.Dexter Virus (Troldesh Ransomware) Removal - Restore Files

.Dexter Virus (Troldesh Ransomware) Removal – Restore Files

This article will aid you in removing .Dexter File Virus in full. Follow the ransomware removal instructions provided at the end of this article.

The .dexter extension is appended as a secondary extension to files encrypted by a new variant of the Troldesh ransomware. After the payload of the cryptovirus is executed, your files will get encrypted and the virus will leave multiple copies of its ransom message with instructions for payment. Continue reading below to see how you could try to potentially restore some of your data.

Threat Summary

Name.Dexter Virus (Troldesh)
Short DescriptionThe ransomware virus encrypts files on your computer and leaves a note demanding you to contact the cybercriminals about the ransom price.
SymptomsThe ransomware will encrypt your files and then change their names, append two extensions – one that is 44 symbols in length and the other: .dexter.
Distribution MethodSpam Emails, Email Attachments, Executable Files
Detection Tool See If Your System Has Been Affected by .Dexter Virus (Troldesh)


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .Dexter Virus (Troldesh).
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Dexter Virus (Troldesh Ransomware) – Spread

The .Dexter file virus could spread its infection through different methods. A method that is observed to be quite common is with a payload file that launches the malicious script for the ransomware, which in turn infects your PC. Malware researchers have observed such payload files, and you can see the analysis of one, uploaded to VirusTotal, and more accurately – its detections from different AV vendors:

The .Dexter file virus could spread its payload file on social media sites and file-sharing networks. Freeware applications which are found on the Web could be presented as useful but at the same time could hide the malicious script for the cryptovirus. Avoid opening files right after you have downloaded them. Especially ones that came from sources such as suspicious emails or links. What you should do instead is to scan files before opening them with a security tool, while also checking their size and signatures for anything that seems unordinary. Also, you should read the ransomware prevention tips given in our forum.

.Dexter Virus (Troldesh Ransomware) – Details

The .Dexter file virus is a ransomware cryptovirus that appends the .dexter extension to all files that it encrypts. Malware researchers state that the ransomware is a variant of the Troldesh Ransomware Virus.

The .Dexter file virus could make entries in the Windows Registry to achieve persistence, launch and repress processes in Windows. Some entries are designed in a way that will start the virus automatically with each launch of the Windows Operating System, and one such entry is shown right here:


The ransom note will appear in your computer after the encryption process is completed. The note is written in both Russian and English, but the virus could target speakers from other language groups, too. Inside, you will see instructions for what to do to allegedly get your files restored. The ransom note is copied multiple times, as known for previous Troldesh variants, ranging up to 10 files with a name: “README1.txt”, “README2.txt” etc.

The README1.txt file contains the following ransom note:

The ransom note states the following:

Ваши файлы были зашифрованы.
Чтобы расшuфроваmь их, Вам необходимо оmправиmь код:
0123456789АВСDЕF0123 | 0
на элеkmронный адрес [email protected]
Далее вы nолучиmе все необходимые инструkции.
Попытки расшифроваmь самостоятельно не приведут нu к чему, kроме безвозвратной nотери uнформацuи.
Если вы всё же хоmиmе nоnыmаться, mо nредварительно сделайте резервные kопиu файлов, uначе в случае
uх uзменения расшифровkа сmанет невозможной нu nри какuх условиях.
Если вы не nолучuлu оmвета по вышеуказанному адресу в mеченuе 48 часов (и тольkо в этом случае! ),
воспользуйmесь формой обраmной связи. Это можно сделать двумя способами:
1) Скачайmе u усmановиmе Tor Browser nо ссылkе: https://www.torproject.org/download/download-easy.html.en
В адресной строке Tor Browser-а введuте адрес:
и нажмuте Enter. Загрузuтся страница с формой обратной связи.
2) В любом браузере перейдите по одному uз адресов:

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
0123456789АВСDЕF0123 | 0
to e-mail address [email protected]
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
Install it and type the following address into the address bar :
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:

The makers of the Troldesh ransomware are using the TOR Network as a contact system, besides Gmail. The following addresses are provided as a way of communicating with them:

  • [email protected]
  • http://cryptsen7fo43rr6.onion/
  • http://cryptsen7fo43rr6.onion.to/
  • http://cryptsen7fo43rr6.onion.cab/

Instructions you read in the ransom note of the .Dexter file virus should not be followed. You should NOT under any circumstances come in to contact the cybercriminals. Nobody could give you a guarantee that your files will get restored if you pay the ransom. Furthermore, financially supporting cybercriminals is a bad idea. That may inspire the crooks to continue making ransomware viruses and get involved with more criminal activities.

