CVC Ransomware

What is CVC Ransomware?

CVC Ransomware is an infection that was designed to take over your personal documents, pictures, and other files that you have either created yourself or acquired from external sources and parties. The point is to corrupt files that are considered unique. For example, system files are not unique because they can be replaced. Unique documents or photos might be impossible to replace, unless copies exist. If copies do not exist, the attackers behind the infection have a better chance of completing the attack. They encrypt files, which means that they are not completely destroyed or deleted. In theory, every encrypted file should be decryptable, and files are encrypted with the sole purpose of selling a decryptor. So, how does this malware work, and what can you do if your files were corrupted? We hope that you can find answers to these questions and learn how to remove CVC Ransomware by reading this report.

How does CVC Ransomware work?

Are you familiar with the Crysis/Dharma Ransomware? This infection was created many years ago. The code of this malware was made public (for a price), and thus came the avalanche of clones. CVC Ransomware is only one of the latest threats to join this family, and a few others that we have reviewed in the past include HCK Ransomware, CLUB Ransomware, LCK Ransomware, and 8800 Ransomware. You do not want to face any of these threats because they can corrupt all important personal files. To do that, they first need to invade your system, and, according to our research team, they are most likely to exploit spam emails and RDP vulnerabilities. If you are not careful, you could even be tricked into executing CVC Ransomware yourself. Once this malware is in place, it starts encrypting files immediately. Once that is done, the files become unreadable, and you should find the “.id-{*}.[patrik008@tutanota.com].cvc” extension attached to them as a marker. As you can see, the extension includes a unique ID code, an email address, and also the “.cvc” extension. If you discover this particular extension attached, there is no question which threat has attacked.
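The marker described above can be used to scope the damage. The following PowerShell inventory is an added example, not part of the original report: it is read-only, the scan root and report path are assumed parameters, the sample file name in the comment is constructed, and the ID is assumed to contain no dot.

```powershell
# Added example: read-only inventory of files carrying the CVC marker.
# Nothing is renamed, decrypted or deleted.
param(
    [string]$Root = $env:USERPROFILE,               # assumed scan root
    [string]$Csv  = "$env:TEMP\cvc-inventory.csv"   # assumed report path
)

# Layout: <original name>.id-<ID>.[<email>].cvc
# Constructed sample: report.docx.id-1A2B3C4D.[patrik008@tutanota.com].cvc
# Assumption: the ID contains no dot.
$marker = '^(?<orig>.+)\.id-(?<id>[^.]+)\.\[(?<mail>[^\]]+)\]\.cvc$'

# -Filter is handled by the file system provider; -LiteralPath avoids
# PowerShell treating [ and ] in paths as wildcard characters.
$found = @(
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Filter '*.cvc' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $marker) {
                [pscustomobject]@{
                    Folder       = $_.DirectoryName
                    OriginalName = $Matches['orig']
                    Id           = $Matches['id']
                    Contact      = $Matches['mail']
                    LastWrite    = $_.LastWriteTime
                }
            }
        }
)
if ($found.Count -eq 0) { Write-Output "No marked files under $Root"; return }

# One row per ID/contact pair found in the file names.
$found | Group-Object Id, Contact | Select-Object Count, Name | Format-Table -AutoSize

# First and last write times of marked files approximate when encryption ran.
$byTime = @($found | Sort-Object LastWrite)
"First: {0:u}  Last: {1:u}" -f $byTime[0].LastWrite, $byTime[-1].LastWrite

# Original names and folders, for matching against backups.
$found | Sort-Object Folder, OriginalName | Export-Csv -LiteralPath $Csv -NoTypeInformation
```

Any later command that touches these files by name should also use -LiteralPath, because the square brackets around the email address are otherwise interpreted as a wildcard set.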

Although it is essential for CVC Ransomware to encrypt files, it might be most essential for this malware to introduce victims to a message from the attackers. There are two versions of this message. One of them is represented via a file named “FILES ENCRYPTED.txt,” and the other one is represented via the “Info.hta” file that launches a window titled “patrik008@tutanota.com.” This is the second time we see this email address. According to the messages, you need to email patrik008@tutanota.com or bank008800@cock.li if you want to have all files decrypted, but we do not recommend contacting the attackers. If you do, they could send you misleading and scary messages. Also, the first reason they want you to contact them is so that a ransom could be demanded. Whatever you do, do not pay for a decryptor because you will not get it. Of course, if you do not have copies of your personal files, you might feel stuck. If that is the case, try using the free Rakhni Decryptor first. It was created to assist those suffering the consequences of Crysis/Dharma malware.

How to remove CVC Ransomware

If you have no experience identifying and deleting malware components, you might find it more difficult to delete CVC Ransomware as well. Unfortunately, we cannot say where the launcher of this malware exists exactly, but hope that you can use the guide below to get rid of it successfully. That said, even if you are able to remove CVC Ransomware all by yourself, securing the entire Windows operating system is a much more complicated ordeal. If you want the responsibility off your shoulders, install anti-malware software. If you do that, you can forget about locating and erasing malware components manually because the software will take care of that automatically. What should you do after you erase the threat, secure your system, and, hopefully, restore/replace the corrupted files? It is imperative that you set up a reliable backup. Keep copies of all important files safe, and you will not need to fear ransomware ever again.

Removal Guide

  1. Delete recently downloaded suspicious files.
  2. Delete the ransom note file named FILES ENCRYPTED.txt (copies could exist).
  3. Launch File Explorer by tapping keys Windows and E together.
  4. Enter the following lines into the quick access field and delete the Info.hta and {random name}.exe files:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  5. Launch Run by tapping keys Windows and R together.
  6. Enter regedit into the dialog box to launch the Registry Editor.
  7. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Delete two values that are linked to the Info.hta and {random name}.exe files.
  9. Once you Empty Recycle Bin, quickly install and run a legitimate malware scanner.
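Before deleting anything by hand, the locations from steps 4 to 8 can be listed for review. This PowerShell audit is an added example, not part of the original guide: it only reads the four folders and the Run key named above, hashes what it finds, and shows which Run values point at those files.

```powershell
# Added example: read-only audit of the locations named in steps 4-8.
# It lists candidates for review and deletes nothing.
$folders = @(
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    $env:APPDATA,
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Step 4: Info.hta and any .exe directly inside those folders (not recursive).
$files = @(foreach ($dir in $folders) {
    if (Test-Path -LiteralPath $dir -PathType Container) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'Info.hta' -or $_.Extension -ieq '.exe' }
    }
})

# Hash each candidate so it can be reported or looked up before removal.
# The first two folders can resolve to the same directory on current
# Windows versions, so the same hash may appear under two paths.
$files | ForEach-Object {
    [pscustomobject]@{
        Path    = $_.FullName
        Created = $_.CreationTime
        SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
} | Sort-Object Created -Descending | Format-List

# Steps 7-8: Run values whose data references Info.hta or a candidate .exe.
$needles = @('Info.hta') + @($files | Where-Object { $_.Extension -ieq '.exe' } |
    ForEach-Object { $_.FullName })
$run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$hits = foreach ($valueName in $run.GetValueNames()) {
    $data = [string]$run.GetValue($valueName)   # expands %VAR% in REG_EXPAND_SZ
    foreach ($needle in $needles) {
        if ($data.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{ Value = $valueName; Data = $data; References = $needle }
            break
        }
    }
}
$hits | Format-List
```

Legitimate programs can also keep .exe files in %APPDATA%, so the output is a review list, not a deletion list; the creation time and the Run key cross-reference help separate the launcher from benign files.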
