Severity scale:  
  (98/100)

DCRTR ransomware. How to remove? (Uninstall guide)

removal by Ugnius Kiguolis - - | Type: Ransomware

DCRTR ransomware – a file locker that can make important files inaccessible

DCRTR ransomware
DCRTR ransomware is a dangerous computer virus which appears in the computer system after opening a rogue email message or its attachment.

DCRTR ransomware is a file-encrypting virus that uses a strong encryption[1] algorithm and appends .dcrtr file extension. When all targeted files are encrypted, malware downloads a ransom note called ReadMe_Decryptor.txt where criminals tell to contact them via decryptor@cock.li email address. DCRTR virus typically spreads as an obfuscated email attachment.[2] Once a victim opens it, malicious payload is dropped to the system. Malware immediately alters Windows Registry, downloads malicious files and might affect legit system processes. As soon as it makes a presence on the affected machine, the ransomware virus runs data encryption procedure. Crypto-malware targets the most popular types of files, such as Microsoft Office documents, images, audio, video files, databases or archives.

Name DCRTR 
Type Ransomware
New version WDM-DCRTR
Extensions added [decryptor@cock.li].dcrtr, .crypt
Ransom message ReadMe_Decryptor.txt, HOW TO DECRYPT FILES.txt
Email address decryptor@cock.li, masterdecrypt@openmailbox.org, dekode@qq.com 
Encryption ciphers A combination of AES, SHA, and RSA algorithms is used
Target The most popular types of files that are locked by the ransomware – images, audios, videos, text files, databases
Main distribution source Spam messages and their rogue attachments
Removal process Perform the elimination as soon as you spot the first symptoms. You can use Reimage to detect all possibly damaged objects in the system

Malware uses a combination of AES, SHA and RSA ciphers to make files on the device inaccessible. The significant feature of the DCRTR is the appended file extension. Typically, it adds [decryptor@cock.li].dcrtr suffix to targeted data. Following the successful encryption, malware provides a ransom-demanding message to the victims. In the text file, authors of DCRTR malware asks to send an email to decryptor@cock.li. Victims are urged to do it immediately because the size of the ransom depends on the writing speed.

The DCRTR ransom message looks like this:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail decryptor@cock.li
In case of no answer in 24 hours write us to theese e-mails: masterdecrypt@openmailbox.org

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 

Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) 

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
hxxps://localbitcoins.com/buy_bitcoins 
Also you can find other places to buy Bitcoins and beginners guide here: 
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Crooks also offer to add 5 files for free decryption in order to prove they actually have the DCRTR decryptor. According to the ransom note, victims should receive a response with the number of Bitcoins they have to pay in order to use criminal’s decryptor. However, if they do not receive a letter in 24 hours, they should send an email again to masterdecrypt@openmailbox.org.

However, paying the ransom is not recommended[3] because crooks might disappear once they receive your transaction. What is worse, they might ask you to pay more money by threatening that your files will be leaked or deleted. We guess that you definitely do not want to face money losses, especially useless ones. You should not get tricked by these threats and remove DCRTR virus from the device.

Unfortunately, DCRTR removal won’t recover your files. However, virus elimination is needed to clean and fix your computer in order to use it safely again. For that, we highly recommend using Reimage. Once your device is virus-free, you can use data backups or try alternative recovery methods. Find third-party software below this article and choose the most attractive tool for you. Perform each step as shown in the guidelines and you might be able to restore some of your files successfully.

WDM-DCRTR – a new version

At the beginning of November this year, a new version of DCRTR ransomware was released. This file-locking cyber threat is called very similarly – WDM-DCRTR ransomware. The virus operates in the same way as its old variant. Once installed, it uses unique encryption ciphers to lock important documents on the infected computer. Files appear with the .crypt extension and cannot be loaded successfully until they are blocked by the ransomware virus.

WDM-DCRTR virus
WDM-DCRTR - a new variant of the DCRTR ransomware virus.

You can recognize WDM-DCRTR virus from this file: FileCryptor.pdb. This sneaky cryptovirus can display various ransom notes. The ransom message can appear as HOW TO DECRYPT FILES.txt. What is even more interesting, WDM-DCRTR ransomware imitates other ransomware viruses. The payment page is designed in the same way as GandCrab-ransomware's, a ransom note's text related to the Rapid ransomware. The content of this message says:

the Hello, dear friend E! 
Have your files is the All Been The ENCRYPTED 
the Do you really want to the restore your files is? 
Our email to the Write – dekode@qq.com 
and tell's us your unique ID – ID-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Nevertheless, WDM-DCRTR uses the Dharma-related Info.hta files to launch one of the ransom notes. So, as we can see, this cryptolocker tries to imitate other viruses by using similar content. This cyber threat also reaches the system via dubious email messages and their attachments. However, you can get easily messed up which ransomware[4] has infected your PC once you see the note.

Methods used for spreading file-encrypting viruses

The virus might be attached to any spam email that appears in your inbox. Malicious spam emails are the primary ransomware distribution methods. Thus, be careful when opening emails from unknown senders and do not rush opening attached files even though they look safe and legit. If you are not expecting to receive anything important lately, better delete all unrecognizable messages that you receive.

Furthermore, ransomware executable might hide under ads on various websites, presented as a software update or any illegal software that you can download from file-sharing websites. Keep in mind that security programs do not always protect from malware if you download malicious files yourself. Additionally, be careful once browsing on pages that you have never seen before as their links might also have malware-laden content injected.

Security experts from LesVirus.fr[5] also remind to create copies of the most important files and save them in the external storage devices. They will be very helpful if ransomware hits your PC. However, if you decide to purchase a USB flash drive, make sure that you keep it unplugged when it is out of usage.

Get rid of DCRTR virus

DCRTR removal is too complicated to perform manually. Therefore, you should not try to locate and delete any malware-related files. This may lead to irreparable damage to the system. For this reason, you should choose reliable software that will take care of your PC. We recommend using Reimage or Plumbytes Anti-MalwareMalwarebytes Malwarebytes to get rid of the cyber threat from your machine. These programs are strong enough to clean your PC from malicious components.

However, after you remove DCRTR virus, you should also reboot the system to Safe Mode with Networking to disable the virus first. In this way, crypto-virus won’t be able to disturb its elimination. After you perform these steps, you can start thinking about the data recovery process. We have provided some methods below this article which we advise trying.

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove DCRTR virus, follow these steps:

Remove DCRTR using Safe Mode with Networking

Rebooting System to Safe Mode with Networking ensures that automatic ransomware elimination is smooth:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove DCRTR

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete DCRTR removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove DCRTR using System Restore

System Restore methods might also be helpful to disable the virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of DCRTR. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that DCRTR removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove DCRTR from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Take a look at the below-given methods as some of them might appear to be truly helpful. Make sure you carry out each step exactly as shown in the instructions to reach the best results possible.

If your files are encrypted by DCRTR, you can use several methods to restore them:

Try to recover files with Data Recovery Pro

Data Recovery Pro is NOT a ransomware decryptor. However, this tool might help to recover some of the damaged files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by DCRTR ransomware;
  • Restore them.

Access the most important files using Windows Previous Versions feature

This method is helpful to recover important individual files by following the steps below. However, this method requires being enabled System Restore before DCRTR attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try ShadowExplorer for data recovery if possible

ShadowExplorer recovers files from Shadow Volume Copies. So, if ransomware did not delete them, follow these steps to recover your files:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

DCRTR decryptor is not available yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from DCRTR and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

References