Dablio ransomware - How to remove

Dablio virus is a recently discovered ransom-demanding malware that has been actively threatening users since the first week of December 2018. This ransomware works just like any other cryptovirus: it encrypts the victim’s files and asks for a payment in exchange for the unique decryption key.

However, one feature sets Dablio ransomware apart from other viruses: it is written in Python. Even though a few malware variants have been made using this programming language, e.g. HolyCrypt, Striked, Fatboy, it is still not a common characteristic among crypto viruses, but that does not mean that Dablio virus is not decryptable.

On the contrary, if your system has been compromised by Dablio cryptovirus, do not rush into contacting the crooks and paying the expensive ransom. According to cybersecurity experts, this new ransomware can be unlocked for free, restoring all your unavailable data. Therefore, keep reading this article to find out what you can do if Dablio ransomware sneaks into your system.

How to recognize Dablio virus

Dablio virus was first found and reported by malware researcher Karsten Hahn on Twitter. The threat expert noted that this ransomware is written in Python and that it is widely detected by antivirus programs on VirusTotal.com. Other cybersecurity enthusiasts also soon figured out that Dablio cryptovirus uses the fastest AES algorithm to encrypt files, the [email protected] contact email, and the prefix ‘(encrypted)’, which marks all affected files.

Bottom line up front, Dablio ransomware is a type of threat, like FilesLocker, Ghost, Lolita, that will hardly be mistaken for some other virus. The reason is its various scareware features, which help this crypto infection convince victims to pay the crooks to get their files back. Ransom is the only way ransomware developers earn their money, so they make sure that infected users are fully aware that their files have been locked by the virus and will not be accessible unless the payment is made.

For the scaring effect, Dablio virus uses the ‘(encrypted)’ string, which is added in front of the locked file’s name. For example, ‘familypicture.jpg’ after Dablio encryption becomes ‘(encrypted) familypicture.jpg’. This is already a unique characteristic for ransomware, because other variants add their specific appendix at the end of the name. The virus compromises the most precious personal files, like pictures, videos, documents, etc., which have the biggest value to the victim; this pushes users to take action and save their virtual memories, no matter how much it costs.

Another telltale sign of Dablio virus is the ransom note lock-screen, which appears after the threat settles in. It says:
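To gauge how far the encryption reached, the prefix described above can be searched for directly. The following Python script is an added example, not part of the original article or any official tool: it counts marked files per folder and reports the earliest modification time among them, which is useful when choosing a restore point that predates the infection. The function names and the assumption that a file's modification time approximates when it was encrypted are this example's own.

```python
import os
from collections import Counter
from datetime import datetime, timezone

PREFIX = "(encrypted)"  # marker the article says Dablio puts in front of file names


def original_name(name):
    """Return the pre-encryption file name, or None if the file is not marked."""
    if not name.startswith(PREFIX):
        return None
    rest = name[len(PREFIX):].lstrip()  # the article's example has a space after the prefix
    return rest or None


def survey(root):
    """Walk root and summarise every file carrying the prefix."""
    hits, per_dir, earliest = [], Counter(), None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            hits.append((path, orig))
            per_dir[dirpath] += 1
            earliest = mtime if earliest is None else min(earliest, mtime)
    return {"hits": hits, "per_dir": per_dir, "earliest_mtime": earliest}


def report(root):
    """Print a short summary and return the survey result."""
    result = survey(root)
    print(f"{len(result['hits'])} marked file(s) under {root}")
    for directory, count in result["per_dir"].most_common(10):
        print(f"{count:6d}  {directory}")
    if result["earliest_mtime"] is not None:
        # Assumption: the file was rewritten on encryption, so mtime is close to that moment.
        when = datetime.fromtimestamp(result["earliest_mtime"], timezone.utc)
        print("earliest marked file modified (UTC):", when.isoformat())
    return result


if __name__ == "__main__":
    import sys
    report(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~"))
```

Run it against a user profile or a mounted copy of the affected drive; it only reads file names and timestamps and changes nothing.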

#DABLIO

Good Morning. Good afternoon. Good evening.

I’m sorry to inform you that your computer was ENCRYPTED.
ALL YOUR FILES WERE COMMITED.
PAY TO HAVE YOUR FILES IN NORMAL CONDITION.
DO NOT WORRY! EVERYTHING WILL BE BACK.
ACCESS THE WEBSITE WWW.LOCALBITCOIN.COM AND MAKE THE PURCHASE OF
THE BITCOINAND TRANSFER OF THE BITCOIN TO MY WALLET.
AFTER WE SEND UNLOCK CODE OF YOUR FILES.
THANKS;

Email: [email protected]
Cry Now. Laugh Later.
Enter Key for Unlocked your Computer and Files!

As you can see, there will be no problem identifying this malware, as the hackers use several ways to tell you about the infection. As you may also notice from Dablio’s ransom note, the payment amount is unclear and can be different for each individual. Typically, ransom payments range from a couple hundred to several thousand dollars; the average now is $1000 USD. Yet, no matter whether you have a spare thousand in your bank account or not, interacting with crooks is never a good idea, because very often, even after the transaction, ransomware victims don’t receive any answer from the developers. In such a situation, it is best to follow the instructions recommended by the 2-viruses.com team for Dablio virus removal and free data recovery.

How to delete Dablio virus and unlock files

The goal when dealing with ransomware like Dablio virus is to first remove the malware and all malicious data and then restore encrypted information. The reason why crypto viruses are considered to be the most notorious is that even after the complete removal of the infectious agent, the consequences won’t disappear and a victim will not be able to access their data without a unique key, which only the hackers know.

In order to complete the first step, you should get a special malware removal tool like Spyhunter, which will be able to take care of the Dablio ransomware infection right away. After the full system scan, these anti-spyware programs will discover the harmful threat along with other suspicious software and guide you through a very easy removal. Only when your system is perfectly clean can you begin unlocking your data.

Luckily, Dablio virus is decryptable for free, but while the official tool is yet to be released on Nomoreransom.org, you can contact the same malware expert, K. Hahn, on Twitter for help unlocking your precious data. It is known that this crypto infection deletes shadow copies, therefore manual recovery is of little use, except for restoring from backups.

Automatic Malware removal tools

Download Spyhunter for Malware detection
(Win)

Note: Spyhunter trial provides detection of parasites and assists in their removal for free.

Download Combo Cleaner for Malware detection
(Mac)

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free.

How to fix Dablio ransomware infection manually

Responsible computer owners will find manual Dablio virus removal and file restore instructions below, which are useful if followed correctly. Mind you, this type of recovery is only suitable for those who have proper system restore points; if you do not, and you have important files to recover, please follow the automatic Dablio ransomware elimination guide above. Lastly, if you don’t care about the files, a fresh start after full System Restore is the best option for you.


How to recover Dablio ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Dablio ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Dablio ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Dablio ransomware.

Step 3. Restore Dablio ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Dablio ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Dablio ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
