DXXD Ransomware - How To Remove?

 

DXXD ransomware was detected on the 26th of September, 2016. As you can see, it is a completely new ransomware threat released. Luckily, it has already been decrypted. The decryption tool is free and safe, and we will provide you with it at the end of the post. Just do not rush utilising it, before you know what you ought to do ahead of that, because you may step on glass.

About DXXD Ransomware

DXXD ransomware virus uses the commonly applied asymmetric encryption algorithm, generally referred to as AES, to encrypt the victim’s data. This crypto-malware aims at various file types, including text, audio and video files, images, such as JPEG, PDF, DOC, MP3 files, etc. It appends .dxxd extension to the filename extensions of the encrypted files. The curious thing about DXXD ransomware is that it does not use a dot before it. So, if you had Sceenery.jpg before this virus has infected your computer, after it has, you will have Sceenery.jpgdxxd. The text file which appears in the folders of encrypted files is called ReadMe.TxT. It contains the following message:

dxxd-ransomware-2-viruses

The contact e-mails are: shellexec@protonmail.com, as the primary one, and null_ptr@tutanota.de, as the secondary one. If you don’t get an answer from both the e-mails provided, you are advised to use Pidgin, the universal chat client, to get in touch with the so-called jabber. We recommend not to write to this cyber criminal and not to pay a single cent he demands you to, as there is a free decryptor for DXXD virus, developed by one of the cyber security experts, available. The link is awaiting you in the last section of the article.

How Has DXXD Ransomware Infected Your Computer?

DXXD file-encrypting virus spreads through fake security alerts. A potential victim receives a message, which is added to the login screen. This warning is supposedly sent by Microsoft Windows Security Center and it informs the user that his computer has become the target of the hackers (how ironical). The user is encouraged to contact those supposed-to-be Microsoft experts by the two e-mails, which are the same ones mentioned previously and are supposed to be used to contact the hackers of DXXD cryptomalware to pay the ransom fee. If you click the OK button present in this fake warning message, the payload of the DXXD ransomware is downloaded on your computer’s system and it starts encrypting your data.

dxxd-ransomware-2-2-viruses

How to Decrypt Files Encrypted by DXXD Ransomware?

The cyber security researcher Michael Gillespie of BleepingComputer, commonly known under his nickname Demonslay335, has released the decryptor for DXXD ransomware. The decrypter looks like this:

dxxd-ransomware-decryptor-2-viruses

It can be found following this link: https://download.bleepingcomputer.com/demonslay335/DXXDDecrypter.zip. But before dragging the pair of unencrypted and encrypted variants of the same file onto the decrypter to have the key for all encrypted files generated, there is a more serious business to do, even if you think differently. Yes, getting your data back is important and it is quite clear that it is your utmost concern at the moment, but if you leave DXXD virus running on your computer’s system, you can easily lose your data again. Thus, copy the infected drive or the bundle of infected data files, depending on the scope of the infection and remove DXXD malware with one of the following tools: Reimage, Spyhunter or Malwarebytes. These malware removal tools will remove the virus automatically, meaning you will not have to lift a finger. Moreover, the latter security software bears a very high degree of efficiency. The manual removal instructions come after the post. After you have removed the malware one way or another, you are free to use the decryptor provided and retrieve your precious data.

How to recover DXXD Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again. CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before DXXD Ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of DXXD Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to DXXD Ransomware. You can check other tools here.


Step 3. Restore DXXD Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually DXXD Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.


Previous version
b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover DXXD Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files. Data Recovery Pro

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

     
 

About the author

 - Main Editor
I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
 
September 28, 2016 03:39, July 18, 2017 08:28
 
   
 

Leave a Reply

Your email address will not be published. Required fields are marked *