
Remove Dewar ransomware (Decryption Methods Included) - Virus Removal Instructions

Removal by Olivia Morelli | Type: Ransomware

Dewar ransomware is a Phobos family member that targets all types of Windows operating systems


Dewar ransomware is a serious form of malware that appends an extension made up of the victim's unique ID, the criminals' email address, and the .dewar suffix to every file it locks. This file-encrypting parasite belongs to the Phobos family and can appear on any Windows version, such as Windows 7, Windows 8 or Windows 10. The malware modifies Windows Registry and Task Manager entries in order to run its module, and it encrypts all the files and documents it finds on the targeted system. Afterward, Dewar ransomware drops the info.hta and info.txt ransom notes, which are placed on the computer's desktop and in every folder that holds encrypted files and documents.

The .dewar files virus provides the kyzikrut@airmail.cc and kokux@tutanota.com email addresses as the channel for discussing the terms of the data recovery process. Even though the cybercriminals do not state a specific price, the victims are urged to buy Bitcoin and pay in this cryptocurrency. If you have read the info.hta ransom note, you will have noticed that the Dewar ransomware developers provide links to places where BTC can be bought. They also allow the victim to send them 5 files, no more than 4 MB in total, as proof that the decryption tool exists.
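The following Python script is an added example (it is not code from 2-spyware.com, and not from the malware) showing how a responder could triage a file listing for the naming pattern described above: it pulls the victim ID and contact email out of each renamed file and counts the ransom notes. It assumes the layout `<name>.id[<victim ID>].[<email>].dewar`, with the victim ID shaped like the 1E857D00-2718 sample quoted in the ransom note; the sample paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumed filename layout (the page names the components, not the exact layout):
#   <original name>.id[<victim ID>].[<email>].dewar
# The victim ID shape (8 hex characters, dash, 4 digits) follows the ransom note sample.
DEWAR_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.dewar$"
)

# Ransom note filenames named on the page.
RANSOM_NOTES = {"info.hta", "info.txt"}


def parse_dewar_name(filename):
    """Return the parts of a Dewar-style filename, or None if it does not match."""
    m = DEWAR_NAME.match(filename)
    if not m:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id").upper(),
        "email": m.group("email").lower(),
    }


def is_ransom_note(filename):
    return filename.lower() in RANSOM_NOTES


def triage(paths):
    """Summarise a file listing: encrypted files, ransom notes, victim IDs and emails seen."""
    summary = {
        "encrypted": [],
        "notes": [],
        "victim_ids": Counter(),
        "emails": Counter(),
        "affected_dirs": set(),
    }
    for path in paths:
        p = PureWindowsPath(path)          # handles backslash paths on any OS
        parts = parse_dewar_name(p.name)
        if parts:
            summary["encrypted"].append(path)
            summary["victim_ids"][parts["victim_id"]] += 1
            summary["emails"][parts["email"]] += 1
            summary["affected_dirs"].add(str(p.parent))
        elif is_ransom_note(p.name):
            summary["notes"].append(path)
    return summary


# Constructed sample listing; the victim ID and emails are the ones quoted on the page.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.id[1E857D00-2718].[kyzikrut@airmail.cc].dewar",
    r"C:\Users\alice\Pictures\photo.jpg.id[1E857D00-2718].[kyzikrut@airmail.cc].dewar",
    r"C:\Users\alice\Downloads\archive.zip.id[1E857D00-2718].[kokux@tutanota.com].dewar",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Documents\notes.txt",   # untouched file, must not be flagged
]

if __name__ == "__main__":
    s = triage(SAMPLE_PATHS)
    print(f"encrypted files: {len(s['encrypted'])}, ransom notes: {len(s['notes'])}")
    print("victim IDs:", dict(s["victim_ids"]))
    print("contact emails:", dict(s["emails"]))
    print("affected directories:", sorted(s["affected_dirs"]))
```

On a real machine the listing would come from walking the user profile and data shares; a single victim ID across all files confirms one infection, while the emails tell you which ransom note the files belong to.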

Name: Dewar ransomware
Category: Ransomware virus/malware
Family: Phobos ransomware
Appendix: Once this malware locks up the files and documents found on the computer system, it attaches the criminals' email address, the unique victim's ID, and the .dewar appendix to the filename
Ransom note: When all of the files are encrypted, the ransomware places the info.hta ransom note on the computer's desktop and in each folder that holds encrypted data
Target(s): The ransomware targets all Windows versions such as Windows 7, Windows 8, Windows 10, etc. It also aims at English-speaking users, as the ransom note is written in English
Crooks' emails: kyzikrut@airmail.cc and kokux@tutanota.com are the addresses given in the ransom-demanding message for contacting the criminals and discussing the ransom price
Spreading: The malicious payload is often delivered via email spam campaigns, hacked RDP connections, software cracks, and malvertising placed on third-party websites
Removal: If you have been dealing with this parasite lately, you should get rid of it ASAP. This can be done with an antimalware product
Repair software: If you discover that the malware has altered or damaged some system components on your Windows computer, you can try repairing them with an automatic tool such as Reimage Cleaner

Dewar ransomware uses encryption algorithms such as AES[1] and RSA to lock the files and documents found on the infected Windows computer. It can also run a module that periodically rescans the system for files it can still encrypt, so that the cybercriminals can be sure no data is left unaffected. After that comes the ransom note, which targets English-speaking people as it is written in English:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: kryzikrut@airmail.cc and this e-mail:kokux@tutanota.com
Write this ID in the title of your message 1E857D00-2718
Our operator is available in the messenger Telegram: hxxps://telegram.org/. To find us, enter the alias @hpdec in the messenger search box.
You can install the Jabber client and write to us in support of decrypt_here@xmpp.jp
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Jabber client installation instructions:
Download the jabber (Pidgin) client from hxxps://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click “Add”
In the “Protocol” field, select XMPP
In “Username” – come up with any name
In the field “domain” – enter any jabber-server, there are a lot of them, for example – exploit.im
Create a password
At the bottom, put a tick “Create account”
Click add
If you selected “domain” – exploit.im, then a new window should appear in which you will need to re-enter your data:
User
password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube – hxxps://www.youtube.com/results?search_query=pidgin+jabber+install

Dewar virus demands payment in Bitcoin because such transfers are difficult to trace back to the recipient. The hackers may ask for anything between $50 and $2000 or more. However, we do not recommend paying these people, as they can hand you a fake tool or nothing at all and run off with your money. That way you would be left with an empty bank account and your files still encrypted.

Dewar ransomware uses a unique key for every victim, so the keys are practically impossible to guess and even experienced computer experts have a very hard time finding file recovery options. However, this does not mean that you have to rush to pay the ransom and risk your money. There are other alternatives you can try, and we have added some to the end of this page.

Dewar ransomware is a malicious parasite that provides the ransom note in the info.txt and info.hta formats

Malicious parasites such as Dewar ransomware usually enter computer systems by stealth. Some malware developers choose to deliver their products through email spam, software cracks, hacked RDP connections, or malvertising. For now, ransomware infections of this kind only target Windows-based operating systems, but we may yet see the day when bad actors start infecting Mac computers with such software too.

When Dewar ransomware is added to the computer system, it ensures that its malicious module is launched every time the computer starts, which guarantees it keeps running. Additionally, it may disable antivirus software on the system by adding specific Windows Registry keys. You may also find the Task Manager filled with unrecognizable processes.

Even though Phobos family variants are known for deactivating antimalware software, according to VirusTotal,[2] Dewar ransomware has been detected by 47 of the 70 AV engines. Some of the detection names include:

  • Trojan.MulDrop11.37578 (DrWeb);
  • Gen:Variant.Ransom.Phobos.62 (BitDefender);
  • Win32:Malware-gen (Avast, Webroot and AVG);
  • HEUR:Trojan.Win32.Generic (Kaspersky);
  • Ransom.Win32.CRYSIS.TIBGFP (TrendMicro);
  • ML.Attribute.HighConfidence (Symantec).

Dewar ransomware may try to make recovery harder by permanently deleting the Shadow Volume Copies via specific PowerShell commands, which prevents you from using software that could otherwise restore some of the encrypted files. Also be aware that the ransomware may tamper with the Windows hosts file to stop you from reaching cybersecurity-related websites.
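Because the hosts file is one of the places such ransomware tampers with, here is an added Python audit (not part of the original page) that parses a hosts file and flags two things: watchlisted domains that have been overridden, and any non-local name pointed at a loopback or unspecified address. The watchlist domains and the sample hosts file content are constructed for the example; on a real machine you would feed it the contents of the path in WINDOWS_HOSTS_PATH.

```python
import ipaddress
import os

# Addresses that make a name unreachable when assigned in the hosts file.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

# Default location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                  "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return (ip, hostname, line_number) for every active entry; comments are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # not a valid address, ignore the line
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def audit_hosts(text, watchlist):
    """Flag overridden watchlist domains and non-local names pointed at sinkhole addresses."""
    watchlist = [d.lower() for d in watchlist]
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watchlist):
            findings.append({"line": line_no, "name": name, "ip": ip,
                             "reason": "watchlisted domain overridden"})
        elif ip in SINKHOLE_ADDRESSES and name not in LOCAL_NAMES:
            findings.append({"line": line_no, "name": name, "ip": ip,
                             "reason": "non-local name sinkholed"})
    return findings


# Constructed hosts file: stock loopback entries, one legitimate internal entry,
# then entries of the kind a tampering ransomware would add. All domains are made up.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.20      intranet.corp.test        # legitimate internal host
127.0.0.1       security-vendor.test www.security-vendor.test
0.0.0.0         updates.security-vendor.test
0.0.0.0         forum.malware-help.test
"""

# Constructed watchlist; a defender would list the update and support domains of their own tools.
WATCHLIST = ["security-vendor.test"]

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['reason']})")
```

The second rule catches blocks of sites that are not on your watchlist: a stock Windows hosts file maps nothing but localhost to loopback, so any other name pointing there deserves a look.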

Furthermore, Dewar ransomware makes your computer vulnerable to other infections and opens a backdoor for various other threats. The malware might bring trojans and other parasites onto the system that initiate further malicious activity. What is more, the ransomware may already be programmed to install another infection, which you might find lurking on your Windows computer after completing a full malware scan.

Dewar virus - ransomware that is distributed through hacked RDP, phishing emails, etc.

The best thing to do is to complete Dewar ransomware removal with the help of antimalware software. Make sure to choose only reliable products for the process and avoid manual steps of your own, as you can easily make harmful mistakes. Furthermore, if you think that the ransomware or any additional malware has damaged your computer system, you can try repairing the compromised areas with Reimage Cleaner.

If you are having a hard time removing Dewar ransomware from your Windows machine, there is a reason for that. If the malware is running malicious processes on your computer that keep it from being detected, boot your computer into Safe Mode with Networking or use the System Restore feature to undo the malicious changes. When you are done and the virus has vanished, go to the end of this article, where you will find some file recovery steps.

Phobos ransomware is focused on targeting worldwide businesses but can make regular users victims too

Phobos ransomware is named after Phobos, the Greek god of fear. The name suits the malicious strain well, as merely hearing it brings fear and doubt to many people. This dangerous parasite mostly targets well-known businesses but will not pass up regular users either if it gets the chance.

Phobos virus is most commonly distributed through unprotected RDP (Remote Desktop Protocol) services exposed on port 3389. The hackers brute-force the login details and connect to the targeted computer system remotely. Other spreading techniques include email spam messages and their malicious attachments, according to Malwarebytes Labs.[3]

Even though these are the main sources through which Phobos ransomware arrives, it is also sold on the black market as RaaS (ransomware-as-a-service), so any hacker who does not want to spend time creating their own malware can buy this one and distribute it wherever they like.

Phobos ransomware has already released numerous versions of its malware family and Dewar ransomware is one of the most recent ones. All of the variants carry various extensions such as .actin, .actor, .acute, .Adame, .banjo, .banhu, .bbc, .blend, .Calvo, .calix, .Caleb, .Cales, .com, .DDoS, .Dever, .devil, .dewar, .elbow, .elder, .phoenix, and many more.

These ransomware viruses always provide a ransom note both as a text file and in .HTA format. There, the criminals give their contact details for discussing the terms of the ransom. They also always demand a Bitcoin payment and include hyperlinks to places where the cryptocurrency can be bought.

Phobos ransomware carries a complex operation module that allows it not only to encrypt files but also to carry out other hazardous tasks. The parasite is known to delete Shadow Copies and local backups to hinder recovery, disable antivirus software to evade detection, and prevent systems from recovering via boot modes.

Delivery peculiarities of ransomware viruses

The mentioned ransomware strain is mostly delivered through hacked RDP on port 3389 when the service is not properly secured or has no password at all. After brute-forcing the port or using stolen login details, the hackers can remotely connect to your Windows computer system. For this reason, it is very important to secure your RDP with a strong and reliable password that contains symbols, letters, and numbers.
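As an added example (not from the original article), the following Python code shows the detection side of the RDP brute-force delivery described here and in the Phobos section above: it reads Windows failed-logon (event 4625) and successful-logon (event 4624) records for the RDP logon types, raises an alert when one source IP exceeds a failure threshold inside a sliding time window, and records whether a successful logon from that IP followed. The event lines, account names and IP addresses are constructed; a real deployment would feed it events exported from the Security log in the same field order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows logon types that correspond to RDP: 10 = RemoteInteractive,
# 3 = Network (what failed NLA pre-authentication attempts are logged as).
RDP_LOGON_TYPES = {"10", "3"}
FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"

# Constructed sample events. Fields: timestamp, event ID, logon type, account name, source IP.
# 203.0.113.45 hammers the RDP service and finally gets in; the others are normal users.
SAMPLE_EVENTS = """\
2020-02-10T03:14:01 4625 10 administrator 203.0.113.45
2020-02-10T03:14:09 4625 10 admin 203.0.113.45
2020-02-10T03:14:17 4625 10 user 203.0.113.45
2020-02-10T03:14:25 4625 10 backup 203.0.113.45
2020-02-10T03:14:33 4625 10 test 203.0.113.45
2020-02-10T03:14:41 4625 10 scanner 203.0.113.45
2020-02-10T03:15:02 4624 10 scanner 203.0.113.45
2020-02-10T03:20:00 4625 10 jdoe 198.51.100.7
2020-02-10T03:21:00 4624 10 jdoe 198.51.100.7
2020-02-10T08:00:00 4624 10 alice 192.0.2.10
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "source_ip": source_ip,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on a source IP with >= threshold RDP logon failures inside a sliding window.

    Returns one alert per offending IP with the accounts tried and, if a successful
    logon from that IP followed the alert, the account that got in.
    """
    recent_failures = defaultdict(deque)   # source IP -> failure timestamps within the window
    tried_accounts = defaultdict(set)      # source IP -> account names attempted
    alerts = {}
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = e["source_ip"]
        if e["event_id"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            tried_accounts[ip].add(e["account"])
            if ip in alerts:
                alerts[ip]["failed_count"] += 1
                alerts[ip]["last_seen"] = e["time"]
            elif len(q) >= threshold:
                alerts[ip] = {
                    "source_ip": ip,
                    "failed_count": len(q),
                    "first_seen": q[0],
                    "last_seen": e["time"],
                    "accounts": tried_accounts[ip],    # shared set, keeps growing
                    "followed_by_success": None,
                }
        elif e["event_id"] == SUCCESSFUL_LOGON and ip in alerts:
            # A success right after a burst of failures is the signal to act on immediately.
            alerts[ip]["followed_by_success"] = e["account"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a['source_ip']}: {a['failed_count']} RDP failures between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}, "
              f"accounts tried: {sorted(a['accounts'])}, "
              f"success afterwards: {a['followed_by_success']}")
```

The threshold and window are deliberately parameters: a workstation that is never reached over RDP can alert on a handful of failures, whereas a jump host needs a higher bar to avoid paging on typos.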

Additionally, ransomware infections can be distributed through phishing email messages and their malicious attachments. Most of the time, hackers attach Word documents or Excel sheets that look like regular order information, health notifications, business letters, and so on, but carry a malicious payload inside. If you receive an email that you were not expecting, do not rush to open the attachment before scanning it with antimalware first.

Furthermore, ransomware viruses are delivered through software cracks downloaded from unsecured networks such as p2p ones. Cracked products are available from websites such as The Pirate Bay, BitTorrent, etc. According to Virusai.lt experts,[4] getting your software from official sources should help you avoid this problem. Ransomware can also be distributed through malicious ads known as malvertising, infectious hyperlinks, fake software updates, etc.

Dewar ransomware removal possibilities

If you have been dealing with this cyber threat lately and it has affected your files, Dewar ransomware removal is the first step you should take towards a better security state for your computer and data. Employ only reliable antimalware products that are capable of eliminating the cyber threat. Afterward, try some of the data recovery techniques that our specialists have added to the end of this article.

When you remove Dewar ransomware from your Windows computer system and no malicious processes are active any longer, you should start looking for possibly damaged objects on your device. Automatic tools such as SpyHunter 5, Combo Cleaner and Malwarebytes will scan the computer system and provide you with the results. If the system checkup shows that there are some damaged areas on your computer, you can try fixing them by employing software such as Reimage Cleaner.


To remove Dewar virus, follow these steps:

Remove Dewar using Safe Mode with Networking

Try diminishing all of the malicious changes that were caused by the ransomware virus by booting your Windows computer system in Safe Mode with Networking. Here are the instructions:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Dewar

    Log in to your infected account and start the browser. Download Reimage Cleaner or another legitimate anti-spyware program. Update it before running a full system scan, remove the malicious files that belong to the ransomware, and complete Dewar removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Dewar using System Restore

Try restoring your computer to its previous state and disabling the Dewar ransomware virus with System Restore by following these guidelines:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Dewar. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage Cleaner, scan your computer, and make sure that Dewar removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Dewar from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If you have spotted files with the .dewar appendix and tried opening them, you have probably failed. However, we are here to help you get proper access back. Rather than risk paying the demanded ransom, try some of the following tools.

If your files are encrypted by Dewar, you can use several methods to restore them:

Using Data Recovery Pro might help you recover some files.

If you have been looking for a tool that could help you get your encrypted files back, you can try this one.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Dewar ransomware;
  • Restore them.

Employ Windows Previous Versions feature for data recovery.

This feature can be very helpful if you enabled System Restore in the past.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

Try using Shadow Explorer and restore some files.

If the ransomware virus did not permanently delete or destroy the Shadow Volume Copies of your encrypted files, this method might work.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk that holds your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The official .dewar files decrypter is still in development.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Dewar and other ransomware, use a reputable anti-spyware tool such as Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst


