Remove Dev-Nightmare Virus and Decrypt .2xx9 Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Dev-Nightmare Virus and Decrypt .2xx9 Encrypted Files

A ransomware virus has been detected by the name of “Dev-Nightmare”. The virus appends the .2xx9 file extension after it performs a successful attack on a compromised computer and encrypts its files. Besides having the above-mentioned extension added to them, the files are encoded using the mechanism of the HiddenTear ransomware project, and luckily for infected users there may be a decryption solution for this virus. Keep reading this article for more information on how to remove this ransomware and how to try the HiddenTear decryptor to decode your files if they were enciphered by it.

Threat Summary

Name: Dev-Nightmare
Type: Ransomware
Short Description: The ransomware encrypts files with an encryption algorithm and asks a ransom for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a READ_ME.txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

Dev-Nightmare – Distribution

To spread rapidly, Dev-Nightmare may use several malicious practices. For instance, it may rely on other malware that connects to its command and control servers and downloads the virus files itself. Dev-Nightmare may also use an exploit kit that takes advantage of vulnerabilities in Windows to infect the user and run as a legitimate service while it encrypts the files. Another way it may infect you is through malicious JavaScript, used with the sole purpose of causing the encryption without having to create any files on your computer.

To distribute those tools, the Dev-Nightmare ransomware may also take advantage of several different replication methods, which mainly involve spamming malicious URLs or files. This may be done in comments on forums and other websites, and also via shady e-mails that trick users into opening their malicious file attachments.

Dev-Nightmare Ransomware – More Information

After it infects a system, Dev-Nightmare may connect remotely to the computer of the cyber-criminals controlling it and download the malicious payload of the virus that encrypts files. It primarily may place it in the %AppData% folder, but similar to other HiddenTear viruses like EDA2, 8lock8, DEDCryptor or Strictor, this virus may also target other Windows folders:


In addition to that, the virus may also create modified value strings in the Windows Registry to make the malicious file that encrypts files run when you start your computer. The targeted keys for this are mainly the following:

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
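As an added defensive example (not part of the original article), the script below parses the text that `reg query <key> /s` prints for the two Run keys above and flags autorun entries whose executable lives under %AppData% (the folder the article names as the payload's primary location). The sample output, the `updater` entry and all paths are constructed for illustration; the heuristic is for analyst review, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query ... /s` output; "updater" is a made-up
# illustration of a loader dropped under %AppData%, not a real indicator.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    updater     REG_SZ    C:\Users\alice\AppData\Roaming\updater.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    setup       REG_SZ    "C:\Program Files\Example\setup.exe" /finish
"""

# reg query prints values as: <indent>name<2+ spaces>REG_TYPE<2+ spaces>data
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
# image path is either the quoted first token or the first bare token
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+)')


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn `reg query <key> /s` output into {key, name, type, data} records."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # key lines carry no indent
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, vtype, data = m.groups()
            entries.append({"key": current_key, "name": name,
                            "type": vtype, "data": data.strip()})
    return entries


def image_path(data: str) -> str:
    """Extract the executable path from a Run value's command line."""
    m = EXE_RE.match(data.strip())
    return (m.group(1) or m.group(2)) if m else data


def flag_appdata_autoruns(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return autorun entries whose executable sits under %AppData% (AppData\\Roaming)."""
    return [e for e in entries
            if "\\appdata\\roaming\\" in image_path(e["data"]).lower()]
```

Run it on real output by piping `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s` into a file and passing its contents to `parse_reg_query`.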

After the encryptor of this virus runs, it may look for a wide variety of files to encipher. Such files may be videos, pictures, database files, Microsoft Office and Adobe Reader documents. Similar to other HiddenTear viruses, Dev-Nightmare may also look for the following file extensions to encrypt:

→ .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf (Source: Symantec)

After the files are encrypted, the virus adds its own distinctive file extension to the enciphered files – .2xx9. The encrypted files look like the following:
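As an added triage example (not from the original article), the script below inventories a directory tree the way a responder would before attempting the HiddenTear decryptor: it lists every file carrying the .2xx9 extension, recovers the original file name, counts affected original extensions, notes any extension outside the article's target list (a hint that a different variant may be involved), and locates READ_ME.txt ransom notes. The sample victim tree it builds is constructed for demonstration only.

```python
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".2xx9"         # extension Dev-Nightmare appends (from the article)
RANSOM_NOTE = "READ_ME.txt"  # ransom note file name (from the article)
# Extensions the article lists as HiddenTear targets
TARGET_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
               ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
               ".aspx", ".html", ".xml", ".psd", ".dll", ".lnk", ".pdf"}


def triage(root: Path) -> dict:
    """Inventory files encrypted by Dev-Nightmare under `root` without modifying them."""
    encrypted, notes, by_ext = [], [], Counter()
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE:
            notes.append(str(p))
        elif p.name.lower().endswith(RANSOM_EXT):
            original = Path(p.name[:-len(RANSOM_EXT)])   # strip .2xx9 only
            encrypted.append((str(p), original.name))
            by_ext[original.suffix.lower()] += 1
    return {
        "encrypted": encrypted,
        "by_ext": dict(by_ext),
        # extensions hit that are not in the article's list: possible other variant
        "unlisted_exts": sorted(e for e in by_ext if e not in TARGET_EXTS),
        "notes": notes,
    }


def build_sample_tree(root: Path) -> None:
    """Create a constructed, clearly fake victim directory for demonstration."""
    (root / "docs").mkdir(parents=True)
    for name in ("report.docx.2xx9", "photo.jpg.2xx9", "tool.exe.2xx9", "todo.txt"):
        (root / "docs" / name).write_bytes(b"constructed sample content")
    (root / "docs" / RANSOM_NOTE).write_text("constructed copy of the ransom note")
    (root / "README.md").write_text("unaffected file")


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "victim"
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Point `triage()` at a copy of the affected drive; the article recommends backing data up before running any decryptor, and this inventory is the list to back up.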


Then the virus leaves a hateful ransom note, written in extremely poor English, that aims to scare users into paying money to get access back to their files.

Dev-Nightmare’s ransom note:

→Congratulations!!!…
Your System is inficated with Dev-Nightmare 2xx9 Ransomware
Your All Files and database are encrypted.
If you want you files back contact me at [email protected]
Send me some money or bitcoins
And I hate fake peoples.

Dev-Nightmare – Remove It and Decrypt Your Files

However, since this is a HiddenTear variant, a decryptor has been released, and we have provided instructions for its usage in step “2. Decrypt files encrypted by Dev-Nightmare” below. But before decrypting your files, we strongly suggest methodically following the instructions to remove Dev-Nightmare ransomware and any other infections that may currently be residing on your computer. Malware analysts also strongly advise scanning your computer with an anti-malware program first, to effectively secure your computer after infection with Dev-Nightmare and to protect it in the future as well.

Manually delete Dev-Nightmare from your computer

Note! Important notice about the Dev-Nightmare threat: manual removal of Dev-Nightmare requires interfering with system files and registry entries, which can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Dev-Nightmare files and objects
2. Find malicious files created by Dev-Nightmare on your PC

Automatically remove Dev-Nightmare by downloading an advanced anti-malware program

1. Remove Dev-Nightmare with SpyHunter Anti-Malware Tool and back up your data
2. Decrypt files encrypted by Dev-Nightmare
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
