CoronaVirus Ransomware - How to remove

CoronaVirus ransomware, also known as coronaVi2022, has been spread disguised as a PC optimizer. Once downloaded, it renames files to “[email protected]” and encrypts them, so that the files won’t open. Then CoronaVirus ransomware asks for $50 as ransom.

CoronaVirus ransomware is bundled with a data-stealing trojan Kpot, so if you got infected, clean your computer and change your passwords.

About CoronaVirus ransomware:

Type of threat	Ransomware, trojan, spyware.
How CoronaVirus ransomware spreads	Disguised as a PC optimizer.
How to restore the “[email protected]” files	Use file backups, use shadow volume copies, use data recovery software.
How to remove CoronaVirus ransomware	Delete malware (Spyhunter, other antivirus programs), change passwords, protect your data from being abused by criminals.

What is CoronaVirus ransomware

CoronaVirus ransomware was found to be offered on Wisecleaner.best, pretending to be a WiseCleaner installer. You can be sure that this site has nothing to do with the real WiseCleaner, and antivirus programs have already added it to their blacklists. Fake sites are often used in scams, like the various Congratulations device user sites.

CoronaVirus ransomware locks files and then renames them to [email protected]. It keeps the old file extension, which is unusual for ransomware. Most ransomware viruses, such as Phobos, keep file names but change extensions. They also tend to ask way more than $50. But this is not normal ransomware.

CoronaVirus ransomware does not encrypt all of your files. It locks a few types of images (jpg, png, bmp, gif, jpe, tif), other commonly used file types (doc, odt, xls, ppt, vsd), text files, PDFs, archives (rar, zip), backup and older versions of files, database files, etc. Some people will be affected more severely than others.

After infecting your computer, CoronaVirus ransomware leaves a few ransom notes called CoronaVirus.txt that all include this text:

CORONAVIRUS is there
All your file are crypted.
Your computer is temporarily blocked on several levels.
Applying strong military secret encryption algorithm.

The same text is displayed after you reboot your computer. It stays there for an hour.

It would be a good idea to disconnect the internet connection here, as CoronaVirus ransomware is suspected to be a cover for the Kpot data stealer.

What is Kpot

Kpot is an info stealer. It’s as dangerous as any other spyware infection:

• takes screenshots of your computer,
• reads your files,
• reads the login data saved in your web browsers,
• reads your emails,
• steals cryptocurrency wallet data.

It can be very dangerous, allowing criminals to hack your accounts, steal your payment data, etc. Over the internet, this data is sent by Kpot to the criminals who will try to use it to steal money or perform later, more targeted scams.

How to remove CoronaVirus ransomware

Like the guide below this article says, you should start your PC in safe mode. This mode stops unnecessary programs from running and this applies to most malware. Then, you can scan your device with an anti-malware tool that you trust, such as Spyhunter.

CoronaVirus ransomware text is shown on your screen upon starting your computer because of an executable file placed in the C:\Users\User\AppData\Local\Temp folder (where “User” is your name on your computer). Some of these folders are hidden, so to navigate there and delete the executable, you may need to change your settings to show hidden files. Open your file explorer, the fourth (rightmost) tab in the top ribbon, and put a checkmark in the box next to “Hidden files”.

As for recovering your files, you must have made backups to recover them from. If you did not, you can save the locked “[email protected]” files (they’re not dangerous) on your computer and wait for news on CoronaVirus ransomware. Nomoreransom.org collects free decrypters for ransomware, so check there, too. It’s possible that some analysts will come up with a way to break the CoronaVirus ransomware encryption. Or it’s possible that CoronaVirus ransomware just scrambles your data with no possibility of decryption. Do not pay the ransom, at least not without clear proof from the criminals that they can fix your files. And don’t reveal any personal data to the criminals, or they will take advantage of it.

At the end of the day, the Kpot data stealer is the real danger of this infection. Criminals may share, use, or sell your data, so be careful. After you clean your computer, or by using a clean device, change your passwords and make sure that 2-step verification is turned on where possible. Keep a close eye on your PayPal, your credit card account, and dispute any unauthorized charges. If you get emails about signing up for stuff, dispute those, too. At worst, you may need to contact your bank and tell them what happened. Targeted phishing attacks are something you need to watch out for, too.

Automatic Malware removal tools

How to recover CoronaVirus Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before CoronaVirus Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of CoronaVirus Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to CoronaVirus Ransomware. You can check other tools here.  

Step 3. Restore CoronaVirus Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually CoronaVirus Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover CoronaVirus Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.