A ransomware virus known by the name DEDCryptor adds the .ded ("ded", grandpa in Russian) file extension to the files it encrypts. The encryptor then changes the user's wallpaper to a message notifying them that their files are encrypted. The message features a vulgar photo of Santa Claus, making it all seem like a joke. However, DEDCryptor is no joke: it demands the sum of 2 BTC, around 700 USD, to restore the user's access. What is worse, the ransomware encrypts the files with the Advanced Encryption Standard (AES) cipher using a randomly generated 32-character password.
| Short Description | The ransomware encrypts files with the AES-256 cipher and demands a ransom payment for decryption. |
| Symptoms | Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom is shown as the wallpaper. |
| Distribution Method | Spam emails, email attachments, file-sharing networks. |
Users infected with DEDCryptor should be aware that there has been no decryption breakthrough so far. It is nevertheless recommended NOT to pay the ransom of 2 BTC, but instead to remove this crypto-virus and attempt to restore your files using alternative methods such as the ones posted in this article.
DEDCryptor – Spreading Methods
So far it is unclear whether DEDCryptor uses only one method to infect users or more than one. Either way, infected users report seeing malicious URLs that cause browser redirects to other web links, which could contain the malware itself.
Users may see the malware featured in web links such as the one below:
In addition, DEDCryptor may be spread anywhere else such URLs can be posted: forums, comments, social media private messages, posts in groups, etc.
DEDCryptor In Depth
Once installed on the user's PC, DEDCryptor hides its payload behind different file names, sometimes randomly generated, in different Windows directories, for example:
In addition, the DEDCryptor crypto-virus takes advantage of different registry entries to change the wallpaper and make itself run on Windows startup:
After this, the ransomware begins to scan for files to encrypt. Malware researchers report the affected file types to be the following:
The encrypted files have the .ded file extension appended to them, for example:
New Text Document.txt.ded
The encryption algorithm used by DEDCryptor ransomware has been reported to be AES-256. The ransomware generates a unique password and may send it to the cyber-criminals' command and control (C&C) server.
Researchers believe this is a variant of the EDA2 ransomware, suggesting the virus could have been put up for sale on deep web markets. This may generate additional profits for the creators of EDA2 and also spread the ransomware further, infecting more users. Either way, experts strongly advise against paying any ransom to the cyber-criminals behind DEDCryptor, for several obvious reasons:
- There is no guarantee you will receive your files back.
- You support the cyber-criminals.
Remove DEDCryptor Ransomware and Try To Restore the Encrypted Files
To remove this ransomware, isolate the threat first. Then check for any processes related to DEDCryptor that may be actively running on your computer. After that, the files can be deleted once the registry entries have been cleaned up. The full instructions can be found in the manual below.
For maximum results, experts advise using an advanced anti-malware program, which will take care of the threat and also detect any other malware on your computer.
To restore your data, try the alternatives in the instructions below. They are not 100 percent guaranteed, but may restore at least a small portion of your files.
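A defender-side triage script, added here and not part of the original article or of any tool it mentions: it inventories files carrying the .ded extension described above (so the responder knows which data types were hit) and parses a Registry export to flag autorun entries and a wallpaper setting that point into user-writable directories, which supports the "check processes, clean the registry, delete the files" steps of the removal section. The article does not name the exact registry keys or payload paths DEDCryptor uses, so the Run and Desktop keys, the suspicious-directory list, the file names and the sample .reg text below are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# Extension DEDCryptor appends to every file it encrypts (from the write-up).
DED_EXT = ".ded"

# Assumption: the write-up does not name the exact registry entries DEDCryptor
# uses, so this checks the standard Windows locations for startup persistence
# and the wallpaper setting, which is where a responder would look first.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
WALLPAPER_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
# Directories a legitimate autorun entry rarely lives in, but droppers often do.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def inventory_encrypted(root):
    """Walk `root` and collect every *.ded file.

    Returns (list of paths, Counter of the original extensions hidden under
    .ded), which tells the responder which data types were affected."""
    hits, original_ext = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(DED_EXT):
                continue
            hits.append(os.path.join(dirpath, name))
            original = name[: -len(DED_EXT)]          # e.g. "report.docx"
            original_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return hits, original_ext


_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse a Regedit (.reg, version 5.00) export into {key: {name: data}}.

    Only REG_SZ values are kept; .reg exports write each backslash doubled."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = _STR_VAL_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2).replace("\\\\", "\\")
    return keys


def find_persistence(reg):
    """Flag Run entries launched from user-writable directories, and a wallpaper
    taken from such a directory (DEDCryptor's ransom note is the wallpaper)."""
    findings = []
    for key in RUN_KEYS:
        for name, command in reg.get(key, {}).items():
            if any(d in command.lower() for d in SUSPICIOUS_DIRS):
                findings.append(("run", name, command))
    wallpaper = reg.get(WALLPAPER_KEY, {}).get("Wallpaper", "")
    if any(d in wallpaper.lower() for d in SUSPICIOUS_DIRS):
        findings.append(("wallpaper", "Wallpaper", wallpaper))
    return findings


# Constructed sample: one legitimate autorun, one entry dropped into the user's
# profile under a random-looking name, and a wallpaper swapped for a file in Temp.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"xk3f9a"="C:\\Users\\victim\\AppData\\Roaming\\xk3f9a.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\victim\\AppData\\Local\\Temp\\ded.bmp"
"""


def build_sample_tree():
    """Create a constructed victim profile in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="ded_triage_")
    encrypted = [
        "New Text Document.txt.ded",      # the example name from the write-up
        os.path.join("Documents", "report.docx.ded"),
        os.path.join("Documents", "notes.txt.ded"),
        os.path.join("Pictures", "cat.jpg.ded"),
    ]
    untouched = [os.path.join("Pictures", "dog.jpg"), "desktop.ini"]
    for rel in encrypted + untouched:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)  # contents are irrelevant to the triage
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits, by_ext = inventory_encrypted(root)
    print(f"{len(hits)} encrypted files under {root}; original types: {dict(by_ext)}")
    for kind, name, data in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"[{kind}] {name} -> {data}")
```

Run it against a real profile by pointing `inventory_encrypted` at the user's home directory and feeding `parse_reg_export` the text of a `reg export` of the keys above; a Run entry from AppData or Temp is a candidate for the process check and registry cleanup described in the removal steps, and the .ded inventory doubles as the list of files to try recovering.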
Manually delete DEDCrypt from your computer
Note! Important notice about the DEDCrypt threat: manual removal of DEDCrypt requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes, using a malware removal tool.