.dat Files Virus (Jigsaw) - Remove It and Restore Data



This article provides specific details on an iteration of Jigsaw ransomware dubbed the .dat crypto virus, as well as step-by-step removal instructions followed by alternative data recovery approaches.

An infection with the so-called .dat crypto virus leads to the corruption of valuable files stored on your PC. Once encrypted, the files remain inaccessible until an efficient recovery solution is applied. The name of this ransomware derives from the specific extension it uses to mark encrypted files – .dat. Another trait of an infection with this ransomware is a ransom message that attempts to blackmail you into paying hackers a predefined ransom. Since there is a chance to restore .dat files with the help of alternative methods, we advise you to refrain from paying the ransom regardless of its amount.

Threat Summary

Name: .dat Files Virus
Type: Ransomware, Cryptovirus
Short Description: A data locker ransomware that utilizes the strong cipher algorithm AES to encrypt valuable files stored on the computers it infects. Upon encryption, it demands a ransom for a decryption solution.
Symptoms: Access to important files is restricted while they are all renamed with the .dat extension. A ransom message blackmails you into paying hackers a ransom.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.dat Files Virus – Distribution

The infection code of .dat files virus could be spread with the help of various shady techniques like email spam messages, corrupted web pages, malvertising campaigns, software bundles, freeware packages and more.

In general, attackers prefer to spread their malicious code via spam email messages. Their aim is to make you believe that the email was sent by a legitimate source and this way trick you into interacting with a malicious component that triggers the infection process. The malware code is often embedded in documents, images, and PDFs. All these commonly used files are then spread via massive email spam campaigns in the form of email attachments. The campaigns may be targeting users worldwide. Once you download the email attachment and open it on your PC, you unintentionally trigger the ransomware payload.

If you want to keep your system secure against devastating threats like the .dat files virus in the future, we advise you to open files that seem dubious only after you scan them with a free online extractor. The results of the scan will help you understand whether the file contains malicious elements or not.

.dat Files Virus – Infection Overview

The infection with the .dat crypto virus begins when its malicious payload is started on the system. With the help of only one executable file, the ransomware could either drop additional files from its command and control server or create new ones directly on the system. All of these malicious files are designed to corrupt various system settings, which in turn enables the threat to evade detection and achieve persistence.

There are a few folders that are regularly detected to keep malicious ransomware files and they are:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

So it is possible that files associated with the .dat crypto virus are located in some of the above-mentioned folders. Another system component that is often plagued by crypto viruses like this Jigsaw ransomware iteration is the Windows Registry.

The Windows Registry is a hierarchical database that stores low-level settings, options and values, all designed to manage the smooth performance of the operating system and installed apps. Most of the time, ransomware manipulates the Run and RunOnce subkeys, as they cause the automatic execution of all necessary files on each system start. With their help, the .dat files virus becomes able to run its infection files whenever you power on the computer.

In addition, the crypto virus may add malicious values under these subkeys in order to display its ransom note. This usually happens after all target files are encrypted. This note is likely to inform you about the presence of the ransomware and reveal the devastating impact of the threat. Its primary purpose is to urge you to pay hackers a ransom for a data decryption tool. The message could either urge you to contact hackers at a given email or blackmail you into transferring them a specified amount of money. The following image is also associated with the .dat Jigsaw variant and may be dropped or displayed on your PC:

[Image: .dat files virus Jigsaw ransomware image]
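One way to review the Run and RunOnce subkeys described above, as an added example that is not part of the original article: it parses `reg query` output and lists values that reference the user-writable folders named earlier. The sample output, value names and file paths are constructed, and the mapping of the listed folders to real paths and variables is an assumption of this example; a hit is a candidate for review, since legitimate software (OneDrive here) also starts from AppData.

```python
import re

# Constructed `reg query` output. The key paths are the real Run/RunOnce
# locations; value names and file names are made up for illustration.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater Service    REG_SZ    C:\Users\alice\AppData\Roaming\upd\svc.exe
    Readme    REG_EXPAND_SZ    %TEMP%\readme.txt

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_SZ    cmd.exe /c del "C:\Users\alice\AppData\Local\Temp\old.log"
"""

# Assumption: the folders the article lists, as they appear in real paths
# (AppData\Roaming, AppData\Local, AppData\LocalLow, Temp) or variables.
USER_WRITABLE = re.compile(
    r"\\appdata\\(roaming|local|locallow)\\|\\temp\\"
    r"|%(appdata|localappdata|temp|tmp)%", re.IGNORECASE)
# `reg query` prints value lines as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Launched program: a quoted path, or text up to the first script/executable extension.
PROGRAM = re.compile(
    r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|vbs|js)\b|\S+))', re.IGNORECASE)

def audit_run_keys(reg_query_text):
    """Return Run/RunOnce values that reference a user-writable folder."""
    findings, key = [], None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not re.search(r"\\Run(Once)?$", key, re.I):
            continue
        data = m["data"]
        prog = PROGRAM.match(data)
        program = (prog.group(1) or prog.group(2)) if prog else data
        if USER_WRITABLE.search(program):
            where = "program"      # the autostart target itself lives there
        elif USER_WRITABLE.search(data):
            where = "argument"     # only an argument points there
        else:
            continue
        findings.append({"key": key, "name": m["name"],
                         "program": program, "where": where})
    return findings
```
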

.dat Files Virus – Encryption Process

When the ransomware establishes its malicious files on the system, it continues with the main stage of the infection process, which is data encryption. Like its predecessors, the .dat crypto virus is likely to use the AES cipher algorithm to encrypt target files. Once the original code of target files is transformed with the help of the AES cipher, they remain inaccessible until an efficient recovery solution is put into use. The types of files it may corrupt include all of the following:

→.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as.txt, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxf.c, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip

With such a long list of extensions, you may find all files that store valuable information corrupted by the ransomware. This includes your:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

Encrypted files can be recognized by the specific extension .dat appended to their original names. This extension is one of the traits of infection with this Jigsaw ransomware version.

The crypto virus could be set to erase all Shadow Volume Copies from the Windows operating system as well. This way it eliminates one of the prominent ways to restore your data. The process happens with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet
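Detection logic for the command above, as an added example that is not part of the original article: it scans process-creation records for vssadmin being asked to delete shadow copies, tolerating differences in case, quoting and full paths. The event records, field names, hosts and users are constructed for illustration.

```python
import ntpath
import shlex

# Constructed process-creation records (the fields a Sysmon Event ID 1 or
# Security 4688 export carries); hosts, users and times are made up.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T10:14:07Z", "host": "WS-017", "user": "alice",
     "cmdline": r"vssadmin.exe delete shadows /all /Quiet"},
    {"time": "2024-01-15T10:15:30Z", "host": "WS-017", "user": "alice",
     "cmdline": r'"C:\Windows\System32\VSSADMIN.EXE" Delete Shadows /All /quiet'},
    {"time": "2024-01-15T11:02:44Z", "host": "SRV-02", "user": "backupsvc",
     "cmdline": r"vssadmin list shadows"},
    {"time": "2024-01-15T11:05:10Z", "host": "WS-020", "user": "bob",
     "cmdline": r"notepad.exe C:\notes\vssadmin delete shadows.txt"},
]

def split_cmdline(cmdline):
    """Tokenize a Windows command line; lower-case and drop surrounding quotes."""
    try:
        parts = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:                             # unbalanced quote
        parts = cmdline.split()
    return [p.strip('"').lower() for p in parts]

def find_shadow_copy_deletions(events):
    """Return events where vssadmin itself is asked to delete shadow copies."""
    hits = []
    for ev in events:
        parts = split_cmdline(ev["cmdline"])
        # Match on the launched image, not on the string appearing anywhere.
        if not parts or ntpath.basename(parts[0]) not in ("vssadmin", "vssadmin.exe"):
            continue
        args = parts[1:]
        if "delete" in args and "shadows" in args:
            hits.append({**ev,
                         "all_copies": "/all" in args,
                         "prompt_suppressed": "/quiet" in args})
    return hits

if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(hit["time"], hit["host"], hit["user"], hit["cmdline"])
```
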

If your computer was infected with this Jigsaw ransomware version and your files are locked, read on to find out how you could potentially restore some files back to their normal state.

Remove .dat Files Virus and Restore Data

Below you can find how to remove the .dat files virus step by step. To remove this ransomware manually, you need a bit of technical experience and the ability to recognize traits of malware files. Beware that ransomware is a threat with highly complex code that plagues not only your files but your whole system. So, as recommended by security researchers, you need to utilize an advanced anti-malware tool for its complete removal. Such a tool will keep your system protected against devastating threats like this iteration of Jigsaw and other kinds of malware that endanger your online security.

After you remove the ransomware make sure to check the “Restore Files” step listed in the guide below. But before you take any further actions, don’t forget to back up all encrypted files to an external drive in order to prevent their irreversible loss.

Gergana Ivanova


Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.
