What is Revon file extension
.Revon file extension is a file extension that is used by the latest variant of Phobos ransomware. ‘Revon’ variant is very similar in its characteristics to other variants of this ransomware. It also encrypts files, and then renames them, giving them a new filename consisting of their old and ‘.id[user-id].[EMAIL].revon’ appended at the end. Criminals demand a ransom for a key-decryptor pair, which is necessary to unlock encrypted data.
What is Revon ransomware
Revon ransomware is one of the variants of the Phobos ransomware. It appends the ‘.Revon’ extension to each file that it encrypts using a complex encryption mechanism. As its previous variants, it can use the same distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, Revon starts working in the background immediately. First of all, the virus configures the Windows so that it starts automatically every time the computer is turned on. Revon ransomware uses this mechanism to continue encrypting files if it was interrupted by turning off or restarting the computer. Further, the ransomware contacts its control server to send information about the infected computer and receive additional commands.
After all the preparatory steps are completed, Revon proceeds to the main thing, it begins to encrypt files. All files will be encrypted, regardless of where they are located, on the local disk or on a network-connected disk. That is, the contents of the following common file types can be encrypted:
.raf, .xlsx, .qdf, .ptx, .sr2, .pptm, .r3d, .raw, .wmd, .sql, .srf, .mdb, .pem, .w3x, .wmv, .wmf, .kdb, .ai, .epk, .zi, .m2, .wps, .wotreplay, .ysp, .lrf, .crt, .xpm, .cfr, .xlsb, .mdbackup, .1, .m4a, .wbz, .xlsx, .xar, .rwl, .sis, .dwg, .docx, .wdb, .menu, .mrwref, .wri, .docm, .wdp, .cdr, .webdoc, .dba, .xlgc, .wire, .rw2, .mp4, .litemod, .der, .wsc, .pak, .vdf, .3ds, .hkdb, .mov, .vcf, .xyw, .odt, .rb, .zip, .wpb, .tor, .3dm, .xy3, .xlsm, .pdf, .icxs, .d3dbsp, .itl, .wm, .xlk, .wma, .vpp_pc, .txt, .bkp, .wpw, .t13, .sidd, .gdb, .wp4, .wpe, .xbplate, .sidn, .ods, .zdc, .indd, .wbd, .lbf, .odm, .odc, .cer, .fsh, .3fr, .bar, .z3d, .pst, .wpd, .wbk, .mdf, .csv, .mddata, .x3f, .sid, .1st, .zdb, .fos, .bsa, .xmmap, .map, .psd, .pef, .x3d, .qic, .xxx, .lvl, .ppt, .wgz, .doc, .xld, .wmo, .xdl, .eps, .z, .xx, .wpa, .ntl, .blob, .wbm, .webp, .dmp, .layout, .pptx, .cr2, .accdb, .dcr, .tax, .fpk, .hkx, .bkf, .jpg, .re4, .kf, .xls, .pfx, .sav, .odb, .bik, .iwd, .7z, .wbmp, .rar, .avi, .psk, .dbf, .ncf, .pdd, .xwp, .pkpass, .upk, .hvpl, .forge, .vtf, .xyp, .das, .xdb, .bc6, .gho, .p12, .png, .wpg, .m3u, .dazip, .wp, .orf, .wcf, wallet, .wot, .2bp, .syncdb, .rofl, .p7b, .hplg, .cas, .bay, .wmv, .yal, .xbdoc, .ibank, .p7c, .x, .xlsm, .flv, .y, .wsd, .vfs0, .0, .rtf, .wpl, .mcmeta, .odp, .ybk, .arch00, .wps, .xll, .vpk, .wpt, .xls, .sie, .svg, .nrw, .xf, .mef, .zif, .sb, .sum, .dxg, .bc7, .mpqge, .wp6, .arw
When a file is encrypted, the ‘.id[user-id].[EMAIL].revon’ extension is added at the end of its name, that is, if you had a file called ‘document.docx’, then a file with the name ‘document.docx.id[18A191C0-1517].[werichbin@protonmail.com].revon’ will appear in its place. If you change the file name, just delete the added extension, then nothing will change. The file will remain encrypted, and as before, this file will not be possible to open in the program with which it is associated.
Perhaps you found on your computer or its desktop new files called ‘info.txt’ and ‘info.hta’ that for some reason are not encrypted. Examples of such files are given below.
