Dxh26wam ransomware - How to remove?

UAB DIGIMA

Dxh26wam crypto-virus targets people all around the globe, from the United States to China, Italy, France, Germany, Spain, Portugal and the Netherlands, as its ransom notes can be displayed in these languages. The random-looking name is actually derived from the payload with which this infection contaminates devices. The malware shows a window with instructions that is almost identical to the one belonging to CTB-Locker ransomware. According to the researchers who analyzed the Dxh26wam virus, it emerged at the end of March and its creators built the file-encryption routine in the Python programming language. The infection prevents users from fully accessing their devices: the screen-locker that Dxh26wam displays is described in the following section, which analyzes this sample in more depth. In recent months there have been several variants that attempted to copy CTB-Locker but turned out to be unrelated to the original.

Summary of Dxh26wam ransomware

Dxh26wam ransomware is detected by a number of anti-malware tools under names such as Python/Filecoder.P, Trojan.Python.Filecoder, Trojan.GenericKD.4674724, Ransom_PHYTOCRYP.A and Trojan.Generic.D4754A4. The ransomware encrypts files with a combination of two ciphers, AES and RSA. AES is used to encrypt the files in various folders, rendering them useless; the ruined data also receives an additional extension, .crypted. RSA is then applied to the private decryption key, which is stored on servers belonging to the hackers.

Dxh26wam crypto-virus drops HowDecryptMyFiles.lnk, which triggers the screen-locker. A UI.exe file runs and displays the ransom note, available in eight different languages. The crooks warn victims not to turn off their devices, run anti-malware tools or disconnect from the Internet, claiming that any of these actions will damage the files. Victims are given approximately 4 days to purchase bitcoins and send them to a specific wallet.

The Dxh26wam virus gives its victims precise instructions on how the payment should be made and how the files are supposed to be decrypted. It takes about half an hour for the crooks to notice a payment. Nevertheless, victims should not carry out the steps listed in the instructions, as that will not bring any positive results. The ransom the infection demands ranges from 0.2 to 0.3 BTC.

Dxh26wam virus is presumably delivered to users as an NSIS installer that bundles a Python package responsible for the file-encryption process. The ransomware also requires an Internet connection, since it has to contact a C&C server and stays in constant contact with the hackers. According to the research on this infection, victims will have no way of restoring files from Shadow Volume Copies: Dxh26wam ransomware runs a command to delete them.
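As an added triage check (not part of the original article), the following PowerShell script looks for the indicators described in this section on a suspect Windows host: files with the .crypted extension, the HowDecryptMyFiles.lnk and UI.exe artifacts, a running UI.exe process, and whether any Volume Shadow Copies survived. The $Paths default, the $Limit parameter and the VSS service check are my assumptions; the script only reports and removes nothing.

```powershell
# Added triage script, not from the original page. It only reports; it changes nothing.
# Assumption: run from an elevated PowerShell session on the suspect Windows host,
# because "vssadmin list shadows" needs administrative rights.
param(
    [string[]]$Paths = @("$env:USERPROFILE"),   # where to look for encrypted data (assumed default)
    [int]$Limit = 20                            # how many hits to print per category
)

# 1. Encrypted data: Dxh26wam appends the ".crypted" extension to the files it ruins.
$crypted = @(Get-ChildItem -Path $Paths -Recurse -File -Filter '*.crypted' -ErrorAction SilentlyContinue)
Write-Host ("[{0}] files with the .crypted extension" -f $crypted.Count)
$crypted | Select-Object -First $Limit FullName, LastWriteTime | Format-Table -AutoSize

# 2. Dropper artifacts named in the analysis: the .lnk that triggers the screen-locker
#    and the UI.exe binary that renders the multilingual ransom note.
$artifacts = @(Get-ChildItem -Path $Paths -Recurse -File -Include 'HowDecryptMyFiles.lnk','UI.exe' -ErrorAction SilentlyContinue)
Write-Host ("[{0}] ransom-note / screen-locker artifacts" -f $artifacts.Count)
$artifacts | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 3. A live screen-locker process (UI.exe) is the strongest sign the infection is still active.
$locker = @(Get-Process -Name 'UI' -ErrorAction SilentlyContinue)
if ($locker.Count -gt 0) {
    Write-Host "[!] UI.exe is running:"
    $locker | Select-Object Id, Path, StartTime | Format-Table -AutoSize
} else {
    Write-Host "[ok] no UI.exe process found"
}

# 4. Shadow copies: the malware issues a command to delete them, so check what survived
#    before attempting the Shadow Volume Copy recovery step. The VSS service state is
#    shown too, since a stopped service explains an empty listing.
Get-Service -Name VSS | Select-Object Name, Status, StartType | Format-Table -AutoSize
vssadmin list shadows
```

Run it before any cleanup so the listing of surviving shadow copies can guide which recovery step below is worth trying.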

Alternative methods of restoring files

After the Dxh26wam virus displays its lock-screen, victims will not be able to see their data. Before you can do anything, you have to get your system to boot fully; you can attempt to start it in Safe Mode. Then copy all of the encrypted data and place it somewhere safe. Why? Because you have to remove the infection before moving on to decryption, and during the deletion of the ransomware Dxh26wam might permanently delete all of the encoded data. After you carry out these three actions, you can try restoring files with universal file-recovery tools. The good news is that users who had stored their files in backups before the ransomware appeared will have no problem retrieving them from there.

What can be the source of Dxh26wam ransomware?

The Dxh26wam virus can be delivered to users via a number of deceptive tricks. First of all, emails carrying malicious attachments are one of the leading sources of ransomware. In addition, infectious content can be found on suspicious websites and in advertisements. Trojans can also pose as legitimate software applications while in reality trying to distribute malware. For the removal of Dxh26wam ransomware, you should take advantage of anti-malware tools. Reimage, Spyhunter or Hitman will not encounter issues detecting and removing this infection. Instructions for decryption and manual removal are included below as well.


How to recover Dxh26wam ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start > Shutdown > Restart > OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot > Advanced Options > Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before the Dxh26wam virus infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of PyCL ransomware

After restoring your system, it is recommended that you scan your computer with an anti-malware program, like Reimage, and remove all malicious files related to Dxh26wam ransomware.


Step 3. Restore Dxh26wam virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually PyCL ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties > Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Dxh26wam ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


Dxh26wam ransomware screenshots

March 29, 2017 00:14


One thought on “Dxh26wam ransomware”

  1. After a customer of mine was infected with this, I had the unhappy task of trying to get the data back. At this point in time (May 2017) there is NO decryption tool currently available that will work. But for anybody who has been a victim of this, here is what I did to get the data back…
    1. Run Malwarebytes and ADW Cleaner* (or any other good anti-malware solution). Run multiple times (including running in Safe Mode) until clear.
    2. When clear, roll back (System Restore) to before infection.
    3. After restore, run Malwarebytes/ADW Cleaner* again (just to be sure).
    4. Recover data using Shadow Copy (restore previous versions).
    This malware destroys shadow copies and stops the service from running, but it would appear that if Shadow Copies was running before infection, a System Restore gets it back. It won’t bring back your documents etc., but it will bring back their shadow copies.
    Can’t guarantee it will work for everyone, but I hope this helps someone.

    *Yes, I know ADW Cleaner is part of Malwarebytes, but I found that ADW Cleaner (the stand-alone program) would find things that Malwarebytes didn’t.
