Coverton targets Windows; its method of distribution is currently unknown. Once installed, it copies itself to %UserProfile%\userlog.exe and configures itself to run automatically when Windows starts. It then encrypts targeted files with AES-256 and creates a ransom note named “!!!-WARNING-!!!” in both .html and .txt formats. Encrypted files carry the .coverton, .enigma, or .czvxce extension. Coverton deletes Shadow Volume Copies to prevent file restoration. Some reports state that it leaves victims with corrupted files even if the ransom is paid and the decryption process has executed. Coverton demands a ransom payment of 1 Bitcoin.
- Bleeping Computer provides more information about Coverton here.
- The NJCCIC is not aware of any decryption tools available for Coverton.
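
A triage check built from the indicators in this profile, added here as an example and not NJCCIC's or Bleeping Computer's code: it classifies paths from a file listing and rates a host "likely" only when two indicator types coincide. The note's on-disk names (`!!!-WARNING-!!!.html` and `.txt`), the `C:\Users\<name>` profile layout, the two-indicator threshold, the function names and the sample listing are assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_EXTS = {".coverton", ".enigma", ".czvxce"}  # extensions named in the profile
NOTE_STEM = "!!!-warning-!!!"                          # ransom note name, lower-cased
NOTE_EXTS = {".html", ".txt"}
DROPPED_NAME = "userlog.exe"                           # copy placed in %UserProfile%

# Constructed sample listing (e.g. exported from a disk image or EDR file inventory).
SAMPLE = [
    r"C:\Users\alice\userlog.exe",
    r"C:\Users\alice\Documents\budget.xlsx.coverton",
    r"C:\Users\alice\Documents\notes.docx.coverton",
    r"C:\Users\alice\Documents\!!!-WARNING-!!!.txt",
    r"C:\Users\alice\Pictures\trip.jpg.czvxce",
    r"C:\Users\alice\Pictures\!!!-WARNING-!!!.html",
    r"C:\Windows\System32\notepad.exe",
]

def classify(path_str):
    """Return the indicator type a single path matches, or None."""
    p = PureWindowsPath(path_str)
    ext = p.suffix.lower()
    if ext in ENCRYPTED_EXTS:
        return "encrypted_file"
    if ext in NOTE_EXTS and p.stem.lower() == NOTE_STEM:
        return "ransom_note"
    # Assumption: profile directories sit directly under a "Users" folder.
    if p.name.lower() == DROPPED_NAME and p.parent.parent.name.lower() == "users":
        return "dropped_binary"
    return None

def triage(paths):
    """Summarise indicators across a listing and rate the host."""
    hits = {"encrypted_file": [], "ransom_note": [], "dropped_binary": []}
    for raw in paths:
        kind = classify(raw)
        if kind:
            hits[kind].append(raw)
    by_dir = Counter(str(PureWindowsPath(f).parent) for f in hits["encrypted_file"])
    # A lone matching extension or a stray userlog.exe is weak evidence by itself,
    # so "likely" requires at least two different indicator types.
    kinds_seen = sum(1 for found in hits.values() if found)
    verdict = "likely" if kinds_seen >= 2 else "review" if kinds_seen == 1 else "clean"
    return {"verdict": verdict, "hits": hits, "encrypted_by_dir": dict(by_dir)}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["verdict"], result["encrypted_by_dir"])
```

The per-directory counts show how far encryption spread, which helps scope what must be restored from offline backups given that Shadow Volume Copies are deleted.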