Cvc Ransomware
The Cvc Ransomware is the latest malware threat to be spawned from the extremely prolific Dharma malware family. Indeed, it appears that despite its age, the Dharma Ransomware family is still as relevant among cybercriminals as ever, and new variants can be observed being unleashed in the wild almost daily.
The Cvc Ransomware is such a variant precisely, as it shows little deviation or improvement compared to the other ransomware threats belonging to the family. The only characteristics that distinguish it from the rest are the specific emails used as a communication channel with the hackers behind the threat and the file extension for the encrypted files.
When the Cvc Ransomware manages to compromise a computer, it proceeds to lock nearly all of the files stored on it with a powerful encryption algorithm effectively. MS Office files, PDFs, databases, photos, music, and video files will be rendered inaccessible and unusable. Every encrypted file will have its name modified significantly, a common behavior for the Dharma Ransomware variants. The Cvc Ransomware appends a unique ID string assigned to the specific victim, followed by the 'patrik008@tutanota.com' email address, and finally, '.cvc' as a new extension. Another typical Dharma aspect that the Cvc Ransomware retains is the delivery of the ransom note in two different forms - as text files named 'FILES ENCRYPTED.txt' and displayed in a pop-up window.
The message delivered in the text files is rather short and contains little details. Affected users are simply told to contact either the same email from the modified file names - 'patrik008@tutanota.com,' or an alternative address at 'bank008800@cock.li.' On the other hand, the ransom note from the pop-up window offers far more details, although most of them are warnings such as users not renaming the encrypted files or that the user of third-party decryption tools could cause irreversible damage to the locked files.
The full text of the Cvc Ransomware's pop-up note is:
'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link: email patrik008@tutanota.com YOUR ID -
If you have not been answered via the link within 12 hours, write to us by email:bank008800@cock.li
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The brief message found in the 'FILES ENCRYPTED.txt' files is:
'all your data has been locked us
You want to return?
write email patrik008@tutanota.com or bank008800@cock.li.'
How Does CVC Ransomware Infect Computers?
Like other malware, CVC ransomware typically spreads through spam email messages, malicious advertising, infected websites, and infected software updates and installers. Most computer infections can be traced back to someone clicking on a link or attachment in a malicious email.
Spam emails are written to appear as if they come from a legitimate source. Emails could claim to have come from a shipping company or banking institution. The reality is that hackers sent the emails as part of a phishing scheme to deceive recipients. There are also cases of emails coming from genuine sources that were themselves affected by the CVC ransomware. The ransomware gets into email accounts and writes and sends emails to people in the owner’s contact list.
Another common infection point for CVC ransomware is installing pirated software. Many internet users turn to torrenting websites to access cracked software and games without paying for them. Hackers upload fake versions of these programs or program cracking software to install malware such as CVC on the side. There are many risks to downloading illicit software – risks that are not worth it.
How to Recover Files Affected by CVC Ransomware
The CVC ransomware gets to work immediately after infiltrating a computer. How the virus works can depend on the infection method. If the virus breached your computer via the trojan virus, for example, then the first step is downloading and installing the module from a remote server. Once the CVC ransomware gets up and running, it connects to a command-and-control server to receive further instructions. The virus sends information about the computer and receives the command to encrypt data and the public key needed to undo it.
CVC begins hunting files to encrypt as soon as it receives the public key. The virus looks for productivity documents and other things users would consider important. It uses complex encryption algorithms and techniques to lock the data away and prevent users from accessing it. CVC also applies a new file extension to infected files, including a unique ID for the victim, an email address for the attacker, and the virus’s name.
As far as file recovery goes, the attackers offer instructions on how to get the decryption key in the ransom message. Unfortunately, they aren’t lying when they say the only way to decrypt files is with their key. This doesn’t mean you should pay them, however. Paying the ransom is the worst thing you could do in this situation. There’s no guarantee that the hackers will give you a decryption key or that it will even work. Your best option is to use a data backup to restore your files. If you don’t have an external backup, you could try file recovery software. However, these programs generally rely on Shadow Volume Copies of data and aren’t always effective because ransomware like CVC erases those Shadow Volume Copies.
