The Mr. Dec virus has been discovered in a small attack campaign. While the initial strains do not feature advanced code it is expected that future versions will be much more dangerous. The affected files are renamed with random extensions, read more about the threat in our removal guide.
SIDENOTE: This post was originally published in May 2018. But we gave it an update in August 2019.
|Short Description||The ransomware encrypts sensitive information on your computer system with the .[random-extension] extensions and demands a ransom to be paid to allegedly recover them.|
|Symptoms||The ransomware will encrypt your files with a strong encryption algorithm.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by Mr. Dec |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Mr. Dec.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Mr. Dec Virus — Update August 2019
A recent attack wave using the Mr. Dec ransomware has been detected. However instead of the nae attributed to the ransomware the majority of user complaints are for “you are unlucky the terrible virus”. It is very possible that the original hackers or another criminal group have taken on the threat and created a new version taking on this name.
Given the fact that in this month this version has been used in an attack campaign we assume that possibly new functionality or changes to the behavior pattern have been made. The ransomware note or lockscreen may read warning messages that are designed in a different way than before, possibly with the message you are unlucky the terrible virus has captured your files.
Mr. Dec Virus – Distribution Ways
The Mr. Dec virus has been identified in a very small attack campaign that does not give out the primary distribution tactics. As such we expect that the most common methods are going to be used.
Future Mr. Dec virus campaigns can utilize SPAM email messages that rely on social engineering tactics. They use text and graphics that have been hijacked from legitimate sites, products and services in order to blackmail the recipients into infecting themselves. This is done by either attaching the file directly to the messages or hyperlinking the relevant in the body contents. In connection with this payloads can be spread using them. Two of the most popular examples include the following:
- Software Installers — The criminals behind the threat can embed the relevant virus code in application installers. Usually the most popular ones are used: creativity suites, system utilities, productivity apps, office programs and even computer games.
- Infected Documents — Using similar mechanisms the hackers may embed scripts that lead to the Mr. Dec infection. Practically all document types can be affected: text files, presentations, databases or spreadsheets. Once they are opened by the victims a notification message will appear asking the users to enable the built-in macros. If they do this then the infection will begin.
Another possibility would be the use of browser hijackers. They represent malicious web browser plugins that are made for the most popular applications: Mozilla Firefox, Google Chrome, Internet Explorer, Opera, Safari and Microsoft Edge. Their main goal is to redirect the victims to a hacker-controlled site by changing the browser’s default settings — home page, search engine and new tabs page. Afterwards the Mr. Dec virus infection follows. These strains are usually found on the relevant web browser plugin repositories. The hackers typically make use of fake developer credentials and user reviews along with an elaborate description with the promise of adding new useful features or otherwise changing the browsing experience.
Other delivery methods include the use of web scripts that come in various forms and can even affect legitiamte and well-known sites through compromised ad and affiliate networks. The most common forms are all manners of pop-ups, redirects, in-body hyperlinks and other scripts.
Mr. Dec Virus – In-Depth Analysis
The Mr. Dec virus appears to be a newly created ransomare that does not originate from any of the well-known malware families. This means that either the threat has been created by by its operators or it has been bought from the underground markets. Whatever its origins it appears that the captured samples are test versions or the initial builds. This means that many of the essential virus features are not yet integrated. If the first attacks are successful then future versions will likely be developed.
The initial infection can begin with an information gathering engine. It is programmed to harvest various types of strings in advance. The harvested campaign metrics can be used to optimize the attacks by registering the installed hardware components and certain operating system strings. The same engine can be used to harvest personally-identifiable about the victims that can expose their identity. Example strings include their name, address, telephone number, geographic location, interests, passwords and account credentials.
The information can be processed by the stealth protection module which protects the malicious executable from any applications or services that can interfere with its correct execution. Examples include anti-virus products, sandbox environments and virtual machine hosts.
The Mr. Dec virus can be programmed into modifying the Windows Registry entries related either to the user-installed applications or the operating system itself. When the virus modifies application entries certain services or functions can be rendered non-working. Windows-related entries can lead to overall performance issues.
This is also used to set the Mr. Dec virus as a persistent threat. This means that the virus will start automatically once the computer boots and access to certain menu options will be blocked. This includes the recovery boot menu. In such cases the only way to recover the infected machines is by using a quality anti-spyware solution, read our removal instructions for further information. To make recovery more difficult the threat can also be configured to delete the Shadow Volume Copies of the affected data. This means that data recovery is possible with the use of a professional application.
Advanced versions of the Mr. Dec virus can also be used with a malware network connection to the hacker-controlled servers. It is used in order to harvest the acquired personal data, as well as spy upon the victims in real time. Such methods are widely used in a Trojan-like manner that allow the controllers to overtake control of the machines. They are also among that main methods that are used to deploy additional threats.
We remind our readers that many of the updated ransomware threats at some point add browser hijacker like code that can interact with web browsers and other user-installed applications. This includes the likes of tracking cookies, plugins and other malicious software without the victim’s consent and knowledge.
Mr. Dec Virus – Encryption Process
The associated ransomware engine with the Mr. Dec virus is fully functional even with the test versions that were captured by the analysts. Like other popular ransomware threats it uses a strong cipher (AES) that is used to encrypt sensitive user data. It uses a built-in list that affects the following data:
Instead of using a generic rename template the Mr. Dec virus processes the affected data with a random extension which follows the following formula: .[ID]
A ransomware note is crafted in a file called Decoding help.hta that contains the following message:
You are unlucky! The terrible virus has captured your files! For decoding please contact by email email@example.com or firstname.lastname@example.org
ID ***** ID
1. In the subject line, write your ID.
2. Attach 1-2 infected files that do not contain important information (less than 2 mb)
3. Attach the file with the location c:\Windows\DECODE KEY.KEY
are required to generate the decoder and restore the test file.
Hurry up! Time is limited!
At the end of this time, the private key for generating the decoder will be destroyed. Files will not be restored!
Remove Mr. Dec Virus and Restore .[random-extension] Files
If your computer system got infected with the Mr. Dec ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.