
Remove DCry ransomware / virus (Removal Guide) - updated Jan 2021

By Linas Kiguolis | Type: Ransomware

DCry crypto-malware developers persistently create new versions


DCry is crypto-malware that tries to frighten victims by posing as the notorious WannaCry[1] ransomware. Fortunately, it does not have the capabilities of that threat. There have been other imitators, for example FakeCry, which inflicts great damage. The release of a decrypter has not discouraged the racketeers, however: a DCry 2.0 version has made its appearance.


The current version does not launch its own graphical interface. Its HOW_TO_DECRYPT.txt ransom note gives very little information:

Files has been encrypted.
If you want to decrypt, please, write me to e-mail:

The message displayed through a MsgBox repeats the same information. The original malware version appends the .dcry file extension to encrypted files, but newer versions also use the .qwqd extension.

Interestingly, the malware has links to Germany[2]. Anti-virus engines detect it as Trojan-Ransom.Win32.Purgen, Ransom_FAKEWCRY.I, or Trojan.GenericKD.5584545. The first of these names resembles those given to variants of the GlobeImposter ransomware family.

Luckily, multiple cyber security applications are able to detect this threat, so you will be able to remove the DCry virus as well. Reimage Intego or Malwarebytes will speed up the process.

Update September 15th, 2017. The developers of this malware seem to be persistently working on new improvements. Besides the recent .qwqda extension variant, the perpetrators have now released a new version, DCry 2.0, which adds the .dian file extension to mark encrypted files.

This version seems to be still under development, as the malware authors left an amusing greeting for the well-known ransomware researcher Michael Gillespie embedded in the source code. Leaving aside entertaining remarks, the virus is detected as Uds.Dangerousobject.Multi!c, TR/AD.RansomHeur.rfwab, Ransom_Purgen.R01BC0WIB17, etc. Considering the latter, the modus operandi does not seem to have changed dramatically. Besides the mentioned changes, the cyber criminals changed their contact email address as well.

Update September 11th, 2017. In response to the released decrypter, the developers have created another version which attaches the .gocr file extension. The ransom note has changed as well: the felons now present their demands in a HOW_TO_GET_MY_FILES.txt file, and the content of the message was slightly altered. Here is a short extract from it:

Hello my friend, first sorry for this.
Your files have been crypted with AES-256 method.
Don't try decrypt files use third-party software, otherwise you may loss all files permanently.
If you want to decrypt your data, write to e-mail:
If you want to test the decrypt, go to https://s7c4wrcmzgbtldbs.onion (use tor browser)

Update July 14th, 2017. Security experts Michael Gillespie and Francesco Mauroni managed to create a free decryption tool for victims of DCry crypto-virus. Therefore, do not hesitate and remove the ransomware ASAP. You have a chance to restore your files for free, so do not even consider paying the ransom to cybercriminals. You can find DCry Decrypter here.

NOTE: DCry Decrypter has been updated to restore files encrypted by the latest ransomware version which appends .qwqd extensions and uses email address for communication.

WannaCry – as the inspiration for cyber villains

Although almost two months have passed since the first wave of WannaCry, other crooks still use its name to frighten victims. Fortunately, such clones are often poorly programmed and much less destructive.

DCry ransomware is one such sample. On the other hand, its developer cunningly creates a diversion: the virus contains references to FakeCry, WammaCry, and even Globe, since some anti-virus products detect it as Purgen, a name that refers to Globe.

Furthermore, the virus operates through the Cryptor.exe and message.vbs files. The malware connects to hidden onion websites. These websites serve as an open source website created by an unknown group of netizens.

It is designed for exchanging ideas on how to transfer an entire system to another computer. Given that DCry may target systems via the Remote Desktop Protocol (RDP), the websites turn out to be more than shady. The malware also connects to one IP address which links to Germany. However, taking into account that the perpetrator uses Tor, it might be only a diversion.

Key aspects of transmission strategy 

Besides RDP, the threat may lie in wait for Windows users on certain corrupted websites. When they click on a certain link or download from an infected website, they might encounter the DCry hijack.

The latter method is becoming much more dangerous, as cyber criminals have found a way to embed an infection in a file. To activate it, victims no longer need to click on the file: hovering over it[3] is enough to face the aftermath of crypto-malware.

Thirdly, note that ransomware distribution via spam emails is still viable. Vigilance and caution alone are not sufficient for countering ransomware. You will need cyber security applications to ward off and counter the malware. Now let us move on to the section which presents DCry removal options.

Eradicate DCry virus

Even though the malware may not be as destructive as the threat it imitates, you should not delay DCry removal. In some cases, rebooting the computer interrupts the data encryption process.

Before you decrypt files, you might check some of our suggested programs at the bottom of the page. Hungarian users should be careful as the virus might target the residents of this country more.[2]


To remove DCry virus, follow these steps:

Remove DCry using Safe Mode with Networking

Make use of the Safe Mode function. It grants you only partial access to the system, but it bypasses any interruption caused by the virus.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.

  • Step 2: Remove DCry

    Log in to your infected account and start the browser. Download Reimage Intego or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete DCry removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove DCry using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.

  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the infiltration of DCry. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage Intego, scan your computer with it and make sure that DCry removal was performed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove DCry from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by DCry, you can use several methods to restore them:

How useful is Data Recovery Pro?

This utility is said to recover lost and corrupted files. In addition, if you accidentally deleted highly important emails, this utility will help you retrieve them.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by DCry ransomware;
  • Restore them.

The benefits of Shadow Explorer

Since this virus is not a full-fledged copy of WannaCry, it is possible that you may restore files affected by DCry virus with the assistance of this program. It is able to restore files on the basis of shadow volume copies.

  • Download Shadow Explorer;
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

DCry Decryptor

There is a free decryption tool available, so victims who have their files marked with .dcry and .qwqd extensions can now restore them for free. Just download the DCry decryption tool from here and start decrypting your files!
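Before running the decrypter it helps to know which variant touched which files. The following inventory script is an added example, not part of the original guide or of the decrypter project: it sorts files by the extensions, ransom-note names and malware file names mentioned in this article, and marks as decryptable only the .dcry and .qwqd extensions the article says the free tool supports. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Indicators taken from the article text (compared case-insensitively).
VARIANT_EXTENSIONS = {".dcry", ".qwqd", ".qwqda", ".gocr", ".dian"}
DECRYPTER_SUPPORTED = {".dcry", ".qwqd"}  # extensions the article says the free tool handles
RANSOM_NOTES = {"how_to_decrypt.txt", "how_to_get_my_files.txt"}
MALWARE_FILES = {"cryptor.exe", "message.vbs"}


def inventory(root):
    """Walk root read-only and sort DCry-related files into triage buckets."""
    report = {"decryptable": [], "no_tool_listed": [], "notes": [],
              "malware": [], "by_extension": defaultdict(int)}
    # onerror swallows unreadable directories so one ACL error does not stop the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = Path(dirpath) / name
            lower, ext = name.lower(), path.suffix.lower()
            if lower in RANSOM_NOTES:
                report["notes"].append(path)
            elif lower in MALWARE_FILES:
                report["malware"].append(path)
            elif ext in VARIANT_EXTENSIONS:
                report["by_extension"][ext] += 1
                bucket = "decryptable" if ext in DECRYPTER_SUPPORTED else "no_tool_listed"
                report[bucket].append(path)
    return report


def demo():
    """Run the inventory over a constructed directory tree (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        for name in ("report.docx.dcry", "photo.jpg.QWQD", "notes.txt.gocr",
                     "budget.xlsx.dian", "untouched.pdf", "HOW_TO_DECRYPT.txt",
                     "message.vbs"):
            (docs / name).write_bytes(b"constructed sample")
        result = inventory(tmp)
        return {key: dict(val) if key == "by_extension" else sorted(p.name for p in val)
                for key, val in result.items()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Copy the files listed under "decryptable" to separate storage before letting any tool modify them, so a failed decryption run cannot destroy the only copy.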

Finally, you should always think about protection against crypto-ransomware. To protect your computer from DCry and other ransomware, use reputable anti-spyware, such as Reimage Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Choose a proper web browser and improve your safety with a VPN tool

Online spying has gained momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic ways to add a layer of security is to choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.
