NCOV Ransomware

What is NCOV Ransomware?

You have to act fast if you have discovered NCOV Ransomware on your Windows operating system. You might be unable to salvage your personal files – which the threat encrypts – but your operating system will not be safe until this malware is fully removed. Just like Dewar Ransomware, Devos Ransomware, Dever Ransomware, and hundreds of similar clones, this threat was created by an unknown attacker (or group of attackers) who used pre-built malware code. The first infections created with this code were Crysis Ransomware and Dharma Ransomware, which is why malware scanners and security tools might recognize the NCOV variant by these names. Regardless of the name, if this is the threat that slithered in, you need to get rid of it as soon as possible. Do you know how to delete NCOV Ransomware? Do you know if you can salvage your files? Do you know how to protect your Windows operating system? If you want answers to these questions, continue reading the report.

How does NCOV Ransomware work?

NCOV Ransomware might have slithered into your operating system using unpatched vulnerabilities, or you could have executed it yourself by downloading a malicious file concealed as a harmless file. Cybercriminals often employ misleading email messages and bundled downloaders to conceal malware files. Once executed, the threat is hidden, unless there is a legitimate security tool guarding your system. If this is the case, you should have NCOV Ransomware removed automatically. If security software does not exist, the infection is free to do whatever it wants, and all it wants is to encrypt your files and deliver a message from the attackers. When files are encrypted, you are locked out, and you can no longer read them. Your files are not permanently destroyed, as a decryptor matching the encryptor should exist, but it is in the hands of cybercriminals, and they are unlikely to give it to you even if they promise you that they would. Such promises are delivered using a file named “Info.hta,” and you can use the guide below to delete all of its copies. Another file that you should delete is called “FILES ENCRYPTED.txt.”

The Info.hta file launches a window with an aggressive message. According to it, you have to contact the attackers behind NCOV Ransomware (coronavirus@qq.com) and then pay a ransom in return for a decryption tool. Communicating with cybercriminals is dangerous because they can push you into paying a huge ransom for a tool that you are unlikely to see with your own eyes. Also, they can use your email address or pass it on to others to expose you to new scams. As you know, NCOV Ransomware itself could have been spread via a clever spam email, and no one can stop the attackers from sending you new misleading messages. The “FILES ENCRYPTED.txt” file also pushes you to send a message to the cyber attackers, and you are likely to find this file placed next to the personal files that were encrypted. You should find the “.id-********.[coronavirus@qq.com].ncov” extension appended to them. The main ransom message declares that you are supposed to pay an undisclosed amount of money in Bitcoins for a decryptor, but since you are unlikely to receive it, we do NOT recommend paying. Hopefully, you have backup copies of your personal files, and you can use them to replace the corrupted files after removal.

How to delete NCOV Ransomware

The instructions below were created to help you remove NCOV Ransomware manually. Unfortunately, we cannot guarantee that you will be able to follow them easily. To begin with, the first step instructs you to delete the launcher (.exe) file, but we cannot know its name or even its location. If you cannot get over this first hurdle, there is no point in taking on the other steps. Instead, you should install anti-malware software that can reliably and automatically delete all malicious threats at once. This is the method we recommend the most because, besides performing full malware removal, it can also protect your system, which is extremely important. Hopefully, that will be enough to keep NCOV Ransomware and other threats away in the future, but remember that you also need to be cautious about what emails you open, what files you download, and what updates you skip or postpone.

Removal Instructions

  1. Right-click and Delete the executable file that launched the ransomware.
  2. Right-click and Delete the ransom note file named FILES ENCRYPTED.txt.
  3. Launch File Explorer by tapping Win+E keys at the same time.
  4. Move to the following folders/directories (enter them into the quick access field one by one) and right-click and Delete the malicious Info.hta and {unknown name}.exe files:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  5. Launch Run by tapping Win+R keys at the same time and enter regedit into the box.
  6. In Registry Editor, move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  7. Right-click and Delete all values with unique names that are linked to Info.hta, {unknown name}.exe files.
  8. Empty Recycle Bin and then perform a complete system scan using a legit malware scanner.
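
The manual steps above as a read-only check, added here as an example and not part of the original guide: it lists the two ransom-note names and loose executables in the folders from step 4, then dumps the HKLM Run values from step 6 with a review flag. The Authenticode signature check and the choice of the user profile as the scan root are assumptions of this example.

```powershell
# Added example: read-only triage of the locations named in the removal steps.
# Nothing is deleted; review the output, then remove items by hand.
$dirs = @(
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:WINDIR\System32"
)

# Step 4: ransom notes named on the page, plus executables sitting directly in
# the listed folders. System32 holds many legitimate .exe files, so there only
# the notes are listed; a dropped launcher is caught via the Run key below.
$fileFindings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $isSystem32 = $dir -like '*\System32'
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -in 'Info.hta', 'FILES ENCRYPTED.txt' -or
            (-not $isSystem32 -and $_.Extension -eq '.exe')
        } |
        Select-Object FullName, Length, CreationTime
}

# Steps 6-7: every HKLM Run value, flagged when it references Info.hta or a
# path inside one of the listed folders. Signature status (an assumption of
# this example) helps separate vendor binaries from an unsigned launcher.
$run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runFindings = foreach ($name in $run.GetValueNames()) {
    $cmd = [string]$run.GetValue($name)
    $target = if ($cmd -match '^\s*"?([^"]+?\.(?:exe|hta))') { $Matches[1] }
    $sig = if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
        (Get-AuthenticodeSignature -LiteralPath $target).Status
    }
    $inListedDir = [bool]($dirs | Where-Object { $cmd -like "*$_\*" })
    [pscustomobject]@{
        ValueName = $name; Command = $cmd; Signature = $sig
        Review    = ($cmd -match 'Info\.hta') -or $inListedDir
    }
}

# Scope of the damage: files carrying the appended extension from the page.
$encrypted = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.EndsWith('.[coronavirus@qq.com].ncov') }

$fileFindings | Format-Table -AutoSize
$runFindings | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
"Encrypted files under the user profile: $(@($encrypted).Count)"
```

A Run value flagged for review is not proof of infection: legitimate software also starts from System32 and %APPDATA%, so check the command line and signature before deleting the value.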
