Diablo6 ransomware / virus (Removal Guide) - Decryption Methods Included

by Gabriel E. Hall - - 2017-08-14 | Type: Ransomware

Diablo6 virus Removal Guide

Description Quick solution Instructions Prevention

What is Diablo6 ransomware virus?

Diablo6 virus rolls out its another malspam campaign

Diablo6 ransomware virus

Diablo6 virus operates as the latest version of the notorious Locky ransomware^[1]. It encodes data on victim’s computer using a combination of RSA-2048 and AES-128 cryptography ciphers and attaches .diablo6 file extension to every file. Once the procedure is finished, the data becomes unreadable. Finally, the malware creates a ransom note called diablo6.htm and replaces desktop’s background with a diablo6.bmp image. Note that this malicious crypto-ransomware is not related to Diablo game in any way even though the authors seem to be its fans.

The virtual threat arrives in the form of an .ZIP email attachment that contains a VBS downloader. It hen connects to one of the malicious domains, downloads and executes the Locky Diablo6 ransomware.

During the encryption, Locky virus renames each file by swapping its original name with a set of characters. The new file name is created using such pattern: [8 first characters of the victim's ID]-[next 4 characters of the ID]-next 4 characters of the ID]-[4 random characters]-[12 random characters].diablo6.

Once data encryption is complete, the virus immediately launches the ransom note using victim’s default browser. The ransom note starts with a straightforward explanation of what happened:

!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.

The virus urges the victim to install Tor browser and visit a provided .onion website to access Locky Decryptor page. The price of Diablo6 decryption tool is 0.5 Bitcoin, which is approximately 1642 US dollars.

At the moment, there are no ways to decrypt files encrypted by this dangerous virus. Speaking of its sophistication, it is very similar to Cerber. Despite that, it doesn’t mean that you have to pay the ransom. Paying the ransom doesn’t guarantee efficient data recovery, either. The possibility of getting scammed is high, besides, obeying extortionists’ demands simply motivates them to create even more malware^[2].

If your files were corrupted by the latest Locky ransomware variant, remove Diablo6 using FortectIntego or Malwarebytes. Your computer must be in a Safe Mode with Networking in order to complete the removal successfully.

After completing Diablo6 removal, use your data backup to restore damaged files. Many people do not have data backups, so if you are one of them, it might be impossible to restore your records. Try to think of ways where you could find intact data copies (USBs, CDs, email or elsewhere) and transfer them to your computer after deleting the virus. You can find alternative data recovery options below the article.

Diablo6 is the new version of Locky ransomware that appends .diablo6 extension to encrypted files. The virus demands a ransom of 0.5 Bitcoin.

The ransomware now switches to .docm files

The Locky Diablo6 variant is distributed via malspam campaign that delivers emails with subject lines similar to E [date] (random numbers).docx. The malware-laden email contains an attachment that is named E [date] (random numbers).zip. The message body lacks any explanation and contains three words only:

—
Files attached. Thanks

The ZIP file contains a VBS script that uses victim’s Internet connection to download malware from a compromised domain. The script may include several domains to connect to in case one of them won’t respond. The script is designed to download Diablo6 ransomware to %TEMP% folder and launch it immediately. Note that the dates of the report might be earlier. It only implies that Locky authors have diligently working on the new campaign.

The current analysis reveals that the threat now diverts to its old habit of fishing for users via .docm files. As its predecessor variation, which attempted to persuade unsuspecting users to open the infected .doc file and enable macros, Diablo6 functions the same. However, this case it employs .docm file as bait. This time, there is no message content except the subject line, the infected .docm is disguised within

This time, there is no message content except the subject line, the infected .docm is disguised within IMG_[4 digits].pdf.^[3] If you enable the macros of the file, you will face the severe consequences of the malware.

The perpetrators indeed polish their malware distribution campaigns which now looks more sophisticated. However, despite how elaborate such emails may look, note that you should not give in to curiosity and not to open any attachments received from unknown recipients.

On the other hand, if your friend gets infected with a computer worm, he or she might send the corrupted link unwillingly. In that case, contact them directly. If you scan the file, note that malware authors apply various “cloaking” techniques to prevent the anti-virus from detecting the infection.

