Covm Ransomware Removal Guide

Do you know what Covm Ransomware is?

The description is very simple: Covm Ransomware is a Windows infection that uses stealthy distribution techniques to invade vulnerable operating systems and encrypt personal files, after which its creator can demand a ransom payment. There are hundreds and thousands of file-encrypting threats, and there are even clones of Covm itself, including Koti Ransomware, Mzlq Ransomware, Sqpc Ransomware, and Mpaj Ransomware. All of them belong to the so-called STOP Ransomware family, named after the first infection, on which all the others were modeled. We believe that the same attacker(s) stand behind these threats. If you continue reading this report, you will learn how to remove Covm Ransomware from your Windows operating system, how to protect it against the attacks of similar infections and, hopefully, how to decrypt your personal files.

You are not supposed to know when Covm Ransomware slithers in, but you can suspect when that happened if you remember downloading new files/programs, opening spam email attachments, or, for example, clicking pop-ups alerting you about security updates or something similar. If your system does not have security software installed, the launcher of the threat cannot be caught and deleted right away. Not much time is needed for the attackers to use Covm Ransomware for file encryption, after which all personal files are given the additional “.covm” extension. You can remove this extension, but that will not help you read the encrypted files. When they are encrypted, the data is scrambled to ensure that only a special decryptor can read the files. The good news is that malware researchers have come up with a free decryptor (STOP Decryptor) that might be able to restore files corrupted with an offline key.

Unfortunately, if the free decryptor does not work for you, or if you do not know to look for it, you might end up trusting the message delivered in the “_readme.txt” file. You can delete this file from the %HOMEDRIVE% directory. According to the message inside the file, all personal files are encrypted and can be recovered only with the help of a decryption tool and a unique decryption key. How are you supposed to obtain these? The attackers suggest that they would send you the tool and the key as soon as you contacted them (at helpmanager@mail.ch or restoremanager@firemail.cc) and then paid the ransom of $490 (or $980 after three days). Of course, trusting cybercriminals is not a good idea, and you do not want to do it. Note that if you pay the ransom, you will get nothing in return. Furthermore, if you expose yourself by sending an email, you could be flooded with intimidating and misleading messages.

You might be able to delete Covm Ransomware manually. The instructions below are meant to help you with that. However, you will not succeed unless you can identify the main .exe file. Hopefully, you can do that with the help of the linked Run value. After you are done with the removal of the ransomware, you must scan your system because it is possible that other threats exist and require removal too. Of course, we suggest installing anti-malware software that will automatically scan for threats, delete them, and also secure your system all at the same time. After you are done with Covm Ransomware, you can try using the free decryptor, but if you have copies of personal files stored outside the operating system, you should use them to replace the encrypted files. In the future, always secure your files using this method.

Remove Covm Ransomware

  1. Tap WINDOWS and R keys on the keyboard to launch Run.
  2. Enter regedit into the dialog box, and the Registry Editor will open.
  3. In the pane on the left, move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  4. Find the value named SysHelper and check the name of the .exe file (and the folder it is in) associated with it.
  5. Right-click the value and click Delete.
  6. Tap WINDOWS and E keys to launch File Explorer.
  7. Enter %LOCALAPPDATA% into the field at the top to access the directory.
  8. Right-click and Delete the {unknown name} folder that contains the malicious {unknown name}.exe file. It should match the name of the file associated with the value in step 4.
  9. Enter %WINDIR%\System32\ into the field at the top.
  10. Open the Tasks folder and then right-click and Delete the task named Time Trigger Task.
  11. Enter %HOMEDRIVE% into the field at the top.
  12. Right-click and Delete the ransom note named _readme.txt.
  13. Empty Recycle Bin and then, finally, perform a full system scan using a trusted malware scanner.
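
The artifacts that steps 3 to 12 remove can be listed first with a read-only check. The PowerShell script below is an added example, not part of the original guide; it deletes nothing, and it assumes Windows 8 or later (for Get-ScheduledTask) and that the SysHelper value data is a path ending in .exe.

```powershell
# Added example: read-only check for the artifacts named in the steps above.
# Nothing is deleted; compare the output with what regedit and Explorer show.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Step, $Artifact, $Detail) {
    $findings.Add([pscustomobject]@{ Step = $Step; Artifact = $Artifact; Detail = $Detail })
}

# Steps 3-4: SysHelper value under the per-user Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'SysHelper' -ErrorAction SilentlyContinue
$exePath = $null
if ($run) {
    Add-Finding '4' 'Run value SysHelper' $run.SysHelper
    # Assumption: the data is an optionally quoted path ending in .exe,
    # possibly followed by arguments. Expand any %VAR% references first.
    $data = [Environment]::ExpandEnvironmentVariables($run.SysHelper)
    if ($data -match '^\s*"?([^"]+?\.exe)') { $exePath = $Matches[1] }
}

# Steps 7-8: folder holding that .exe, expected under %LOCALAPPDATA%.
if ($exePath) {
    $folder  = Split-Path -Path $exePath -Parent
    $inLocal = $folder.StartsWith($env:LOCALAPPDATA, [System.StringComparison]::OrdinalIgnoreCase)
    $exists  = Test-Path -LiteralPath $folder
    Add-Finding '8' 'Folder of the .exe' "$folder (exists: $exists, under LOCALAPPDATA: $inLocal)"
}

# Steps 9-10: scheduled task "Time Trigger Task" (registered tasks are the
# files shown in %WINDIR%\System32\Tasks).
$task = Get-ScheduledTask -TaskName 'Time Trigger Task' -ErrorAction SilentlyContinue
foreach ($t in $task) {
    $actions = ($t.Actions | ForEach-Object { $_.Execute }) -join '; '
    Add-Finding '10' "Task $($t.TaskPath)$($t.TaskName)" $actions
}

# Steps 11-12: ransom note in the root of %HOMEDRIVE%.
$note = "$($env:HOMEDRIVE)\_readme.txt"
if (Test-Path -LiteralPath $note) { Add-Finding '12' 'Ransom note' $note }

if ($findings.Count -eq 0) { 'None of the listed artifacts were found for this user.' }
else { $findings | Format-List }
```

Run it as the affected user, because the Run key and %LOCALAPPDATA% are per-user locations.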

In non-techie terms:

Covm Ransomware is a malicious infection that can encrypt your files and then send you a message to convince you that you must pay a ransom in return for a decryptor. Whatever you do, do not trust the promises of cybercriminals because they are most likely to be completely empty. If you send an email to the attackers and then pay the ransom as instructed, it is unlikely that you will get anything besides more misleading and intimidating messages in your inbox. Hopefully, after you remove Covm Ransomware, you can restore your personal files using your own backups or the free decryptor. To remove this threat, we strongly recommend implementing legitimate anti-malware software, but if you want to get rid of it yourself, you can try following the instructions above.