What is Kovter ransomware?
Kovter is a dangerous money-extorting malware that belongs to the group of ransomware viruses. It was first recorded in May, 2014 and since then the threat has spread through the globe and infected thousands of computers. Kovter operates in the same manners as its forerunners – it overtakes a system and demands money for its restitution. Lately Kovter, however, exploited the disguise of governmental accusation. It blocked the screen with the notification of user’s law breaching and stated that there was a fine for the crimes. The warning looked very natural, as the ransomware had an ability to look through victims’ browsing history.
Now the Kovter ransomware abandoned this practice and acts like usual encryption virus. It still displays a large window with a message demanding to pay money, nevertheless now it openly shows the deceptive nature of itself. The note informs a victim about encryption of the data presenting on the computer and states the amount of ransom, which is usually from 0.5 to 1.5 Bitcoins, for its retrieval. We advise not to rush into transferring the money and trying to remove Kovter ransomware at first.
Symptoms of Kovter ransomware infection
It’s difficult not to notice ransomware, since it often has one of the processes responsible for displaying a notification message. This window blocks the screen leaving the user minimum alternatives. Besides, some files will be inaccessible, as in many cases ransomware encrypts them to exasperate the intimidating effect. Also the ransomware will set two processes – mshta.exe and dw20.exe to be launched with the start of system. So, if you open Task Manager you may see these processes running, sometimes multiplied. Alongside with it powershell.exe processes may act weird appearing in huge numbers and consuming the great amount of resources. On occasions some users experienced errors warning that PowerShell has shut down.
How Kovter ransomware got installed on your computer
Kovter is mainly distributed by the approaches that many other ransomware viruses apply to. Mostly it is attachments of spam emails disguised as business offers, official notifications, or something of the same sort, persuading a victim to open the enclosure. To not be tricked by crafty made letters you need to rely on an antimalware tool and keep a check on its updates. In parallel it’s good to learn some rules of safe web surfing, which is keeping out of suspicious websites, not clicking ads and various pop-ups.
What to do if your PC is infected with Kovter ransomware
As soon as you notice the presence of the ransomware on your system, you should turn your computer off. If it is possible try to create a backup or image of your hard drive info. This may let you to reserve the state of your drives in case a decryption method would be created afterwards.
How to remove Kovter ransomware?
To make sure that the adware won’t reappear, you need to delete Kovter ransomware completely. For this you need to remove the files and registry entries of the ransomware. We should warn you that performing some of the steps may require above-average skills, so if you don’t feel experienced enough, you may apply to automatic removal tool.
Steps of Kovter ransomware manual removal
Restart Windows in Safe Mode
For Windows XP:
- Restart the system
- While computer is rebooting press F8 several times
- In the appeared list of options choose Safe Mode
For Windows 7 and Vista:
- Restart the system
- While computer is rebooting press F8 several times
- In the appeared list of options choose Safe Mode
For Windows 8 and 8.1:
- Restart the system
- While computer is rebooting press F8 several times
- In the appeared list of options choose Safe Mode
For Windows 10:
- In the Start menu click on the power button
- Hold Shift and choose Restart
- Choose Troubleshoot
- In the Advanced Options choose Startup Settings
- Click Restart
- Select Enter Safe Mode
Delete files and registry entries added by Kovter ransomware
Now you will be able to reach the needed functions and files. For eliminating the ransomware activity, you need to find all of the following items and delete them.
Remove Kovter ransomware files and folders:
%ALLUSERSPROFILE%\Dados de aplicativos\Fonts-Adv\Dir-New.cpl
%LOCALAPPDATA%\KB[RANDOM NUMBER]\KB[RANDOM NUMBER].exe
%LocalAppData%\evum\
%LocalAppData%\evum\1QGNQ.2MGvFO
%AppData%\BlastoffCounterpoiseDissimilitude
%AppData%\ForesideDopattaEmpyrean
%AppData%\gangbang.dll
%AppData%\htmlhelp.title.xml
%AppData%\libertine.dll
%AppData%\minimize_hover.png
%AppData%\System.dll
Remove Kovter ransomware registry entries:
HKCU\Software\Classes\.2MGvFO
HKCU\Software\Classes\.2MGvFO\ ayC5
HKCU\Software\Classes\ayC5
HKCU\Software\Classes\ayC5\shell
HKCU\Software\Classes\ayC5\shell\open
HKCU\Software\Classes\ayC5\shell\open\command
HKCU\Software\3c1cee05f3
HKCU\Software\Classes\ayC5\shell\open\command\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ [unreadable_char]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ [unreadable_char]
Restore the files encrypted by Kovter ransomware
Use the decrypting tool
Unfortunately, currently the tool able to decrypt the files infected by Kovter ransomware is not released yet. You may try applying to the methods described below, however, they might not work with the latest versions of Kovter ransomware.
Restore the system
- Initiate the search for system restore
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore