Dewar Ransomware

Posted by Max Lehmann on February 20, 2020

What is Dewar Ransomware?

Dewar Ransomware could have invaded your operating system because of your own fault. You could have been tricked into executing the infection by a misleading email message with the launcher introduced to you as a harmless document or photo attachment. In a different scenario, you could have executed an unreliable downloader that offered a free version of something attractive, and the ransomware could have been concealed seamlessly. Perhaps you failed to install recent security updates, and the exposed vulnerabilities made it possible to execute the infection without your input at all? Whatever the case might be, if you have discovered the malicious threat, one thing is clear: your operating system lacks reliable protection. First, you might want to focus on the removal of Dewar Ransomware, but once you have the threat deleted, you need to rethink your overall virtual security as well. If you are interested to learn more, continue reading, and note that the comments section is open to the public.testtest

How does Dewar Ransomware work?

It is important to note that Dewar Ransomware is not an original infection. It is a clone of Devos Ransomware, Dever Ransomware, and several other infections that were preceded by Phobos Ransomware. This is the original threat, and even it was created based on the CrySIS/Dharma Ransomware code. All of these infections are extremely dangerous because all of them focus on encrypting personal files. They are silent when they slither in, and if security software does not exist to catch and delete it in time, you are unlikely to notice when exactly all of your personal files get corrupted. After the fact, you should discover the “.id[#].[kryzikrut@airmail.cc].dewar” extension appended to their names. The last part of this extension has predetermined the name of the infection, and the extension also includes one of the email addresses of the attackers, as well as a number that is unique for every victim. Some people waste time removing this added extension, in the hopes of getting their files restored, but things are not so simple. To make your personal files readable again, you need a decryptor that could decipher the attackers’ encryptor.

It is easy for Dewar Ransomware to encrypt files, and once that part of the attack is complete, the threat launches into the second stage. Two files named “Info.hta” and “info.txt” are dropped to deliver a message. The first file launches a window entitled “encrypted,” and the message inside informs the victim about what has happened with the files. It also informs that files can be decrypted but only if the victim contacts the attackers via email (kryzikrut@airmail.cc and/or kokux@tutanota.com), Telegram (@hpdec), or Jabber (decrypt_here@xmpp.jp) and then pays an undisclosed sum of money as a ransom. Do you have a clue as to what might happen if you contact the attackers behind Dewar Ransomware? According to our Anti-Spyware-101.com malware experts, cybercriminals are likely to push you into paying money for a decryptor that you are unlikely to see with your own eyes. Furthermore, you might enable them to scam you further. Since you are unlikely to obtain a decryptor and get the chance to restore your files anyway, we do not recommend taking the risk of contacting the attackers at all.

How to remove Dewar Ransomware

Sadly, Dewar Ransomware is not decryptable by any of the decryption tools available right now. Is it possible that malware researchers will come up with such a tool? That could happen, but we would not bet on it. The existence of this kind of malware is exactly why creating backups is important. Some people rely on cloud storage, others use external drivers, and there are also Windows users who enjoy internal backups best. Unfortunately, internal backups are not invincible, and so we do not recommend relying on them. Luckily, Dewar does not delete shadow copies, and so you are fine if you want to use a preset restore point. In the future, figure out a better way to save copies of your personal files. If you have copies to replace your files, do that after you delete Dewar Ransomware. The instructions below are meant to assist with manual removal, but only if the victim can find the launcher on their own. Otherwise, we advise installing a trusted anti-malware program. Note that if you care about your virtual security as well, this is the program you need to install regardless of which method of removal you go with in the end.

Removal Guide

  1. Locate the ransomware .exe launcher file and Delete it.
  2. Delete the file named info.txt (could be placed on the Desktop).
  3. Tap Win+R keys to launch Run and enter regedit into the dialog box.
  4. In Registry Editor, move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  5. Delete the [random name].exe that belongs to the ransomware (check the value data to check the location of the file and to confirm if or not it belongs to ransomware).
  6. Tap Win+E keys to launch File Explorer.
  7. Enter the following paths into the field at the top and Delete a malicious [random name].exefile:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %LOCALAPPDATA%
  8. Enter the following paths into the field at the top and Delete the file named Info.hta:
    • %HOMEDRIVE%
    • %USERPROFILE%\Desktop\
  9. Empty Recycle Bin and then scan your operating system with a legitimate malware scanner. 100% FREE spyware scan and
    tested removal of Dewar Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *