Remove Coverton Ransomware and Restore .Coverton Encrypted Files

A new devastating ransomware and it’s variants have been reported to infect users on a global scale. It’s name is Coverton, and it is reported to use several extensions that it ads after data encryption. One of the extensions is .Coverton – its name, however, the ransomware may also generate random extensions. This variant has also been reported by several sources that it may contain a bad code and even paying the ~400 USD for the decryption of the files in BitCoins may not restore 100% of them. Either way, we strongly advise against Paying any ransom money and for looking towards an alternative solution.

NameCoverton
TypeRansomware
Short DescriptionEncrypts user data adding the .Coverton file extension and making them impossible to open.
SymptomsThe user may witness a “WARNING” ransom message file on the folder of their encrypted files as well as on their desktop.
Distribution MethodVia PUPs, installed by bundling (Browser Hijackers) or by visiting a suspicious third-party site that is advertising it.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Coverton
User Experience Join our forum to discuss Coverton.

Coverton Ransomware – How Is It Spread?

Coverton is reported by researchers to spread its payload via different type of spam:

  • Spam links by social media spam bots.
  • Email attachments or links redirecting to malicious URLs.
  • Malicious URLs featured in comments.

The executable of the dropper of Coverton may resemble a legitimate Windows application, and it may also resemble a program user is trying to download and install. Either way the final method Coverton uses to spread is very effective since it has quickly gained popularity.

Coverton Ransomware In Detail

Once the payload carrying file is executed, it may drop the following modules:

In %Users%/%user’s profile%:
userlog.exe
Desktop\!!!-WARNING-!!!.html
Desktop\!!!-WARNING-!!!.txt
In %System%
crrss.exe

After it drops the data, the ransomware is reported by malware researchers to create a registry entry so that it automatically runs when you turn on your computer:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\userlog $user’s profile%\userlog.exe

Once it has been activated on Windows startup, the “userlog.exe” file may begin to scan over 950 of the most commonly used types of files. This is an unusually big number of file extensions, and most of them may even be unfamiliar to experienced users. This indicates that a very experienced hacker or hacker group has created the malware.

After the data scanned by Coverton has been encrypted with the .Coverton extension, the ransomware displays the following ransom message:

→ “Warning!
What happened to your computer?
All your files on hard drives, removable media and network files were encrypted by a cryptographically strong algorithm AES-256 with encryption key RSA-2048.
The expansion of encrypted files is: .Coverton
For the time the decryption of AES-256 is impossible.
What have you to do?
To receive a pair of keys for decrypting your files you have to go through the following steps:
Simple variant: click to {custom URL for the infected user} and follow the instructions OR complex variant:
1. Download TOR Browser: {tor download page}
2. Open link in TOR Browser: {custom URL for the infected user via TOR}
3. Follow the instructions.
We recommend you not to disconnect your computer from the electrical supply.
We recommend you not to disconnect your computer from the Internet.
We recommend you not to extract the encrypted electronic data carriers.
Danger!
Do not try to cheat the system, do not attempt to edit encrypted files, do not attempt to remove the program.
Such actions can easily bring to the inability to recover your files and data, so we can not help.
Danger!
The key to decrypt your files is stored on our remote server.”

The encrypted files look like the following example:
coverton-encrypted file-sensorstechforum

After encrypting the data, Symantec researchers report that the malware may connect to these hosts:

  • 190.10.8.128
  • 81.2.237.32
  • 172.81.176.146
  • bitgotothetoma.bit

Remove Coverton Ransomware and Restore Your Files

To remove this ransomware, you should act as if you have a Trojan or another malicious software on your computer. But never underestimated it, because it might as well have Rootkit capabilities. This is why we advise you to follow the step by step removal instructions below and install an advanced anti-malware software. It will make sure that all files and other objects associated with this malicious software are permanently gone and protect you in the future as well.

Regarding the recovery of the data, the bad news is that there was most likely a mistake during the coding of this ransomware. This is why several users who paid the ransom money have complained in security forums that despite that, they managed to restore around 80% of their data best case scenario. Below, we have suggested several free alternatives that you cannot try. We suggest you not to try direct decryption until a specific decryptor for this Ransomware comes out. And even though it may come out, it may take a lot of time to deal with the combination of two of the strongest ciphers in the world(RSA and AES).

1. Boot Your PC In Safe Mode to isolate and remove Coverton
2. Remove Coverton with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Coverton in the future
4. Restore files encrypted by Coverton
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the Coverton threat: Manual removal of Coverton requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.