Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2018

How to remove Dont_Worry ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Alice Woods · Likes to teach users about virus prevention

Dont_Worry ransomware is a virus that threatens victims by encrypting computer files

Dont_Worry ransomware

Dont_Worry ransomware is a crypto-virus that initially emerged from Crypto_Lab and is a part of AMBA virus family. The first version appeared in April 2018, and encrypted files using email_ransom-random_ID{16} file extension, as well as dropped a ransom note called Dont_Worry.txt. The second variant uses.UPS-[random_ID] appendix to lock up files and has a slightly extended message. Both variants use AES/RSA cipher and are not decryptable.

SUMMARY
Name Dont_Worry ransomware
Type Crypto-virus
Ransom note Dont_Worry.txt
Executable files dwintl_x64.exe, gwintl.exe ; dwintl.exe 
Appendix email_ransom-random_ID{16}; .UPS-[random_ID]
Contact email wog@onionmail.info ; ups@torbox3uiot6wchz.onion 
Disribution Spam emails, malicious websites, torrent sites, etc.
File recovery From backup. Otherwise, check for alternative methods below this article
Elimination Download and install FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. Start the program in Safe Mode with Networking 

All the infections occurred in Russia, meaning that Russians are primary targets of this crypto-malware. Nevertheless, that does not mean that the ransomware cannot strike elsewhere – the internet is worldwide. Therefore, do not let your guard down and, if infected, immediately remove Dont_Worry virus from your machine.

Dont_Worry virus enters via contaminated dwintl_x64.exe and gwintl.exethe files and immediately performs malicious changes to the system. Malware implements the following steps to strengthen its presence:

  • The version of the virus is easily customizable. Hence, it can be modified for each individual attack, making it harder to extinguish
  • The infection starts with data gathering – both anonymous (software and hardware) and private (email, name, passwords, credentials, etc.). This information is used to bypass security and other software that might prevent the virus from executing its malicious tasks
  • The virus further changes system's configuration, including a modification to registry entries,[1] boot options, and system parameters

The mentioned changes allow Dont_Worry ransomware to boot up every time the system is launched. Additionally, these modifications can impact computer's performance, making apps freeze or crash, making the machine respond slowly, etc.

Dont_Worry can encrypt various files, including .doc, .xlsx, .pdf, .7zip, .jpg and many others. Nevertheless, there are few formats that the data locker skips, including mp3, .mp4, .avi, .exe, .sys and few others. The ransomware appends the email_ransom-random_ID{16} file extension to each of the files. For example, the file called random.doc would be turned into random.doc.wog@onionmail.info-4668ffbf455b468c.

Dont_Worry ransom note states the following:

All your information on this computer has been encrypted.
To decrypt refer to the contacts listed below.

e-mail: wog@onionmail.info
Your code for unlock: 42943870

If you receive an answer that the mailing address does not exist:
1. You are unlucky. The address was blocked.

You will receive all instructions in the reply letter.

As evident, hackers rely on Tor browser anonymous email service to communicate with victims. The size of the ransom is not mentioned in the note, so it seems like hackers inform users in the email. Nevertheless, we advise you not to contact cybercriminals as they are often known to ignore victims, even after all their demands are fulfilled.

Dont_Worry ransomware removal should be your first action. We strongly advise using a powerful anti-malware program, such as FortectIntego or MalwarebytesMalwarebytes. To avoid damage to system files, we do not recommend manual elimination.

You should only proceed with file recovery after full virus elimination. Unfortunately, the only 100% safe way to recover your files is by restoring them from a back-up, stored on a remote server or externally. Alternatively, we offer other recovery methods – please check below.

Dont_Worry crypto-virus

Second variant of the Dont_Worry ransomware

The second version of the crypto-malware was spotted by security experts[2] in May 2018. It encrypts files using UPS-[random_ID] file extension and its main executable is dwintl.exe. Despite the ransom note having the same name (Dont_Worry.txt), the new variant of Dont_Worry virus brings a more detailed explanation of what exactly has to be done in order to obtain the decryptor from cybercriminals.

Victims are asked to download and install Tor browser[3], create a new email account and contact bad actors using ups@torbox3uiot6wchz.onion  email address. As usual, we advise users to refrain from communicating with hackers and fulfilling their demands. 

The ransom note states the following[translated from Russian]:

All of your information on this computer was encrypted. 
For decryption, you will have to do the following: 
1. Download and install Tor browser:
https://www.torproject.org/download/download-easy.html 
2. Open Tor browser, go to the following address to register a new email account: 
http://torbox3uiot6wchz.onion/signup-en.php 
3. Enter the mailbox: 
http://torbox3uiot6wchz.onion/sm/
4. Write a letter to the following address:
e-mail: ups@torbox3uiot6wchz.onion  
Write your ID for file decryption: *** 
5. Wait for an answer. 

Note that we will not be able to get emails from usual addresses, apart from those in the following list: 
http://torbox3uiot6wchz.onion/relay-en.php

Only two infections were spotted so far, but that does not mean that the virus will not spread further. Both victims were from Russia, suggesting that the second variant of Dont_Worry is still targeting Russian-speaking users.

Dont_Worry UPS-[random_ID] extension

The way malware is distributed

Most prominent ransomware distribution method is via spam emails. This allows hackers to trick users into opening a malicious file and infecting the system instantaneously. Thus, this method is quick and efficient and widely used. Security experts[4] warn that all the emails coming from unknown sources should be ignored and deleted immediately. Finally, recognizing suspicious emails is critical too so you should check out some examples[5] online.

Other distribution methods of ransomware:

  • Torrent and other peer-to-peer websites;
  • Hacked sites;
  • Exploit kits;
  • Repacked and infected installers;
  • Keygens, etc.

Remove Dont_Worry ransomware from your computer and then attempt file recovery

As we already mentioned, we highly discourage users from attempting manual Dont_Worry removal. Crypto-virus is a complicated code that is embedded deep within system files. Tampering with those files might lead to permanent software damage.

Therefore, we urge you to remove Dont_Worry virus by using security software – FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. These programs can find and eliminate the threat immediately. Do not attempt file recovery before you fully delete the virus as all the files will get encrypted again.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.