Remove DEDCryptor Ransomware and Restore .ded Encrypted Files - How to, Technology and PC Security Forum

A ransomware virus known as DEDCryptor adds the .ded ("grandpa" in Russian) file extension to the files it encrypts. It then changes the user's wallpaper to a message notifying them that their files are enciphered. The message features a vulgar photo of Santa Claus, making it all seem like a joke. However, DEDCryptor is no joke; it demands 2 BTC, which is around 700 USD, to restore the user's access to the files. What is worse, the ransomware uses a 32-character password that is randomly generated after it encrypts the files with the Advanced Encryption Standard (AES) cipher.

Threat Summary

Short Description: The ransomware encrypts files with the AES-256 cipher and asks a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible. A ransom note with instructions for paying the ransom shows as a wallpaper.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

Users infected with DEDCryptor should be advised that there is no breakthrough in decryption so far. However, it is recommended to NOT pay the ransom of 2 BTC and instead, remove this crypto-virus and attempt to restore your files using alternative methods such as the ones posted in this article.

DEDCryptor – Spreading Methods

So far it is unclear whether DEDCryptor uses only one method to infect users or more than one. Either way, infected users report seeing malicious URLs that cause browser redirects to other web links, which could contain the malware itself.

Users may see the malware featured in web links such as the one below:


In addition to that, DEDCryptor may be spread anywhere else such URLs can be posted: forums, comments, social media private messages, posts in groups, etc.

DEDCryptor In Depth

Once installed on the user PC, DEDCryptor situates its payload by masking it behind different names, sometimes randomly generated in different Windows directories, for example:


In addition to that, DEDCryptor crypto-virus takes advantage of different registry entries to change the wallpaper and make itself run on Windows startup:

HKEY_CURRENT_USER\Control Panel\Desktop

After this, the ransomware begins to scan for files to encrypt. Malware researchers report that the following file types are affected:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf

Source: Symantec

The encrypted files have the .ded file extension appended to them, for example:

New Text Document.txt.ded
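
To scope an infection, the naming pattern and the targeted file types listed above can be used to count what was encrypted and what is still intact. The following Python is an added example, not code from the original article or from any vendor tool; the function names and the sample file tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# File types the article lists as targeted (attributed there to Symantec).
TARGETED = set(".txt .doc .docx .xls .xlsx .ppt .pptx .odt .jpg .png .csv .sql .mdb "
               ".sln .php .asp .aspx .html .xml .psd .dll .lnk .pdf".split())
MARKER = ".ded"  # extension the ransomware appends


def original_ext(name):
    """Return the pre-encryption extension for '<name>.<targeted ext>.ded', else None."""
    p = Path(name)
    if p.suffix.lower() != MARKER:
        return None
    inner = Path(p.stem).suffix.lower()
    return inner if inner in TARGETED else None


def triage(root):
    """Walk root; return (encrypted count by original type, intact targeted files, unexplained .ded files)."""
    encrypted, intact, unexplained = Counter(), [], []
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = Path(name).suffix.lower()
            inner = original_ext(name)
            if inner:
                encrypted[inner] += 1
            elif ext == MARKER:
                unexplained.append(name)   # .ded without a targeted inner extension
            elif ext in TARGETED:
                intact.append(name)        # targeted type that has not been encrypted
    return encrypted, sorted(intact), sorted(unexplained)


def demo():
    """Run triage over a constructed sample tree (all file names are made up)."""
    sample = ["New Text Document.txt.ded", "docs/budget.xlsx.ded", "docs/Photo.JPG.DED",
              "docs/notes.txt", "archive.ded", "tools/setup.exe"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample")
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Intact files of a targeted type suggest the encryption pass did not finish and are the first candidates to copy off the machine before cleanup.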

The encryption algorithm used by DEDCryptor ransomware has been reported to be AES-256. The ransomware generates a unique password and may send it to the command and control (C&C) center of the cyber-criminals.

Researchers believe this to be a variant of the EDA2 ransomware, suggesting the virus could have been posted for sale on deep web markets. This may generate additional profits for the creators of EDA2 and, in addition, spread the ransomware further and infect more users. Either way, experts strongly advise against paying any ransom to the cyber-criminals behind DEDCryptor, for several obvious reasons:

  • There is no guarantee you will receive your files back.
  • You support the cyber-criminals.

Remove DEDCryptor Ransomware and Try To Restore the Encrypted Files

To remove this ransomware, you should isolate the threat first. After this, it is recommended to check for any processes related to DEDCryptor which may be actively running on your computer. After this, the files can be deleted as long as the user has cleaned up the registry entries. The full instructions for this can be located in the manual below.

For maximum results, experts advise using an advanced anti-malware program which will take care of the threat and detect other malware as well, if any is on your computer.

To restore your data, it is advisable to try the alternatives in the instructions below. They are not 100 percent guaranteed to work but may restore at least a small portion of your files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
