.DREAM File Virus – Remove It and Restore Files

.DREAM File Virus – Remove It and Restore Files

.DREAM virus how_to_back_files.html ransom note

This article provides instructions on how to remove .DREAM file virus and presents alternative data recovery methods.

The name .DREAM file virus belongs to a newly discovered variant of GlobeImposter ransomware. The threat aims to encode files carriers of important information. Its name is associated with the specific extension it appends to each encrypted file .DREAM. After encryption the ransomware drops a ransom note on the compromised device. The note blackmails victims into contacting hackers by using a given email address – dream_dealer@aol(.)com. Hackers demand a ransom in exchange for .DREAM files decryption tool.

Threat Summary

NameDREAM file virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware virus encrypts files on your PC and drops a ransom note that demands payment for the decryption of .DREAM files.
SymptomsThis ransomware will encrypt your files and then append the extension .DREAM on every encrypted file.
Distribution MethodSpam Emails, Email Attachments, Executable Files
Detection Tool See If Your System Has Been Affected by DREAM file virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss DREAM file virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.DREAM File Virus – Distribution

The malicious script that infects the system with .DREAM file virus could be spread across the net via various techniques. Hackers may try to trick you into infecting your system with the ransomware by sending you a spam email message which contains the malicious payload. Such emails may pose as representatives of popular services, websites or even governmental institutions. The emails usually attempt to provoke a sense of urgency and make you more prone to infect yourself with .DREAM ransomware.

Usually, the ransomware payload is hidden in an attached file or in the code of a web page link to which is presented in the text message. So if you download and open the infected file attachment or load the compromised web page in your web browser you will unintentionally trigger the ransomware payload on your system.

Social media and file-sharing sites may also be used for the delivery of .DREAM virus payload.

.DREAM File Virus – Infection Flow

The analyses conducted by security researchers reveal that .DREAM crypto virus is an infection that belongs to the GlobeImposter ransomware family. The threat has been released in active attack campaigns against online users worldwide.

.DREAM file virus is a complex threat that can compromise your operating system along with your important data. Once its payload is started on your PC it initiates a sequence of malicious actions. At first, it needs to create additional malicious files that support the completion of the attack. To do this, the ransomware may connect to its command and control server and drop some additional files on the computer. Those malicious files may be located in some important Windows folders like:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Common%
  • %System32%

The ransomware may then access the Registry Editor to add malicious values under some specific sub-keys. It is likely that the threat is designed to corrupt the Run and RunOnce sub-keys as they manage the automatic execution of main system processes and startup programs on each system start. By adding malicious values under these keys .DREAM crypto virus ensures its persistent presence on the system.

Afterward, the threat drops a ransom note file How_to_back_files.html on the system. The text in this file does not provide information about the amount of the demanded ransom. There is only an option of contacting hackers at the email address dream_dealer@aol.com. You can send hackers one encrypted file and test their decryption tool. To obtain their decryption tool you should pay crooks a ransom fee.

Here is the text of their ransom message:





To recover data you need decryptor.
To get the decryptor you should:

Send 1 crypted test image or text file or document to dream_dealer@aol.com
(Or alternate mail dream_dealer@india.com)
In the letter include your personal ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files

After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and
instructions We can decrypt one file in quality the evidence that we have the decoder.

Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except greenpeace_wtf@aol.com, will decrypt your files.

Only dream_dealer@aol.com can decrypt your files
Do not trust anyone besides dream_dealer@aol.com
Antivirus programs can delete this document and you can not contact us later.
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user‘s unique encryption key

.DREAM virus how_to_back_files.html ransom note

Treat hackers’ promises with caution because there is no guarantee that their decryptor is able to decrypt your .DREAM files. Thus, it is recommended to avoid paying the ransom and try to deal with the problem with the help of some reliable and secure means.

.DREAM File Virus – Data Encryption

The .DREAM file virus utilizes strong cipher algorithm to encrypt predefined file types. First, the ransomware scans the system for files that are likely to store valuable information such as documents, videos, pictures, text files, databases, projects and other. Then it transforms their code and renders them unusable.

As the crypto virus modifies the original code of target files they become completely out of order after encryption. All encrypted files receive the specific extension .DREAM at the end of their names. Corrupted files remain unusable until a proper solution is applied for their recovery.

To prevent one of the available data recovery options, .DREAM ransomware deletes all Shadow Volume Copies stored in the Windows Operating System.

Remove Ransomware – Restore .DREAM Files

.DREAM file virus is a nasty infection that should be removed from the infected machine as soon as possible. Otherwise, it will keep obstructing regular access to valuable information. Only after the complete removal of all files and objects associated with .DREAM ransomware, the device can be used regularly again.

Тo remove .DREAM crypto virus just follow the step-by-step removal guide below which provides both manual and automatic approaches. Due to the complexity of ransomware code, security researchers recommend the help of advanced anti-malware tool.

Once you complete the removal, you could navigate to the alternative data recovery approaches presented in the guide. They may be useful for the restore of some .DREAM files. Be advised to back up all encrypted files to an external drive before you proceed with the recovery process.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share