A ransomware virus has been detected by the name of “Dev-Nightmare”. The virus uses the .2xx9 file extension after it performs a successful attack on a compromised computer and encrypts t’s files. The files, besides having the abovementioned file extension added to them are encoded based on the mechanism from the HiddenTear ransomware project and luckily for infected user there may be a decryption solution for this virus. Keep reading this article for more information on how to remove this ransomware and try the HiddenTear decryptor to decode your files if they are enciphered by it.
|Short Description||The ransomware encrypts files with encryption algorithm and asks a ransom for decryption.|
|Symptoms||Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a READ_ME.txt file.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
See If Your System Has Been Affected by Dev-Nightmare
Malware Removal Tool
|User Experience||Join our forum to Discuss Dev-Nightmare Ransomware.|
Dev-Nightmare – Distribution
To distribute those tools, the Dev-Nightmare ransomware may also take advantage of several different methods for replications, which mainly involve spamming malicious URL’s or files. This may be done on comments on forums, other websites and also via shady e-mails that trick users into opening it’s malicious file attachments.
Dev-Nightmare Ransomware – More Information
After it infects a system, Dev-Nightmare may connect remotely to the computer of the cyber-criminals that is controlling it and download the malicious payload of the virus that encrypts files. It primarily may locate it In the %AppData% folder, but similar to other HiddenTear viruses like EDA2, 8lock8 DEDCryptor or Strictor this virus may also target other Windows folders:
In addition to that, the virus may also create modified values strings in the Windows Registry Editor to make the malicious file that encrypts files run when you start your computer. The targeted keys for this are mainly the following:
After the encryptor of this virus runs, it may look for a wide variety of files to encipher, Such files may be videos, pictures, database files, Microsoft Office and Adobe Reader documents. Similar to other HiddenTear viruses like it, Dev-Nightmare may also look for the following file extensions to encrypt:
→ .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf Source: Symantec
After the files are encrypted the virus ads it’s own distinctive file extension to the enciphered files – 2xx9. The encrypted files look like the following:
Then the virus leaves a hateful ransom note written in extremely poor English message that aims to induce fear in users to pay money to get access back to their files.
Dev-Nightmare’s ransom note:
Your System is inficated with Dev-Nightmare 2xx9 Ransomware
Your All Files and database are encrypted.
If you want you files back contact me at firstname.lastname@example.org
Send me some money or bitcoins
And I hate fake peoples.
Dev-Nightmare – Remove It and Decrypt Your Files
However, since this is a HiddenTear variant, there has been a decryptor released for which’s usage we have provided instructions in step “2. Decrypt files encrypted by Dev-Nightmare” below. But before decrypting your files, we strongly suggest following methodologically the instructions to remove Dev-Nightmare ransomware and other infections that may currently be residing on your computer. Malware analysts also strongly advise scanning your computer with an anti-malware program initially to effectively secure your computer after infection with Dev-Nightmare and protect it in the future as well.
Manually delete Dev-Nightmare from your computer
Note! Substantial notification about the Dev-Nightmare threat: Manual removal of Dev-Nightmare requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.