Dewar Ransomware

It looks like Dewar Ransomware is a new variant of Phobos Ransomware that comes from the Crysis/Dharma Ransomware family. Same as the other threats from this family, it targets various files that could be valuable to victims and then encrypts them to make them unusable. While it is possible to reverse what the malware does to victims’ files, it might be impossible to obtain the software that is necessary for such a task. That is because the malicious application developers might be the only ones who could have the needed decryptor. These people could promise to deliver it for a particular amount of money, but there is always a risk that they might not hold on to their end of the deal. Naturally, we advise not to trust the malware’s developers and pay no attention to their ransom note if you have no intention to fund them. To find more about Dewar Ransomware, we invite you to read the rest of this article.

The first thing that the malware ought to do after it infects a system is to create a few files that would allow it to auto-start with Windows. You can find the list of the locations where the malware should place its data in the deletion steps placed below this article. After settling in, Dewar Ransomware should look for data that it could encrypt. Our researchers say that the threat should look for personal files, for example, photos, text documents, and so on. Also, all of the malicious application’s encrypted files can be recognized just by looking at them because they ought to have a specific extension, for example, picture.jpg.id[2A9Q041A-1630].[kryzikrut@airmail.cc].dewar. The characters in the square brackets should be random, but unique to each victim.

Next, Dewar Ransomware should create a couple of ransom notes. The one placed in a text document (info.txt) should have a short message that tells what happened to a victim’s data and how to contact the hackers who could restore it. The second ransom note available on a file called Info.hta should be much longer. It not only explains that the victim’s files were encrypted and how to contact the threat’s developers to receive decryption tools but also offers free decryption services. Plus, the longer note says that a user would have to pay to receive decryption software and that the price will be decided based on how fast he gets in touch with the Dewar Ransomware’s creators.

Needless to say that we do not recommend rushing anywhere. Before you decide whether you should pay or not, you should ask yourself if your files would be worth the money you spend. Besides, Dewar Ransomware’s victims ought to know that even if hackers say that they can guarantee that they will get the promised decryption software, in reality, there are no reassurances. After paying a ransom, you would have to wait for the promised decryption tools, and there is a possibility that Dewar Ransomware’s developer may not bother sending them or could ask you for even more money. This is why we advise you not to rush into anything and consider the hackers’ proposal carefully.

Besides knowing what the malicious application does, we also think it is essential to understand how it could infect a computer. Such knowledge could help you avoid threats similar to Dewar Ransomware in the future. Our researchers say that the malware could enter a system with unreliable data downloaded or received from the Internet. For example, the malware’s installer could come as an email attachment, or you could be tricked into thinking that it is a software installer or an update on some untrustworthy file-sharing site. Therefore, we always advise keeping away from any data if you do not know that it is harmless for sure. To find out, you could scan files obtained from doubtful sources with a reputable antimalware tool.

No matter what you decide to do about the hackers’ proposal to purchase decryption tools from them, we advise deleting Dewar Ransomware. That is because if you restart your system, the malware might auto-start, and if it does, it could encrypt new data. If you want to try to remove the malicious application manually, we can offer our deletion steps placed at the end of this article. You can also eliminate Dewar Ransomware with a chosen antimalware tool, just make sure that the tool is legitimate and capable of dealing with such a threat.

Erase Dewar Ransomware

1. Click Ctrl+Alt+Delete.
2. Choose Task Manager and select Processes.
3. Find a process belonging to the threat.
4. Mark it and click End Task.
5. Exit Task Manager.
6. Click Win+E.
7. Find these paths:
   %TEMP%
   %USERPROFILE%\Downloads
   %USERPROFILE%\Desktop
8. Locate the malicious application’s launcher (some suspicious file downloaded before the infection appeared).
9. Right-click it and select Delete.
10. Find these locations:
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    %WINDIR%\System32
    %APPDATA%
11. Locate files called Info.hta, right-click them and select Delete.
12. Find these specific Startup directories:
    %WINDIR%\System32
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
13. Find suspicious executable files, for example, file.exe; right-click them and choose Delete.
14. Exit File Explorer.
15. Press Win+R.
16. Insert Regedit and click Enter.
17. Find the given directory: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
18. Search for value names dropped by the threat, e.g., {random title}.exe, right-click them, and select Delete.
19. Exit Registry Editor.
20. Empty Recycle Bin.
21. Restart the computer.