To protect yourself from Locky Diablo, follow the provided tips:

Never open email attachments that were sent to you by someone you don’t know. If the message looks vague or shady, never click on links or files attached to it;
Secure your computer system with anti-malware software. Keep it running at all times;
Dedicate some time to create a data backup. It is the only efficient tool that helps to restore crippled files after a ransomware attack;
Enable automatic software updates to always have the latest and most secure software versions on your PC.

According to experts, the first wave of ransomware hit Germany and US. If you are a German-speaking PC user, consider visiting DieViren.de for help^[4].

Eliminate Locky Diablo6 virus

Your computer will be secure only if you remove Diablo6 virus professionally. Let us remind you that you are dealing with one of the most destructive ransomware-type programs which might be perceived inferior to another ransomware – Cerber.

It continuously changes its attack vectors and its own structure, so better assign Diablo6 removal for a professional anti-malware program developed by malware analysts. Do not forget that you must update the security program to the latest version of it in order to eliminate the ransomware fully. After deleting the virus, start testing available data decryption techniques.

Offer

do it now!

Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee

Compatible with Microsoft Windows Compatible with macOS

What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.

Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.

Download SpyHunter 5 Review »

Malwarebytes

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Download Combo Cleaner Review »

Getting rid of Diablo6 virus. Follow these steps

Manual removal using Safe Mode

Steps to remove Diablo6 ransomware virus:

Reboot your computer in Safe Mode with Networking;
Download or update anti-malware software;
Run a full system scan to find malicious files and eliminate them all at once.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment.

Windows 7 / Vista / XP

Click Start > Shutdown > Restart > OK.
When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

Right-click on Start button and select Settings.
Scroll down to pick Update & Security.
On the left side of the window, pick Recovery.
Now scroll down to find Advanced Startup section.
Click Restart now.
Select Troubleshoot.
Go to Advanced options.
Select Startup Settings.
Press Restart.
Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Click on More details.
Scroll down to Background processes section, and look for anything suspicious.
Right-click and select Open file location.
Go back to the process, right-click and pick End Task.
Delete the contents of the malicious folder.

Step 3. Check program Startup

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Go to Startup tab.
Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

Type in Disk Cleanup in Windows search and press Enter.
Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
Scroll through the Files to delete list and select the following:

Temporary Internet Files
Downloads
Recycle Bin
Temporary files
Pick Clean up system files.
You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

After you are finished, reboot the PC in normal mode.

Remove Diablo6 using System Restore

If the method 1 didn't help you to remove the ransomware, try the second option.

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Diablo6. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Diablo6 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Diablo6 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

At the moment, it is impossible to recover files encrypted by Locky using any third-party tools. The only solution to the problem is a data backup. You can attempt to restore some files using the following data recovery methods.

If your files are encrypted by Diablo6, you can use several methods to restore them:

Recover your data

First method: Run Data Recovery Pro

You can try Data Recovery Pro to restore some .diablo6 file extension files. The tool might fail to restore all of your files – be prepared for it.

Download Data Recovery Pro;
Follow the steps of Data Recovery Setup and install the program on your computer;
Launch it and scan your computer for files encrypted by Diablo6 ransomware;
Restore them.

Second method:. Try to recover some files using Previous Versions

This method works only if you created a system restore point in the past. To recover individual files, carry out the given instructions.

Find an encrypted file you need to restore and right-click on it;
Select “Properties” and go to “Previous versions” tab;
Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Third method: Try ShadowExplorer

ShadowExplorer is a tool that helps to detect available Volume Shadow Copies and use them for data recovery. If the virus failed to delete VSS backup, it will help you to recreate your files.

Download Shadow Explorer (http://shadowexplorer.com/);
Follow a Shadow Explorer Setup Wizard and install this application on your computer;
Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Locky Decryptor

We do not recommend buying Locky Decryptor because it is a tool created by cybercriminals. It can contain spying tools, banking trojans or other forms of malware. Besides, it might fail to restore your files. Although an official decryption tool wasn't created by malware analysts yet, we do not recommend paying the ransom to cybercriminals.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Diablo6 and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.

Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author

Gabriel E. Hall - Passionate web researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions