
DagaCrypt Virus (Restore Files)

This article aims to help you remove the DagaCrypt Mobef ransomware variant from your computer and restore files encrypted by it.

A ransomware virus believed to be part of the family of Mobef ransomware viruses has been reported to display a blue lockscreen message in which it demands a hefty payoff in Bitcoin to restore the files it has encrypted. The virus also performs multiple other modifications on the infected computer, such as encrypting files with the RSA and AES encryption algorithms. If you have been infected by this ransomware virus, we strongly suggest you read the material below.

Threat Summary

Name: DagaCrypt
Type: Ransomware
Short Description: The ransomware encrypts files with the RSA algorithm and AES-128 ciphers and asks a ransom for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

DagaCrypt Ransomware – How Is It Spread

To infect users on a massive scale, the DagaCrypt ransomware virus may be spread via multiple techniques, the main one being spam e-mail messages that contain either malicious e-mail attachments or malicious web links. Both may be accompanied by deceitful e-mails.

In addition to this, there are other methods by which one can become a victim of DagaCrypt ransomware. One of them is fake installers or programs uploaded to shady websites.

DagaCrypt Ransomware – Malicious Activity

As soon as infection has commenced, DagaCrypt may drop multiple different files on the infected computer. They may have the following names:

  • 44.tmp.exe
  • Ransom.Daga.exe
  • Tmp.exe

After these files are dropped on the infected computer, the ransomware may begin to interfere with the Windows Registry, meaning that it may modify values or add new strings within it. The Registry sub-key usually targeted may be the following:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
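
A read-only triage check for the indicators listed above, as an added example that is not part of the original article: it lists values in the HKCU Run key that reference the three dropped file names and looks for files with those names on disk. The search roots and the function names are assumptions, since the article does not say where the files are dropped.

```powershell
# Added example (not from the article): read-only triage, changes nothing.
# File names and the Run key are from the article; search roots are assumptions.
$droppedNames = '44.tmp.exe', 'Ransom.Daga.exe', 'Tmp.exe'
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$searchRoots = $env:TEMP, $env:APPDATA, "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop"

function Get-RunKeyEntry {
    # Return every value in the given Run key as ValueName/Command pairs.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ ValueName = $name; Command = [string]$key.GetValue($name) }
    }
}

function Test-ReferencesDroppedFile {
    # True when the command line contains one of the names as a whole file name.
    param([string]$Command, [string[]]$Names)
    foreach ($n in $Names) {
        # Require a path separator, quote, space or string boundary on both
        # sides so that 'Tmp.exe' does not also match 'setup_tmp.exe'.
        $pattern = '(^|[\\/"\s])' + [regex]::Escape($n) + '($|["\s])'
        if ($Command -match $pattern) { return $true }   # -match ignores case
    }
    return $false
}

$runHits = Get-RunKeyEntry -Path $runKey |
    Where-Object { Test-ReferencesDroppedFile -Command $_.Command -Names $droppedNames }

$fileHits = foreach ($root in $searchRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $droppedNames -contains $_.Name } |
        Select-Object FullName, Length, CreationTimeUtc,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}

"Run key values referencing the dropped file names: $(@($runHits).Count)"
$runHits | Format-List
"Files with a dropped file name under the search roots: $(@($fileHits).Count)"
$fileHits | Format-List
```

A match on `Tmp.exe` alone is weak evidence because the name is generic; review the full path and hash before acting on it.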

DagaCrypt Ransomware – Encryption Process

For the encryption process of DagaCrypt ransomware to be successful, the virus may use a combination of AES and RSA encryption algorithms, similar to other Mobef variants. DagaCrypt may be pre-configured to target the following Windows file types for encryption.

→ .3ds .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .alk .arj .axx .bak .bpw .cdr .cer .crp .crt .csv .db .dbf .dbx .der .doc .docm .docx .dot .dotm .dotx .drc .dwfx .dwg .dwk .dxf .eml .enz .fdb .flk .flka .flkb .flkw .flwa .gdb .gho .gpg .gxk .hid .hid2 .idx .ifx .iso .k2p .kdb .kdbx .key .ksd .max .mdb .mdf .mpd .mpp .myo .nba .nbf .nsf .nv2 .odb .odp .ods .odt .ofx .ost .p12 .pdb .pdf .pfx .pgp .ppj .pps .ppsx .ppt .pptx .prproj .psd .pst .psw .qba .qbb .qbo .qbw .qfx .qif .rar .raw .rfp .rpt .rsa .rtf .saj .sdc .sdf .sef .sko .sql .sqlite .sxc .tar .tax .tbl .tc .tib .txt .wdb .xbrl .xls .xlsm .xlsx .xml .zip

After the encryption process is complete, the files can no longer be opened and DagaCrypt adds a custom image with its ransom note, which has the following content:

What happened to your files ?
All of your files were protected by a strong encryption.
For more specific instructions, please send us an Bitmessage
you can download here – https//bitmessage.org
on this address BM-NBZnSfSEioDnWmVBGGYiSsqijoBTfAhi
m WARNING m
PLEASE DON’T DELETE THIS FILE IF YOU WANT RECOVER YOUR FILES: C:\Windows\62348433.log

Remove DagaCrypt and Restore Files Encrypted by It

Before removing DagaCrypt from your computer, it is strongly advisable to back up the encrypted files. Then, we recommend following the removal instructions below. If manual removal is not an option, experts always advise using an advanced anti-malware program to automatically take care of DagaCrypt ransomware.

In case you want to restore files encrypted by this virus, we strongly suggest following the instructions in step “2. Restore files encrypted by DagaCrypt” below.

Manually delete DagaCrypt from your computer

Note! Important notice about the DagaCrypt threat: manual removal of DagaCrypt requires interference with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DagaCrypt files and objects.
2. Find malicious files created by DagaCrypt on your PC.
3. Fix registry entries created by DagaCrypt on your PC.

Automatically remove DagaCrypt by downloading an advanced anti-malware program

1. Remove DagaCrypt with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by DagaCrypt in the future

After you have removed Philadelphia ransomware, you might as well begin decrypting files. To do this, follow the steps below:

Step 1: Download Stampado Decrypter. Being a variant of the Stampado viruses, Philadelphia can be decrypted with EmsiSoft’s Stampado Decrypter. To download it for free, click on the button below and save it:

Download

Stampado Decrypter


Step 2: Open the decrypter and choose which files to decrypt. You can do this either by choosing the volumes on your hard drive (C:\; D:\) or by clicking the Add Folder button to add your important folders so that the process is faster.


Step 3: Click on Decrypt and enter the e-mail address and your Identification number from your ransomware virus to help the decrypter set the variant and the decryption key for Philadelphia ransomware. After this is done, go back to the “Decrypter” tab and repeat the same process to start decrypting files.

Be patient; decryption may take some time. After every file is decrypted, you should see information about it in the decrypter.

Philadelphia Decryptor – Conclusion

After decrypting your files, make sure you save them on an external drive and make more than one backup. For a more professional approach to storing your data safely, please check the following article:

Related Article: Safely Store Your Important Files and Protect Them From Malware

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
