Mr.Dec Ransomware

Posted by Lisa Blanc on June 4, 2018

What is Mr.Dec Ransomware?

Mr.Dec Ransomware is yet another ransomware infection that was created to bully individual and corporate users into paying their money for decryption keys that probably do not even work. If you became a victim of this malware infection, you should look for ways to remove Mr.Dec Ransomware the infection and restore at least part of your data. Please do not even think of paying the ransom fee because there is no guarantee that these criminals would issue the decryption key. They are only interested in snatching your money, and your files do not concern them at all. You are the only one who cares about it.testtest

Where does Mr.Dec Ransomware come from?

It is not clear how exactly this ransomware infection travels around. Our research team suggests that it probably spreads through spam emails or corrupted Remote Desktop Protocol. These distribution methods allow us to assume that Mr.Dec Ransomware often targets businesses as well. After all, when business computers are connected into one network, it is a lot easier to infect the entire system once one computer connection to that system has been compromised. Hence, ransomware infections through Remote Desktop client applications are prevalent these days. If one computer on the network receives the malware installer file and the user opens it, eventually the infection spreads through all computers on the network like a plague.

Another possible way to get infected with Mr.Dec Ransomware is through spam email. Spam email messages often carry multiple attachments, and some of them could be part of the ransomware distribution network. If you receive messages with attachments, and the messages urges you to open the attached file, perhaps you should think twice about it. It would be for the better to scan the attached file with a security tool before opening it. It is always better to be safe than sorry.

What does Mr.Dec Ransomware do?

But now that this ransomware program already entered your system, what does it do? The answer is pretty blatant: It encrypts your files, just like most of the ransomware programs out there nowadays.

Our research has shown that this program uses the AES encryption algorithm to encrypt target files. It also adds an extension to all the affected files. The extension is random, and every single infected user will receive a unique extension. For instance, a file.jpg may end up having a file.jpg.zAxVDIIP8JN3Jajg extension. With this, you will know that something happened to your files. And of course, you will not be able to open them anymore.

Mr.Dec Ransomware encrypts most of the personal files, especially if you keep them in the default folders, like Documents, Pictures, and so on. We do know, however, that the infection does not encrypt system files and Internet Explorer. It means that it still needs the Internet browser to work because it expects you to wire the criminals behind this infection the ransom. Once again, we would like to reiterate that paying the ransom would not solve your problems, although the ransom note Decoding help.hta is very explicit, and the program drops it into every folder that gets affected by the encryption. Here is what the note says:

You are unlucky! The terrible virus has captured your files! For decoding please contact by email shine2@protonmail.com or shine1@tutanota.com

You will also see the ransom note on your desktop, and it will look that you cannot close it, but you can actually close the ransom Window by pressing Alf+F4. Also, if you restart your computer the ransom note will pop up on your desktop again because Mr.Dec Ransomware auto-starts with Windows. So it is clear that the program is extremely annoying, and you must get rid of it.

How do I remove Mr.Dec Ransomware?

You can find the manual removal instructions for this intruder below our description. However, if you feel that you cannot do it on your own; you are always free to invest in a legitimate security application that will help you delete Mr.Dec Ransomware from your system once and for all.

Please note that removing the ransomware program does not automatically restore your files. You may have to delete the encrypted files and replace them with the healthy copies of your data that you may have stored in an external hard drive, your mobile device or your cloud drive. Whichever it might be, please make sure that you do not get infected with the likes of Mr.Dec Ransomware again.

Manual Mr.Dec Ransomware Removal

  1. Press Win+R and type regedit. Click OK.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  3. On the right pane, right-click the search value with the value data c:\Windows\wincmd.exe.
  4. Delete the value.
  5. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  6. Right-click the unlock value with value data c:\Decoding help.hta on the right.
  7. Delete the value and exit Registry Editor.
  8. Press Win+R again and type %WINDIR%. Click OK.
  9. Delete the wincmd.exe and DECODE KEY.KEY files.
  10. Press Win+R and type %HOMEDRIVE%. Click OK.
  11. Delete the Decoding help.hta file. 100% FREE spyware scan and
    tested removal of Mr.Dec Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *