Guide to Remove Kovasoh Ransomware

Hackers behind the infamous stop djvu Ransomware Family have developed another menacing variant – Kovasoh Ransomware! This pernicious file locking virus, just like its siblings, has been created with the strong financial motive.

.Kovasoh file virus is spreading its infection world-wide via spam e-mail campaigns, fraudulent online advertising & fake software updaters.

After infecting the system, it searches for some specific file extensions to encrypt & lock. When found, it employs Encryption Algorithms to make it instantly inaccessible by adding Kovasoh extension to the filenames.

A ransom-demanding note appears every time a victim tries to access the encrypted files. It suggests that decryption of files is possible with the interference of the hackers only.

Pay the ransom & get Kovasoh decrypter & unique key in exchange, the note states.

But, how far is this claim true? Are there other possible ways to remove Kovasoh Ransomware from the system?

Victims from around the world are looking for ways to get rid of Kovasoh Ransomware & decrypt .Kovasoh files. Read on to find if it is possible to recover .Kovasoh files.

Threat Summary

Threat Behavior of Kovasoh Ransomware

Kovasoh Ransomware is the brand-new addition to the ever-growing & infamous Stop Djvu Ransomware Family. Alike other variants it propagates its infection through various spread techniques.

It enters the system stealthily & does not require any manual help to install on the PC. Upon installation, it searches the entire system for certain targeted file extensions & types. When located, it employs highly-complex Encryption Algorithms to encrypt the files & generate a private unique key for each infected system. These keys are stored on the server controlled by hackers.

The encrypted files are renamed & .Kovasoh Extension is added as a suffix to the file names.

A file named image.jpg might be renamed as “image.jpg.kovasoh” after the encryption.

All the .kovasoh files are instantly made inaccessible due to significant modifications in their codes.

Some of the file extensions that .Kovasoh virus Ransomware is capable of encrypting are mentioned below:

• Document files (.docx, .doc, .odt, .rtf, .text, .pdf, .htm, .ppt)
• Audio Files (.mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4)
• Video Files (.3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob)
• Images (.jpg, .jpeg, .raw, .tif, .gif, .png)
• Backup Files (.bck, .bckp, .tmp, .gho)

Insight into the Ransom Note & Amount Demanded by Hackers

A ransom demanding banner appears on the screen every time an encrypted file is accessed. This note is a text document named “_readme.txt”. The note contains the ransom amount & instructions on how victims can contact the hackers.

The note states that the only possible way to restore the encrypted data is to contact the hackers & pay them the ransom amount of $980 in Bitcoins. They may contact the hackers on gorentos@bitmessage.ch & gorentos2@firemail.cc.

Once the payment has been made, Kovasoh decryption tool & unique key will be sent to the victims via e-mail.

The note further states that any victim who contacts the hackers within 72 hours of the encryption will be given a discount of 50% on the ransom amount i.e., $490 in Bitcoins.

Fake Claims made by the Kovasoh Developers

Hackers behind the Kovasoh Ransomware offer to decrypt any one file for free of cost. The victims can send one file (that should not contain sensitive information) to the hackers. Once decrypted, the file will be send back to the victim.

These claims are made by the hackers to guarantee the decryption of encrypted files. Please note that the sole motive of hackers behind encrypting the files with .Kovasoh virus Ransomware is to extort colossal amount in exchange of files recovery.

Analysis has shown that victims who paid ransom amount got scammed. They do not get the promised Kovasoh decryption tool & decryption tool after paying the ransom. The hackers stop responding once they have received the amount.

Therefore, victims should avoid any sort of negotiation with the hackers concerning decryption or paying the ransom amount. For the sake of the data security, victims may either download Kovasoh decrypter tool or navigate to the removal guidelines for .Kovasoh File Virus.

Distribution Techniques of Kovasoh Ransomware

The family of the pernicious Kovasoh Ransomware is considered as the most wide-spread file-encrypting virus. The reason behind it is the use of multiple distribution channels to spread the infection.

These channels help the hackers to increase the number of Kovasoh victims & possibility of generating colossal money from them.

Amongst all the spread methods, malvertising e-mail campaign is the most prevalent one.

Hackers send out a large number of infected & malware-laden e-mails. These e-mails suggest the receivers about an undelivered package from a shipping service. The e-mail appears genuine as it is contains name of legit shipping services in the subject-line.

Many users, out of their curiosity, click on the infected e-mails, not realizing that they might contain something harmful. A mere click on the attachments/links specified in the e-mail installs Kovasoh File Virus on the system.

Other common distribution techniques that Kovasoh is using to proliferate are-

• Zipped Java Script Attachments
• Unreliable Software Download Sources
• Fake Software Updater & Activation Tools
• Exploit Kits
• Malware laden websites, infected discount coupons.

How to remove Kovasoh Ransomware infection from the system

STEP A: Reboot your system to Safe Mode

To restart the system to Safe Mode with Networking,  if already switched ON then follow the below steps:

STEP B: Delete the suspicious key from the Configuration Settings

1. Type “Msconfig” in search box / Run Box, select it and press Enter.
2. Click on “Services” Tab and click on “Hide all Microsoft services”.
3. Select Kovasoh Ransomware from the list of remaining services and disable it by removing the tick mark from the checkbox and click on Apply button.

STEP C: Remove Malicious Program from Command Prompt

Once the system starts, ensure to use an account with administrative privilege to access Safe Mode with Command Prompt.

After the user enters admin credentials, Command prompt window is displayed wherein you are entitled to enter the below commands:

1. Type the command “sc delete Kovasoh Ransomware” in the command prompt and press Enter.
2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.

STEP D: Restore the System Files & Settings

How to prevent Kovasoh Ransomware from infecting your system

1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like Vipre, Kaspersky & BULL GUARD so that it remains safe.
6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.

Hits: 116