The full text of ‘info.txt’:
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: werichbin@protonmail.com.
If we don’t answer in 24h., send e-mail to this address: werichbin@cock.li
The full text of ‘info.hta’:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail werichbin@protonmail.com
Write this ID in the title of your message 18A191C0-1517
In case of no answer in 24 hours write us to this e-mail:werichbin@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Criminals use the files to demand ransom from the Revon ransomware victims. The ransom demand message said that the victim’s files are encrypted. The authors of the ransomware demand a ransom in exchange for a key and a decryptor. Attackers offer to decrypt 5 files for free, but these files should not contain any valuable information. Of course, decryption of 5 files cannot guarantee that, after paying the ransom, the victim will be able to recover files affected with the ransomware.
Threat Summary
| Name | Revon |
| Type | Ransomware, Crypto virus, Crypto malware, File locker, Filecoder |
| Encrypted files extension | .revon |
| Ransom note | info.hta, info.txt |
| Contact | werichbin@protonmail.com, werichbin@cock.li |
| Ransom amount | $500-$1500 in Bitcoins |
| Detection Names | Trojan/Win32.Occamy, TR/Crypt.XPACK.Gen, Gen:NN.ZexaF.34106.duW@aSFkxzo, Ransom.Phobos.S11618290, Win.Ransomware.Ulise-7594403-0, W32/Ransom.NA.gen!Eldorado, W32/Ransom.NA.gen!Eldorado, W32/Phobos.8B03!tr.ransom, Trojan-Ransom.Phobos, Ransom.Phobos, Trojan.Malware.300983.susgen, Ransom:Win32/Phobos.V!MTB, Ransom.Win32.CRYSIS.SMA |
| Symptoms | Your photos, documents and music fail to open. Your personal files have different extension appended at the end of the file name. Files named such as ‘FILES ENCRYPTED.txt’, ‘READ-ME’, ‘_open me’, _DECRYPT YOUR FILES’ or ‘_Your files have been encrypted” in every folder with an encrypted file. Ransom note displayed on your desktop. |
| Distribution ways | Phishing Emails that is carefully created to trick a victim into opening an attachment or clicking on a link that contains a harmful file. Drive-by downloading (when a user unknowingly visits an infected web-page and then malware is installed without the user’s knowledge). Social media posts (they can be used to force users to download malicious software with a built-in ransomware downloader or click a suspicious link). USB flash drives containing malware. |
| Removal | Revon ransomware removal guide |
| Recovery | Revon File Recovery Guide |
As we have already said, Revon ransomware is not the first in its series. The fact that to date, antivirus companies have not created a way to decrypt the encrypted files, and just have not found a 100% way to protect the user’s computers (otherwise how would you be on our site), indicates the complexity of the ransomware virus and the method that it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to find and remove Revon ransomware, and there is also a chance to restore part or even all encrypted files to their original state. Below we will describe in detail how to do this.
How to remove Revon ransomware, Restore .Revon files
If you encounter the malicious actions of Revon ransomware, and your files have been encrypted with ‘.Revon’ extension, then you need to remove the virus or be 100% sure that there is no ransomware on your computer, and then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. We definitely recommend, even if for some reason one of the methods proposed below did not suit you, try another one and try all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, we want to say that all the tools that we recommend using in our instructions are free and verified by security experts. And the last, before proceeding with the instructions, we advise you to read it thoroughly carefully, and then print or open it on a tablet or smartphone to have it always at hand.
- How to remove Revon ransomware virus
- How to decrypt .revon files
- How to restore .revon files
- How to protect your computer from Revon ransomware
How to remove Revon ransomware virus
There are not many good and free malware removal tools with high detection ratio. The effectiveness of malware removal utilities depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern worms, trojans, ransomware and other malware. We suggest to run several programs, not just one. These programs that listed below will allow you remove all components of the Revon crypto virus from your disk and Windows registry.
Remove Revon ransomware with Zemana
Zemana Free can find all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Revon ransomware virus, you can easily and quickly uninstall it.
Visit the page linked below to download the latest version of Zemana Free for Microsoft Windows. Save it on your Microsoft Windows desktop.
164029 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once downloading is done, close all apps and windows on your machine. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup similar to the one below.
When the install begins, you will see the “Setup wizard” that will help you install Zemana Anti Malware (ZAM) on your PC system.
Once setup is finished, you will see window as shown below.
