Diablo6 ransomware virus. How to remove? (Uninstall guide)

Removal guide by Gabriel E. Hall | Type: Ransomware

Diablo6 virus rolls out another malspam campaign


Diablo6 is the latest version of the notorious Locky ransomware[1]. It encrypts the data on the victim's computer with a combination of the RSA-2048 and AES-128 ciphers and appends the .diablo6 extension to every affected file. Once the procedure is finished, the data is unreadable. Finally, the malware drops a ransom note called diablo6.htm and replaces the desktop background with an image, diablo6.bmp. Note that this crypto-ransomware is not related to the Diablo game in any way, even though its authors seem to be fans.

The threat arrives as a .ZIP email attachment that contains a VBS downloader. The script connects to one of several malicious domains, then downloads and executes the Locky Diablo6 ransomware.

During encryption, the Locky virus renames each file, replacing its original name with a string built from the following pattern: [first 8 characters of the victim's ID]-[next 4 characters of the ID]-[next 4 characters of the ID]-[4 random characters]-[12 random characters].diablo6. The original file name is therefore not recoverable from the encrypted file's name alone.
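As an added example (not part of the original guide), the following Python classifies a file listing against the naming pattern above and pulls the victim ID back out of encrypted names, which is useful when triaging a machine or deciding whether files from several hosts were mixed together. It assumes the ID and random groups are uppercase hex digits, which the page does not state; the sample listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Encrypted-file name pattern from the paragraph above:
# 8-4-4 characters of the victim ID, 4 + 12 random characters, extension .diablo6.
# Assumption (the page does not say): every group consists of uppercase hex digits,
# which is how Locky-family names are usually written. Relax the classes if your
# samples differ.
ENCRYPTED_NAME = re.compile(
    r"^(?P<id1>[0-9A-F]{8})-(?P<id2>[0-9A-F]{4})-(?P<id3>[0-9A-F]{4})"
    r"-(?P<rnd1>[0-9A-F]{4})-(?P<rnd2>[0-9A-F]{12})\.diablo6$"
)

# Artifacts named on the page: the ransom note and the wallpaper image.
RANSOM_NOTE = "diablo6.htm"
WALLPAPER = "diablo6.bmp"


def classify(path):
    """Return 'encrypted', 'ransom_note', 'wallpaper' or None for one path."""
    name = PureWindowsPath(path).name
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    lowered = name.lower()
    if lowered == RANSOM_NOTE:
        return "ransom_note"
    if lowered == WALLPAPER:
        return "wallpaper"
    return None


def victim_id(path):
    """Reassemble the 16-character victim ID from an encrypted file's name."""
    m = ENCRYPTED_NAME.match(PureWindowsPath(path).name)
    if not m:
        return None
    return m.group("id1") + m.group("id2") + m.group("id3")


def sweep(paths):
    """Count artifacts in a file listing and collect the victim IDs seen.

    One host should carry exactly one ID; several IDs mean files were copied in
    from other infected machines (or come from a different run of the malware).
    """
    counts = {"encrypted": 0, "ransom_note": 0, "wallpaper": 0}
    ids = set()
    for p in paths:
        kind = classify(p)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "encrypted":
            ids.add(victim_id(p))
    return counts, sorted(ids)


# Constructed sample listing; the IDs are made up, not taken from a real victim.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9.diablo6",
    r"C:\Users\alice\Documents\0A1B2C3D-4E5F-6071-1122-334455667788.diablo6",
    r"C:\Users\alice\Desktop\diablo6.htm",
    r"C:\Users\alice\Desktop\diablo6.bmp",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\notes.diablo6",  # wrong shape: not a Diablo6 name
]

if __name__ == "__main__":
    counts, ids = sweep(SAMPLE_LISTING)
    print(counts, ids)  # {'encrypted': 2, 'ransom_note': 1, 'wallpaper': 1} ['0A1B2C3D4E5F6071']
```

A file that merely ends in .diablo6 but does not fit the 8-4-4-4-12 shape is deliberately not counted; a loose extension match would pick up renamed test files and inflate the numbers.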

Once encryption is complete, the virus immediately opens the ransom note in the victim's default browser. The note starts with a straightforward explanation of what happened:

!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.

The note urges the victim to install the Tor browser and visit a provided .onion website to reach the Locky Decryptor page. The price of the Diablo6 decryption tool is 0.5 Bitcoin, approximately 1,642 US dollars at the time of writing.

At the moment, there is no way to decrypt files encrypted by this virus; in sophistication it is comparable to Cerber. That does not mean you have to pay the ransom. Paying does not guarantee that your data will be recovered, the chance of being scammed is high, and giving in to the extortionists' demands simply motivates them to create more malware[2].

If your files were encrypted by this latest Locky variant, remove Diablo6 with Reimage or Malwarebytes Anti-Malware. Boot the computer into Safe Mode with Networking first so that the removal can complete successfully.

After Diablo6 removal, restore the damaged files from your backup. Many people have no backup; if you are one of them, restoring your records may be impossible. Look for intact copies elsewhere (USB drives, CDs, email attachments) and copy them back only after the virus has been deleted. Alternative data recovery options are listed below the article.

The ransomware now switches to .docm files 

The Locky Diablo6 variant is distributed by a malspam campaign whose emails carry subject lines of the form E [date] (random numbers).docx. The attachment is named E [date] (random numbers).zip. The message body contains no explanation, only three words:

Files attached. Thanks

The ZIP file contains a VBS script that uses the victim's Internet connection to download the malware from a compromised domain. The script may list several domains to try in case one of them does not respond. It saves Diablo6 to the %TEMP% folder and launches it immediately. The dates in the original reports may be earlier than the campaign described here, which only shows that the Locky authors have been working diligently on the new campaign.

The current analysis shows that the threat is returning to its old habit of phishing users with .docm files. Like its predecessor, which tried to persuade unsuspecting users to open an infected .doc file and enable macros, Diablo6 works the same way, but this time it uses a .docm file as bait. There is no message content except the subject line, and the infected .docm is disguised within IMG_[4 digits].pdf.[3] If you enable the macros in the file, the malware is executed and you face the consequences.
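Added example, not from the original article: a Python check that decides by content rather than by file name whether an attachment should be opened. It detects an OOXML document (which is what a .docm is) hiding behind a .pdf name and whether the package carries a VBA project, i.e. macros, which is the thing the user is being tricked into enabling. The test documents are constructed in memory; the vbaProject.bin placeholder is not real macro code.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"   # OOXML (.docx/.docm/.xlsx ...) is a ZIP container


def file_kind(data):
    """Identify the container from its leading bytes, ignoring the file name."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "unknown"


def has_vba_project(data):
    """True if an OOXML package carries a VBA project, i.e. it contains macros."""
    if file_kind(data) != "ooxml":
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


# What the extension claims the content should be.
EXPECTED_KIND = {"pdf": "pdf", "docx": "ooxml", "docm": "ooxml", "zip": "zip"}


def assess(filename, data):
    """Decide whether to block: macros present, or the extension disagrees with the content."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = file_kind(data)
    expected = EXPECTED_KIND.get(ext)
    mismatch = expected is not None and expected != kind
    macros = has_vba_project(data)
    return {
        "extension": ext,
        "kind": kind,
        "macros": macros,
        "ext_mismatch": mismatch,
        "block": macros or mismatch,
    }


def build_docm(with_macro):
    """Constructed minimal OOXML package; the VBA blob is a placeholder, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # A macro document hiding behind a .pdf name, as in the campaign above.
    print(assess("IMG_1234.pdf", build_docm(True)))
    print(assess("report.docx", build_docm(False)))
    print(assess("invoice.pdf", b"%PDF-1.4\n%constructed\n"))
```

A real PDF never starts with the ZIP signature and a real .docx never contains vbaProject.bin, so either condition alone is enough to quarantine the file at the mail gateway before a user can click through the macro warning.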

The perpetrators keep polishing their distribution campaigns, which now look more sophisticated. However elaborate such emails may look, do not give in to curiosity: never open attachments received from unknown senders.

On the other hand, if a friend's machine is infected with a computer worm, he or she may send you a malicious link unwillingly. In that case, contact them directly through another channel before opening anything. If you scan the file yourself, bear in mind that malware authors use various cloaking techniques to keep anti-virus software from detecting the infection.

To protect yourself from Locky Diablo6, follow these tips:

  • Never open email attachments that were sent to you by someone you don’t know. If the message looks vague or shady, never click on links or files attached to it;
  • Secure your computer system with anti-malware software. Keep it running at all times;
  • Dedicate some time to creating a data backup. It is the only reliable way to restore crippled files after a ransomware attack;
  • Enable automatic software updates to always have the latest and most secure software versions on your PC.

According to experts, the first wave of this ransomware hit Germany and the US. If you are a German-speaking PC user, consider visiting DieViren.de for help[4].

Eliminate Locky Diablo6 virus 

Your computer will be secure only if Diablo6 is removed professionally. Remember that you are dealing with one of the most destructive ransomware families, regarded by some as second only to Cerber.

It continuously changes its attack vectors and its own structure, so it is better to leave Diablo6 removal to a professional anti-malware program developed by malware analysts. Update the security program to its latest version before scanning, or the ransomware may not be fully eliminated. Only after the virus has been deleted should you try the available data recovery techniques.


Manual Diablo6 virus Removal Guide:

Remove Diablo6 using Safe Mode with Networking


Steps to remove Diablo6 ransomware virus:

  • Reboot your computer in Safe Mode with Networking;
  • Download or update anti-malware software;
  • Run a full system scan to find malicious files and eliminate them all at once.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen, then hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Diablo6

    Log in to the infected account and start the browser. Download Reimage or another legitimate anti-malware program, update it, run a full system scan and remove the malicious files that belong to the ransomware to complete Diablo6 removal.

If the ransomware blocks Safe Mode with Networking, try the next method.

Remove Diablo6 using System Restore


If method 1 did not remove the ransomware, try the second option.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen, then hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Type rstrui.exe and press Enter.
    3. When the System Restore window shows up, click Next and select a restore point created before Diablo6 infiltrated the system, then click Next.
    4. Click Yes to start System Restore.
    Once the system has been restored to an earlier date, download Reimage, scan the computer and make sure that Diablo6 removal was performed successfully. Note that System Restore reverts system files and settings only; it does not decrypt your documents.

Bonus: Recover your data

The guide above is meant to help you remove Diablo6 from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts.

At the moment, files encrypted by Locky cannot be recovered with any third-party tool. The only real solution is a data backup. Still, you can attempt to restore some files using the following methods.

If your files are encrypted by Diablo6, you can use several methods to restore them:

First method: Run Data Recovery Pro

You can try Data Recovery Pro to restore some .diablo6 files. The tool might not restore all of them, so be prepared for that.

Second method: Try to recover some files using Previous Versions

This method works only if System Restore was enabled and a restore point was created before the infection. To recover individual files, follow these instructions.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file under "Folder versions", select the version you want to recover and click "Restore".

Third method: Try ShadowExplorer

ShadowExplorer detects the available Volume Shadow Copies and lets you use them for data recovery. If the virus failed to delete the VSS snapshots, the tool can recover your files from them.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data, then browse the folders;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
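Added example, not part of this guide: because the page notes that the virus may delete the VSS backup before you get a chance to use it, this Python snippet runs a detection over constructed process-creation log lines for the commands that destroy shadow copies, and flags a parent process running from %TEMP%, where the page says the downloader drops its payload. The command lines are generic ransomware tradecraft, not something the page attributes to Diablo6 specifically; the log format, paths and file names are made up.

```python
import re

# Process-creation lines in a constructed key=value format (Sysmon-like); not real telemetry.
SAMPLE_LOG = [
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\Users\alice\AppData\Local\Temp\a3f9.exe"',
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventID=1 Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete" ParentImage="C:\Users\alice\AppData\Local\Temp\a3f9.exe"',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe diablo6.htm" ParentImage="C:\Windows\explorer.exe"',
]

# Commands that destroy Volume Shadow Copies. Ransomware in general runs these before
# or during encryption so that Previous Versions and ShadowExplorer have nothing to
# restore. The page only says the virus may delete the VSS backup, so treat these as
# generic ransomware tradecraft rather than Diablo6-specific indicators.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# The page says the downloader drops the payload into %TEMP%; a parent process in a
# user-writable folder is the strongest supporting signal that this is not an admin.
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\Downloads\\", re.I)

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def detect(lines):
    """Return one alert per line whose command line matches a shadow-copy rule."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        cmd = event.get("CommandLine", "")
        for rule, rx in RULES:
            if rx.search(cmd):
                parent = event.get("ParentImage", "")
                alerts.append({
                    "rule": rule,
                    "command": cmd,
                    "parent": parent,
                    "parent_in_user_dir": bool(USER_WRITABLE.search(parent)),
                })
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

"vssadmin list shadows" is deliberately left alone: administrators run it, and alerting on every vssadmin invocation would drown the one that matters. The parent-in-%TEMP% flag is what turns a medium-severity alert into an immediate isolate-the-host action.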

Locky Decryptor

We do not recommend buying Locky Decryptor: it is a tool created by the cybercriminals themselves and may contain spyware, banking trojans or other malware. It might also fail to restore your files. Even though malware analysts have not yet produced an official decryption tool, we still do not recommend paying the ransom.

Finally, always think about protection against crypto-ransomware. To protect your computer from Diablo6 and other ransomware, use a reputable anti-malware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.
