What is DCRTR .Crypt ransomware? And how does it implement its attack?
DCRTR .Crypt ransomware is a crypto-virus that was discovered in the first week of November 2018. This crypto-malware is a variant of DCRTR ransomware, hence the name. The crooks behind this ransomware uses AES encryption algorithm and demands $1,270 in BTC in exchange for file recovery.
The instant its malicious payload is dropped in the system, DCRTR .Crypt ransomware will establish a connection to a remote Command and Control server where it downloads several other components. These components are then placed on system folders and are used to launch and repress system processes. This means that the crypto-malware has complete control in the system. Moreover, DCRTR .Crypt ransomware also employs a data gathering module used to obtain data in the system. The data obtained is then used for another module called stealth protection. In this module, the crypto-malware prevents any security programs in the system from interfering with its attack. It also modifies the Windows Registry making its attack persistent.
Following all the system alterations, DCRTR .Crypt ransomware will begin encrypting its targeted files using the AES cryptography. After the encryption, it adds the .crypt suffix to every affected file and drops several files in the system like the text file named “HOW TO DECRYPT FILES.txt” which contains the following message:
“***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .CRYPT
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
—————————————————————————————-
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://crypt443sgtkyz4l.onion/942a6d15e7378b***
| 4. Follow the instructions on this page
—————————————————————————————- On our page you will see the payment instructions and will be able to decrypt 1 file for free with the extension “.exe”.
Attention!
TO PREVENT DATA CORRUPTION:
– do not modify files with extension.crypt
– do not run anti-virus programs, they may remove information to contact us
– do not download third-party file descriptors, only we can decrypt files!”
How does DCRTR .Crypt ransomware spread over the web?
DCRTR .Crypt ransomware spreads the web in the guise of a Windows Defender update. This update is actually fake and can mostly be found on suspicious sites that offer not just fake software update but also software. Thus, you must be careful in what you download online and make sure that when you update your computer or any programs, do so using a legitimate and trusted source.
Refer to the removal guide provided below to terminate DCRTR .Crypt ransomware and all the malicious files it created.
Step 1: Restart your computer into Safe Mode with Networking.
Step 2: Once your computer is done rebooting, tap Ctrl + Shift + Esc to pull up Windows Task Manager and look for the malicious process of DCRTR .Crypt and end it.
Step 3: Open the Programs and Features section in Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for DCRTR .Crypt ransomware or any suspicious program and then Uninstall it/them.
Step 5: Close Control Panel and tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations below and look for DCRTR .Crypt ransomware’s malicious components such as wdm.exe, HOW TO DECRYPT FILES.txt, [random].exe, FileCryptor.pdb and then delete all of them.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Desktop
- %USERPROFILE%\Downloads
- %ALLUSERPROFILE%\Start Menu\Programs
- %APPDATA%\Microsoft\Windows\Start Menu\Programs
- %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
Step 7: Close the File Explorer. Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name], this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 9: Navigate to the following path:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\
- HKLM\SOFTWARE\Microsoft\Tracing\
Step 10: Delete the registry keys created by DCRTR .Crypt ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
For File Recovery, this is what you have to do:
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if DCRTR .Crypt ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Obliterating DCRTR .Crypt ransomware and its malicious processes is not enough – you have to ensure that all its related files are removed from your computer. To do that, you must follow the advanced removal guide below.
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed click the “Fix, Clean & Optimize Now” button.
