Kovasoh Ransomware
Ransomware | 08/06/2019

How to remove Kovasoh Ransomware from your system?

About: Kovasoh Ransomware is the latest addition to stop djvu Ransomware family. It encrypts files with .kovasoh extension & demands hefty ransom in exchange of the file recovery. Read on to find how you can protect your system against the attack of this ma...  Read More  

| Ransomware | How to remove Kovasoh Ransomware from your system?

Guide to Remove Kovasoh Ransomware

Hackers behind the infamous stop djvu Ransomware Family have developed another menacing variant – Kovasoh Ransomware! This pernicious file locking virus, just like its siblings, has been created with the strong financial motive.

.Kovasoh file virus is spreading its infection world-wide via spam e-mail campaigns, fraudulent online advertising & fake software updaters.

Threat Summary - Kovasoh

After infecting the system, it searches for some specific file extensions to encrypt & lock. When found, it employs Encryption Algorithms to make it instantly inaccessible by adding Kovasoh extension to the filenames.

A ransom-demanding note appears every time a victim tries to access the encrypted files. It suggests that decryption of files is possible with the interference of the hackers only.

Pay the ransom & get Kovasoh decrypter & unique key in exchange, the note states.

But, how far is this claim true? Are there other possible ways to remove Kovasoh Ransomware from the system?

Victims from around the world are looking for ways to get rid of Kovasoh Ransomware & decrypt .Kovasoh files. Read on to find if it is possible to recover .Kovasoh files.

Threat Summary

Name Kovasoh
Type Ransomware
Category Malware
Operating System Impacted Windows
Symptoms Files are encrypted with .kovasoh extension. A ransom demanding note appears every time victim tries to open the encrypted files.



Threat Behavior of Kovasoh Ransomware

Kovasoh Ransomware is the brand-new addition to the ever-growing & infamous Stop Djvu Ransomware Family. Alike other variants it propagates its infection through various spread techniques.

It enters the system stealthily & does not require any manual help to install on the PC. Upon installation, it searches the entire system for certain targeted file extensions & types. When located, it employs highly-complex Encryption Algorithms to encrypt the files & generate a private unique key for each infected system. These keys are stored on the server controlled by hackers.

The encrypted files are renamed & .Kovasoh Extension is added as a suffix to the file names.

Targeted Files - Kovasoh

A file named image.jpg might be renamed as “image.jpg.kovasoh” after the encryption.

All the .kovasoh files are instantly made inaccessible due to significant modifications in their codes.

Some of the file extensions that .Kovasoh virus Ransomware is capable of encrypting are mentioned below:

  • Document files (.docx, .doc, .odt, .rtf, .text, .pdf, .htm, .ppt)
  • Audio Files (.mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4)
  • Video Files (.3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob)
  • Images (.jpg, .jpeg, .raw, .tif, .gif, .png)
  • Backup Files (.bck, .bckp, .tmp, .gho)


Insight into the Ransom Note & Amount Demanded by Hackers

A ransom demanding banner appears on the screen every time an encrypted file is accessed. This note is a text document named “_readme.txt”. The note contains the ransom amount & instructions on how victims can contact the hackers.

The note states that the only possible way to restore the encrypted data is to contact the hackers & pay them the ransom amount of $980 in Bitcoins. They may contact the hackers on gorentos@bitmessage.ch & gorentos2@firemail.cc.

Ransom note - Kovasoh

Once the payment has been made, Kovasoh decryption tool & unique key will be sent to the victims via e-mail.

The note further states that any victim who contacts the hackers within 72 hours of the encryption will be given a discount of 50% on the ransom amount i.e., $490 in Bitcoins.

Fake Claims made by the Kovasoh Developers

Hackers behind the Kovasoh Ransomware offer to decrypt any one file for free of cost. The victims can send one file (that should not contain sensitive information) to the hackers. Once decrypted, the file will be send back to the victim.

These claims are made by the hackers to guarantee the decryption of encrypted files. Please note that the sole motive of hackers behind encrypting the files with .Kovasoh virus Ransomware is to extort colossal amount in exchange of files recovery.

