Revon Ransomware Removal Guide

Do you know what Revon Ransomware is?

If your personal files cannot be opened, and the “.id[unique code].[werichbin@protonmail.com].revon” extension is attached to them, Revon Ransomware is the infection to blame. This malware locks all personal files by ciphering them, which ensures that no one can access them without a special key. The decryption key is created along with the encryption key that is used to corrupt your files. Obviously, the attackers behind the infection are the ones who own it, and they are unlikely to give it to you regardless of what you do. They want you to believe that you can get your files back as soon as you pay for the decryptor, but if we know one thing about cybercriminals, it is that they cannot be trusted. Hopefully, backups exist, and you can replace the locked files after successfully deleting Revon Ransomware.

If Revon Ransomware has invaded your operating system and corrupted your personal files, there is a good chance that you have recently opened a malicious spam email attachment or downloaded a file or a program from an unreliable website. Note that cybercriminals are smart, and they can even use attractive and legitimate programs to hide malware that comes bundled with them. What we are trying to say is that you need to be more cautious. Of course, you could allow yourself to be more carefree if you installed legitimate anti-malware software to protect you. If such software existed, you would have the launcher of Revon Ransomware removed before it was executed. Also, note that there are plenty of other infections that you need protection against, some of which include the clones of Revon itself, such as Phobos Ransomware, Eight Ransomware, and Blend Ransomware.

Once Revon Ransomware executes, it drops files to %HOMEDRIVE%, %PUBLIC%\Desktop, %LOCALAPPDATA%, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\, %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\, and %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\. It also creates values for these files in the Windows Registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Once completely settled in, the malicious Revon Ransomware encrypts your personal files. Afterward, a window named “encrypted” is launched by a file called “info.hta.” The window displays a message, which declares that files were encrypted and also instructs victims to contact the attackers (werichbin@protonmail.com or werichbin@cock.li). Victims are instructed to send a message so that they can be introduced to the ransom payment instructions. We suggest NOT paying the ransom or even contacting cybercriminals. At the end of the day, whatever you do, you will not get your files back, and so why risk getting exposed to more malware, intimidating threats, and scams?

If you have no previous experience with the removal of malware, it is likely that you will have a hard time removing Revon Ransomware manually. The .exe file of this threat could be anywhere, and only if you know its exact location, can you delete it. If that is possible for you, completing the remaining steps should not be too hard following the instructions below. Alternatively, you can install a trusted anti-malware program, and it will automatically delete Revon Ransomware along with all malicious components. If you have copies of personal files stored in a secure location, you can use them as replacements after removing the threat. If you do not have copies, take this as a learning opportunity. We recommend using external drives and cloud storage systems to keep the copies of all important files safe from here on out.

Delete Revon Ransomware

  1. If you know where the {random}.exe launcher file is, right-click and Delete it.
  2. Move to the Desktop and right-click and Delete files named Info.hta and info.txt.
  3. Simultaneously tap Win and E keys on the keyboard to access File Explorer.
  4. Type %HOMEDRIVE% into the field at the top and then tap Enter.
  5. Right-click and Delete the files named Info.hta and info.txt.
  6. Simultaneously tap Win and R keys to access Run and then enter regedit into the dialog box.
  7. In Registry Editor, go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Right-click and Delete the {random} value whose value data points to a malicious .exe file (check the name).
  9. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and repeat step 8.
  10. Go back to File Explorer and enter the following paths into the field at the top to find the malicious .exe file (right-click and Delete if you find it):
    • %LOCALAPPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
  11. Empty Recycle Bin and then immediately scan your system using a legitimate malware scanner.
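
The locations from the steps above can be reviewed in one pass before anything is deleted. The PowerShell below is an added example, not part of the original guide: it only lists the Run values, the executables in the drop folders, and the ransom notes. The Authenticode status column is an added triage aid, and the helper name New-Finding and the variable names are hypothetical.

```powershell
# Added example: read-only audit of the locations named in the removal steps; nothing is deleted.
$runKeys  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$exeDirs  = $env:LOCALAPPDATA,
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup"
$noteDirs = [Environment]::GetFolderPath('Desktop'), "$env:PUBLIC\Desktop", "$env:HOMEDRIVE\"

# Hypothetical helper: one result row, with the file's Authenticode status.
function New-Finding($Source, $Name, $Path) {
    $sig = 'Missing'
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
    }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Path = $Path; Signature = $sig
        InDropDir = $exeDirs -contains (Split-Path -Parent $Path)
    }
}

# Steps 7-9: every Run value and the executable its value data points to.
$runFindings = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if (-not $data) { continue }
        # Take the path up to the first ".exe", whether quoted or bare.
        $exe = if ($data -match '(?i)^\s*"?(.+?\.exe)') { $Matches[1] } else { $data }
        New-Finding $key $name $exe
    }
}

# Step 10: executables sitting directly in the drop locations.
$exeFindings = foreach ($dir in $exeDirs) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue) {
        New-Finding $dir $f.Name $f.FullName
    }
}

# Steps 2-5: ransom notes on the Desktop and in %HOMEDRIVE%.
$notes = foreach ($dir in $noteDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'info.hta', 'info.txt' }
}

@($runFindings) + @($exeFindings) | Format-Table -AutoSize
$notes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

A Run value whose Path sits in one of the drop folders (InDropDir is True) and whose Signature is not Valid is the entry to examine first in steps 8 and 9.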

In non-techie terms:

If you have let Revon Ransomware in, this malware must have encrypted your personal files. Now, all you can do is replace them with backup copies that, we hope, you have stored somewhere safe. If you do not have backups, the attackers behind the infection might try to convince you that you can regain access to all files by paying a ransom in return for a decryptor. Unfortunately, there are no guarantees that you would obtain the tool if you followed the attackers’ demands, which is why we do not recommend that you get involved. Note that even sending a message to them is dangerous because that could open the floodgates to scams, malware launchers, and intimidation tactics. Hopefully, you have a way out this time, but if you do not want to find yourself in the same situation ever again, make sure you secure your Windows operating system. We recommend installing trusted anti-malware software that can also automatically remove Revon Ransomware.