follow these steps:

Remove Revon using Safe Mode with Networking

Access Safe Mode with Networking if you are struggling with Revon virus removal:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Revon

    Log in to your infected account and start the browser. Download Reimage, Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware and complete Revon removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Revon using System Restore

System Restore can also be used to eliminate the malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select the restore point that is prior to the infiltration of Revon. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage or Intego and make sure that Revon removal is performed successfully.

Bonus: Recover your data

The guide presented above should help you remove Revon from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Revon, you can use several methods to restore them:

Data Recovery Pro option

In some cases, data recovery software might be able to retrieve working copies of at least some of your files from the hard drive.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Revon ransomware;
  • Restore them.

Using Windows Previous Versions feature

In case the ransomware failed to remove Shadow Volume Copies and you had System Restore enabled, the Windows Previous Versions feature might help you.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer might be a tool that will save all your data

If Shadow copies were not removed, ShadowExplorer is the best tool to use for data recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Revon and other ransomware, use a reputable anti-spyware, such as Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Back up files for later use, in case of a malware attack

Computer users can suffer various losses due to cyber infections or their own mistakes. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to update your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or device issues cause data or performance corruption. Make file backups your daily or weekly habit.

When you have the previous version of every important document or project, you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for system restoring purposes.

About the author

Gabriel E. Hall - Passionate web researcher
