Remove COVM Ransomware Virus (.COVM File Virus Decryption Guide)

COVM is the 227th DJVU ransomware variant

COVM ransomware (also known as COVM File Virus) is the name of a currently-active computer virus that encrypts personal files on victim’s computer, removing any chances to access them. It is the 227th STOP/DJVU malware variant. During the cyber attack, the ransomware uses either online or offline encryption key to make files unreadable, then appends .covm file extension after the original file extension. As a result, the file can no longer be opened or edited. The virus creates and drops _readme.txt text notes, widely known as ransom notes, in every affected data folder. The note explains that the only way to recover personal files is to pay a ransom to cybercriminals, or data will be lost forever.

Covm ransomware virus is a new STOP/DJVU variant, which functions similarly to the other versions such as MZLQ, ZIPE or SQPC. Once the virus infects the computer, it displays a fake Windows update screen to trick the user into thinking that it is the original cause of sudden system slowdown.

However, in the meantime, the ransomware is silently scanning all folders for target files and encrypting them. Once finished, the victim discovers that all photos, videos, documents and other data is now COVM file type and cannot be opened with any program. Thus, each folder contains _readme.txt ransom note, which suggests paying a ransom worth $490 (if paid within 72 hours) or $980 later.

The ransom note explains that the victim shouldn’t worry as all files can be returned. However, the victim is instructed to purchase “a decrypt tool and unique key” from the criminals. The price for such decryption set depends on how fast the victim contacts the ransomware developers. If the victim writes to them within 72 hours (3 full days), the suggested price with 50% discount is $490. Otherwise, it rises back to the full price – $980.

The crooks ask contacting them via helpmanager@mail.ch or restoremanager@firemail.cc for further instructions regarding ransom payment. If the victim hesitates whether to pay up or not, the attackers suggest decrypting one .covm extension file for free.

Paying a ransom to cybercriminals is never a good idea. Not only you risk losing your money for nothing, but communicating with attackers via email exposes you to additional risks such as deceptive infectious attachments or links. If you decide to contact them, be extremely careful and remember that they cannot be trusted. our recommendation is to remove COVM ransomware using the free instructions given below the article and take actions to protect your privacy as soon as possible. If you’d like to repair virus damage on your computer automatically, you might be interested in downloading RESTORO.

New STOP/DJVU variants install password-stealing Trojan and modify HOSTS file

COVM virus is extremely dangerous because it can silently install additional malware on your computer. To be precise, it distributes AZORult, a password-stealing Trojan. This malicious piece of software can steal login credentials from your browsers. Therefore, if you have been victimized by the said ransomware, you must keep in mind that passwords you have saved in your browsers are now stolen and can be accessed by cybercriminals.

To protect yourself from identity thefts, scams, and other dangers, we strongly recommend you to remove the ransomware and the Trojan first, then change all passwords for accounts saved in your browsers.

Moreover, COVM ransomware is configured to modify victim’s HOSTS file on the Windows system. The file can be used to restrict access to specific websites, which is exactly what the virus aims to do. The malicious Updatewin2.exe process complements the file with a lenghtly list of computer-related websites such as Microsoft, BleepingComputer, and others. It is believed that the virus attempts to suppress victim’s attempts to look for help and ransomware-related information online.

Threat Summary

Name	COVM file virus
Type	Ransomware; file-encrypting virus
Version	227th version of STOP/DJVU
Attack lenght	Depends on file system size; typically around 5 minutes
Ransom note	_readme.txt
Ransom price	$490 or $980
Extension	.covm file extension
Detection names	TR/AD.InstaBot.nwhir (Avira), Trojan.MalPack.GS (Malwarebytes) Win/malicious_confidence_100% (W), A Variant Of Win32/Kryptik.HCSI, Trojan-Ransom.Win32.Stop.mh and others (full list on VirusTotal)
Symptoms	Ransomware disables Windows Task Manager and then launches a fake Windows update screen (updatewin2.exe process). It then encrypts and marks all files with .covm file extensions. Additionally, the ransomware creates and drops files named _readme.txt will in every affected folder. The note tells that there is no way to restore files except of paying a ransom.
Contact emails	helpmanager@mail.ch or restoremanager@firemail.cc
Associated processes	0a6f026cea5ea8e6072d95a6613f51fe022068e5.exe 58ff.tmp.exe 4fe7.tmp.exe 68dd.tmp.exe FF86.tmp.exe 32DF.tmp.exe FC8.tmp.exe updatewin2.exe
Distribution	Software cracks, keygens, illegal files, peer-to-peer downloads
Removal	Use trustworthy anti-malware to delete the virus. To identify and repair virus damage on Windows OS files, we recommend using RESTORO.
Post-removal steps	Restore files using data backups, or, if you have been affected by the offline encryption, wait for STOP Decrypter update. Change all of your passwords due to Azorult Trojan’s activity.

File-encrypting threats await in malicious downloads

COVM ransomware distribution mainly relies on illegal downloads. That said, you should stay away from high-risk online downloads such as cracked software, keygens, KMSPico and similar files.

Cyber criminals know that many computer users head to peer-to-peer download websites to get fully functional versions of popular software ranging from photo editing to gaming categories. Unfortunately, unauthorized distribution of copyrighted software versions is a crime, just like distribution of malware. If you decide to opt for such bad version of programs, you pose a threat to your computer security and your own privacy, as most likely your download will contain threats like ransomware, Trojans, miners, and other viruses.

That said, malicious downloads is the primary distribution vector for STOP/DJVU ransomware variants. In the meantime, viruses from other ransomware creators can also be transmitted in the following ways:

• Compromised websites. Hackers can breach security of well-known websites and modify these sites to push malicious downloads. Or, they can also create malicious domains and redirect victims to them with the help of deceptive online ads.
• Malicious email attachments. File-encrypting viruses are mostly distributed using this particular method. It involves creating deceptive messages, legitimate-looking file names, and inserting malicious code into them. Victims often suspect nothing wrong with opening an attached document named report.pdf, which can actually contain malicious JavaScript. JS code can be used to download and run a file from external source.
• Outdated software vulnerabilities. You are prone to malware infections if you do not update your operating system or software versions as soon as the updates become available. Therefore, attackers can use a variety of methods to exploit the existing vulnerabilities in the software present on your computer to gain unauthorized access.

Guide to Remove COVM Ransomware

The best way to remove COVM ransomware virus is to do it in Windows Safe Mode. Please follow the directions given below to start your computer in the said mode. This will provide a safe environment and shut down all malicious processes that might attempt to interfere your security-related actions in the normal Windows mode.

COVM file virus removal is explained in detail below. Once you finish it, you can start recovering your files from a data backup and changing your passwords. If you’re one of those unlucky victims who do not have data backup, you should check for updates in this comprehensive guide about STOP/DJVU decryption. In the meantime, we recommend removing the virus and performing a system scan with RESTORO to identify damage to your system.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Frequently Asked Questions