Remove DEDCryptor Ransomware and Restore .ded Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com
A ransomware virus known by the name DEDCryptor adds the .ded (grandpa in Russian) file extension to the files it encrypts. The encryptor then changes the user's wallpaper to a message notifying them that their files are enciphered. The message features a vulgar photo of Santa Claus, making it all seem like a joke. However, DEDCryptor is no joke; it demands the sum of 2 BTC, which is around 700 USD, to restore the user's access to the files. What is worse, the ransomware uses a 32-character password randomly generated after it encrypts the files with the Advanced Encryption Standard (AES) cipher.

Threat Summary

Name: DEDCrypt
Type: Ransomware
Short Description: The ransomware encrypts files with the AES-256 cipher and asks for a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible. A ransom note with instructions for paying the ransom shows as a wallpaper.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

Users infected with DEDCryptor should be advised that there is no breakthrough in decryption so far. However, it is recommended NOT to pay the ransom of 2 BTC and instead to remove this crypto-virus and attempt to restore your files using alternative methods such as the ones posted in this article.

DEDCryptor – Spreading Methods

So far it is unclear whether DEDCryptor uses only one method to infect users or more than one. Either way, infected users report seeing malicious URLs which cause browser redirects to other web links that could contain the malware itself.

Users may see the malware featured in web links such as the one below:

[Image: spam-email-sensorstechforum]

In addition, DEDCryptor may be spread anywhere else such URLs can be posted: forums, comments, social media private messages, posts in groups, etc.

DEDCryptor In Depth

Once installed on the user's PC, DEDCryptor places its payload in different Windows directories, masking it behind different names, some of them randomly generated, for example:

[Image: commonly-used-file-names-and-folders]

In addition, the DEDCryptor crypto-virus takes advantage of the following registry entries to change the wallpaper and make itself run on Windows startup:

HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
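
A triage check for the three keys listed above, added here as an example and not part of the original article: it parses saved `reg query` text output, reports the Wallpaper value and lists Run/RunOnce entries whose executable sits in a user-writable folder. The folder list, the function names and the sample entries are assumptions constructed for illustration, not DEDCryptor's actual paths.

```python
import re

# Keys the article names; matching below is case-insensitive.
DESKTOP_KEY = r"hkey_current_user\control panel\desktop"
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
# Assumption: generic user-writable folders worth reviewing, not a list of
# DEDCryptor's real drop paths.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# `reg query` prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")
EXE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|vbs|js))(?:\s|$)", re.I)

# Constructed sample of saved `reg query` output (not from a real infection).
SAMPLE = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    Wallpaper    REG_SZ    C:\Users\alice\AppData\Roaming\note.jpg

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /silent
    svch0st    REG_SZ    C:\Users\alice\AppData\Roaming\svch0st.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"""

def command_path(data):
    """Return the executable part of a Run-style command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = EXE.match(data)
    return m.group(1) if m else data

def triage(text):
    """Return the wallpaper path and the autorun entries to review."""
    result, key = {"wallpaper": None, "review": []}, ""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if line.startswith("HKEY_"):
            key = line.strip().lower()
        elif m and key == DESKTOP_KEY and m[1].lower() == "wallpaper":
            result["wallpaper"] = m[3]
        elif m and key in AUTORUN_KEYS:
            path = command_path(m[3]).lower()
            if any(folder in path for folder in USER_WRITABLE):
                result["review"].append((key.rsplit("\\", 1)[-1], m[1], m[3]))
    return result
```

Legitimate software also starts from per-user folders, so the returned entries are a review list rather than a verdict.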

After this, the ransomware begins to scan for different files to encrypt. Malware researchers report the affected file types to be the following:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf (Source: Symantec)

The encrypted files have the .ded file extension appended to them, for example:

New Text Document.txt.ded
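
To scope the damage, the extension list and the `.ded` suffix described above can drive a read-only inventory. This is an added example, not code from the original article; the function name and report fields are assumptions, and the extension set is copied from the list above.

```python
import os
from collections import Counter

# Extensions the article lists (source: Symantec) as targeted for encryption.
TARGETED = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
    ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
    ".aspx", ".html", ".xml", ".psd", ".dll", ".lnk", ".pdf",
}
MARKER = ".ded"  # suffix appended to encrypted files, per the article

def inventory(root):
    """Classify every *.ded file under root by the extension beneath it.

    by_ext      count of encrypted files per original extension
    unexpected  *.ded files whose inner extension is not on the list
    unrestored  encrypted files with no restored original beside them
    """
    by_ext, unexpected, unrestored = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            stem, ext = os.path.splitext(name)
            if ext.lower() != MARKER:
                continue
            path = os.path.join(dirpath, name)
            inner = os.path.splitext(stem)[1].lower()
            if inner not in TARGETED:
                unexpected.append(path)
                continue
            by_ext[inner] += 1
            if not os.path.exists(os.path.join(dirpath, stem)):
                unrestored.append(path)
    return {"by_ext": dict(by_ext), "unexpected": unexpected,
            "unrestored": unrestored}

if __name__ == "__main__":
    import sys
    report = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for ext, count in sorted(report["by_ext"].items()):
        print(f"{ext:7} {count}")
    print(f"{len(report['unrestored'])} encrypted files without a restored copy")
    print(f"{len(report['unexpected'])} .ded files outside the reported list")
```

The script only reads directory listings, so it can be run from a clean system against a mounted copy of the affected disk, and again after a restore attempt to see which files are still missing.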

The encryption algorithm used by DEDCryptor ransomware has been reported to be AES-256. The ransomware generates a unique password and may send it to the command and control (C&C) center of the cyber-criminals.

Researchers believe that this appears to be a variant of EDA2 ransomware, suggesting the virus could have been posted for sale in the deep web markets. This may generate additional profits for the creators of EDA2 ransomware and, in addition, spread the ransomware further and infect more users. Either way, experts strongly advise against paying any ransom to the cyber-criminals behind DEDCryptor, for several obvious reasons:

  • There is no guarantee you will receive your files back.
  • You support the cyber-criminals.

Remove DEDCryptor Ransomware and Try To Restore the Encrypted Files

To remove this ransomware, be advised that you should isolate the threat first. After this, it is recommended to check for any processes related to DEDCryptor which may be actively running on your computer. The files can then be deleted, as long as the user has cleaned up the registry entries. The full instructions for this can be found in the manual below.

For maximum results, experts advise using an advanced anti-malware program, which will take care of the threat and detect other malware as well, if any is on your computer.

To restore your data, it is advisable to try the alternatives in the instructions below. They are not 100 percent guaranteed to work, but they may restore at least a small portion of your files.

To remove DEDCrypt follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove DEDCrypt files and objects
2. Find files created by DEDCrypt on your PC

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by DEDCrypt

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user towards online safety.
