DCRTR-WDM virus - How to remove

DCRTR-WDM ransomware

Earlier this November 2018, cyber researchers noticed a new cryptovirus variant spreading in the virtual world, compromising English speaking user computers and trading the decryptor for a ransom. This ransomware is called WDM or DCRTR-WDM virus because it’s an updated version of another crypto-demanding infection – DCRTR. The new cyber threat uses AES cipher to lock victim’s data, .crypt name extension, text format ransom note and Bitcoins (0,19BTC or $1270 USD) as a payment method, all usual for these kinds of viruses. 

Though, there is something about this ransomware virus, that makes it more unique. It’s the payment website to which DCRTR-WDM cryptovirus’ victims are lead after following the Tor link mentioned in the ransom note. This website seems like a copy of GandCrab virus so it raised a bit of commotion amongst the affected users, which thought that they caught the actual notorious .Crab ransomware. That is not true and DCRTR-WDM ransom demanding infection seems to be developed by hackers, that just based this virus on the samples, which can be found online. 

In this article, we’ll explain more about how DCRTR-WDM virus operates, why it is the way it is, how to get rid of it and probably restore locked data. So, please, don’t interact with hackers before you read this.

How does DCRTR-WDM cryptovirus work

DCRTR-WDM is a ransomware, meaning that the main goal of developers is to encrypt victim’s files (all except for the System data so computer would still work), making valuable digital information and memories unreachable without a special decryption key, and offering to buy it for a certain amount of money. In this situation, DCRTR-WDM actors are using the AES algorithm to perform the encryption and asking for $1270 or 0,19BTC as a ransom. You can easily see which files are affected by the ‘.crypt’ extension appended at the end of their names. Eg. ‘HolidaysInBali.jpg’ become ‘HolidaysInBali.jpg.crypt’. 

DCRTR-WDM ransomware payment page thor link

Although the processes of the Infection and encryption are silent, in the end, DCRTR-WDM ransomware has to present itself to the victim and do it in a scary manner to influence making the payment. This technique of cyber crimes is dying off and is replaced by crypto miners, scams and adware, but the infection rate is still significant.

The borrowed scareware features, that DCRTR-WDM virus implements into its performance, are file marking with the appendix and the ransom note, explaining everything. ‘HOW TO DECRYPT FILES.txt’ note is dropped on the desktop with a content saying: 

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****

Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .CRYPT
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
—————————————————————————————-
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser:  http://crypt443sgtkyz4l.onion/942a6d15e7378b***
| 4. Follow the instructions on this page
—————————————————————————————-   On our page you will see the payment instructions and will be able to decrypt 1 file for free with the extension “.exe”.
Attention!
TO PREVENT DATA CORRUPTION:
– do not modify files with extension.crypt
– do not run anti-virus programs, they may remove information to contact us
– do not download third-party file descriptors, only we can decrypt files!

When you leave the text file and follow the Tor link, you end up on a page that is almost identical to the GandCrab’s site.

We are sorry, but your files have been encrypted!
Don’t worry, we can help you to return all of your files!
Files decryptor’s price is 1270 USD
Every day the price increases by $ 50 !
What the matter?
Your computer has been infected with Ransomware. Your files have been encrypted and you can’t decrypt it by yourself.
In the network, you can probably find and third-party software, but it won’t help you, it only can make your files undecryptable
What can I do to get my files back?
You should buy Decryptor. This software will help you to decrypt all of your encrypted files and remove Ransomware from your PC.
Current price: 1270 USD. As payment, you need cryptocurrency Bitcoin
What is cryptocurrency and how can I purchase Decryptor?
You can read more details about cryptocurrency at Google or here.
As payment, you have to buy Bitcoin using a credit card, and send coins to our address.
How can I pay to you?
You have to buy Bitcoin using a credit card. Links to services where you can do it: Bitcoin exchanges list
After it, go to our payment page Buy Decryptor, choose your payment method and follow the instructions

At the moment the Average ransom is around a 1000$, so DCRTR-WDM cryptovirus is asking for a reasonable amount, yet, don’t rush to pay anything, because we might help you not only save these 1270USD, but possibly restore the affected files, just you keep reading further.  

How does DCRTR-WDM ransomware spread

DCRTR-WDM cryptovirus, just like other ransomware, such as SnowPicnicM@r1a or CommonRansom, disseminates through malspam. Crooks send out thousands of emails, which can be randomly generated, stolen from some databases or bought on the Deep Web. These bogus messages are very short and convincing, asking for an immediate attention to the attachment which is either .pdf or .docx file. That file, unfortunately, contains DCRTR-WDM ransomware installer and once Macros are enabled the infection is started. 

DCRTR-WDM ransomware virustotal.com scan

These hacker emails can look like a Resume, invoice, complaint, hospital data confirmation email and etc. Crooks use their best Social engineering skills to develop a message that would be suitable for you and environment so that you’d open the document and accidentally install malware. Macros are legitimate programs in MS Word, that is why your antivirus does not detect anything prior. Only after you click on the fateful ‘Enable Macros’ button inside that .docx file, then the security tools will react, but it will be too late because it takes only a couple seconds for the DCRTR-WDM ransomware to install and lock all the file. 

How to remove DCRTR-WDM ransomware from Windows and restore files

The best technique for DCRTR-WDM virus removal is a trustworthy malware eliminating program like SpyHunter, Malwarebytes There are many security tools which help to delete all kinds of virtual threats from the PC, yet the ones we’ve just mentioned are for sure tested, reliable and sophisticated, unlike some other rogue antivirus. The best part is that the software does everything for you and deletes malicious DCRTR-WDM ransomware files even from the directories that are not accessible for the regular user.

Once the PC is fully clean, then you can try getting your locked files back. There are a few possible ways to do so. Right now, a special decryption tool is not released yet, but don’t be discouraged and keep checking the Nomoreransom.org page for updates. Possibly, DCRTR-WDM ransomware did not delete your Shadow Volume Copies and some files could be restored from them by following our guide at the end of the article or with certain programs listed there as well. Lastly, if above-mentioned methods did not seem to work, store the encrypted and .crypt marked files somewhere in the PC and wait a bit until the official decryptor comes out. 

Automatic Malware removal tools

Download Spyhunter for Malware detection
(Win)

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection
(Mac)

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

How to recover your PC from DCRTR-WDM virus infection

Users who spend their precious time or put efforts to set an automatic backup program are the lucky ones in case of DCRTR-WDM virus infection because then they can restore their Windows back to normal without any special program by following our guide below. You should select the restore point right before the infection to recover most of the encrypted files.

For those who do not have their system backed up, manual removal is not the best option and it’s better to go with an antispyware tool. If the automatic method is out of the question, such users can only perform the full System Restore, which will wipe out Windows from DCRTR-WDM ransomware but then all the stored information will be lost too.


How to recover DCRTR-WDM virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode
 

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before DCRTR-WDM virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3
 

Step 2. Complete removal of DCRTR-WDM virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to DCRTR-WDM virus. You can check other tools here.  

Step 3. Restore DCRTR-WDM virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually DCRTR-WDM virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover DCRTR-WDM virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *