
Remove Kovter Ransomware and Restore .Crypted Encrypted Files

Malware carrying the name Kovter, active for over three years, has evolved into ransomware, CheckPoint reports indicate. The malicious executables of this virus encrypt user data with a strong encryption algorithm, but more importantly they are obfuscated in a way that hides the malware and lets it run successfully. All users infected by Kovter should immediately take action to remove the malware and decrypt their files using the instructions below.

Name: Kovter
Type: Ransomware
Short Description: Encodes the user files via an obfuscated process.
Symptoms: The user may witness the files encrypted with a .crypted file extension.
Distribution Method: Via JavaScript, malicious macros, infected URLs.
Detection Tool: Download Malware Removal Tool to see if your system has been affected by Kovter.
User Experience: Join our forum to discuss Kovter.

Kovter Ransomware – How Is It Spread

To infect users successfully, the Kovter developers have devised a cunning method to obfuscate their malicious processes. In fact, experts report that they have focused more on obfuscation than on encryption strength. The ransomware uses an obfuscator to encode a portion of its files so that they remain undetected; these files then perform a “call” to another obfuscated process, which encrypts the data.

The initially obfuscated files may be dropped onto your computer via several different malware types:

  • Javascript.
  • Malicious macros.
  • Droppers.
  • Downloaders.
  • Exploit Kits.
  • Rogue programs.
  • Rootkits.

All of those methods are possible, but the main infection method behind most reports was infected macros in .PDF documents. This may happen after you download a .PDF document, open it and then click the “Enable Editing” button.

Not only this, but the Kovter developers have improved the infection process as well, designing newer and more clever methods to spread the malware effectively, such as several layers of process obfuscation. This additional defensive layer hides the malware and allows it to perform the encryption and evade detection, which was most likely the priority of the cyber-crooks.

Kovter Ransomware In Detail

To briefly put the history of this malware in perspective, we have decided to illustrate the forms in which it was detected in different years:

2013

This malware family has a long history of infecting users to generate profit for its creators. At first, in 2013-2014, it was reported to pose as police lock-screen malware:

[Image: Kovter Ransomware Infections on Upward Trend]

2014

Later, reports from infected systems showed that in 2014 Kovter began to monitor the victim PC’s traffic and exhibit rootkit-like behavior. It was mainly oriented toward click fraud, generating hoax traffic to vendor websites.

2015

In 2015, Kovter was released in a new form. Its main purposes remained the same, but this time the malware acted without leaving any logical trace on the user’s PC. This type of “fileless” malware is very difficult to detect, and the developers behind the malware know it.

Present Days

Now, Kovter is back, and the crypto-nightmare wants only one thing – the user’s funds. Once it infects your computer, it drops heavily obfuscated executables along with .tmp, .dll and other malicious files. The locations and executable names this malware typically uses may be the following:

[Image: commonly used file names and folders]

After creating its files, the malware executes a malicious script that contains a “call-to-action” type of command that looks for specific files to encrypt. The command is reported by CheckPoint researchers to be the following:

→ Dir /B "C\"&& for /r "C:\" %%i in(*.zip*rar*.gz*.xls*.xls*.xlsx*.doc*.docx*.pdf*.rtf*.ppt*.pptx […]) do (REN "%%i" "%%~nxi.crypted" & call
C\Users\VMUser\AppData\Local\Temp\{malicious file name}.exe "%%i.crypted"

After this command has been executed, the malicious module that encrypts the files begins looking for files with the extensions listed above (separated with “*”). Once that is done, the malware renames each encrypted file with the .crypted file extension, for example:

→ New Text Document.txt.crypted

The encrypted files cannot be opened in any way, and users are left wondering how to restore their data. Fortunately, we have discovered a solution below.
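For defenders, the quoted loop gives two concrete handles. The command line itself (a recursive `for /r` walk, a `REN` that appends `.crypted`, and a `call` into an executable under the user's local Temp folder) can be matched in process-creation logs, and because the rename keeps the original name and extension intact (as `New Text Document.txt.crypted` shows), the affected files can be inventoried by original type. The following Python is an added example written for this article; it is not code from SensorsTechForum or from the CheckPoint report. The process records, the record format, the file paths and the `PLACEHOLDER_NAME.exe` executable name are all constructed for illustration.

```python
"""
Triage helpers for the Kovter rename-and-call loop quoted above.
Added example: not code from SensorsTechForum or from the CheckPoint report.
The process records and file paths below are constructed for illustration.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators drawn from the quoted command: a recursive "for /r" walk, a REN that
# appends ".crypted", and a "call" into an executable under the user's local Temp.
FOR_R = re.compile(r"\bfor\s+/r\b", re.IGNORECASE)
REN_CRYPTED = re.compile(r"\b(?:ren|rename)\b[^&|]*\.crypted", re.IGNORECASE)
CALL_TEMP = re.compile(
    r'\bcall\b\s+"?[a-z]:\\users\\[^"\s]*\\appdata\\local\\temp\\', re.IGNORECASE
)

# Constructed process-creation records (shape is illustrative; a real feed such as
# Sysmon Event ID 1 would carry the same three fields under different names).
CONSTRUCTED_RECORDS = [
    {
        "ts": "2016-06-01T10:00:01Z",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": (
            r'cmd /c Dir /B "C:\" && for /r "C:\" %i in (*.zip *.rar *.doc *.pdf) '
            r'do (REN "%i" "%~nxi.crypted" & call '
            r'C:\Users\VMUser\AppData\Local\Temp\PLACEHOLDER_NAME.exe "%i.crypted")'
        ),
    },
    {   # benign cleanup job: recursive loop, but no rename to .crypted
        "ts": "2016-06-01T10:00:02Z",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'cmd /c for /r "D:\backup" %i in (*.log) do (del "%i")',
    },
    {   # unrelated archiver run
        "ts": "2016-06-01T10:00:03Z",
        "image": r"C:\Program Files\7-Zip\7z.exe",
        "cmdline": r"7z a archive.zip C:\Users\VMUser\Documents",
    },
]

# Constructed file listing from an affected profile.
CONSTRUCTED_PATHS = [
    r"C:\Users\VMUser\Documents\New Text Document.txt.crypted",
    r"C:\Users\VMUser\Documents\thesis.docx.crypted",
    r"C:\Users\VMUser\Documents\invoice.pdf.crypted",
    r"C:\Users\VMUser\Documents\contract.pdf.crypted",
    r"C:\Users\VMUser\Downloads\photos.zip.crypted",
    r"C:\Users\VMUser\Desktop\notes.txt",  # untouched file
]


def kovter_rename_indicators(cmdline):
    """Return the names of the indicators found in one command line."""
    hits = []
    if FOR_R.search(cmdline):
        hits.append("recursive_for_loop")
    if REN_CRYPTED.search(cmdline):
        hits.append("rename_to_crypted")
    if CALL_TEMP.search(cmdline):
        hits.append("call_exe_in_temp")
    return hits


def is_suspicious(cmdline):
    """Alert only when the .crypted rename co-occurs with another indicator, so a
    lone recursive loop (backup scripts, cleanup jobs) does not fire on its own."""
    hits = kovter_rename_indicators(cmdline)
    return "rename_to_crypted" in hits and len(hits) >= 2


def scan_records(records):
    """Return the timestamps of records whose command line matches the pattern."""
    return [r["ts"] for r in records if is_suspicious(r["cmdline"])]


def original_name(path):
    """Recover the pre-encryption file name from a ".crypted" path.
    The quoted loop renames "%i" to "%~nxi.crypted", i.e. it appends the new
    extension after the original name and extension, so both survive intact.
    Returns None for paths that do not carry the appended extension."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".crypted":
        return None
    return p.name[: -len(p.suffix)]


def tally_original_extensions(paths):
    """Count affected files by their original extension, for scoping the incident."""
    counts = Counter()
    for path in paths:
        name = original_name(path)
        if name is None:
            continue
        counts[PureWindowsPath(name).suffix.lower() or "(none)"] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in CONSTRUCTED_RECORDS:
        print(rec["ts"], rec["image"], kovter_rename_indicators(rec["cmdline"]))
    print("alerts:", scan_records(CONSTRUCTED_RECORDS))
    print("affected by original type:", tally_original_extensions(CONSTRUCTED_PATHS))
```

The two-indicator rule is deliberate: `for /r` alone is common in legitimate administration, so the alert keys on the rename to `.crypted` plus at least one of the other two traits. The inventory function only reads names; it does not try to decrypt anything, which in this case is handled by the decryptor referenced in the removal steps.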

Remove Kovter Ransomware and Decrypt .Crypted Files

To remove the ransomware, you must locate the registry entries it has interacted with and the malicious executables it has created. Besides that, the ransomware may run active processes on your PC. This is why researchers strongly advise using an advanced anti-malware program to remove the ransomware without affecting key Windows files. We have prepared step-by-step instructions below to help you with the removal.

Fortunately for the users, the ransomware uses a locally generated key, which means that decryption via this key is possible. All users have to do is follow step “4. Restore files encrypted by Kovter”, download the decryptor and use it.

1. Boot Your PC In Safe Mode to isolate and remove Kovter
2. Remove Kovter with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Kovter in the future
4. Restore files encrypted by Kovter
Optional: Using Alternative Anti-Malware Tools
NOTE! Important notice about the Kovter threat: Manual removal of Kovter requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
