DEcovid19 Ransomware - How to remove

DEcovid19 ransomware is a malicious program that attacks Windows devices and breaks files. It’s part of an extortion scheme where its victims are told to pay money if they want their files to be fixed.

You can recognize DEcovid19 ransomware by file extensions “locked”, “covid19”, and others. DEcovid19 uses these extensions to mark the files that it has encrypted.

About DEcovid19:

Threat type: Ransomware, trojan.

How DEcovid19 ransomware infects computers: It encrypts user files and changes their names, it creates ransom notes with the contact details of the extortionists.

How to restore your files: Recover data from backups, recover deleted files, wait for a decryption solution.

How to delete DEcovid19: Find and remove malware with antivirus programs, such as Spyhunter and others.

How DEcovid19 ransomware works

DEcovid19 encrypts files

Ransomware is a type of malicious software. It is used in extortion schemes.

DEcovid19 and other ransomware programs encrypt user files. Encrypted files can’t be opened and read – they may as well be corrupted. This is because their internal data is scrambled.

Encryption is a useful tool to keep information safe. For example, you can password-protect files and archives so that people who don’t have the password can’t read them.

But DEcovid19 ransomware uses cryptography to break files and extort money from its victims.

Once DEcovid19 is done encrypting files, its operators ask their victims to send them money. Supposedly, the extortionists will fix the encrypted files if they just get paid.

DEcovid19 ransomware symptoms

DEcovid19 ransomware emerged in January of 2021. It seems to attack Windows servers. It may spread through hacked RDP accounts (How ransomware spreads).

You can recognize DEcovid19 by its ransom notes and by the encrypted file names:

  • When DEcovid19 encrypts files, it gives their names a suffix “bitchlock”, “covid19” or “locked” (although, a lot of ransomware programs use “locked” to label encrypted files).
  • It also creates ransom notes called “ATTENTION!!!.txt” or “!DECRYPT_FILES.txt”.
  • The ransom notes provide contact details, such as “t.me/decovid19bot”.
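The indicators listed above can be checked across a folder tree or a mounted copy of an affected disk. The following read-only triage script is an added example, not part of the original guide; the function names are hypothetical, and it assumes the markers appear as the final file extension and that file modification times are roughly trustworthy. It treats “locked” alone as a weak signal, since many ransomware programs use it.

```python
import os
from datetime import datetime, timezone

# Indicators quoted on this page; "locked" is shared with many other families.
STRONG_EXT = {"bitchlock", "covid19"}
WEAK_EXT = {"locked"}
NOTE_NAMES = {"attention!!!.txt", "!decrypt_files.txt"}


def classify(filename):
    """Return 'note', 'strong', 'weak' or None for a single file name."""
    lower = filename.lower()
    if lower in NOTE_NAMES:
        return "note"
    ext = lower.rpartition(".")[2] if "." in lower else ""
    if ext in STRONG_EXT:
        return "strong"
    return "weak" if ext in WEAK_EXT else None


def scan(root):
    """Walk root read-only and summarise indicator hits."""
    counts = {"note": 0, "strong": 0, "weak": 0}
    dirs, earliest = set(), None
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
            counts[kind] += 1
            dirs.add(dirpath)
            # Assumption: a marker file's modification time approximates when
            # it was written, so the minimum dates the start of encryption.
            if kind != "weak" and (earliest is None or mtime < earliest):
                earliest = mtime
    if counts["note"] or counts["strong"]:
        verdict = "matches DEcovid19 indicators"
    elif counts["weak"]:
        verdict = "only .locked files: not specific to DEcovid19"
    else:
        verdict = "no indicators found"
    when = None if earliest is None else datetime.fromtimestamp(earliest, timezone.utc)
    return {"verdict": verdict, "counts": counts,
            "directories": sorted(dirs), "earliest_utc": when}
```

The `earliest_utc` value gives a lower bound for choosing a backup or restore point that predates the encryption.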

DEcovid19’s ransom note also jokes about it being related to Covid19:

I am the second wave of COVID19, now we infect even PCs. But unlike the human virus, there is a vaccine, but you have to buy it! =)

DEcovid19 is not the first ransomware that uses Covid19 in its name – there was also CovidLock for Android and Corona-lock/CovidWorldCry.

DEcovid19's ransom note gives the contact details of the extortionists.

Can you get your files back?

If you have a backup of your files, then all you need to do is delete DEcovid19, delete the encrypted data, and restore the backups. Just, before doing anything, make sure that your backup data is safe (Ransomware victims thought their backups were safe. They were wrong).

But what if you don’t have backups? There are a few options.

First, it’s not recommended to contact the people behind DEcovid19. If you pay them the ransom, that does not mean that they’ll help you fix your files. More likely, they’ll ask for a second payment (as extortionists often do). Even if DEcovid19’s operators do try and keep their promise, technical problems are almost guaranteed to get in the way of file recovery.

You could try data recovery programs. Programs like EaseUS can recover some deleted files. This might help you restore some valuable data.

Finally, you can put the data encrypted by DEcovid19 on a backup and wait for a solution. It’s possible, although unlikely, that the criminals will release master decryption keys. Or maybe law enforcement could catch these cybercriminals. Check Nomoreransom.org – this site lists free ransom decryption tools as they become available.

How to remove DEcovid19 ransomware

Use antivirus programs to scan your computer and remove malicious items. Use Spyhunter or another good-quality antivirus program to find and delete DEcovid19 and any other malicious files that might be present on your computer.

The encrypted files are not dangerous and don’t need to be deleted.


How to recover DEcovid19 Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points from before DEcovid19 Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of DEcovid19 Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to DEcovid19 Ransomware. You can check other tools here.

Step 3. Restore DEcovid19 Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually DEcovid19 Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover DEcovid19 Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.