Remove DEDCryptor Ransomware and Restore .ded Encrypted Files

A ransomware virus known by the name DEDCryptor adds the .ded ("grandpa" in Russian) file extension to encrypted files. The encryptor then changes the user's wallpaper to a message notifying them that their files are enciphered. The message features a vulgar photo of Santa Claus, making it all seem like a joke. However, DEDCryptor is no joke; it demands the sum of 2 BTC, which is around 700 USD, to restore access to the user's files. What is worse, the ransomware encrypts the files with the Advanced Encryption Standard (AES) cipher and uses a randomly generated 32-character password, created after the encryption runs.

Threat Summary

Name: DEDCrypt
Type: Ransomware
Short Description: The ransomware encrypts files with the AES-256 cipher and asks a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible. A ransom note with instructions for paying the ransom shows as a wallpaper.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool: See If Your System Has Been Affected by DEDCrypt


Users infected with DEDCryptor should be advised that there is no breakthrough in decryption so far. However, it is recommended to NOT pay the ransom of 2 BTC and instead, remove this crypto-virus and attempt to restore your files using alternative methods such as the ones posted in this article.

DEDCryptor – Spreading Methods

So far it is unclear whether DEDCryptor uses only one method to infect users or more than one. Either way, infected users report seeing malicious URLs which cause browser redirects to other web links that could contain the malware itself.

Users may see the malware featured in web links such as the one in the spam e-mail example below:

[Image: spam e-mail example (not reproduced)]

In addition to that DEDCryptor may be spread anywhere else where such URLs can be posted – forums, comments, social media private messages, posts in groups, etc.

DEDCryptor In Depth

Once installed on the user's PC, DEDCryptor hides its payload behind different file names, sometimes randomly generated, in different Windows directories, for example:

[Image: commonly used file names and folders (not reproduced)]

In addition to that, DEDCryptor crypto-virus takes advantage of different registry entries to change the wallpaper and make itself run on Windows startup:

HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

After this, the ransomware begins to scan for different files to encrypt. Malware researchers report the affected file types to be the following:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf

Source: Symantec

The encrypted files have the .ded file extension appended to them, for example:

New Text Document.txt.ded
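The registry keys listed above and the appended .ded extension are the two indicators a responder can check quickly. The following PowerShell script is an added example written for this article; it is not code from SensorsTechForum or from the malware. It lists the Run/RunOnce autostart values, reads the wallpaper path from the Desktop key, and enumerates .ded files to recover their original names and the earliest write time. The $ScanRoot parameter is a hypothetical starting folder and the script assumes it runs on the affected Windows machine.

```powershell
# Added example (not from the original article): triage checks for the
# persistence and file-extension indicators described above.
# Assumptions: run in PowerShell on the affected machine; $ScanRoot is a
# hypothetical starting folder for the .ded file search.
param([string]$ScanRoot = "$env:USERPROFILE")

# The two autostart keys named in the article.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. List every autostart value under the Run/RunOnce keys. An entry pointing
#    at a randomly named executable in a user-writable folder deserves a closer
#    look before it is removed.
function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata members PowerShell adds.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Read the current wallpaper path from the Desktop key the article lists;
#    a wallpaper in %TEMP% or %APPDATA% is consistent with the ransom note.
function Get-WallpaperPath {
    (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper `
        -ErrorAction SilentlyContinue).Wallpaper
}

# 3. Enumerate files carrying the appended .ded extension and recover the
#    original name by stripping the suffix, as in "New Text Document.txt.ded".
function Get-DedFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -File -Filter '*.ded' `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                EncryptedFile = $_.FullName
                OriginalName  = $_.Name -replace '\.ded$', ''
                LastWrite     = $_.LastWriteTime
            }
        }
}

"== Autostart entries =="
Get-AutostartEntries | Format-Table -AutoSize
"== Wallpaper =="
Get-WallpaperPath
"== Encrypted files under $ScanRoot =="
$ded = @(Get-DedFiles -Root $ScanRoot)
$ded | Format-Table -AutoSize
"Total .ded files: $($ded.Count)"
# The earliest LastWriteTime among .ded files approximates when encryption started,
# which helps pick a restore point or backup from before the infection.
if ($ded.Count -gt 0) {
    "Earliest encrypted file written: " +
        ($ded | Sort-Object LastWrite | Select-Object -First 1).LastWrite
}
```

Run it before deleting anything so the autostart entries and file list are recorded; the output is the evidence you need when cleaning the Run/RunOnce keys in the removal steps later in this article.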

The encryption algorithm used by DEDCryptor ransomware has been reported to be AES-256. The ransomware generates a unique password and may send it to the command and control (C&C) server of the cyber-criminals.

Researchers believe this is a variant of EDA2 ransomware, suggesting that the virus could have been posted for sale on deep web markets. This may generate additional profits for the creators of EDA2 ransomware and, in addition, spread the ransomware further and infect more users. Either way, experts strongly advise against paying any ransom to the cyber-criminals behind DEDCryptor for several obvious reasons:

  • There is no guarantee you will receive your files back.
  • You support the cyber-criminals.

Remove DEDCryptor Ransomware and Try To Restore the Encrypted Files

To remove this ransomware, be advised that you should isolate the threat first. After this, it is recommended to check for any processes related to DEDCryptor which may be actively running on your computer. Once the registry entries have been cleaned up, the files can be deleted. The full instructions for this can be found in the manual below.

For maximum results, experts advise using an advanced anti-malware program, which will take care of the threat and detect other malware as well, if present on your computer.

To restore your data, it is advisable to try the alternatives in the instructions below. They offer no 100 percent guarantee, but they may restore at least a small portion of your files.

Manually delete DEDCrypt from your computer

Note! Important notice about the DEDCrypt threat: Manual removal of DEDCrypt requires interfering with system files and registry entries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DEDCrypt files and objects
2. Find malicious files created by DEDCrypt on your PC
3. Fix registry entries created by DEDCrypt on your PC

Automatically remove DEDCrypt by downloading an advanced anti-malware program

1. Remove DEDCrypt with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by DEDCrypt in the future
3. Restore files encrypted by DEDCrypt
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
