Dever Ransomware

What is Dever Ransomware?

If you have valuable data on your computer, Dever Ransomware is a malicious application that you would want to avoid at all costs. The malware encrypts files to make them unusable and then shows a ransom note claiming that the enciphered files can only be restored if the victim pays for decryption tools. To see if your files were encrypted, check whether they have the .id{random characters}.[lizethroyal@aol.com] extension, for example, picture.jpg.id[9AC7094B-3047].[lizethroyal@aol.com]. If you see such an extension on your files and a notification mentioning the same email address is on your screen, your computer is most likely infected with Dever Ransomware. For more information on this infection, we invite you to read our full report and check the deletion instructions placed at the end of the text.

Where does Dever Ransomware come from?

Threats such as Dever Ransomware can be distributed through unsecured RDP (Remote Desktop Protocol) connections as well as unreliable file-sharing websites or spam emails. This is why we advise taking care of your computer’s weaknesses and staying away from files originating from untrustworthy sources if you wish to avoid similar malicious applications. It is also advisable to keep a legitimate antimalware tool installed on your computer so that you can scan suspicious data from the Internet and be warned about potential threats. Our researchers at Anti-spyware-101.com advise scanning even those files that do not look harmful to you, such as pictures or documents, because appearances can be deceiving.

How does Dever Ransomware work?

After getting in, Dever Ransomware should start encrypting the files it can find on the infected device. According to our specialists, the malware should stay away from data associated with the operating system and other program files, but it ought to encipher various types of documents, pictures, archives, and so on. Each encrypted file should receive the second extension mentioned earlier. Once this process is over, the malicious application is supposed to create a file called Info.hta and a text document named info.txt. Info.hta might be launched automatically by the malware to display its ransom note on your screen.
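To gauge how far the encryption reached, the markers described above (the appended extension and the two note files) can be searched for without touching anything. This is an added example, not code from the original report; the function name Find-DeverArtifacts, its -Root parameter and the sample tree are constructed for illustration.

```powershell
# Added example: read-only scope check for the Dever markers described above.
# Find-DeverArtifacts and its -Root parameter are hypothetical names.
function Find-DeverArtifacts {
    param([string]$Root = $env:USERPROFILE)

    # <original name>.id[<ID>].[<contact e-mail>], as in
    # picture.jpg.id[9AC7094B-3047].[lizethroyal@aol.com]
    $pattern   = '^(?<orig>.+)\.id\[(?<id>[^\]]+)\]\.\[(?<mail>[^\]@]+@[^\]]+)\]$'
    $noteNames = 'Info.hta', 'info.txt'

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                [pscustomobject]@{
                    Kind     = 'EncryptedFile'
                    VictimId = $Matches['id']
                    Contact  = $Matches['mail']
                    Original = $Matches['orig']
                    Path     = $_.FullName
                }
            }
            elseif ($noteNames -contains $_.Name) {
                [pscustomobject]@{
                    Kind     = 'RansomNote'
                    VictimId = $null
                    Contact  = $null
                    Original = $null
                    Path     = $_.FullName
                }
            }
        }
}

# Constructed sample tree so the function can be tried on a clean machine.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('dever-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
'picture.jpg.id[9AC7094B-3047].[lizethroyal@aol.com]', 'notes.txt', 'Info.hta' |
    ForEach-Object { [IO.File]::WriteAllText([IO.Path]::Combine($demo, $_), '') }

$found = @(Find-DeverArtifacts -Root $demo)
$found | Format-Table Kind, VictimId, Contact, Original -AutoSize
# Summary per victim ID and contact address.
$found | Where-Object Kind -eq 'EncryptedFile' |
    Group-Object VictimId, Contact | Select-Object Count, Name

Remove-Item -LiteralPath $demo -Recurse -Force
```

On an affected machine, call the function with -Root set to a data drive; the Original column shows the name each file had before the extension was appended.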

The message in Info.hta should start with: “All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail lizethroyal@aol.com.” Moreover, it should also mention that users need to pay for decryption tools and that the price depends on how fast they contact the malware’s creators. Of course, we advise not rushing and considering the offer carefully. There are no guarantees that the hackers will hold up their end of the bargain. Even if they can prove that they have the promised decryption tools, it still does not guarantee that the tools will be delivered. Therefore, if you fear you could be tricked, you may want to concentrate on Dever Ransomware’s removal.

How to erase Dever Ransomware?

Deleting Dever Ransomware is advisable because, if it stays, it can relaunch itself after each restart. This could be not only annoying but also risky to your future data. Thus, if you do not want to take any risks, we advise removing Dever Ransomware. To erase it manually, you could complete the steps provided below. Users who prefer automatic features can scan their system with a legitimate antimalware tool, which should let them erase the threat after the scan.

Remove Dever Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Choose Task Manager and click the Processes tab.
  3. Find a process belonging to the malware, select it and press End Task.
  4. Close Task Manager.
  5. Press Windows key+E.
  6. Go to your Desktop, Temporary Files, and Downloads directories.
  7. Find the file launched before the threat infected the computer, right-click this suspicious file, and click Delete.
  8. Navigate to these locations:
    %LOCALAPPDATA%
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  9. Identify malicious .exe files created by the infection, right-click them, and select Delete.
  10. Find these locations:
    %USERPROFILE%\Desktop
    %HOMEDRIVE%
  11. Locate files titled Info.hta, right-click them, and select Delete.
  12. Close File Explorer.
  13. Press Windows key+R.
  14. Type regedit and press Enter.
  15. Find the following paths:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  16. Search for value names belonging to the malicious application; their value data should point to C:\Users\User\AppData\Local\{random}.exe.
  17. Right-click malicious value names and press Delete.
  18. Close Registry Editor.
  19. Empty Recycle Bin.
  20. Reboot the system.
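
Before deleting anything by hand, the locations from steps 8 to 16 can be listed in one pass so that each candidate is reviewed first. This is an added example, not part of the original instructions; Get-DeverPersistenceCandidates is a hypothetical name, and the script only reads and reports.

```powershell
# Added example: read-only audit of the locations from steps 8-16. Nothing is deleted.
# Get-DeverPersistenceCandidates is a hypothetical name, not a vendor tool.
function Get-DeverPersistenceCandidates {
    # Steps 15-16: Run values whose data points to an .exe directly in %LOCALAPPDATA%.
    $exeInLocal = '^"?' + [regex]::Escape($env:LOCALAPPDATA) + '\\[^\\"]+\.exe("|\s|$)'
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match $exeInLocal) {
                [pscustomobject]@{ Step = '15-16'; Location = $key; Name = $name; Detail = $data }
            }
        }
    }

    # Steps 8-9: .exe files sitting directly in the listed folders.
    $dirs = '%LOCALAPPDATA%',
            '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
            '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
            '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup'
    foreach ($d in $dirs) {
        $path = [Environment]::ExpandEnvironmentVariables($d)
        Get-ChildItem -LiteralPath $path -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{ Step = '8-9'; Location = $path; Name = $_.Name
                                   Detail = "created $($_.CreationTime.ToString('s')) sha256 $hash" }
            }
    }

    # Steps 10-11: ransom note copies. %HOMEDRIVE% is "C:" without a slash, so add one.
    foreach ($d in (Join-Path $env:USERPROFILE 'Desktop'), ($env:HOMEDRIVE + '\')) {
        Get-ChildItem -LiteralPath $d -Filter 'Info.hta' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Step = '10-11'; Location = $d; Name = $_.Name
                                   Detail = "created $($_.CreationTime.ToString('s'))" }
            }
    }
}

Get-DeverPersistenceCandidates | Format-Table -AutoSize -Wrap
```

Legitimate software also installs executables in %LOCALAPPDATA% and registers Run values, so treat every row as a candidate to verify (creation time close to the infection, unknown hash) rather than as a confirmed malicious file.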