.doubleoffset Files Virus – How to Remove and Restore Files


This article has been created in order to help you by explaining how to remove the .doubleoffset files virus from your PC and how to restore encrypted files.

A new version of the notorious Cryakl ransomware has been detected in the wild. The version is v1.5.1.0 and aims to encrypt the files on the victimized computers. In addition to this, the .doubleoffset file extension is added to the encrypted files, along with a possible ransom note which demands that victims pay a hefty ransom fee in order to decrypt the encrypted files. In case your computer is among the ones infected by the .doubleoffset files virus, recommendations are to read the following article and focus on removing this malware from your computer and restoring your files.

Threat Summary

Name: .doubleoffset Virus
Type: Ransomware, Cryptovirus
Short Description: A variant of the Cryakl Ransomware family. Aims to encrypt the files on your computer and ask for a hefty ransom payoff in order to restore them.
Symptoms: The files on the infected computer are encrypted and given an extension pointing to the e-mail dorispackman@tuta.io, with the .doubleoffset suffix added to them.
Distribution Method: Spam Emails, Email Attachments, Executable files

.doubleoffset Files Virus — April 2019 Update

In April 2019 a new outbreak of the .doubleoffset ransomware was detected using a new ransom note. This means that a different hacking collective is very likely to be behind it. The probable reason is that the Cryakl ransomware code has been released on the dark underground markets and is available for customization. Hacking collectives can offer their services for this, or the hackers can create the new samples by themselves.

As soon as the included modules have finished running, the ransomware operations will commence, encrypting the files and appending the .doubleoffset extension.

.doubleoffset Ransomware – Distribution Methods

The Cryakl ransomware infection is the type of malware that can slither into your PC in a multitude of ways. For starters, the virus may use obfuscation methods which can help it remain undetected by antivirus engines. In addition to this, the ransomware infection may also use other forms of infection files which enter your computer via the Remote Desktop Protocol, a malicious infection kit, or exploits for Windows vulnerabilities. The infection process may be conducted by sending you an e-mail which may contain a malicious e-mail attachment (the infection file) pretending to be a:

  • Receipt.
  • An invoice.
  • Order receipt.
  • Fake banking statement.

If you receive the file via an e-mail, the file may be a JavaScript file, a .vbs script or even a disguised .docm file for Microsoft Word which can infect your computer via malicious macros. In addition to this, the cyber-criminals can also make the e-mail appear to come from a large company in order to increase the victims' trust.

Besides e-mail, this variant of Cryakl may also be uploaded online, imitating legitimate types of programs, like:

  • Setups of software or games.
  • Game or program patches, cracks, key generators or other forms of license activators.

.doubleoffset Files Virus – More Information

As soon as the infection has been performed, the variant of Cryakl drops its malicious files on the compromised computer, similar to what other variants of this virus do. During this process, the victim's computer may stagger and even freeze for a brief moment. The malicious files of the .doubleoffset files virus may be dropped in the following Windows folders under different filenames:

As soon as the .doubleoffset files virus has completed the file dropping process, the ransomware may begin to perform malicious tasks on the victim’s computer, among which may be the following:

  • Create mutexes.
  • Touch important Windows files.
  • Interfere with the Windows Registry Editor.

The virus may target the Run and RunOnce Windows Registry sub-keys in order to add registry values with their corresponding data, which makes it possible for the malicious files of the .doubleoffset ransomware to run automatically on system boot. The location of the sub-keys in most Windows versions is the following, and in them you may find value strings with random names:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to interfering with the Windows Registry sub-keys, the ransomware may also perform other activities on the compromised computer, such as disable the Windows recovery services and delete the shadow volume copies within the infected PC in order to sabotage file recovery via those methods. The virus may do this by executing the following administrator commands in Windows Command Prompt:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
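As an added defender-side example (not from the article or from any vendor tool), the following Python script applies simple detection rules to constructed process-creation log lines: it flags the vssadmin/bcdedit recovery-sabotage chain quoted above and writes to the Run/RunOnce autostart keys described earlier. The "image | command line" log format, the sample lines and the random value name are assumptions made for the example.

```python
import re

# Constructed sample process-creation events in an assumed "image | command line"
# format. These are not real telemetry from the .doubleoffset campaign.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\wbem\WMIC.exe | wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
    r'C:\Windows\System32\vssadmin.exe | vssadmin list shadows',
    r'C:\Windows\System32\reg.exe | reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v xk2j9q /t REG_SZ /d C:\Users\Public\xk2j9q.exe',
    r'C:\Windows\explorer.exe | explorer.exe',
]

# Detection rules keyed by name. Each regex covers one of the recovery-sabotage or
# persistence behaviours described in the article; matching is case-insensitive.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "boot_failures_ignored": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "run_key_autostart": re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.I),
}


def classify(command_line):
    """Return the names of all rules that fire on a single process command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def scan(events):
    """Return (event, hits) pairs for every event matching at least one rule.

    Benign lines such as 'vssadmin list shadows' produce no hits; the chained
    WMIC command fires three rules at once, which is the strongest signal.
    """
    findings = []
    for line in events:
        _image, _, cmd = line.partition(" | ")
        hits = classify(cmd)
        if hits:
            findings.append((line, hits))
    return findings


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}: {line[:80]}")
```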

.doubleoffset Files Virus – Encryption Procedure

The Cryakl .doubleoffset ransomware aims to perform different activities prior to encrypting files. Firstly, the virus checks whether it is running on a virtual drive of some sort, and if this is not the case, the malware immediately deletes itself. Otherwise, the .doubleoffset ransomware may scan for and encrypt the following types of files on your computer:

  • Audio files.
  • Videos.
  • Pictures.
  • Archives.
  • Microsoft Office and other document file types.

The virus may also have a whitelist of Windows system folders, such as %Windows%, in which it does not encrypt files at all, so that the system keeps booting.

After the Cryakl ransomware has attacked your computer and encrypted the files on it, it may leave them with a rather long file extension and an e-mail, like the picture below shows:

As visible from the picture above, the virus aims to get the victims to open its README.txt file, containing what appears to be instructions on what to do to get your files back. Researchers strongly recommend not paying the ransom, removing this ransomware virus and trying to restore your files via other methods instead.

Remove Cryakl Ransomware and Restore .doubleoffset Files

In order to eliminate this ransomware infection completely from your computer system, recommendations are to follow the removal instructions underneath this article. They are specifically created to help you delete the virus files either manually or automatically, based on how much experience you have in removing malware. If you lack such experience or do not feel confident that you have removed this ransomware completely, experts always point out that using an anti-malware program to remove this ransomware automatically is the best method to go for.

If you want to restore .doubleoffset encrypted files on your PC, do not panic, because there is more than one method to do so. You can try the alternative methods underneath this article in step "2. Restore files, encrypted by .doubleoffset Virus" down below. They may not be a 100% solution to recovering your data, but may help you restore as many encrypted files as possible.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
