A ransomware virus has been detected by the name of “Dev-Nightmare”. The virus uses the .2xx9 file extension after it performs a successful attack on a compromised computer and encrypts t’s files. The files, besides having the abovementioned file extension added to them are encoded based on the mechanism from the HiddenTear ransomware project and luckily for infected user there may be a decryption solution for this virus. Keep reading this article for more information on how to remove this ransomware and try the HiddenTear decryptor to decode your files if they are enciphered by it.
|Short Description||The ransomware encrypts files with encryption algorithm and asks a ransom for decryption.|
|Symptoms||Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a READ_ME.txt file.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by Dev-Nightmare |
Malware Removal Tool
|User Experience||Join our forum to Discuss Dev-Nightmare Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Dev-Nightmare – Distribution
To distribute those tools, the Dev-Nightmare ransomware may also take advantage of several different methods for replications, which mainly involve spamming malicious URL’s or files. This may be done on comments on forums, other websites and also via shady e-mails that trick users into opening it’s malicious file attachments.
Dev-Nightmare Ransomware – More Information
After it infects a system, Dev-Nightmare may connect remotely to the computer of the cyber-criminals that is controlling it and download the malicious payload of the virus that encrypts files. It primarily may locate it In the %AppData% folder, but similar to other HiddenTear viruses like EDA2, 8lock8 DEDCryptor or Strictor this virus may also target other Windows folders:
In addition to that, the virus may also create modified values strings in the Windows Registry Editor to make the malicious file that encrypts files run when you start your computer. The targeted keys for this are mainly the following:
After the encryptor of this virus runs, it may look for a wide variety of files to encipher, Such files may be videos, pictures, database files, Microsoft Office and Adobe Reader documents. Similar to other HiddenTear viruses like it, Dev-Nightmare may also look for the following file extensions to encrypt:
→ .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf Source: Symantec
After the files are encrypted the virus ads it’s own distinctive file extension to the enciphered files – 2xx9. The encrypted files look like the following:
Then the virus leaves a hateful ransom note written in extremely poor English message that aims to induce fear in users to pay money to get access back to their files.
Dev-Nightmare’s ransom note:
Your System is inficated with Dev-Nightmare 2xx9 Ransomware
Your All Files and database are encrypted.
If you want you files back contact me at [email protected]
Send me some money or bitcoins
And I hate fake peoples.
Dev-Nightmare – Remove It and Decrypt Your Files
However, since this is a HiddenTear variant, there has been a decryptor released for which’s usage we have provided instructions in step “2. Decrypt files encrypted by Dev-Nightmare” below. But before decrypting your files, we strongly suggest following methodologically the instructions to remove Dev-Nightmare ransomware and other infections that may currently be residing on your computer. Malware analysts also strongly advise scanning your computer with an anti-malware program initially to effectively secure your computer after infection with Dev-Nightmare and protect it in the future as well.