DCry ransomware / virus (Removal Guide) - updated Sep 2017

DCry virus Removal Guide

What is DCry ransomware virus?

DCry crypto-malware developers persistently create new versions

DCry is crypto-malware that tries to evoke more terror by disguising itself as the notorious WannaCry[1] ransomware. Fortunately, the virus does not have the capabilities of that threat. There have been other such threats as well, for example FakeCry, which inflicts great damage. However, the release of the decrypter has not discouraged the racketeers from continuing this illegal activity: a DCry 2.0 version has made its appearance.

The current virus does not launch its own graphical interface. Its HOW_TO_DECRYPT.txt file delivers scarce information:

Files has been encrypted.
If you want to decrypt, please, write me to e-mail: bbqb@protonmail.com

The message delivered through MsgBox repeats the same information. In addition, the original malware version appends the .dcry file extension to encrypted files, but there are newer versions which also use the .qwqd extension.

Interestingly, the malware links to Germany[2]. According to its technical specifications, it is detectable as Trojan-Ransom.Win32.Purgen, Ransom_FAKEWCRY.I, or Trojan.GenericKD.5584545. The first of these names resembles variants of the GlobeImposter family of ransomware.

Luckily, multiple cyber security applications are able to detect this malicious presence. Thus, you will be able to remove DCry virus as well. FortectIntego or Malwarebytes will speed up the process.

Update September 15th, 2017. The developers of this malware seem to be persistently working on new improvements. Besides the recent .qwqda extension variant, the perpetrators have now released a new version, DCry 2.0, which adds the .dian file extension to mark encrypted files.

This version still seems to be under development, as the malware authors left an amusing greeting for the well-known ransomware researcher Michael Gillespie embedded in the source code. Leaving aside entertaining remarks, the virus is detected as Uds.Dangerousobject.Multi!c, TR/AD.RansomHeur.rfwab, Ransom_Purgen.R01BC0WIB17, etc. Judging by the latter, the modus operandi does not seem to have changed dramatically. Besides the mentioned changes, the cyber criminals switched to the lnq@protonmail.com email address as well.

Update September 11th, 2017. In response to the released decrypter, the developers have created another version which attaches the .gocr file extension. The ransom note has changed as well: the felons now present their demands in a HOW_TO_GET_MY_FILES.txt file, and the content of the message was slightly altered. Here is a short extract from it:

Hello my friend, first sorry for this.
Your files have been crypted with AES-256 method.
Don't try decrypt files use third-party software, otherwise you may loss all files permanently.
If you want to decrypt your data, write to e-mail: lnq@protonmail.com.
If you want to test the decrypt, go to https://s7c4wrcmzgbtldbs.onion (use tor browser)

Update July 14th, 2017. Security experts Michael Gillespie and Francesco Mauroni managed to create a free decryption tool for victims of DCry crypto-virus. Therefore, do not hesitate and remove the ransomware ASAP. You have a chance to restore your files for free, so do not even consider paying the ransom to cybercriminals. You can find DCry Decrypter here.

NOTE: DCry Decrypter has been updated to restore files encrypted by the latest ransomware version which appends .qwqd extensions and uses qwqd@protonmail.com email address for communication.

WannaCry – as the inspiration for cyber villains

Although almost two months have passed since the first wave of the former threat, other crooks still use it as material to evoke more fear in victims. Fortunately, such clones often happen to be poorly programmed and much less destructive.

DCry ransomware happens to be one such sample as well. On the other hand, its developer cunningly creates a diversion. The virus contains references to FakeCry, WannaCry, and even Globe: some anti-virus tools detect it as the Purgen virus, a reference to Globe.

Furthermore, the virus functions via Cryptor.exe and message.vbs files. The malware connects to hidden onion websites, www.indyproject.org/. The latter serves as an open source website created by an unknown group of netizens.

It is designed for exchanging ideas on how to transfer an entire system to another computer. Given that DCry may target systems via remote desktop protocols (RDP), the websites turn out to be more than shady. The malware also connects to one IP address which links to Germany. However, taking into account that the perpetrator uses Tor, it might be only a diversion.

Key aspects of transmission strategy

Besides RDP, the threat may lie in wait for Windows OS users on certain corrupted websites. Thus, when they click on a certain link or download an infected website, they might encounter a DCry hijack.

The latter method is getting much more dangerous, as cyber criminals have found a way to foist an infection into a file. To activate it, victims do not need to click on the file anymore: hovering over it[3] is enough to face the aftermath of crypto-malware.

Thirdly, note that ransomware distribution via spam emails is still viable. Vigilance and cautiousness are not sufficient in countering ransomware. You will need cyber security applications to ward off and counterattack the malware. Now let us move on to the section which presents DCry removal options.

Eradicate DCry virus

Even though the malware may not be as destructive as the threat it refers to, you should not delay DCry removal. In some cases, rebooting the computer interrupts the data encryption process.

Before you decrypt files, you might check some of our suggested programs at the bottom of the page. Hungarian users should be careful, as the virus might target the residents of this country more.[2]

Getting rid of DCry virus. Follow these steps

Manual removal using Safe Mode

Make use of Safe Mode function. It grants you partial access to the system, but it bypasses any interruption caused by the virus.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove DCry using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of DCry. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that DCry removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove DCry from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by DCry, you can use several methods to restore them:

How useful is Data Recovery Pro?

This utility is said to recover lost and corrupted files. In addition, if you accidentally deleted highly important emails, this utility will help you retrieve them.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by DCry ransomware;
  • Restore them.

The benefits of Shadow Explorer

Since this virus is not a full-fledged copy of WannaCry, it is possible that you may restore files affected by DCry virus with the assistance of this program. It is able to restore files on the basis of shadow volume copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

DCry Decryptor

There is a free decryption tool available, so victims who have their files marked with .dcry and .qwqd extensions can now restore them for free. Just download the DCry decryption tool from here and start decrypting your files!
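Before running any recovery tool, it helps to know which variant touched which files. The following triage sketch is an added example, not part of the original guide or of the decrypter: it inventories a folder tree for the extensions, ransom-note names and component file names listed on this page, and separates files the page says the free decrypter handles (.dcry, .qwqd) from the rest. Function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators as listed on this page. True = the page states that the free
# decrypter covers this extension; False = the page does not say so.
EXTENSIONS = {".dcry": True, ".qwqd": True,
              ".qwqda": False, ".gocr": False, ".dian": False}
RANSOM_NOTES = {"how_to_decrypt.txt", "how_to_get_my_files.txt"}
COMPONENTS = {"cryptor.exe", "message.vbs"}  # name match only: a lead, not a verdict


def triage(root):
    """Walk root read-only and collect DCry indicators by file name."""
    report = {"encrypted": Counter(), "notes": [], "components": []}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            ext = os.path.splitext(lower)[1]  # "a.docx.dcry" -> ".dcry"
            path = os.path.join(dirpath, name)
            if ext in EXTENSIONS:
                report["encrypted"][ext] += 1
            elif lower in RANSOM_NOTES:
                report["notes"].append(path)
            elif lower in COMPONENTS:
                report["components"].append(path)
    return report


def decrypter_split(report):
    """Return (files with a covered extension, files with other extensions)."""
    enc = report["encrypted"]
    covered = sum(n for ext, n in enc.items() if EXTENSIONS[ext])
    return covered, sum(enc.values()) - covered


def demo():
    # Constructed sample tree with empty files, not real victim data.
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.docx.dcry", "b.jpg.qwqd", "c.xls.dian",
                     "HOW_TO_DECRYPT.txt", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        rep = triage(root)
        return dict(rep["encrypted"]), len(rep["notes"]), decrypter_split(rep)


if __name__ == "__main__":
    print(demo())
```

The scan only reads directory listings, so it can be run against a mounted copy of the affected disk without modifying evidence.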

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from DCry and other ransomware, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has gained momentum in recent years, and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security is to choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN: it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects: these are types of files that we don't want to lose. Unfortunately, there are many ways in which unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attacks, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media
