DagaCrypt, a ransomware variant believed to belong to the Mobef family, has been reported to display a blue lock-screen message demanding a hefty Bitcoin ransom to restore the files it has encrypted. Besides encrypting files with a combination of the RSA and AES algorithms, the virus makes several other modifications to the infected computer. If you have been infected by this ransomware, we strongly suggest you read the material below.
| Threat | DagaCrypt (Mobef variant) |
|---|---|
| Short Description | Encrypts files with a combination of RSA and AES-128 and demands a ransom for decryption. |
| Symptoms | Files are encrypted and can no longer be opened. A ransom note with payment instructions is dropped as a .txt file. |
| Distribution Method | Spam e-mails, e-mail attachments, file-sharing networks. |
DagaCrypt Ransomware – How Is It Spread
To infect users at scale, DagaCrypt may be distributed through several techniques, the main one being spam e-mail that carries either a malicious attachment or a link to a malicious file hosted online. Both are typically wrapped in a deceptive message, such as the examples below:
Other infection vectors exist as well; one of them is fake installers or programs hosted on shady websites.
DagaCrypt Ransomware – Malicious Activity
As soon as the infection begins, DagaCrypt may drop several files on the infected computer. They may have the following names:
Once these files are in place, the ransomware may modify the Windows Registry, changing existing values or adding new string values. The registry sub-key usually targeted is the following:
DagaCrypt Ransomware – Encryption Process
To encrypt files, DagaCrypt may use a combination of the AES and RSA algorithms, like other Mobef variants. It may be pre-configured to target the following file types:
→ .3ds .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .alk .arj .axx .bak .bpw .cdr .cer .crp .crt .csv .db .dbf .dbx .der .doc .docm .docx .dot .dotm .dotx .drc .dwfx .dwg .dwk .dxf .eml .enz .fdb .flk .flka .flkb .flkw .flwa .gdb .gho .gpg .gxk .hid .hid2 .idx .ifx .iso .k2p .kdb .kdbx .key .ksd .max .mdb .mdf .mpd .mpp .myo .nba .nbf .nsf .nv2 .odb .odp .ods .odt .ofx .ost .p12 .pdb .pdf .pfx .pgp .ppj .pps .ppsx .ppt .pptx .prproj .psd .pst .psw .qba .qbb .qbo .qbw .qfx .qif .rar .raw .rfp .rpt .rsa .rtf .saj .sdc .sdf .sef .sko .sql .sqlite .sxc .tar .tax .tbl .tc .tib .txt .wdb .xbrl .xls .xlsm .xlsx .xml .zip
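The "AES plus RSA" combination mentioned above is a standard hybrid scheme, and it is the reason files encrypted this way cannot be recovered without the attacker's key. The Go program below is an added illustration, not DagaCrypt's code; the blob layout, function names and key sizes are assumptions made for this example. It encrypts a buffer under a fresh AES-128-GCM key, wraps that key with the attacker's RSA public key using OAEP, and shows that only the holder of the matching RSA private key can unwrap it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Blob layout used by this example (an assumption for illustration, not DagaCrypt's real format):
//
//	[2-byte big-endian length L][L bytes: AES-128 file key wrapped with RSA-OAEP]
//	[12-byte GCM nonce][AES-GCM ciphertext + 16-byte tag]
//
// The RSA private key is generated offline by the attacker and never reaches the victim,
// so the only thing that can unwrap the per-file AES key is that private key.

// NewAttackerKeypair stands in for the key pair an attacker generates offline.
func NewAttackerKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptHybrid encrypts one file's contents under a fresh random AES-128 key and wraps
// that key with the attacker's RSA public key. The plaintext AES key is dropped on return.
func EncryptHybrid(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 16) // AES-128: a new key for every file
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes for standard GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)

	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(ct)
	return out.Bytes(), nil
}

// DecryptHybrid is what the attacker's "decryptor" does: unwrap the file key with the RSA
// private key, then decrypt the body. With any other key the unwrap step fails.
func DecryptHybrid(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	l := int(binary.BigEndian.Uint16(blob[:2]))
	if len(blob) < 2+l+12 {
		return nil, errors.New("truncated blob")
	}
	wrapped := blob[2 : 2+l]
	nonce := blob[2+l : 2+l+12]
	ct := blob[2+l+12:]

	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	attacker, err := NewAttackerKeypair()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 forecast (constructed sample document)")
	blob, err := EncryptHybrid(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes into a %d-byte blob\n", len(doc), len(blob))

	// A freshly generated key of the same size is useless: the file key is bound to the
	// attacker's public key, not to the algorithm.
	victim, _ := NewAttackerKeypair()
	if _, err := DecryptHybrid(victim, blob); err != nil {
		fmt.Println("decryption without the attacker's private key failed:", err)
	}
	pt, err := DecryptHybrid(attacker, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker's private key recovers: %q\n", pt)
}
```

The per-file AES key exists only inside EncryptHybrid and is never written to disk, which is why neither the encrypted file nor the wrapped key at its head helps a victim: the wrapped key is RSA ciphertext that only the private key opens. This is also why the general advice is to keep the encrypted files rather than delete them; if the private key is later leaked or seized, a decryptor can still process them.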
After the encryption process is complete, the files can no longer be opened, and DagaCrypt drops a custom image carrying its ransom note, which reads:
What happened to your files ?
All of your files were protected by a strong encryption.
For more specific instructions, please send us an Bitmessage
you can download here – https//bitmessage.org
on this address BM-NBZnSfSEioDnWmVBGGYiSsqijoBTfAhi
m WARNING m
PLEASE DON’T DELETE THIS FILE IF YOU WANT RECOVER YOUR FILES: C:\Windows\62348433.log
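To triage a suspected infection, a responder wants to know which files were hit and where the ransom notes are. The Go program below is an added example, not code from the page or from the ransomware's authors: it walks a directory, flags files with the extensions listed above whose contents have the near-uniform byte entropy of ciphertext, and identifies ransom notes by the Bitmessage address quoted in the note text, regardless of the note's file name. The entropy threshold, the set of formats treated as "already dense" (compressed or encrypted when intact) and all function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"strings"
)

// targetExts is the extension list the page attributes to DagaCrypt.
var targetExts = toSet(".3ds .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .alk .arj .axx .bak .bpw .cdr " +
	".cer .crp .crt .csv .db .dbf .dbx .der .doc .docm .docx .dot .dotm .dotx .drc .dwfx .dwg .dwk .dxf " +
	".eml .enz .fdb .flk .flka .flkb .flkw .flwa .gdb .gho .gpg .gxk .hid .hid2 .idx .ifx .iso .k2p .kdb " +
	".kdbx .key .ksd .max .mdb .mdf .mpd .mpp .myo .nba .nbf .nsf .nv2 .odb .odp .ods .odt .ofx .ost .p12 " +
	".pdb .pdf .pfx .pgp .ppj .pps .ppsx .ppt .pptx .prproj .psd .pst .psw .qba .qbb .qbo .qbw .qfx .qif " +
	".rar .raw .rfp .rpt .rsa .rtf .saj .sdc .sdf .sef .sko .sql .sqlite .sxc .tar .tax .tbl .tc .tib .txt " +
	".wdb .xbrl .xls .xlsm .xlsx .xml .zip")

// denseExts (assumed set) are targets that are already compressed or encrypted when intact,
// so a high entropy reading says nothing about whether the ransomware touched them.
var denseExts = toSet(".7z .7zip .aes .arj .axx .docm .docx .dotm .dotx .gho .gpg .iso .kdbx .odb .odp " +
	".ods .odt .p12 .pdf .pfx .pgp .ppsx .pptx .rar .tib .xlsm .xlsx .zip")

// noteMarker is the Bitmessage address quoted in the ransom note above; a file containing it
// is the note itself, whatever it is named.
const noteMarker = "BM-NBZnSfSEioDnWmVBGGYiSsqijoBTfAhi"

func toSet(list string) map[string]bool {
	m := map[string]bool{}
	for _, e := range strings.Fields(list) {
		m[e] = true
	}
	return m
}

// Entropy returns the Shannon entropy of data in bits per byte (0 to 8).
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h, n := 0.0, float64(len(data))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Classify labels one file from its name and (a prefix of) its contents.
func Classify(name string, data []byte) string {
	if bytes.Contains(data, []byte(noteMarker)) {
		return "ransom_note"
	}
	ext := strings.ToLower(filepath.Ext(name))
	switch {
	case !targetExts[ext]:
		return "ignored" // not a type the page lists as targeted
	case denseExts[ext] || len(data) < 256:
		return "inconclusive" // entropy cannot separate encrypted from intact here
	case Entropy(data) > 7.5: // assumed threshold; ciphertext sits near 8.0
		return "likely_encrypted"
	default:
		return "intact"
	}
}

// Scan walks root, reads at most 64 KiB of each regular file and groups paths by label.
// Unreadable files are recorded rather than aborting the scan.
func Scan(root string) (map[string][]string, error) {
	result := map[string][]string{}
	buf := make([]byte, 64*1024)
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		f, err := os.Open(p)
		if err != nil {
			result["unreadable"] = append(result["unreadable"], p)
			return nil
		}
		n, err := io.ReadFull(f, buf)
		f.Close()
		if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
			result["unreadable"] = append(result["unreadable"], p)
			return nil
		}
		label := Classify(p, buf[:n])
		result[label] = append(result[label], p)
		return nil
	})
	return result, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	result, err := Scan(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan error:", err)
		os.Exit(1)
	}
	for _, label := range []string{"ransom_note", "likely_encrypted", "intact", "inconclusive", "unreadable"} {
		fmt.Printf("%-17s %d\n", label, len(result[label]))
	}
	for _, p := range result["ransom_note"] {
		fmt.Println("note:", p)
	}
}
```

Run it as `go run scan.go D:\shares\finance` (path assumed) on a copy or read-only mount, never on the live system before the encrypted files have been backed up. Treat "likely_encrypted" as a lead, not proof: a .txt that happens to hold base64 or binary data will also score high, so confirm a sample by hand.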
Remove DagaCrypt and Restore Files Encrypted by It
Before removing DagaCrypt from your computer, back up the encrypted files so that they can still be processed if a decryptor becomes available; include the file the ransom note tells you not to delete, C:\Windows\62348433.log, since the note presents it as necessary for recovery. Then follow the removal instructions below. If manual removal is not an option, use a reputable anti-malware program to remove DagaCrypt automatically.
If you want to restore files encrypted by this virus, we strongly suggest following the instructions in step "2. Restore files encrypted by DagaCrypt" below.
Manually delete DagaCrypt from your computer
Note: manual removal of DagaCrypt involves editing system files and the registry, and a mistake there can damage Windows. If you are not comfortable with that, a malware removal tool can perform the removal for you in a few minutes.
Automatically remove DagaCrypt by downloading an advanced anti-malware program
Once the ransomware has been removed, you can attempt decryption. The steps below describe Emsisoft's Stampado Decrypter, which covers Philadelphia (a Stampado variant); it only recovers files whose variant it recognises, so check what the decrypter reports before relying on it:
Step 1: Download the Stampado Decrypter. Philadelphia is a Stampado variant, so it can be decrypted with Emsisoft's Stampado Decrypter. Click the button below to download it for free and save it:
Step 2: Open the decrypter and choose the files to decrypt, either by selecting whole volumes (C:\, D:\) or by clicking Add Folder to add only the folders that matter, which makes the process faster.
Step 3: Click Decrypt and enter the e-mail address and the identification number from your ransom note so that the decrypter can determine the variant and derive the decryption key. Then return to the "Decrypter" tab and repeat the process to start decrypting files.
Be patient; decryption may take some time. The decrypter reports each file as it is decrypted.
Philadelphia Decryptor – Conclusion
After decrypting your files, save them to an external drive and keep more than one backup. For a more professional approach to storing your data safely, see the following article: