Remove Domino Ransomware and Restore .domino Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Domino Ransomware and Restore .domino Files

domino-ransomware-ascii-cow-sensorstechforumThe HiddenTear project has been the reason for yet another virus that encrypts user files adding the .domino file extension. Dubbed Domino ransomware, this crypto-virus spreads primarily via several different techniques, the main of which is via fake installers and cracks. The virus is particularly dangerous because the people behind this virus threaten to destroy the decryption key for the files in 72 hours if the victim does not pay the sum of approximately 1 BTC. Everyone who has been infected by the Domino ransomware is advised to not pay any ransom money and immediately focus on removing this virus and restoring the encrypted files using the information in this article.

UPDATE! A decryptor has been released for the hidden tear ransomware variants. We have created instructions on how to decrypt your files for free. You can read them by clicking on the following link.

Threat Summary

NameDomino Ransomware
TypeRemote Access Trojan with file encryption capability.
Short DescriptionThe ransomware encrypts files with a strong AES cipher asking 1 BTC for decryption.
SymptomsFiles are encrypted with the .domino file extension and become inaccessible. A ransom note with instructions for paying the ransom may show as a wallpaper. Threatens to destroy the decryption key in 72 hours.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Domino Ransomware

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Domino Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Domino Ransomware – How Does It Infect

Unlike other ransomware viruses that use massive spam campaigns with malicious attachments in them, this virus uses another technique – modified installers. One particular installer used by it is a Windows activation program, called KMSPico. The program Is essentially a crack that can activate Windows with a ghost license for free. What happens is that the KMSPico installer runs and the program does activate Windows but also slithers Domino ransomware as a bonus to the free activation. And what is worse is that if the user does not have appropriate anti-malware protection, their files immediately become encrypted. It is not yet confirmed, but malware researchers also believe that it may replicate via other fake setups as well.

kmspico-domino-ransomware-install-sensorstechforum

Domino Ransomware – More Information

After Domino ransomware has infected the victim’s computer, the virus may drop files in several key Windows folders, including the %Startup% folder where they automatically run when Windows boots up. Besides the fact that the malicious executable may have different names, it may also drop malicious files in the following Windows locations:

commonly-used-file-names-and-folders

After dropping it’s files the Domino ransomware may delete the volume shadow copies of the compromised device by executing a malicious .bat (batch) file that uses the administrative vssadmin command in “/quiet” mode so that the user may not notice the files are deleted.

Upon system restart, the Domino ransomware virus may begin to encrypt user files. The files this virus may scan for and encode are widely used types of files. The Domino virus attacks the following file extensions:

→ .3fr, .7z, .accdb, .ai, .apk, .arch00, .arw, .asp, .aspx, .asset, .avi, .bak, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .blob, .bsa, .c, .cas, .cdr, .cer, .cfm, .cfr, .class, .cpp, .cr2, .crt, .crw, .cs, .csr, .css, .csv, .d3dbsp, .das, .DayZProfile, .dazip, .db0, .dba, .dbf, .dbfv, .dcr, .der, .desc, .dmp, .dng, .doc, .docm, .docx, .dtd, .dwg, .dxg, .epk, .eps, .erf, .esm, .ff, .fla, .flv, .forge, .fos, .fpk, .fsh, .gdb, .gho, .h, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .java, .jpe, .jpeg, .jpg, .js, .jsp, .kdb, .kdc, .kf, .layout, .lbf, .litemod, .lrf, .ltx, .lua, .lvl, .m, .m2, .m3u, .m4a, .map, .mcgame, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mlx, .mov, .mp4, .mpqge, .mrwref, .ncf, .nrw, .ntl, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pak, .pdd, .pdf, .pef, .pem, .pfx, .php, .pkpass, .pl, .png, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rss, .rtf, .rw2, .rwl, .sav, .sb, .sc2save, .sh, .sid, .sidd, .sidn, .sie, .sis, .slm, .sln, .snx, .sql, .sr2, .srf, .srw, .sum, .svg, .swift, .syncdb, .t12, .t13, .tax, .tor, .txt, .unity3d, .upk, .vb, .vcf, .vcxproj, .vdf, .vfs0, .vpk, .vpp_pc, .vtf, .w3x, .wallet, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xcodeproj, .xf, .xhtml, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xxx, .zip, .ztmp

After encryption, the Domino ransomware may ad it’s distinctive .domino file extension to the encrypted files, for example:

domino-ransowmare-encrypted-files-sensorstechforum

In addition to those, the Domino virus also adds a README_TO_RECURE_YOUR_FILES.txt that interestingly enough has an ASCII cow(http://instinct.org/cows/ascii-cows1.html) art at the end of it. The message in it is the following:

→ “Your file had been enc rypted with AES 1024 bit key!!
How to decr ypt your files:
1. Send me 1 bitcoin to: {cyber-criminals’ bitcoin address}
2. After sending Bitc oin, send me your (computer name + user name + bitcoin address) to email [email protected] to get pass the word!
3. Using your p assword to decrypt your files!
If you didn’t do this, your pa ssword to decrypt your file would be destroyed after 72 hours.
Winter Is Coming!
How to buy bitcoin:
https://www.coinbase.com/buy-bitcoin?locale=en
https://localbitcoins.com/guides/how-to-buy-bitcoins
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
(….Domino..)”

After the ransom message has been delivered, the virus may self-delete after sending the decryption key to cyber-criminals command and control (C&C) center.

Domino Ransomware – Removal and File Decryption Information

In case you want to remove Domino ransomware, we have provided removal instructions by which you can guide yourself. They are posted after this article, and they are separated on “Manual” and “Automatic”. In case you are not a tech savvy user and do not feel convinced that you will fully remove this virus without damaging your files, we advise you to follow the automatic removal instructions.

For best results, however, malware researchers strongly advise downloading an advanced anti-malware program which will ensure the full removal and future protection for your computer against malware such as Domino ransomware.

Regarding file, decryption, there is no direct decryptor released for any of the HiddenTear variants. So far, it remains a mystery whether or not the cyber-criminals have used an AES-1024 bit encryption algorithm because such strength may be challenging to develop and implement without any bugs in it. This is why the most often AES ciphers met are 128 and 256-bit encryption. In any case, it is strongly inadvisable to pay any ransom money. Instead, you can wait for a decryptor which we will post in this article as an update as soon as security engineers develop such. In the meantime, you may want to check the file restoration alternatives in step “3.Restore files encrypted by Domino Ransomware” below.

Manually delete Domino Ransomware from your computer

Note! Substantial notification about the Domino Ransomware threat: Manual removal of Domino Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Domino Ransomware files and objects
2.Find malicious files created by Domino Ransomware on your PC
3.Fix registry entries created by Domino Ransomware on your PC

Automatically remove Domino Ransomware by downloading an advanced anti-malware program

1. Remove Domino Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Domino Ransomware in the future
3. Restore files encrypted by Domino Ransomware
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.