Analysis has shown that victims who paid ransom amount got scammed. They do not get the promised Kovasoh decryption tool & decryption tool after paying the ransom. The hackers stop responding once they have received the amount.

Therefore, victims should avoid any sort of negotiation with the hackers concerning decryption or paying the ransom amount. For the sake of the data security, victims may either download Kovasoh decrypter tool or navigate to the removal guidelines for .Kovasoh File Virus.

Distribution Techniques of Kovasoh Ransomware

The family of the pernicious Kovasoh Ransomware is considered as the most wide-spread file-encrypting virus. The reason behind it is the use of multiple distribution channels to spread the infection.

These channels help the hackers to increase the number of Kovasoh victims & possibility of generating colossal money from them.

Amongst all the spread methods, malvertising e-mail campaign is the most prevalent one.

Spread Techniques - Kovasoh

Hackers send out a large number of infected & malware-laden e-mails. These e-mails suggest the receivers about an undelivered package from a shipping service. The e-mail appears genuine as it is contains name of legit shipping services in the subject-line.

Many users, out of their curiosity, click on the infected e-mails, not realizing that they might contain something harmful. A mere click on the attachments/links specified in the e-mail installs Kovasoh File Virus on the system.

Other common distribution techniques that Kovasoh is using to proliferate are-

  • Zipped Java Script Attachments
  • Unreliable Software Download Sources
  • Fake Software Updater & Activation Tools
  • Exploit Kits
  • Malware laden websites, infected discount coupons.


How to remove Kovasoh Ransomware infection from the system

STEP A: Reboot your system to Safe Mode

To restart the system to Safe Mode with Networking,  if already switched ON then follow the below steps:

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click  Restart.
  3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.

5 Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
  5. Click on the username and enter the password.

STEP B: Delete the suspicious key from the Configuration Settings

  1. Type “Msconfig” in search box / Run Box, select it and press Enter.
  2. Click on “Services” Tab and click on “Hide all Microsoft services”.
  3. Select Kovasoh Ransomware from the list of remaining services and disable it by removing the tick mark from the checkbox and click on Apply button.

Windows 7

  1. Click on the next tab – “Startup”.
  2. Find any blank or suspicious entry or the entry with Kovasoh Ransomware mentioned and remove the check mark.
  3. Click on Apply button and then click on OK.

Windows 10

  1. Click on the next tab – “Startup”.
  2. Take the mouse cursor to ‘Open task Manager‘ link and click on it.  This opens the Task Manager window.
  3. Find any blank or suspicious entry or the entry with Kovasoh Ransomware mentioned and click on it.
  4. Then click on Disable button.

STEP C: Remove Malicious Program from Command Prompt

Once the system starts, ensure to use an account with administrative privilege to access Safe Mode with Command Prompt.

After the user enters admin credentials, Command prompt window is displayed wherein you are entitled to enter the below commands:

  1. Type the command “sc delete Kovasoh Ransomware” in the command prompt and press Enter.
  2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.


STEP D: Restore the System Files & Settings

Method 1 using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icon option
  4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
  6.  Select the restore point that is prior the infiltration of Kovasoh Ransomware. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Kovasoh Ransomware.


Method 2 using Command Prompt

  1. Type cmd in the search box and click on the command prompt to open the Command Prompt window. box and clicking on it.
  2. Once the Command Prompt window shows up, enter cd restore and click Enter.(Ensure that you in the system32 directory of Windows folder in C Drive)
  3. Now type rstrui and press Enter again.
  4. When a new window shows up, click Next and select your restore point that is prior the infiltration of Kovasoh Ransomware. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Kovasoh Ransomware.



Method 3 : Directly type 'rstrui' in the search box

  1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

How to prevent Kovasoh Ransomware from infecting your system

  1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
  4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
  5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like VipreKaspersky BULL GUARD so that it remains safe.
  6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.

Hits: 125

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Rajasthan 302033
Phone: +91 9799661866