NCOV Ransomware

NCOV Ransomware is an infection that encrypts files and adds the “.id-{ID}.[coronavirus@qq.com].ncov” extension to their names. The last part of the extension has predetermined the name of the threat itself, but victims can also know it as coronavirus@qq.com Ransomware or simply Coronavirus Ransomware. All in all, regardless of which name you choose to identify this threat by, it acts the same. First, it slithers into an operating system, and it is most likely to be vulnerable because if legitimate anti-malware software is installed, the launcher of the threat should be deleted before execution. It is most likely for this malware to use bundled downloaders and spam emails to enter. Second, after the threat slithers in, it has to encrypt files, and it can successfully do that without you knowing a thing. Finally, once the files are corrupted, the threat can deliver the demands that you are supposed to fulfill if you want to have your files restored. We suggest that you focus on removing NCOV Ransomware instead.

Crysis or Dharma Ransomware is the predecessor of NCOV Ransomware, just like Dewar Ransomware, Devos Ransomware, Dever Ransomware, and many other threats that have been reported on our website already. While the different variants might belong to different parties – that is because the malware code is publicly available and can be used by anyone – the structure of the infection always stays the same. As soon as NCOV Ransomware is executed on the system, it encrypts files, and it uses a unique encryptor for that. Once the main task is complete, the threat can drop additional files to deliver a message. One of these files is called “FILES ENCRYPTED.txt,” and it declares this: “all your data has been locked us You want to return? Write email coronavirus@qq.com.” As you can see, cybercriminals do not need to use proper English to get their message across. Another file that you will need to delete is called “Info.hta,” and it launches a window with a more detailed message. The title of this window is “coronavirus@qq.com,” and you cannot miss it. In fact, if you do not remove the infection from startup, you are likely to face this window even when you restart the computer. It is not enough to close it once.

The message represented via the NCOV Ransomware window informs that you need to send a unique ID code to coronavirus@qq.com so that the attackers could explain how to pay a ransom in Bitcoins in return for a decryptor. The message includes links on how to obtain Bitcoins, but you need a unique wallet address to make the payment. Also, the message does not reveal how much you are supposed to pay. Many victims of NCOV Ransomware might see no harm in emailing the attackers, but hopefully, you know better. If you expose yourself in that manner, you could be terrorized even after you pay the ransom. Of course, if you pay it, you are unlikely to obtain a decryptor, which is why we do not advise emailing the attackers in the first place. Unfortunately, if the infection has encrypted highly important files, you might choose to take the risk. You do not have to if you have copies of your files or if you can employ a free decryptor. Crysis and Dharma decryptors have been built by malware researchers, but they cannot decrypt all variants, which is why we cannot guarantee that you will be able to use them successfully. If you are going to install a decryptor, make sure it is legitimate and harmless first.

The removal of NCOV Ransomware is both simple and complicated. It is simple because there aren’t many components that need to be eliminated. It is complicated because the launcher of the infection could be located in a unique location, and its name could be random too. If you are up for a challenge, you can try deleting NCOV Ransomware yourself, but if you fail, remember that you can always employ an anti-malware program. It will have no problem detecting all malware components after a thorough system scan. If you want to save time and also take care of your system, we suggest installing a trusted anti-malware program immediately. Afterward, replace the corrupted files with backups or try restoring them with the help of a legitimate free decryptor. In the future, remember to create copies of all files (store them outside the original location) and beware of security backdoors via which malware spreads.

NCOV Ransomware Removal

1. Identify the .exe file that executed the infection and then Delete it.
2. Delete the ransom note file named FILES ENCRYPTED.txt (if copies exist, erase them too).
3. Simultaneously tap Win and E keys to access File Explorer.
4. Enter the following paths into the quick access field to find and Delete a file named Info.hta:
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
   • %WINDIR%\System32\
   • %APPDATA%
5. Move to these folders to find and Delete a malicious {unique name}.exe file that belongs to the threat:
   • %WINDIR%\System32\
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
6. Exit File Explorer and then launch Registry Editor (tap Win and R keys to launch Run and then enter regedit into the dialog box).
7. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
8. Delete all values that are linked to Info.hta and {unique name}.exe files.
9. Exit Registry Editor and then Empty Recycle Bin.
10. Perform a full system scan using a trusted malware scanner to check for potential leftovers.