Remove DiskDoctor (Scarab) Ransomware and Restore Files


This article provides information about DiskDoctor ransomware, which belongs to the Scarab malware family. The threat encrypts important files and demands a ransom payment. By the end of the article, you will know how to remove this ransomware and how to restore .DiskDoctor files.

DiskDoctor ransomware has been spotted harassing computer users around the globe. It is classified as data locker ransomware because its main purpose is to locate target files and encrypt them. Following encryption, DiskDoctor drops a ransom note that extorts a ransom payment for a specific key that decrypts .DiskDoctor files.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: A data locker ransomware that uses the AES cipher algorithm to encrypt target files stored on the infected computer. It then demands a ransom for a specific decryption solution.
Symptoms: Important files are locked and renamed with the .DiskDoctor extension. Access to the information they store remains restricted. Hackers demand a ransom for a decryption solution.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

DiskDoctor Ransomware – Distribution

The payload file that triggers a DiskDoctor ransomware infection could be spread with the help of shady techniques that trick users into infecting their systems. Deceptive email attachments and compromised web pages are mainly used.

Email attachments that deliver the payload to target computer systems are usually part of emails with a spoofed sender and address. A common practice of cybercriminals is the creation of email campaigns that impersonate representatives of well-known institutions or business services including PayPal, DHL, FedEx, and Amazon. This way they attempt to trick users into opening malicious email attachments on their PCs. Such an action leads to an infection with DiskDoctor ransomware.

Some of the emails used for the spread of DiskDoctor’s payload may lack file attachments but present in-text links instead. In this case a click on the link opens a compromised web page that may be set to cause an unnoticed download of malicious scripts on the device. With the help of these scripts the ransomware infection code sneaks into the system and becomes able to plague it.

Has your system been infected with the help of another technique? Leave a comment and share with us what happened.

DiskDoctor Ransomware – Overview

DiskDoctor ransomware is mainly meant to encrypt files that store valuable information. But before the encryption process, it needs to establish its malicious files on the system and perform several system modifications.

Malicious files and objects associated with this new Scarab ransomware version dubbed DiskDoctor may be dropped or created in the following system folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %Windows%

Some of the files may be self-deleting executables that stay on the system only during the infection process. Others are likely to remain on it so they can start the ransomware on each system start. To set its malicious files to auto-execute on each system start, DiskDoctor uses the functionality of the Run and RunOnce registry sub-keys.
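One way to review the Run and RunOnce sub-keys mentioned above, as an added example that is not part of the original article: the script parses saved `reg query` output and flags autorun commands that point into the user-writable folders listed earlier. The sample text and value names are constructed, and leaving %Windows% out of the markers is an assumption made to keep legitimate system entries out of the result; a flagged entry is a candidate for review, not a verdict.

```python
import re

# User-writable drop locations from the page's folder list. %Windows% is left
# out here (assumption: it would match most legitimate system autoruns).
SUSPECT_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\appdata\\locallow\\",
    "\\temp\\", "%appdata%", "%localappdata%", "%temp%",
)
KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.+\\(Run|RunOnce)$", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample of `reg query <key>` output, not taken from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    updater    REG_SZ    C:\Users\alice\AppData\Roaming\updater.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    cleanup    REG_EXPAND_SZ    %TEMP%\svc.exe -q

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

def parse_reg_query(text):
    """Turn `reg query` text into (key, value_name, command) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if KEY_RE.match(line.strip()):
            key = line.strip()
        else:
            m = VALUE_RE.match(line)
            if m and key and m.group("type") in ("REG_SZ", "REG_EXPAND_SZ"):
                entries.append((key, m.group("name"), m.group("data").strip()))
    return entries

def flag_autoruns(entries):
    """Return entries whose command references a user-writable drop folder."""
    flagged = []
    for key, name, command in entries:
        lowered = command.lower()
        if any(marker in lowered for marker in SUSPECT_MARKERS):
            flagged.append({"key": key, "name": name, "command": command})
    return flagged

if __name__ == "__main__":
    for hit in flag_autoruns(parse_reg_query(SAMPLE)):
        print(f'{hit["key"]} -> {hit["name"]}: {hit["command"]}')
```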

A specific trait of DiskDoctor crypto virus is the ransom note it uses to instruct infected users how to act further if they want to obtain the decryption key. The note is contained in a TXT file called HOW TO RECOVER ENCRYPTED FILES.TXT that could appear on the PC screen at the end of the attack. And here is the message it reads:

Warning all your files are encrypted !!!
To receive the decoder, you must send an email to the email address with your personal ID:
In response you will receive further instructions.
* Do not attempt to uninstall the program or run antivirus software.
* Attempts to self-decrypt files will result in the loss of your data.
* Decoders of other users are incompatible with your data, as each user has a unique encryption key.
Your personal identifier:


Beware! Contacting hackers could lead to additional misuses of sensitive data. Furthermore, there is no guarantee that they could provide a working decryption solution. They can try to scam you and make you a victim of their malicious intentions once again.

DiskDoctor Ransomware – Encryption Process

All initial system modifications primarily support the completion of the encryption stage. DiskDoctor is a threat that mainly aims to corrupt specific files stored on the compromised host. The encryption cipher used by DiskDoctor is known to be AES. With the help of this cipher the ransomware completely changes the code of target data. So after an infection with DiskDoctor you could find all the files listed below encrypted:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

After encryption, all corrupted files have the extension .DiskDoctor appended to their names. The access to the information stored by .DiskDoctor files is restricted and hackers demand a ransom payment for a specific decryption key.

The DiskDoctor may also erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

vssadmin.exe delete shadows /all /Quiet

The above-stated command eliminates one of the prominent ways to recover .DiskDoctor files. Luckily, some alternative solutions could be used for the recovery process. In the guide that follows you can find out how to use some of them and potentially restore a few to all .DiskDoctor files.
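A check for the shadow-copy deletion command shown above in process-creation records, as an added example that is not part of the original article. The event tuples are constructed samples, and the way command lines are exported from the host (for instance from process-creation auditing) is assumed.

```python
import ntpath

# Constructed process-creation records: (time, parent image, command line).
EVENTS = [
    ("2018-06-20T10:01:07", "explorer.exe",
     r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("2018-06-20T10:14:32", "invoice.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'),
    ("2018-06-20T10:16:10", "explorer.exe",
     r"C:\Windows\System32\notepad.exe C:\Users\alice\todo.txt"),
    ("2018-06-20T10:20:45", "svc.exe",
     "VSSADMIN  delete shadows /for=C: /quiet"),
]

def match_shadow_delete(command_line):
    """Return the switches used if the line runs `vssadmin delete shadows`, else None."""
    # Normalise case and quoting so path, casing and wrapper shells do not matter.
    tokens = command_line.replace('"', " ").lower().split()
    for i, token in enumerate(tokens):
        if ntpath.basename(token) in ("vssadmin", "vssadmin.exe"):
            rest = tokens[i + 1:]
            if rest[:2] == ["delete", "shadows"]:
                return {"all": "/all" in rest, "quiet": "/quiet" in rest}
    return None

def find_shadow_deletions(events):
    """Return one alert per event that deletes shadow copies via vssadmin."""
    alerts = []
    for when, parent, command_line in events:
        switches = match_shadow_delete(command_line)
        if switches is not None:
            alerts.append({"time": when, "parent": parent,
                           "command_line": command_line, **switches})
    return alerts

if __name__ == "__main__":
    for alert in find_shadow_deletions(EVENTS):
        print(alert["time"], alert["parent"], alert["command_line"])
```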

Remove DiskDoctor Ransomware and Restore Files

The removal of DiskDoctor ransomware demands a bit of technical experience and the ability to recognize traits of malware files. And there is no doubt that you should remove this nasty threat from the infected PC as soon as you detect it. Otherwise, it has the chance to spread its infection files across the whole network. Below you can find how to remove it step by step. Beware that ransomware has highly complex code that could plague not only your files but your whole system. So, as recommended by security researchers, you need to utilize an advanced anti-malware tool for its complete removal. Such a tool will keep your system protected against devastating threats like DiskDoctor and other kinds of malware that endanger your online security.

After you remove the ransomware make sure to check the “Restore Files” step listed in the guide below. But before you take any further actions, don’t forget to back up all encrypted files to an external drive in order to prevent their irreversible loss.
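The backup step above, as an added example that is not part of the original article: the script copies every .DiskDoctor file and every copy of the ransom note (which carries the personal identifier) to a backup folder, keeps the folder structure, and verifies each copy by SHA-256. The function names, the manifest layout and the two command-line arguments (source folder, backup folder) are assumptions.

```python
import hashlib
import os
import shutil

ENCRYPTED_EXT = ".diskdoctor"                      # extension named on the page
NOTE_NAME = "how to recover encrypted files.txt"   # ransom note named on the page

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def backup_encrypted(root, dest):
    """Copy .DiskDoctor files and ransom notes from root to dest; return a manifest."""
    dest_abs = os.path.abspath(dest)
    manifest = []
    for folder, dirs, files in os.walk(root):
        # Do not descend into the backup folder if it lives under root.
        dirs[:] = [d for d in dirs
                   if os.path.abspath(os.path.join(folder, d)) != dest_abs]
        for name in files:
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                kind = "encrypted"
            elif lowered == NOTE_NAME:
                kind = "ransom_note"
            else:
                continue
            src = os.path.join(folder, name)
            rel = os.path.relpath(src, root)
            target = os.path.join(dest_abs, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(src, target)              # copy2 keeps timestamps
            digest = sha256_of(src)
            if sha256_of(target) != digest:        # verify the copy before trusting it
                raise OSError(f"copy of {rel} does not match the original")
            manifest.append({"path": rel, "kind": kind, "sha256": digest})
    return sorted(manifest, key=lambda entry: entry["path"])

if __name__ == "__main__":
    import sys
    for entry in backup_encrypted(sys.argv[1], sys.argv[2]):
        print(entry["kind"], entry["sha256"], entry["path"])
```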

Gergana Ivanova


Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.
