What is DBGer ransomware? And how does it carry out its attack?
DBGer ransomware is a file-encrypting virus which turns out to be a new variant of Satan ransomware which was launched as a RaaS (Ransomware-as-a-Service). Security experts first spotted this crypto-malware on June 14, 2018. There are several changes in this new variant not only in its name and modus operandi as it now incorporates Mimikatz – an open source password-dumping utility. Its purpose for incorporating Mimikatz is for lateral movement inside compromised networks.
Once it carries out its attack, it may modify the Windows Registry to achieve persistence. It then begins encrypting files that are mostly user-generated using the AES cipher and appends the .dbger extension to each one of the encrypted files. After the encryption, it releases a ransom note in a file named “_How_to_decrypt_files.txt” which contains the following message:
“Some files have been encrypted
Please send ( 1 ) bitcoins to my wallet address
If you paid, send the machine code to my email
I will give you key
If there is no payment within three days,
we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file.
send three small than 3 MB files to the email address
发送 ( 1 ) 个比特币到我的钱包
发送三个小于 3 MB的文件到邮件
일부 파일이 암호화되었습니다
내 지갑 주소로 ( 1 ) 비트 동전을 보내주세요
이미 지불 한 경우 ,하드웨어 를 내 이메일로 보내주십시오
내가 너에게 비밀 번호를 줄 것이다
3 일 이내에 지불이 완료되지 않으면
더 이상 암호 해독을 지원하지 않습니다
지불 시간을 초과하면 데이터는 일반인에게 공개됩니다
테스트 파일의 암호 해독을 지원합니다
이메일 주소에 3MB 미만의 파일 세 개를 보냅니다
BTC Wallet :3EbN7FP8f8x9FPQQoJKXvyoHJgSkKmAHPY
Your HardWareID: EL889RQ0IFPK0CM5NOGV80WXSO7X13VJX”
How does DBGer ransomware proliferate?
DBGer ransomware proliferates by using the EternalBlue SMB Exploit kit and the Mimikatz exploit as pointed out earlier. That’s why it’s recommended to always keep both your antivirus programs and operating systems updated to fight these exploits.
Use the following removal instructions to obliterate DBGer ransomware from your infected system effectively.
Step 1: Restart your PC and boot into Safe Mode with Command Prompt by pressing F8 a couple of times until the Advanced Options menu appears.
Step 2: Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 3: After loading the Command Prompt type cd restore and hit Enter.
Step 4: After cd restore, type in rstrui.exe and hit Enter.
Step 5: A new window will appear, and then click Next.
Step 6: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the DBGer Ransomware. A dialog box will appear and then click Yes.
Step 7: After System Restore has been completed, try to enable the disabled Windows services.
⦁ Press Win + R keys to launch Run.
⦁ Type in gpedit.msc in the box and press Enter to open Group Policy.
⦁ Under Group Policy, navigate to:
⦁ User Configuration\Administrative Templates\System
⦁ After that, open Prevent access to the command prompt.
⦁ Select Disable to enable cmd
⦁ Click the OK button
⦁ After that, go to:
⦁ Configuration\Administrative Templates\System
⦁ Double click on the Prevent Access to registry editing tools.
⦁ Choose Disabled and click OK.
⦁ Navigate to :
⦁ User Configuration\Administrative Templates\System>Ctrl+Alt+Del Options
⦁ Double click on Remove Task Manager.
⦁ And then set its value to Disabled.
Step 8: Open Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for the malicious processes of DBGer ransomware such as “SF.exe”, “TR.exe” or “BLACKROUTER.exe” and end them all.
Step 9: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK to open the list of installed programs. From there, look for DBGer ransomware or any malicious program and then Uninstall it.
Step 10: Tap Windows + E keys to open the File Explorer then navigate to the following directories and delete the malicious files created by DBGer ransomware such as “_How_to_decrypt_files.txt”.
Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name] this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 12: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 13: Navigate to the paths listed below and delete all the registry values added by DBGer ransomware.
⦁ HKEY_CURRENT_USER\Control Panel\Desktop\
⦁ HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 14: Close the Registry Editor and empty your Recycle Bin.
You have to continue the DBGer ransomware removal process using a reliable program like [product-name] once you’re done with the steps given above. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
⦁ Turn on your computer. If it’s already on, you have to reboot it.
⦁ After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
⦁ To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit Enter.
⦁ Windows will now load the Safe Mode with Networking.
⦁ Press and hold both R key and Windows key.
⦁ If done correctly, the Windows Run Box will show up.
⦁ Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
⦁ After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
⦁ Once the installation process is completed, run [product-code] to perform a full system scan.
⦁ After the scan is completed click the “Fix, Clean & Optimize Now” button.