A new threat has been detected infecting computer users. It is called Dxh26wam ransomware and appears to be named after the executable file that starts the attack. Dxh26wam is a crypto ransomware that encrypts target data using a combination of the AES and RSA algorithms. The extension .crypted appended to the original filename marks a file as encrypted. Another file associated with Dxh26wam is How_Decrypt_My_Files, the ransom note dropped by the attackers to tell victims what has happened to their files and how to proceed with the ransom payment.
In this article, we reveal more information about the Dxh26wam ransomware and provide removal and file recovery steps. No decryptor for .crypted files exists at the time of writing, so recovery here means restoring from backups or other copies, not breaking the encryption.
Dxh26wam Ransomware Details
Dxh26wam.exe is the file that starts the infection once it runs on the computer. Data-locker ransomware like Dxh26wam is usually designed to scan all drives for the file types on its target list and encrypt each matching file with strong encryption. Analysis of Dxh26wam samples shows that the threat uses two algorithms, AES and RSA. This is consistent with the common hybrid design, in which a symmetric AES key encrypts the file contents and an RSA public key protects that AES key, so the data cannot be recovered without the RSA private key, which only the attackers hold. The targets are essential user data such as documents (Microsoft Office, TXT and PDF), photos, databases, archives, videos, project files and so on. At the end of the encryption phase, every encrypted file carries the suffix .crypted as a new file extension (for example, report.docx becomes report.docx.crypted).
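As an added example (not code from the original article and not the malware's own code), the following Python script sweeps a directory tree for the two indicators described above, the .crypted suffix and the How_Decrypt_My_Files ransom note, and summarises what it finds: how many files are encrypted, which original file types were hit, where the notes were dropped and the modification-time window of the encrypted files, which gives a rough idea of when the encryption ran. The page does not give the note's file extension, so the script matches on the name prefix; the function names and the constructed sample tree used for the dry run are assumptions.

```python
"""Triage a directory tree for Dxh26wam indicators: files carrying the
.crypted suffix and copies of the How_Decrypt_My_Files ransom note.
Added example; it reads only metadata and never opens or modifies the
encrypted files. Usage: python triage.py <root>  (no argument = dry run)."""
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".crypted"                # suffix appended by the ransomware
RANSOM_NOTE_PREFIX = "how_decrypt_my_files"  # note name; extension unknown, so prefix match


def triage(root):
    """Walk `root` and summarise indicators. Returns a dict with the number of
    encrypted files, the original extensions seen, the directories holding
    ransom notes, and the earliest/latest mtime of encrypted files (a rough
    window for when encryption ran)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif name.lower().startswith(RANSOM_NOTE_PREFIX):
                notes.append(path)
    # Original extension: strip ".crypted", then take whatever extension is left
    # ("report.docx.crypted" -> ".docx"; a file with no other extension -> "").
    original_ext = Counter(
        os.path.splitext(os.path.basename(p)[:-len(ENCRYPTED_SUFFIX)])[1].lower()
        for p in encrypted
    )
    mtimes = [os.stat(p).st_mtime for p in encrypted]
    window = None
    if mtimes:
        window = (datetime.fromtimestamp(min(mtimes), timezone.utc).isoformat(),
                  datetime.fromtimestamp(max(mtimes), timezone.utc).isoformat())
    return {
        "encrypted_count": len(encrypted),
        "original_extensions": dict(original_ext),
        "ransom_note_dirs": sorted({os.path.dirname(p) for p in notes}),
        "encryption_window_utc": window,
    }


def build_sample_tree(root):
    """Create a constructed sample tree (not real victim data) for a dry run."""
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for rel in ("Documents/report.docx.crypted",
                "Documents/budget.xlsx.crypted",
                "Pictures/holiday.jpg.crypted",
                "Pictures/readme.txt"):            # an untouched file
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00" * 16)
    for d in (docs, pics):
        # One note per affected directory, as ransomware usually drops them.
        with open(os.path.join(d, "How_Decrypt_My_Files.txt"), "w") as fh:
            fh.write("YOUR PERSONAL FILES ARE ENCRYPTED\n")


def demo():
    """Dry run against the constructed tree; returns the triage summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(triage(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it against a mounted image or the victim's user profile rather than the live system drive, and run it before any cleanup: the mtime window and the list of note locations are the facts you will want later, and they disappear once files are moved or deleted.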
Dxh26wam is also designed to spawn several system processes, among them vssadmin.exe, the built-in command-line tool for managing Volume Shadow Copies. The Volume Shadow Copy Service in Windows takes automatic or manual snapshots of files and volumes, even while they are in use, and both System Restore points and the "Previous Versions" feature depend on it. By running the command line
%WINDIR%\system32\vssadmin.exe delete shadows /all /quiet
Dxh26wam removes all shadow copies, so victims can no longer roll their files back to previous versions. The command succeeds only when the process runs with administrator rights, which is one more reason not to do daily work from an elevated account. From a detection standpoint, vssadmin being launched with "delete shadows" by anything other than the usual administrative tooling is a strong ransomware indicator.
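The shadow-copy wipe is one of the few moments where this family is loud enough to catch before encryption finishes. As an added example that is not part of the original article, the Python below runs over process-creation events (Sysmon Event ID 1, or Security 4688 with command-line auditing turned on) and flags commands that delete shadow copies. It matches on the arguments rather than the image name, so a renamed copy of vssadmin.exe is still caught, and it goes slightly beyond the page by also covering the wmic shadowcopy delete and vssadmin resize shadowstorage forms, which are the other well-known ways to remove snapshots. The "key=value|key=value" line format and the sample events are constructed for the example.

```python
"""Flag shadow-copy deletion in process-creation telemetry. Added example:
patterns are argument-based so a renamed vssadmin.exe is still detected."""
import re

# The page documents the vssadmin "delete shadows" form; the other two are the
# well-known equivalents (wmic shadowcopy delete, and shrinking shadow storage
# so that existing snapshots are evicted).
SHADOW_DELETION_PATTERNS = [
    re.compile(r"\bdelete\s+shadows\b", re.I),
    re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bresize\s+shadowstorage\b", re.I),
]


def normalise(cmdline):
    """Strip quoting and collapse whitespace so matching is stable."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def is_shadow_deletion(cmdline):
    cmd = normalise(cmdline)
    return any(p.search(cmd) for p in SHADOW_DELETION_PATTERNS)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def find_shadow_deletions(lines):
    """Return (parent image, command line) for every event that wipes shadows.
    The parent is what you pivot on next: here it is the dropped executable."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_shadow_deletion(ev.get("CommandLine", "")):
            hits.append((ev.get("ParentImage", ""), ev["CommandLine"]))
    return hits


# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\Dxh26wam.exe"
    "|CommandLine=%WINDIR%\\system32\\vssadmin.exe delete shadows /all /quiet",
    "EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=vssadmin list shadows",                       # benign admin use
    "EventID=1|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\Dxh26wam.exe"
    "|CommandLine=wmic  shadowcopy delete",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=\"C:\\Windows\\System32\\cmd.exe\" /c dir",
]

if __name__ == "__main__":
    for parent, cmd in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"shadow-copy deletion launched by {parent}: {cmd}")
```

In a real deployment the same patterns go into the SIEM rule, and the alert should fire on the parent process: a backup agent or an administrator's console calling vssadmin is routine, a freshly dropped executable under a user's Temp directory calling it is not.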
Before the last infection stage, the threat touches the following Windows registry locations. It reads the current computer name from the first key, and it writes a value under the second, the per-user Run key, so that its executable is launched automatically at every logon. This is the classic persistence mechanism; entries there run with the logged-on user's own privileges, which is why the removal steps below include checking that key.
HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Finally, Dxh26wam drops its ransom note on the computer and displays it on the victim's screen. The file that contains the ransom message is called How_Decrypt_My_Files and reads as follows:
YOUR PERSONAL FILES ARE ENCRYPTED
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
1. Pay amount BTC (about of USD) to address:
2. Transaction will take about 15-30 minutes to confirm.
Decryption will start automatically. Do not: power off computer, run antivirus program, disable internet connection. Failures during key recovery and file decryption may lead to accidental damage on files.
YOUR FILES WILL BE LOST WITHOUT PAYMENT THROUGH: 3 Days 23 Hours 58 Minutes 04 Seconds
The criminals demand a ransom in Bitcoin in exchange for the private decryption key, and they set a deadline (just under four days in the sample above) after which they claim all files will be lost. Paying gives no guarantee that a working key will ever be delivered.
The ransom message is available in eight languages; victims can switch between them by clicking one of the displayed flags. The languages are Dutch, Italian, French, German, Portuguese, Spanish, Chinese and English, which suggests that speakers of these languages are the intended targets of Dxh26wam.
How Could Dxh26wam.exe Land on the System?
The malicious Dxh26wam payload may land on the computer as an attachment to a spam email. Criminals favour this route because they can pose as legitimate senders, play on your emotions and persuade you to open the attached content.
Dxh26wam.exe may also be delivered from a compromised web page that triggers a drive-by download as soon as you open it. In that case the attackers need you to follow a link, which may arrive in a spam email, in a post or message on social media such as Facebook and Twitter, through a malvertising campaign, and so on.
Another distribution channel is installation packages for free software: the malicious code may come bundled with freeware that you install on the computer.
Remove Dxh26wam Ransomware and Recover .Crypted Files
As long as the Dxh26wam files and objects remain on your computer, you cannot use it safely and may lose further data. For the sake of your security, avoid negotiating with the ransomware operators and proceed with removing the threat. Given the range of changes Dxh26wam makes to the computer, a professional anti-malware tool usually gives the best removal results.
Currently there is no working decryption tool for Dxh26wam. One may be developed and released by security researchers at some point, so back up all encrypted files and keep them on an external drive; do not delete them. Some .crypted files may also be recoverable with the data recovery software listed in the final part of the removal guide below, but such tools only recover deleted data, so this works only where the ransomware wrote a new file and deleted the original rather than overwriting it in place.
Summary of .Crypted File Virus
Name | Dxh26wam Ransomware
File Extension | .crypted
Ransom | Varies
Easy Solution | You can skip all steps and remove Dxh26wam ransomware with the help of an anti-malware tool.
Manual Solution | Dxh26wam ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.
Distribution | Spam emails, malicious URLs, malicious attachments, exploit kits, freeware.
Dxh26wam Ransomware Removal
STEP I: Start the PC in Safe Mode with Networking
Safe Mode loads only the core Windows drivers and services and does not process the usual autostart entries, including the Run key, so the ransomware is not running while you remove its files. Networking is kept so that tools and updates can still be downloaded; if you suspect the threat is still spreading over the network, unplug instead.
1) Press the WIN key + R
2) A Run window appears. Type "msconfig" and press Enter
3) In the System Configuration box, choose the "Boot" tab
4) Tick "Safe boot" and then select "Network" under it
5) Apply -> OK and restart. Remember to untick "Safe boot" once the cleanup is finished, or the machine will keep booting into Safe Mode.
Or check our video guide – "How to start PC in Safe Mode with Networking"
STEP II: Show Hidden Files
1) Open My Computer/This PC
2) Windows 7
– Click the "Organize" button
– Select "Folder and search options"
– Select the "View" tab
– Under "Hidden files and folders", mark "Show hidden files and folders"
– Click "Apply" and then "OK"
3) Windows 8/10
– Open the "View" tab
– Tick "Hidden items"
STEP III: Open Windows Task Manager and Stop Malicious Processes
1) Press CTRL+SHIFT+ESC
2) Go to the "Processes" tab (on Windows 8/10 the "Details" tab shows the full image name)
3) When you find a suspicious process, right-click it and select "Open File Location". Note the path; you will search the registry for it in Step V
4) Go back to Task Manager, right-click the process again and choose "End Process" (or "End Task")
5) Go to the folder where the malicious file is located and delete it. If the sample may be needed for analysis later, copy it into a password-protected archive first instead of simply deleting it
STEP IV: Remove Dxh26wam Ransomware Completely Using the SpyHunter Anti-Malware Tool
The SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all detected malware. Additional information about SpyHunter / Help to uninstall SpyHunter
STEP V: Repair the Windows Registry
1) Again press the Windows key + R
2) In the box, type "regedit" (without the quotes) and press Enter
3) Before changing anything, export the key you are about to edit (File -> Export) so the change can be reverted
4) Press CTRL+F and enter the malicious name (for example, Dxh26wam) in the search field to locate values that reference the malicious executable; the per-user Run key listed earlier in this article is the first place to look
5) Delete only the keys and values whose data points to the malicious file, and be careful not to delete legitimate entries, which can also live under AppData
Further help for Windows Registry repair
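Both the Run-key persistence described in the details section and the registry search in this step come down to the same question: which autostart values point at the dropped executable? As an added example that is not part of the original guide, the Python below reviews a .reg export of the Run key offline, so nothing touches the live registry and the same script works on an exported file from another machine. The export itself comes from the real command reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg; everything else (function names, the list of user-writable locations used as a heuristic, and the constructed sample export) is an assumption of the example.

```python
"""Review autostart entries from a .reg export of a Run key. Added example.
Real exports from reg.exe are UTF-16; read them with encoding="utf-16"."""
import re

# Locations a standard user can write to. Malware dropped by mail or a
# drive-by usually runs from one of these, but so do legitimate per-user
# installers, so a match is a reason to look, not proof on its own.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\", "\\downloads\\",
    "\\users\\public\\", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
)

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string syntax doubles backslashes and escapes embedded quotes.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in the export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current:
            m = _VALUE_RE.match(line)
            if m:
                name, data = _unescape(m.group(1)), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = _unescape(data[1:-1])
                keys[current][name] = data
    return keys


def executable_path(data):
    """Pull the program path out of Run value data, quoted or not."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def review_run_key(reg_text, indicators=()):
    """Return [(key, name, path, reasons)] for entries worth removing or verifying.
    `indicators` are lower-case file names known to belong to the infection."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, data in values.items():
            path = executable_path(data)
            low = path.lower()
            reasons = []
            if any(low.endswith("\\" + ind) or low == ind for ind in indicators):
                reasons.append("indicator match")
            if any(marker in low for marker in USER_WRITABLE_MARKERS):
                reasons.append("runs from user-writable location")
            if reasons:
                findings.append((key, name, path, reasons))
    return findings


# Constructed export, not taken from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Dxh26wam"="C:\\Users\\bob\\AppData\\Local\\Temp\\Dxh26wam.exe"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" --quiet"
'''

if __name__ == "__main__":
    for key, name, path, reasons in review_run_key(SAMPLE_REG, ("dxh26wam.exe",)):
        print(f'{name}: {path}  [{", ".join(reasons)}]')
```

On the sample export the script flags the Dxh26wam entry for both reasons, flags OneDrive only because it lives under AppData (a legitimate entry you would verify and keep), and leaves the vendor updater alone. That is the judgement step 5 above asks for: delete the values that point at the malicious file, not every value that looks unfamiliar. To review a real export, call review_run_key(open("run.reg", encoding="utf-16").read(), ("dxh26wam.exe",)).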
STEP VI: Recover Encrypted Files
1) Use existing backups. Check the backup itself first: a backup drive that was connected during the attack may hold .crypted copies as well.
2) Use professional data recovery software
– Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos and more than 300 other file types lost in various incidents and corruption. Recovery tools work on deleted data, so they help only where the ransomware wrote a new .crypted file and deleted the original rather than overwriting it in place.
3) Use a System Restore point
– Press the WIN key
– Select "Open System Restore" and follow the steps
System Restore reverts system files and registry settings, which helps undo the persistence entry, but it does not bring back personal documents. Restore points are themselves stored as shadow copies, so if the vssadmin command described above ran successfully there may be none left.
4) Restore your personal files using File History
– Press the WIN key
– Type "restore your files" in the search box
– Select "Restore your files with File History"
– Choose a folder or type the name of the file in the search bar
– Click the "Restore" button
STEP VII: Preventive Security Measures
1) Enable and properly configure your firewall.
2) Install and maintain reliable anti-malware software.
3) Secure your web browser.
4) Check regularly for available software updates and apply them.
5) Disable macros in Office documents.
6) Use strong passwords.
7) Don't open attachments or click on links unless you're certain they're safe.
8) Back up your data regularly and keep at least one copy offline or otherwise unreachable from the machine: Dxh26wam deletes shadow copies and encrypts every drive it can reach, so a backup that is always connected is not a backup.