.Dexter Virus (Troldesh Ransomware) – Encryption

In case the .Dexter file virus seeks to encrypt files with extensions similar to its previous variants, then those extensions would be the following:

→.3ds .3fr .3g2 .3gp .7z .accda .accdb .accdc .accde .accdt .accdw .adb .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .anim .arw .as .asa .asc .ascx .asm .asmx .asp .aspx .asr .asx .avi .avs .backup .bak .bay .bd .bin .bmp .bz2 .c .cdr .cer .cf .cfc .cfm .cfml .cfu .chm .cin .class .clx .config .cpp .cr2 .crt .crw .cs .css .csv .cub .dae .dat .db .dbf .dbx .dc3 .dcm .dcr .der .dib .dic .dif .divx .djvu .dng .doc .docm .docx .dot .dotm .dotx .dpx .dqy .dsn .dt .dtd .dwg .dwt .dx .dxf .edml .efd .elf .emf .emz .epf .eps .epsf .epsp .erf .exr .f4v .fido .flm .flv .frm .fxg .geo .gif .grs .gz .h .hdr .hpp .hta .htc .htm .html .icb .ics .iff .inc .indd .ini .iqy .j2c .j2k .java .jp2 .jpc .jpe .jpeg .jpf .jpg .jpx .js .jsf .json .jsp .kdc .kmz .kwm .lasso .lbi .lgf .lgp .log .m1v .m4a .m4v .max .md .mda .mdb .mde .mdf .mdw .mef .mft .mfw .mht .mhtml .mka .mkidx .mkv .mos .mov .mp3 .mp4 .mpeg .mpg .mpv .mrw .msg .mxl .myd .myi .nef .nrw .obj .odb .odc .odm .odp .ods .oft .one .onepkg .onetoc2 .opt .oqy .orf .p12 .p7b .p7c .pam .pbm .pct .pcx .pdd .pdf .pdp .pef .pem .pff .pfm .pfx .pgm .php .php3 .php4 .php5 .phtml .pict .pl .pls .pm .png .pnm .pot .potm .potx .ppa .ppam .ppm .pps .ppsm .ppt .pptm .pptx .prn .ps .psb .psd .pst .ptx .pub .pwm .pxr .py .qt .r3d .raf .rar .raw .rdf .rgbe .rle .rqy .rss .rtf .rw2 .rwl .safe .sct .sdpx .shtm .shtml .slk .sln .sql .sr2 .srf .srw .ssi .st .stm .svg .svgz .swf .tab .tar .tbb .tbi .tbk .tdi .tga .thmx .tif .tiff .tld .torrent .tpl .txt .u3d .udl .uxdc .vb .vbs .vcs .vda .vdr .vdw .vdx .vrp .vsd .vss .vst .vsw .vsx .vtm .vtml .vtx .wb2 .wav .wbm .wbmp .wim .wmf .wml .wmv .wpd .wps .x3f .xl .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xps .xsd .xsf .xsl .xslt .xsn .xtp .xtp2 .xyze .xz .zip

Every file that gets encrypted will get a filename change resulting in a new 44 symbol name, followed by two extensions. The first extension is your ID (which here is 0123456789АВСDЕF0123) and the distinctive .dexter extension appended as a secondary extension to each of the encrypted files. The encryption algorithm is currently unknown, but suspected to be a high-bit RSA one.

The .Dexter file virus cryptovirus is very likely to delete the Shadow Volume Copies from the Windows Operating System. That will surely make the encryption process more viable since it will eliminate one of the file decryption ways. Keep reading to see what ways you can try out to potentially recover some of your data.

.Dexter Virus (Troldesh Ransomware) Removal. Restore Your Files

In case your computer got infected with the .Dexter file virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread deeper and infect more computer systems. You should remove this ransomware and follow the step-by-step instructions guide provided down below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share