Now click the “Scan” button to begin scanning your PC for the Revon ransomware virus, other malicious software, worms and trojans. This task can take some time, so please be patient.
When Zemana AntiMalware (ZAM) has finished scanning, it will open the Scan Results. You may remove threats (move to Quarantine) by simply click “Next” button.
The Zemana will start to uninstall Revon crypto malware and other security threats.
Remove Revon virus with MalwareBytes Free
Manual Revon virus removal requires some computer skills. Some files and registry entries that created by the crypto virus may be not fully removed. We suggest that run the MalwareBytes that are completely clean your personal computer of ransomware. Moreover, this free program will allow you to delete malware, PUPs, adware and toolbars that your computer may be infected too.
Visit the page linked below to download MalwareBytes AntiMalware (MBAM). Save it on your Desktop.
326382 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When downloading is done, close all programs and windows on your system. Double-click the setup file called mb3-setup. If the “User Account Control” dialog box pops up such as the one below, click the “Yes” button.
It will open the “Setup wizard” that will help you set up MalwareBytes Anti-Malware (MBAM) on your system. Follow the prompts and do not make any changes to default settings.
Once setup is done successfully, click Finish button. MalwareBytes will automatically start and you can see its main screen as shown in the following example.
Now click the “Scan Now” button to begin scanning your system for the Revon crypto virus, other malicious software, worms and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your PC.
After the scanning is finished, you will be displayed the list of all found items on your machine. Make sure all threats have ‘checkmark’ and press “Quarantine Selected” button. The MalwareBytes Anti Malware will start to remove Revon ransomware virus related folders,files and registry keys. Once that process is done, you may be prompted to restart the PC.
We recommend you look at the following video, which completely explains the procedure of using the MalwareBytes Free to delete adware, hijacker and other malicious software.
Run KVRT to remove Revon
If MalwareBytes anti-malware or Zemana antimalware cannot remove this ransomware virus, then we recommends to use Kaspersky virus removal tool (KVRT). KVRT is a free removal tool for ransomware, worms, spyware, trojans, adware, potentially unwanted apps and other malicious software.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link.
129055 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you will see the Kaspersky virus removal tool screen as shown in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to perform a system scan for the Revon ransomware virus and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your computer. While the KVRT is checking, you can see how many objects it has identified either as being malicious software.
When KVRT is finished scanning your personal computer, it will show the Scan Results as on the image below.
Review the results once the utility has complete the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to start a cleaning procedure.
How to decrypt .revon files
Files with the extension ‘.revon’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Unfortunately, today there is no way to decrypt files encrypted by Revon ransomware virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Nevertheless, everyone has to remember that paying the developers of the Revon ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the Revon ransomware) in order to decrypt locked personal files. There still are some ways to defuse crypto malware without paying ransom, so you would not need to pay hackers and you would not let them reach their goal.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you restore the contents of encrypted files. Try to recover the encrypted files using free tools listed below.
How to restore .revon files
If all your files are encrypted with .revon file extension, then you only have one thing left, use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to restore the contents of encrypted files. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now, use free malware removal tools or return to step 1 above.
Use ShadowExplorer to restore .revon files
A free tool named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7 , Vista). You can recover your documents, photos, and music encrypted by Revon ransomware from Shadow Copies for free. Unfortunately, this method does not always work due to the fact that the ransomware almost always deletes all Shadow copies.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
438663 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the screen below.
Launch the ShadowExplorer utility and then choose the disk (1) and the date (2) that you wish to restore the shadow copy of file(s) encrypted by the Revon crypto virus as displayed in the figure below.
Now navigate to the file or folder that you wish to recover. When ready right-click on it and press ‘Export’ button as shown in the figure below.
Restore .revon files with PhotoRec
There is another way to recover the contents of the encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec on your Windows Desktop from the link below.
When the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as displayed on the screen below.
Choose a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music like below.
Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is done, click OK button.
Next, click Browse button to select where restored personal files should be written, then press Search.
Count of restored files is updated in real time. All restored files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents similar to the one below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your computer from Revon ransomware
Most antivirus apps already have built-in protection system against the crypto malware. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro.Alert can be downloaded from the following link. Save it directly to your MS Windows Desktop.
When the downloading process is complete, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is launched, you’ll be shown a window where you can choose a level of protection, as shown in the figure below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of Revon ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .Revon files; how to recover the encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Revon virus related issues, go to here.
