Remove Kovter Ransomware and Restore .Crypted Encrypted Files - How to, Technology and PC Security Forum

Remove Kovter Ransomware and Restore .Crypted Encrypted Files

Malware carrying the name Kovter, active for over three years, has evolved into ransomware, CheckPoint reports indicate. The malicious executables of this virus encrypt the user's data with a strong encryption algorithm, but what is more important is that they are obfuscated in a way that hides the malware and allows it to run successfully. All users who have been infected by Kovter should immediately take action to remove the malware and decrypt their files using the instructions below.

Short Description: Encodes the user files via an obfuscated process.
Symptoms: The user may see their files encrypted with a .crypted file extension.
Distribution Method: Via JavaScript, malicious macros, infected URLs.
Detection Tool: Download Malware Removal Tool to see if your system has been affected by Kovter.
User Experience: Join our forum to discuss Kovter.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Kovter Ransomware – How Is It Spread

To infect users successfully, the Kovter developers have devised a cunning method to obfuscate their malicious processes. Experts report that they have focused more on obfuscation than on encryption strength: the ransomware uses an obfuscator to encode a portion of its files so that they remain undetected, and those files run a “call” type of script that hands off to another obfuscated process, which encrypts the data.

The initially obfuscated files may be dropped onto your computer via several different malware types:

  • JavaScript.
  • Malicious macros.
  • Droppers.
  • Downloaders.
  • Exploit Kits.
  • Rogue programs.
  • Rootkits.

All of those methods are possible, but the main infection method behind most reports was infected macros in .PDF documents. This may happen after you download a .PDF document, open it and then click the “Enable Editing” button.

Not only this, but the Kovter developers have improved the infection process as well, designing new and more clever methods to spread the malware effectively, such as several layers of process obfuscation. This additional defensive layer hides the malware and allows it to perform the encryption and evade detection, which was most likely the priority of the cyber-crooks.

Kovter Ransomware In Detail

To briefly put the history of this malware in perspective, we have illustrated its detections in different years:


This malware family has a long history of infecting users to generate profit for its creators. At first, in 2013-2014, it was reported to be posing as police lock-screen malware:

Kovter Ransomware Infections on Upward Trend


Later, in 2014, reports from infected systems showed that Kovter had begun to monitor the victim PC's traffic and exhibit rootkit-like behavior. It was mainly oriented toward click fraud, generating hoax traffic to vendor websites.


In 2015, Kovter was released in a new form. Its main purposes remained the same, but this time the malware acted without leaving any logical trace on the user's PC. This type of “fileless” malware is very difficult to detect, and the developers behind the malware know it.

Present Days

Now, Kovter is back, and the crypto-nightmare wants only one thing – the user's funds. After infecting your computer, it drops heavily obfuscated executables and other malicious files (.tmp, .dll and others). The locations and executable names usually used by this malware may be the following:

(image: commonly used file names and folders)

After creating its files, the malware executes a malicious script that contains a “call-to-action” type of command that looks for specific files to encrypt. The command is reported by CheckPoint researchers to be the following:

→ Dir /B "C\" && for /r "C:\" %%i in (*.zip*rar*.gz*.xls*.xls*.xlsx*.doc*.docx*.pdf*.rtf*.ppt*.pptx […]) do (REN "%%i" "%%~nxi.crypted" & call
C\Users\VMUser\AppData\Local\Temp\{malicious file name}.exe "%%i.crypted"

Once this command has been executed, the malicious module that encrypts the files looks for the file types with the extensions listed above (separated by “*”). It then renames and encrypts each file, appending the .crypted file extension, for example:
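The rename-then-call chain above is a usable detection signal. The following is an added example, not code from the article or from CheckPoint: it checks process-creation command lines (constructed sample records, not real logs) for the three parts of the reported command, and recovers the pre-rename name of a file from the `%%~nxi.crypted` scheme.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed process-creation command lines (not from the article). The first
# mimics the reported Kovter chain; the other two are benign look-alikes.
SAMPLE_CMDLINES = [
    r'cmd.exe /c Dir /B "C\" && for /r "C:\" %%i in (*.doc*.pdf*.xls) do '
    r'(REN "%%i" "%%~nxi.crypted" & call C:\Users\VMUser\AppData\Local\Temp\abc123.exe "%%i.crypted")',
    r'cmd.exe /c for /r "C:\build" %%i in (*.o) do (del "%%i")',
    r'cmd.exe /c ren "report.docx" "report_final.docx"',
]

# Three independent signals taken from the reported command. Requiring all
# three keeps ordinary "for /r" or "ren" batch usage from firing the rule.
_FOR_R = re.compile(r'\bfor\s+/r\b', re.IGNORECASE)
_REN_CRYPTED = re.compile(r'\bren\b[^&|]*\.crypted"?', re.IGNORECASE)
_CALL_TEMP_EXE = re.compile(
    r'\bcall\b[^&|]*\\AppData\\Local\\Temp\\[^\s"]+\.exe', re.IGNORECASE)


def kovter_rename_chain_indicators(cmdline: str) -> dict:
    """Return which of the three command-line signals are present."""
    return {
        "recursive_for": bool(_FOR_R.search(cmdline)),
        "ren_to_crypted": bool(_REN_CRYPTED.search(cmdline)),
        "call_temp_exe": bool(_CALL_TEMP_EXE.search(cmdline)),
    }


def is_kovter_rename_chain(cmdline: str) -> bool:
    """True only when the recursive loop, the .crypted rename and the call
    into %LOCALAPPDATA%\\Temp all appear in one command line."""
    return all(kovter_rename_chain_indicators(cmdline).values())


def flag_cmdlines(cmdlines):
    """Filter a batch of command lines down to the ones matching the chain."""
    return [c for c in cmdlines if is_kovter_rename_chain(c)]


def original_name(crypted_path: str) -> Optional[str]:
    """Recover the pre-rename path: REN "%%i" "%%~nxi.crypted" only appends
    '.crypted' to the full original name, so stripping it restores the name.
    Returns None when the path does not carry the appended extension."""
    p = PureWindowsPath(crypted_path)
    if p.suffix.lower() != ".crypted":
        return None
    return str(p.with_name(p.name[:-len(p.suffix)]))
```

Recovering the name only undoes the rename; the file content still needs the decryptor referenced in step 4 below.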

→ New Text Document.txt.crypted

The encrypted files cannot be opened in any way, and users are left wondering how to restore their data. Fortunately, we have discovered a solution below.

Remove Kovter Ransomware and Decrypt .Crypted Files

To remove the ransomware, you must locate the registry entries it has interacted with and the malicious executables it has created. Besides that, the ransomware may run active processes on your PC. This is why researchers strongly advise using an advanced anti-malware program to remove the ransomware without affecting key Windows files. We have prepared step-by-step instructions below to help you with the removal.

Fortunately for the users, the ransomware uses a locally generated key, which means that decryption via this key is possible. All users have to do is follow step “4. Restore files encrypted by Kovter”, download the decryptor and use it.

1. Boot Your PC In Safe Mode to isolate and remove Kovter
2. Remove Kovter with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Kovter in the future
4. Restore files encrypted by Kovter
Optional: Using Alternative Anti-Malware Tools
NOTE! Important notice about the Kovter threat: Manual removal of Kovter requires interfering with system files and registry entries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
