Dxh26wam Ransomware – Remove It and Restore .crypted Files

This article will help you remove the Dxh26wam ransomware completely. Follow the ransomware removal instructions at the bottom of the article.

Dxh26wam is the name given to a new ransomware cryptovirus. The name comes from an executable file that contains the malicious script for the ransomware and infects users when it is executed. Your files will become encrypted, and the Dxh26wam cryptovirus will leave a ransom note with demands for payment. Read on to see how you could try to restore some of your files.

Threat Summary

Short Description: The ransomware virus encrypts files on your computer and demands payment for unlocking them.
Symptoms: The ransomware will encrypt your files while placing the extension .crypted after it completes its encryption process.
Distribution Method: Spam Emails, Email Attachments, Executables

Dxh26wam Ransomware – Infection

Dxh26wam ransomware could spread its infection via different methods. The payload file that initiates the malicious script for this ransomware, which in turn infects your computer, is circulating on the Internet, and malware researchers have found a sample of it. The VirusTotal detections of that sample by different security programs are shown in the screenshot below:

[Screenshot: VirusTotal detections for the Dxh26wam sample]

Dxh26wam ransomware might also distribute its payload file on social media websites and file-sharing networks. Freeware found on the Web could be presented as useful while hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them, especially if they come from suspicious sources such as links or e-mails. Instead, scan them beforehand with a security tool, and check the size and signatures of these files for anything that seems out of the ordinary. You should also read the ransomware prevention tips thread in the forum.

Dxh26wam Ransomware – In-Depth

Dxh26wam ransomware is named after its main file, Dxh26wam.exe, which is responsible for infecting computers. That file is considered the payload dropper and is associated with hundreds of processes on your PC after it becomes infected. Files will get encrypted with the .crypted extension. Malware researchers have discovered that the encryption for the virus has been written in Python, while the GUI is coded in the Delphi programming language.

Dxh26wam ransomware could make entries in the Windows Registry to achieve persistence and to launch or suppress processes in Windows. Some entries are designed to start the virus automatically with each launch of the Windows operating system, such as the example given right below:


The ransom note shows up after the encryption process is complete. The note is written in English, as well as seven other languages. Inside, you will find very detailed instructions on where to buy cryptocurrency, what the demanded ransom is, how and where to pay that ransom, along with more instructions on what to do for file restoration. The note is contained in a few messages under the name How_Decrypt_My_Files. The main message is shown below:

[Screenshot: main How_Decrypt_My_Files message]

The ransom note reads as follows:

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
1. Pay amount BTC (about of USD) to address:
2. Transaction will take about 15-30 minutes to confirm.
Decryption will start automatically. Do not: power off computer, run antivirus program, disable internet connection. Failures during key recovery and file decryption may lead to accidental damage on files.

[Screenshot: another part of the long set of instructions]

The ransom note and any instructions from the Dxh26wam ransomware should not be followed. Those messages state that to get your files back you have to pay the ransom sum. You should NOT under any circumstances pay those cybercriminals. Your files may not get restored, and nobody can give you a guarantee that they will be. Moreover, giving money to these criminals will likely motivate them to create more ransomware or engage in other criminal activities.

Dxh26wam Ransomware – Encryption Process

A list of the file extensions that the Dxh26wam ransomware seeks to encrypt isn't available at the moment. However, the article will be updated if such a list is discovered. The extensions most likely to get encrypted are the following:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

Every encrypted file has the same .crypted extension appended to its name. The AES and RSA algorithms are used for the encryption process.
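To judge how far the encryption has reached, the two indicators named in this article (the appended .crypted extension and the How_Decrypt_My_Files note) can be counted per folder. The sketch below is an added example, not code from the original article; the function names, the sample folder layout and the .html extension on the sample note are constructed assumptions.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".crypted"          # extension named in the article
NOTE_PREFIX = "how_decrypt_my_files"   # ransom note base name named in the article


def scope_damage(root):
    """Walk root and summarise encrypted files and ransom notes found under it."""
    report = {"encrypted": 0, "notes": [],
              "by_original_ext": Counter(), "dirs": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith(NOTE_PREFIX):
                report["notes"].append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_SUFFIX):
                # The suffix is appended, so the original extension precedes it.
                original = lower[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1] or "(none)"
                report["encrypted"] += 1
                report["by_original_ext"][ext] += 1
                report["dirs"][os.path.relpath(dirpath, root)] += 1
    return report


def build_constructed_tree(root):
    """Create a small, constructed directory tree to run the scan against."""
    layout = {
        "Documents": ["budget.xlsx.crypted", "thesis.docx.crypted", "notes.txt"],
        "Pictures": ["cat.JPG.crypted", "How_Decrypt_My_Files.html"],
        "Backups": ["archive.zip"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        print(scope_damage(tmp))
```

Folders that report zero encrypted files, such as the constructed Backups folder here, are the first candidates for recovering clean copies.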

The Dxh26wam cryptovirus has been reported to erase the Shadow Volume Copies from the Windows operating system by utilizing the following command:

→vssadmin.exe delete shadows /all /Quiet

That command makes the attack more effective, as it eliminates one of the key ways of restoring your files.

Keep reading to see what you can try in order to potentially restore some of your file data.
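Because the command above is issued before or during encryption, it is a useful detection point in process-creation logs. The following is an added example, not code from the original article: it flags vssadmin shadow-copy deletions in constructed, Sysmon-style records, and the hosts, parent paths and field names are assumptions.

```python
# Constructed process-creation records (Sysmon Event ID 1 style);
# hosts, parent paths and field names are made up for this example.
EVENTS = [
    {"host": "WS-01", "parent": r"C:\Users\amy\Downloads\Dxh26wam.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /Quiet"},
    {"host": "WS-02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\VSSADMIN.EXE"  Delete  Shadows /QUIET /ALL'},
    {"host": "WS-03", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r'cmd.exe /c "vssadmin delete shadows /all /quiet"'},
    {"host": "SRV-01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"vssadmin list shadows"},
]


def vssadmin_args(cmdline):
    """Return the lower-cased arguments after vssadmin, or None if it is not invoked."""
    # Dropping quotes and folding case keeps the match stable when the path
    # is quoted, the case is changed or extra spaces are inserted.
    tokens = cmdline.replace('"', " ").lower().split()
    for i, tok in enumerate(tokens):
        if tok.rsplit("\\", 1)[-1] in ("vssadmin", "vssadmin.exe"):
            return tokens[i + 1:]
    return None


def find_shadow_deletions(events):
    """Flag every event whose command line asks vssadmin to delete shadow copies."""
    hits = []
    for ev in events:
        args = vssadmin_args(ev["cmdline"])
        if args is None or "delete" not in args or "shadows" not in args:
            continue
        hits.append({
            "host": ev["host"],
            "parent": ev["parent"].rsplit("\\", 1)[-1],
            # /all together with /quiet is the unattended form quoted in the article.
            "unattended_wipe": "/all" in args and "/quiet" in args,
        })
    return hits


if __name__ == "__main__":
    for hit in find_shadow_deletions(EVENTS):
        print(hit)
```

The benign `vssadmin list shadows` query on SRV-01 is not flagged, so the rule stays quiet during routine backup checks.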

Remove Dxh26wam Ransomware and Restore .crypted Files

If your computer is infected with the Dxh26wam ransomware virus, you should have a bit of experience in removing malware. Get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when a piece of malware locked her out of her own computer.
