What is Desu ransomware? And how does it execute its attack?
Desu ransomware is a dangerous file-encrypting virus, discovered recently, that not only encrypts files but also modifies the Master Boot Record (MBR) of the infected computer. It uses the .desu extension to mark its encrypted files and demands $200 from its victims.
Once it infects a computer, it drops a malicious payload that establishes a connection between the infected computer and a remote server controlled by the attackers. From this server, several malicious components are downloaded and placed in the system folders; they help Desu ransomware execute its attack. It also modifies entries and sub-keys in the Windows Registry so that it runs on every system boot. After these changes are made, it scans the computer for files with the following extensions:
.pdf, .db, .doc, .docx
Once it finds the files it’s looking for, Desu ransomware begins encrypting them. According to security researcher Michael Gillespie, this crypto-malware may be using the Tiny Encryption Algorithm (TEA) or the Extended Tiny Encryption Algorithm (XTEA). After encryption, it appends the .desu extension to each encrypted file and opens the following ransom message:
“==============================# desu ransomware #==============================
SORRY! Your files are encrypted.
File contents are encrypted with a random key.
we STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get the private key.
In order to get private key, right here:
And send me your id: [redacted]!!
And pay 200$ on 1ARDXRQsvnsYiM5jZczFagtCrAzSFC1Qmy wallet
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
==============================# desu ransomware #==============================”
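The following PowerShell triage script is an added example, not code from the original article or from the malware: it inventories files carrying the .desu marker, recovers their original extensions to compare against the targeted list above, and locates copies of the ransom note by the banner line quoted above. It assumes the note's file name is undocumented (so small text-like files are scanned for the banner) and that $Root and $Report are chosen by the analyst.

```powershell
# Added triage example (not from the original article or the malware authors):
# inventory files marked with the .desu extension and locate ransom notes by the
# banner line quoted above. Assumptions: the note's file name is undocumented, so
# small text-like files are scanned for the banner; $Root is the analyst's choice.
param(
    [string]$Root   = $env:USERPROFILE,
    [string]$Report = (Join-Path $env:TEMP 'desu-triage.csv')
)

$TargetedExt = @('.pdf', '.db', '.doc', '.docx')   # extensions the article says Desu targets
$Banner      = '# desu ransomware #'               # line framing the ransom note

# Every file ending in .desu; strip the appended marker to recover the original extension.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.desu' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $orig = $_.Name -replace '\.desu$', ''
        [pscustomobject]@{
            Path        = $_.FullName
            OriginalExt = [System.IO.Path]::GetExtension($orig).ToLower()
            SizeBytes   = $_.Length
            ModifiedUtc = $_.LastWriteTimeUtc
        }
    })

# Ransom notes: small text-like files whose content carries the banner.
$notes = @(Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 64KB -and ($_.Extension -in @('.txt', '.html', '.hta', '')) } |
    Where-Object { Select-String -Path $_.FullName -Pattern ([regex]::Escape($Banner)) -Quiet -ErrorAction SilentlyContinue })

# Summary: volume, which document types were hit, and when encryption started.
$inScope = @($encrypted | Where-Object { $TargetedExt -contains $_.OriginalExt }).Count
Write-Host ("Encrypted (.desu) files: {0}, of which {1} are documented target types" -f $encrypted.Count, $inScope)
$encrypted | Group-Object OriginalExt | Sort-Object Count -Descending |
    ForEach-Object { Write-Host ("  {0,-8} {1}" -f $_.Name, $_.Count) }
if ($encrypted.Count -gt 0) {
    $first = ($encrypted | Sort-Object ModifiedUtc | Select-Object -First 1).ModifiedUtc
    Write-Host ("Earliest encrypted-file timestamp (UTC): {0}" -f $first)
    # Keep the inventory: the list of affected files must survive cleanup or reimaging.
    $encrypted | Export-Csv -Path $Report -NoTypeInformation
    Write-Host "Inventory written to $Report"
}
Write-Host ("Ransom notes found: {0}" -f $notes.Count)
$notes | ForEach-Object { Write-Host ("  " + $_.FullName) }
```

Run it from Safe Mode before deleting anything, so the exported inventory records which files were hit and when, which is also what a backup restore needs to cover.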
How does Desu ransomware spread online?
Desu ransomware may spread online through the most common distribution method used by ransomware developers: malicious spam email campaigns. Crooks usually attach an infected file containing malicious scripts that launch the crypto-malware on the computer. You therefore need to be extra careful when opening emails and downloading attachments, as they could contain the malicious payload of dangerous ransomware threats like Desu ransomware.
Follow the removal instructions prepared below to eliminate Desu ransomware from your PC.
Step 1: Restart your PC and boot into Safe Mode with Command Prompt by pressing F8 repeatedly until the Advanced Options menu appears.
Step 2: Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 3: After the Command Prompt loads, type cd restore and hit Enter.
Step 4: After cd restore, type in rstrui.exe and hit Enter.
Step 5: A new window will appear, and then click Next.
Step 6: Select any of the Restore Points on the list and click Next. This will restore your computer to its state before it was infected with Desu ransomware. A dialog box will appear; click Yes.
Step 7: After System Restore has completed, try to re-enable the Windows tools that were disabled (Command Prompt, Registry Editor and Task Manager).
- Press Win + R keys to launch Run.
- Type in gpedit.msc in the box and press Enter to open Group Policy.
- Under Group Policy, navigate to:
- User Configuration\Administrative Templates\System
- After that, open Prevent access to the command prompt.
- Select Disabled to re-enable cmd.
- Click the OK button.
- After that, go to:
- Configuration\Administrative Templates\System
- Double-click Prevent access to registry editing tools.
- Choose Disabled and click OK.
- Navigate to:
- User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options
- Double-click Remove Task Manager.
- Set its value to Disabled.
Step 8: Open Task Manager by pressing Ctrl + Shift + Esc at the same time. Go to the Processes tab, look for the malicious processes of Desu ransomware, such as “random.exe” and “explorer.exe”, and end them all.
Step 9: Open Control Panel by pressing the Windows key + R to launch Run, type appwiz.cpl in the box and click OK to open the list of installed programs. From there, look for Desu ransomware or any other malicious program and Uninstall it.
Step 10: Tap Windows + E keys to open the File Explorer then navigate to the following directories and delete the malicious files created by Desu ransomware such as [random].exe.
Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a major impact on your computer. To save you the trouble and time, you can just use [product-name]; this system tool is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 12: Tap Win + R to open Run, type regedit in the field and press Enter to open the Windows Registry.
Step 13: Navigate to the paths listed below and delete all the registry values added by Desu ransomware.
- HKEY_CURRENT_USER\Control Panel\International
- HKEY_CURRENT_USER\Keyboard Layout\Preload
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Step 14: Close the Registry Editor and empty your Recycle Bin.
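As an added example (not part of the original guide), this PowerShell script does the work of Step 7 from the command line and then lists the autorun registry locations worth reviewing, given that the article says Desu registers itself to run on every boot. It assumes the three Group Policy settings named in Step 7 map to the DisableCMD, DisableRegistryTools and DisableTaskMgr policy values; which autorun entry Desu actually uses is not documented, so the Run keys are only listed for manual review, not modified.

```powershell
# Added example (not from the original article): command-line equivalent of Step 7,
# plus a listing of the autorun keys commonly abused for boot persistence.
# Assumption: the gpedit settings in Step 7 correspond to these policy values; the
# Run/RunOnce entries are only displayed because Desu's exact entry is undocumented.
[CmdletBinding(SupportsShouldProcess)]
param()

$Restrictions = @(
    @{ Policy = 'Prevent access to the command prompt'
       Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' },
    @{ Policy = 'Prevent access to registry editing tools'
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Policy = 'Remove Task Manager'
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
)

foreach ($r in $Restrictions) {
    $value = (Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    if ($null -eq $value -or $value -eq 0) {
        Write-Host ("[ok]      {0}: not restricted" -f $r.Policy)
        continue
    }
    Write-Host ("[FOUND]   {0}: {1}={2}" -f $r.Policy, $r.Name, $value)
    # Removing the value is the same as choosing 'Disabled' in the Group Policy Editor.
    # Run the script with -WhatIf first: a domain policy may set these values legitimately.
    if ($PSCmdlet.ShouldProcess("$($r.Key)\$($r.Name)", 'Remove restriction')) {
        Remove-ItemProperty -Path $r.Key -Name $r.Name
        Write-Host ("[cleared] {0}" -f $r.Policy)
    }
}

# Autorun locations to review by hand: an entry pointing at a random-looking .exe
# in a user-writable folder deserves a closer look before the next reboot.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Write-Host ("{0}  {1} = {2}" -f $k, $_.Name, $_.Value) }
}
```

Save it as a .ps1 file and run it from an elevated Safe Mode prompt; `-WhatIf` previews which policy values would be removed without touching the registry.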
You have to continue the Desu ransomware removal process using a reliable program like [product-name] once you’re done with the steps given above. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed, click the “Fix, Clean & Optimize Now” button.