The .dewar virus is Phobos ransomware that is currently being deployed against end users on a global scale. There is no information available about the hacking group behind it. It is believed to be a new iteration of the well-known ransomware family, which is one of the reasons why we believe that the hackers are experienced.
Once the .dewar virus has started, it will execute its built-in sequence of dangerous commands. Depending on local conditions or the specific instructions of the hackers, various actions will take place. The file encryption begins after them: the encrypting component uses a built-in list of target file type extensions. In the end the victim files are renamed with the .dewar extension.
| Field | Description |
|---|---|
| Short Description | The ransomware encrypts files on your computer and demands a ransom to be paid to allegedly restore them. |
| Symptoms | The ransomware blackmails the victims into paying a decryption fee. Sensitive user data may be encrypted by the ransomware code. |
| Distribution Method | Spam Emails, Email Attachments |
Security specialists have discovered a new version of the Phobos virus family, called the .dewar virus after the extension the processed files receive. It is quite possible that the attacks are planned by an unknown hacking collective that is not related to the previous attacks. This is evident from the fact that the code of the Phobos ransomware appears to be available on underground forums.
The .dewar virus can easily be spread to victims by phishing campaigns: email messages and phishing sites that are designed to impersonate companies and service landing pages. These can also carry infected files, such as macro-infected documents or setup files of popular software. When users open them, the built-in code leads to the .dewar virus infection.
The ransomware can also spread by uploading the necessary files to file-sharing networks, including BitTorrent, where many popular legitimate and pirated files are distributed. The criminals may also use fake names and other methods to spread the files further.
As soon as the .dewar virus is installed on a given system, the main engine immediately starts executing its built-in commands. These may differ according to local conditions or the hacker configuration. Most infections start the sequence with an information gathering module, which actively searches for information about the victims and/or their machines. This is used to generate a report of the installed hardware parts; any personal information collected about the users can be used for various financial fraud scenarios. Other common actions taken by the virus engine modify the system and may include the following:
- Persistent Installation: The .dewar virus can be installed in a way that automatically starts the infection when the computer is powered on. This can also block access to the recovery boot options.
- Windows Registry Changes: The main engine can be programmed to edit or delete values stored in the Windows Registry. This may lead to data loss, unexpected errors and the inability to start certain programs.
- Additional Virus Infections: The .dewar virus can be used to install other malware on the target computers. This is very dangerous, as such infections are used to deliver threats such as cryptocurrency miners, browser hijackers and Trojans.
- Data Gathering: The virus can be programmed to harvest sensitive information about the users and their machines. A report of the installed hardware components is generated, which can be processed by another module to produce a unique ID: a string of characters the hackers can use to identify individual machines.
Phobos ransomware such as the .dewar virus starts to encrypt target user data once all prior modules have finished running. The engine targets the most popular file types according to a built-in list; possible victims include databases, documents, multimedia files, backups and archives. All of them receive the .dewar extension as a mark that they are encrypted and inaccessible to the users. The victims are then blackmailed with a ransom note presented to them. Using social engineering tactics and blackmail messages, they are manipulated into paying a ransom fee, usually in cryptocurrency.
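A defender-side triage helper for the renaming behaviour described above, added here as an example rather than code from the original write-up or from the malware: it assumes the .dewar marker is simply appended after the original extension, uses an assumed extension-to-category map for the data types the write-up names, and runs over a constructed file listing.

```python
from collections import Counter
from pathlib import PurePosixPath

# Marker the write-up says is appended to every processed file. Assumed to follow the
# original extension (e.g. "report.docx.dewar"); a constructed model, not the real scheme.
DEWAR_SUFFIX = ".dewar"

# File categories the write-up names, with representative original extensions (assumed).
CATEGORIES = {
    "databases": {".db", ".sqlite", ".mdb", ".sql"},
    "documents": {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"},
    "multimedia": {".jpg", ".png", ".mp3", ".mp4"},
    "backups": {".bak", ".vhd", ".vmdk"},
    "archives": {".zip", ".rar", ".7z", ".tar"},
}

def is_dewar_encrypted(name: str) -> bool:
    """True when the file name carries the .dewar marker (case-insensitive)."""
    return name.lower().endswith(DEWAR_SUFFIX)

def original_name(name: str) -> str:
    """Recover the pre-encryption name by stripping the appended marker."""
    if not is_dewar_encrypted(name):
        raise ValueError(f"not a .dewar-marked file: {name}")
    return name[:-len(DEWAR_SUFFIX)]

def categorize(name: str) -> str:
    """Map an encrypted file to one of the write-up's data categories, or 'other'."""
    ext = PurePosixPath(original_name(name)).suffix.lower()
    for category, extensions in CATEGORIES.items():
        if ext in extensions:
            return category
    return "other"

def triage(paths):
    """Summarise a listing: marked-file count, categories hit, encrypted share, originals."""
    encrypted = [p for p in paths if is_dewar_encrypted(p)]
    return {
        "encrypted": len(encrypted),
        "by_category": Counter(categorize(p) for p in encrypted),
        "ratio": len(encrypted) / len(paths) if paths else 0.0,  # quick severity signal
        "originals": [original_name(p) for p in encrypted],
    }

# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    "report.docx.dewar", "photos/holiday.jpg.dewar", "db/customers.sqlite.dewar",
    "notes.txt", "backup.bak.dewar", "readme.md.dewar", "DATA/archive.ZIP.DEWAR",
]
```

Running `triage(SAMPLE_LISTING)` over a real directory listing gives an incident responder a first estimate of which data classes were hit and how far the encryption progressed.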
Remove .dewar Virus
If your computer system has been infected with the .dewar ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step guide provided below.