Also known as: Fileless-KOVTER, Trojan.Kotver, Trojan.Poweliks, Kovter Police Ransomware, Ransom:Win32/Kovter, Ransom:Win64/Kovter.A, Trojan:Win32/Kovter, Trojan:Win64/Kovter, Trojan.Win32.Kovter, Trojan.Win64.Kovter
Variants: Kovter.C, Kovter.R, Kovter.A/B, TROJ_KOVTER.[variant letter], Trojan.Kovter.A, Trojan.Kovter!gen4, Trojan:JS/Kovter.A, Trojan:Win32/Kovter.C, Trojan:Win32/Kovter.I, Trojan.Kovter.Generic, Trojan.Win32.Kovter.sm, Trojan:Win32/Kovter.F!lnk, Trojan:Win32/Kovter.H, Trojan:Win32/Kovter.M, Trojan.Kovter.xi, Trojan:Win32/Kovter.RPT!MTB, Win32/Kovter.gen!A, Trojan:Win32/Kovter.E, Trojan.Kovter.1.
Damage potential: Steals personal data, destroys files, demands ransom for locked system access, downloads additional malicious payloads, uses the infected devices for click fraud, hides itself in the computer’s memory or registry to avoid detection.
Kovter is fileless malware notorious for its evolving tactics. It first emerged as ransomware that displayed fake police warnings claiming the user had viewed illegal content and had to pay a fine. Later versions turned into more sophisticated malware that cybercriminals use to commit ad fraud. Kovter is particularly effective at this because its fileless nature makes it extremely difficult to detect and remove.
When Kovter was a new threat, an infection was obvious: you saw a ransom note instead of your files when you logged in to your computer. Today it is much more subtle and harder to detect. However, you can look out for the following signs:
- Unexpected system slowdowns.
- Unknown processes running in the Task Manager.
- Excessive network activity.
- Random pop-ups, ads, and even blocked websites that appear while browsing.
- Changes in the Windows registry.
- The “PowerShell has stopped working” error appears.
Sources of the infection
Kovter usually ends up on devices through email attachments, most commonly compromised Microsoft Office files that contain macro scripts. Once the user opens them, the malware creates a command that is stored in the computer’s registry. When that is done, Kovter deletes itself, leaving only a PowerShell command behind, and no file for your antivirus to detect.
- Opening innocent-looking Microsoft Office attachments from phishing emails.
- Visiting a compromised or malicious website that automatically downloads and installs the malware through a drive-by download.
- Installing unknown browser extensions.
- Clicking on a malicious ad.
- Using infected portable external storage devices.
- Installing software bundles without checking what’s in them.
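Because the infection described above leaves its launcher in the registry rather than on disk, a practical check on a Windows host is to audit the autostart keys for values that invoke PowerShell or embed a script. The following PowerShell script is an added example, not code from the original page or from any vendor; the key list, the indicator patterns and the function name are assumptions chosen for illustration.

```powershell
# Added example (not from the original page): audit the standard autostart keys
# for values that launch PowerShell or embed a script, the kind of registry-
# resident launcher a fileless infection leaves behind. Generic heuristics only.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Indicators of a script launcher stored as a registry value: the interpreter
# itself, its encoded/hidden/bypass switches, or inline script fragments.
$Indicators = @(
    'powershell(\.exe)?',
    '-(e|ec|enc|encodedcommand)\s',
    '-w(indowstyle)?\s+hidden',
    '-(ep|executionpolicy)\s+bypass',
    '\biex\b|invoke-expression',
    'frombase64string',
    '\b(mshta|wscript|cscript)(\.exe)?\b'
)
$Pattern = '(?i)' + ($Indicators -join '|')
# Provider metadata properties that Get-ItemProperty adds to every result.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspiciousAutorun {
    foreach ($Key in $AutorunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        foreach ($Prop in $Props.PSObject.Properties) {
            if ($Prop.Name -in $MetaProps) { continue }
            $Value = [string]$Prop.Value
            # Collect the unique matched fragments so the analyst sees why a value was flagged.
            $Hits = @([regex]::Matches($Value, $Pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique)
            # Value names with non-printable characters are another red flag;
            # legitimate installers almost never register them.
            if ($Prop.Name -match '[^\x20-\x7E]') { $Hits += 'non-printable value name' }
            if ($Hits.Count -eq 0) { continue }
            [pscustomobject]@{
                Key        = $Key
                ValueName  = $Prop.Name
                Indicators = ($Hits -join ', ')
                Length     = $Value.Length   # long values often carry an embedded script
                Preview    = $Value.Substring(0, [Math]::Min(120, $Value.Length))
            }
        }
    }
}

Get-SuspiciousAutorun | Format-Table -AutoSize -Wrap
```

A flagged entry is a lead to investigate, not proof of infection; compare it against the software you know is installed before removing anything.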
Kovter is typically distributed through spam mail as a malicious attachment, so a good way to protect your devices from it is to learn how to recognize fake emails. Some are obviously spam, while others can be more sophisticated and tailored to a specific person. Therefore, staying vigilant is key. Here are some more things you can do:
- Install security updates as soon as they become available.
- Disable the PowerShell execution policy; this ensures Kovter won’t be able to carry out its malicious commands.
The best way to avoid dealing with infected devices is to make sure malware never gets that far. Try NordVPN’s Threat Protection — it will protect you from accidentally downloading malicious files from the internet and keep you away from malware-ridden websites and ads.
To remove Kovter, use trustworthy and updated antivirus software to scan, detect, and delete the malware.
Due to its fileless nature, manual removal of Kovter is virtually impossible. The best you can do on your own is to perform a full system reset. Understandably, that’s not something most people want or know how to do — besides, you would lose all the files that are stored on the device.