Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Revon Ransomware

Revon Ransomware is one of those infections that you definitely do not want to face because it was created to encrypt personal files. This malware uses disguises and clever tricks to slither in. For example, the executable file of this ransomware could be sent to you as a harmless-looking document along with a misleading message that, allegedly, asks you to check boarding information, package tracking details, or something along those lines. More vigilant recipients of such a message should be able to recognize a scam right away. Unfortunately, there are plenty of other ways for ransomware to spread, and the help of other threats and even system vulnerabilities could be used. Once inside, this malware encrypts every single personal file found. That means that documents and photos, along with various other kinds of files, are automatically encrypted. Afterward, even if you remove Revon Ransomware, your files will remain encrypted. That being said, deleting this malware is important.

We cannot talk about Revon Ransomware and not mention Phobos Ransomware. This is the predecessor of the infection discussed in this report as well as Eight Ransomware, Blend Ransomware, Devil Ransomware, Dewar Ransomware, and many others. Although they might be operated by different parties that obtain and build upon the same malware code, they are all pretty much identical. After files get encrypted, all of these infections add monstrous extensions to their original names that consist of unique ID codes, email addresses, and then final extensions. Revon Ransomware adds “.id[*].[werichbin@protonmail.com].revon” to the personal files it corrupts. You can successfully remove this extension, but what would be the point of that? It is the data within your files that you need to change back, not the names of the files. Unfortunately, you cannot do that manually, and at the time of research, we could not confirm the existence of a definitively effective free decryptor. So, if you are going to install a free decryptor, please research it first. The last thing you need is to install something else that you will need to delete later on.
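To see which files carry the extension described above and what they were called before encryption, the following PowerShell script builds a read-only inventory. It is an added example, not part of the original report; the `$Root` default and the CSV output path are assumptions chosen for illustration.

```powershell
# Added example: inventory files carrying the Revon extension.
# Read-only: nothing is renamed, moved or modified.
param(
    [string]$Root = $env:USERPROFILE   # assumption: start the scan at the user profile
)

# Appended suffix per the report: .id[<unique ID>].[werichbin@protonmail.com].revon
$pattern = '^(?<original>.+)\.id\[(?<id>[^\]]+)\]\.\[werichbin@protonmail\.com\]\.revon$'

$hits = @(
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                [pscustomobject]@{
                    Directory     = $_.DirectoryName
                    OriginalName  = $Matches['original']   # name before the suffix was added
                    IdInExtension = $Matches['id']         # the unique ID code in the suffix
                    LastWriteTime = $_.LastWriteTime
                    SizeBytes     = $_.Length
                }
            }
        }
)

# Per-directory counts show where the damage is concentrated.
$hits | Group-Object Directory | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full list, for matching against backup copies (output path is an assumption).
$hits | Sort-Object Directory, OriginalName |
    Export-Csv -Path (Join-Path $env:TEMP 'revon-affected-files.csv') -NoTypeInformation
```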

Besides encrypting files, Revon Ransomware also drops two of its own files. They are called “info.hta” and “info.txt,” and you should find them on the Desktop and also in the %HOMEDRIVE% directory. The .hta file opens a window entitled “encrypted,” and the message inside asks to email werichbin@protonmail.com or werichbin@cock.li to receive information about a ransom payment. Not much is shared about it, but it is clear that it would have to be paid in Bitcoin. The ransom message also suggests sending five encrypted files to the same email addresses to have them decrypted for free. Note that even if the attackers can decrypt these five files for free, that does not mean that they would assist you in any other way. The .txt file dropped by Revon Ransomware delivers a much shorter message that simply instructs you to contact the attackers. If you are thinking about emailing them, note that if you do that, they will get the power to send and demand pretty much anything. In the end, even if you pay the ransom, you are unlikely to get your files back.

The instructions you see below might make it easier to delete Revon Ransomware, but since we cannot know the location of the launcher file, you will have to find it yourself. If you are unable to do it, why not install a legitimate anti-malware application that will automatically remove Revon Ransomware along with other threats that might exist? As we mentioned earlier, this malware could be spread by other infections – such as trojans – and so you must be cautious of that. Another great thing about anti-malware software is that it can secure your operating system and keep ransomware – as well as other types of malware – away in the future. If you are prepared for a disaster like this, once you eliminate the threat, you might be able to replace the corrupted files with backup copies. In the future, always create backups of all important files, and store them outside the computer (e.g., online) for safekeeping. If you need more information about the threat or its removal, send us your questions via the comments section.

Revon Ransomware Removal

  1. Delete recently downloaded files.
  2. Go to the Desktop.
  3. Delete the files named info.hta and info.txt.
  4. Launch File Explorer by tapping Win+E keys.
  5. Enter %HOMEDRIVE% into the field at the top.
  6. Delete the files named info.hta and info.txt.
  7. Enter the following lines into the Explorer’s field:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %LOCALAPPDATA%
  8. If you find a malicious .exe file (for name check, see steps 11-14), delete it.
  9. Launch Run by tapping Win+R keys.
  10. Enter regedit and click OK to launch Registry Editor.
  11. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  12. Delete the value that is linked to the malicious .exe file in step 8.
  13. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  14. Delete the value that is linked to the malicious .exe file in step 8.
  15. Exit Registry Editor and then empty the Recycle Bin.
  16. Install a genuine malware scanner to examine your system for leftovers.
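
Before deleting anything by hand, the locations named in steps 2-14 can be listed in one pass. The PowerShell script below is an added example, not part of the original guide; it only reads, and it marks Run values whose data references an .exe found in the Startup folders or directly under %LOCALAPPDATA% so that steps 8, 12 and 14 can be cross-checked.

```powershell
# Added example: read-only listing of the locations named in steps 2-14.
# Nothing is deleted; review the output, then remove confirmed items by hand.

# Steps 2-6: ransom notes on the Desktop and in %HOMEDRIVE%.
$noteDirs = @([Environment]::GetFolderPath('Desktop'), "$env:HOMEDRIVE\")
$notes = foreach ($dir in $noteDirs) {
    foreach ($name in 'info.hta', 'info.txt') {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { Get-Item -LiteralPath $path -Force }
    }
}

# Steps 7-8: .exe files in the Startup folders and directly under %LOCALAPPDATA%.
$exeDirs = @(
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    $env:LOCALAPPDATA
)
$exes = @(foreach ($dir in $exeDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
})

# Steps 11-14: every value under the HKLM and HKCU Run keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            # Steps 12 and 14: does this value reference an .exe listed above?
            $match = @($exes | Where-Object {
                $data.IndexOf($_.FullName, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
            [pscustomobject]@{
                Key = $key; Name = $valueName; Data = $data
                ReferencesListedExe = ($match.Count -gt 0)
            }
        }
    }
}

'--- Ransom notes ---'
$notes | Format-List FullName, LastWriteTime
'--- Candidate .exe files (hash each one and check it before deleting) ---'
$exes | Format-List FullName, LastWriteTime,
    @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
'--- Run key values ---'
$runValues | Format-List Key, Name, Data, ReferencesListedExe
```

Legitimate software also installs .exe files and Run values in these locations, so a listed item is a candidate to verify, not a confirmed launcher.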