.ncov Virus File (Dharma Ransomware) – Remove It

.ncov Virus File (Dharma Ransomware) – Remove It


The .ncov files virus is a ransomware from the Crysis/Dharma family. It is extremely dangerous ransomware due to the fact that it encrypts personal files located on the local drives as well as shared network directories. The primary goal of Dharma .ncov ransomware is to extort a hefty ransom fee from infected users. The extortion happens via a ransom note file and a lockscreen instance.

Security experts strongly advise all victims against paying the demanded ransom to hackers. Otherwise, cyber criminals will be encouraged to continue developing vicious ransomware infections like .ncov files virus and harassing online users. Keep up with this ransomware removal guide and find out how to clean malicious files from infected PC as well as how to potentially recover .ncov files.

Threat Summary

Name.ncov virus
TypeRansomware, Cryptovirus
Short DescriptionA ransomware dsigned to corrupt valuable files and extort a ransom free for their decryption.
SymptomsImportant files cannot be opened due to changes of their code. They are all renamed with .ncov extension.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .ncov virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .ncov virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

The .ncov virus is a new release of the Dharma ransomware which has been spotted in an ongoing campaign targeting users globally. It is very possible that a new hacking group is behind this new version. Dharma ransomware strains are easily created as the source code can be found on several underground marketplaces and also offered from custom shops. In general Dharma ransomware infections are done by creating samples for one particular campaign. This makes it easier for the hackers to track down the damage they have been able to inflict.

Related: .WHY Virus File (Dharma Ransomware) – How to Remove

There are several popular distribution tactics which have been used to spread Dharma ransomware, common ones include the following:

  • Phishing Email Messages — The criminals can send out SPAM messages in bulk in order to impersonate well-known notifications and web services. They can include dangerous links or scripts that will lead to the virus delivery. In other cases attachments will be directed against the users.
  • Hacker-controlled Web Sites — These are dangerous sites which will impersonate web companies and services. They are hosted on domain names that sound very similar to the faked companies and may also integrate stolen content, as well as security certificates.
  • Malware-Infected Files — The .ncov virus can infect users via malware files that include the relevant installation code. They can be office documents (including the most popular file types) or setup files of popular software. The virus-infected files can also easily be uploaded onto file-sharing networks such as BitTorrent — they are often used by users to spread both pirate and legitimate data.
  • Indirect Attacks — The .ncov virus can be delivered via other malware such as Trojans and Browser hijackers.

An analysis of one of the captured samples shows that this particular is not so different than the previous versions. It includes a built-in obfuscation module which will attempt to hide the virus installation from the host computer.

Related: Crown Virus (Dharma Ransomware) Removal Guide

In this version of Dharma this component can also detect if there any running security applications, including virtual machine hosts. They can be disabled or removed, this will depend on the configuration of the virus.

The ransomware engine will be installed as a persistent threat by re configuring the system to launch it as soon as the computer is powered on. This step may also disable access to the recovery boot options which will make recovery more difficult. The .ncov virus engine can interact with running programs by changing their actions. This can result in process hookups which can result in harvesting of sensitive data. All collected information about the system can then be processed by a built-in algorithm which will output an unique ID for each infected computer.

The virus can delete backups and important files thus aiming to make it much more difficult to effectively restore the computer using manual methods. This strategy is used in many Dharma ransomware variants.

When everything has finished running the actual encryption process will start. This is done by using a list of target data which will be processed by the virus. Usually this will include files such as the following: multimedia files, archives, backups, databases, documents and etc. All affected data will be renamed with the .ncov extension, like previous infections a ransom note and/or a ransom lockscreen will be shown to the users. They will blackmail the victims into paying a ransom fee in cryptocurrency.

Remove .ncov Virus Files and Restore Data

The ransomware associated with .ncov extension is a threat with highly complex code that plagues not only your files but your whole system. So you should clean and secure your infected system before you could use it regularly again. Below you could find a step-by-step removal guide that may be helpful in attempting to remove this ransomware.

Choose the manual removal approach if you have previous experience with malware files. If you don’t feel comfortable with the manual steps select the automatic section from the guide. Steps there enable you to check the infected system for ransomware files and remove them with a few mouse clicks.

In order to keep your system safe from ransomware and other types of malware in future, you should consider the installation of a reliable anti-malware program.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share