What is DCRTR ransomware? And how does it execute its attack?
DCRTR ransomware is a file-encrypting virus that appends the .dcrtr extension to the files it targets. The moment it enters a system, this crypto-malware performs a series of unwanted activities that can give it administrative privileges to read and write files on the infected computer. It also modifies the Windows Registry to achieve persistence, which makes its removal a bit harder. After that, it quickly scans the entire drive of the affected PC for files with extensions such as:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
DCRTR ransomware uses a combination of the AES, SHA and RSA algorithms to encrypt the targeted files and then adds the .dcrtr extension to each encrypted file. Following the encryption, the crypto-malware drops its ransom note as a text file named ReadMe_Decryptor.txt, where it states:
“All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
In case of no answer in 24 hours write us to these e-mails:
You have to pay for decryption of Bitcoins. The price depends on how fast you write to us. After payment, we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (now archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also, you can find other places to buy Bitcoins and beginners guide here:
To prove that they really have the DCRTR decryptor and to lure users into paying the ransom, the developers of DCRTR ransomware even offer to decrypt 5 files for free. According to the ransom note, victims should get a response with the amount of Bitcoin they have to pay to use the decryptor, and if they do not receive a reply within 24 hours, they are told to send another email to the address provided by the crooks. If you are one of the victims of this ransomware, know that an offer to decrypt 5 files free of charge does not mean the attackers can be trusted. The best way to deal with this crypto-malware is to remove it immediately and then try to recover the files using other free alternatives.
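The behaviour described above (targeted extensions, the appended .dcrtr suffix and the dropped ReadMe_Decryptor.txt note) gives a responder three concrete indicators to scope an infection with. The following Python triage script is an added example, not code from the article or from the malware; it walks a directory tree, inventories files carrying the .dcrtr suffix by their original extension, flags any whose original extension is not on the list quoted above, and records every folder containing the ransom note. It runs on a constructed sample tree built in a temporary directory, so it can be tried offline; point `triage()` at a real share or profile folder to scope actual damage.

```python
"""
Added triage script (not from the original article): inventories the
damage pattern the article describes, i.e. files renamed with the
appended .dcrtr extension and dropped ReadMe_Decryptor.txt notes.
Runs against a constructed sample tree so it works offline.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".dcrtr"
NOTE_NAME = "ReadMe_Decryptor.txt"

# Subset of the extensions the article lists as targeted by DCRTR.
TARGETED_EXTS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".sql",
    ".zip", ".mp4", ".txt", ".py", ".cpp", ".db", ".tif",
}


def triage(root):
    """Walk `root` and summarise indicators of a DCRTR-style infection.

    Returns a dict with:
      encrypted        - paths of files ending in .dcrtr
      by_original_ext  - count of encrypted files per original extension
      untargeted_hits  - .dcrtr files whose original extension is not on
                         the article's list (worth a second look: either
                         the list is incomplete or the file was misnamed)
      notes            - directories containing a ReadMe_Decryptor.txt
    """
    encrypted, notes, untargeted = [], [], []
    by_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                notes.append(str(Path(dirpath)))
            elif name.lower().endswith(RANSOM_EXT):
                encrypted.append(str(path))
                # "report.docx.dcrtr" -> original suffix ".docx"
                original = Path(name[: -len(RANSOM_EXT)]).suffix.lower()
                by_ext[original or "<none>"] += 1
                if original not in TARGETED_EXTS:
                    untargeted.append(str(path))
    return {
        "encrypted": sorted(encrypted),
        "by_original_ext": dict(by_ext),
        "untargeted_hits": sorted(untargeted),
        "notes": sorted(notes),
    }


def build_sample_tree():
    """Constructed sample (not real victim data): a few encrypted files,
    one untouched file, and a dropped ransom note. Returns the root."""
    root = Path(tempfile.mkdtemp(prefix="dcrtr_triage_"))
    (root / "Documents").mkdir()
    (root / "Pictures").mkdir()
    samples = {
        "Documents/budget.xlsx.dcrtr": b"\x00" * 16,
        "Documents/letter.docx.dcrtr": b"\x00" * 16,
        "Documents/notes.txt": b"still readable",
        "Pictures/holiday.jpg.dcrtr": b"\x00" * 16,
        "Pictures/scan.tiff.dcrtr": b"\x00" * 16,  # .tiff is not on the list
        f"Documents/{NOTE_NAME}": b"All your files have been encrypted ...",
        f"Pictures/{NOTE_NAME}": b"All your files have been encrypted ...",
    }
    for rel, data in samples.items():
        (root / rel).write_bytes(data)
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    print(f"{len(summary['encrypted'])} encrypted files, "
          f"{len(summary['notes'])} ransom notes")
    for ext, n in sorted(summary["by_original_ext"].items()):
        print(f"  {ext}: {n}")
    for p in summary["untargeted_hits"]:
        print(f"  not on the published target list: {p}")
```

The per-extension counts tell you which data sets were hit, and the list of note locations usually maps the folders the malware actually traversed, which helps decide which backups to restore.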
How does DCRTR ransomware disseminate its malicious file(s)?
DCRTR ransomware most likely disseminates its malicious files through spam emails. This is the primary distribution method for this kind of threat, so it is no surprise that DCRTR ransomware also uses it to spread its payload. The malicious attachment may be an executable file (.exe), a PDF file or a document pretending to be sent by a well-known company or group. So if you catch sight of any suspicious-looking or too-good-to-be-true emails, delete them right away, especially if they are full of grammatical errors.
Refer to the removal guide provided below to terminate DCRTR ransomware and all the malicious files it created.
Step 1: Restart your PC into Safe Mode with Networking.
Step 2: Once your computer is done rebooting, tap Ctrl + Shift + Esc to pull up Windows Task Manager and look for DCRTR ransomware’s malicious process and end it.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for DCRTR ransomware or any suspicious program and then Uninstall it/them.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations and look for DCRTR ransomware’s malicious components such as [random].exe as well as its ransom note named ReadMe_Decryptor.txt, and then delete all of them.
- %ALLUSERSPROFILE%\Start Menu\Programs
- %APPDATA%\Microsoft\Windows\Start Menu\Programs
- %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
Step 7: Close File Explorer. Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 8: Tap Win + R to open Run, then type in regedit in the field and tap Enter to pull up the Windows Registry.
Step 9: Navigate to the following path:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 10: Delete the registry keys created by DCRTR ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
Wiping out DCRTR ransomware and its malicious processes is not enough – you have to ensure that all its related files are removed from your computer. To do that, you must follow the advanced removal guide below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you are on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (there must be a single space between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.