Severity scale:  

Remove Dont_Worry ransomware (Easy Removal Guide) - May 2018 update

removal by Alice Woods - - | Type: Ransomware

Dont_Worry ransomware is a virus that threatens victims by encrypting computer files

Dont_Worry ransomware

Dont_Worry ransomware is a crypto-virus that initially emerged from Crypto_Lab and is a part of AMBA virus family. The first version appeared in April 2018, and encrypted files using email_ransom-random_ID{16} file extension, as well as dropped a ransom note called Dont_Worry.txt. The second variant uses.UPS-[random_ID] appendix to lock up files and has a slightly extended message. Both variants use AES/RSA cipher and are not decryptable.

Name Dont_Worry ransomware
Type Crypto-virus
Ransom note Dont_Worry.txt
Executable files dwintl_x64.exe, gwintl.exe ; dwintl.exe 
Appendix email_ransom-random_ID{16}; .UPS-[random_ID]
Contact email ; ups@torbox3uiot6wchz.onion 
Disribution Spam emails, malicious websites, torrent sites, etc.
File recovery From backup. Otherwise, check for alternative methods below this article
Elimination Download and install Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes. Start the program in Safe Mode with Networking 

All the infections occurred in Russia, meaning that Russians are primary targets of this crypto-malware. Nevertheless, that does not mean that the ransomware cannot strike elsewhere – the internet is worldwide. Therefore, do not let your guard down and, if infected, immediately remove Dont_Worry virus from your machine.

Dont_Worry virus enters via contaminated dwintl_x64.exe and gwintl.exethe files and immediately performs malicious changes to the system. Malware implements the following steps to strengthen its presence:

  • The version of the virus is easily customizable. Hence, it can be modified for each individual attack, making it harder to extinguish
  • The infection starts with data gathering – both anonymous (software and hardware) and private (email, name, passwords, credentials, etc.). This information is used to bypass security and other software that might prevent the virus from executing its malicious tasks
  • The virus further changes system's configuration, including a modification to registry entries,[1] boot options, and system parameters

The mentioned changes allow Dont_Worry ransomware to boot up every time the system is launched. Additionally, these modifications can impact computer's performance, making apps freeze or crash, making the machine respond slowly, etc.

Dont_Worry can encrypt various files, including .doc, .xlsx, .pdf, .7zip, .jpg and many others. Nevertheless, there are few formats that the data locker skips, including mp3, .mp4, .avi, .exe, .sys and few others. The ransomware appends the email_ransom-random_ID{16} file extension to each of the files. For example, the file called random.doc would be turned into

Dont_Worry ransom note states the following:

All your information on this computer has been encrypted.
To decrypt refer to the contacts listed below.

Your code for unlock: 42943870

If you receive an answer that the mailing address does not exist:
1. You are unlucky. The address was blocked.

You will receive all instructions in the reply letter.

As evident, hackers rely on Tor browser anonymous email service to communicate with victims. The size of the ransom is not mentioned in the note, so it seems like hackers inform users in the email. Nevertheless, we advise you not to contact cybercriminals as they are often known to ignore victims, even after all their demands are fulfilled.

Dont_Worry ransomware removal should be your first action. We strongly advise using a powerful anti-malware program, such as Reimage Reimage Cleaner Intego or Malwarebytes. To avoid damage to system files, we do not recommend manual elimination.

You should only proceed with file recovery after full virus elimination. Unfortunately, the only 100% safe way to recover your files is by restoring them from a back-up, stored on a remote server or externally. Alternatively, we offer other recovery methods – please check below.

Dont_Worry crypto-virusDont_Worry ransomware is a deadly virus that locks up most of personal files and renders them useless. Cybercriminals then demand ransom to be pain in cryptocurrency.

Second variant of the Dont_Worry ransomware

The second version of the crypto-malware was spotted by security experts[2] in May 2018. It encrypts files using UPS-[random_ID] file extension and its main executable is dwintl.exe. Despite the ransom note having the same name (Dont_Worry.txt), the new variant of Dont_Worry virus brings a more detailed explanation of what exactly has to be done in order to obtain the decryptor from cybercriminals.

Victims are asked to download and install Tor browser[3], create a new email account and contact bad actors using ups@torbox3uiot6wchz.onion  email address. As usual, we advise users to refrain from communicating with hackers and fulfilling their demands. 

The ransom note states the following[translated from Russian]:

All of your information on this computer was encrypted. 
For decryption, you will have to do the following: 
1. Download and install Tor browser: 
2. Open Tor browser, go to the following address to register a new email account: 
3. Enter the mailbox: 
4. Write a letter to the following address:
e-mail: ups@torbox3uiot6wchz.onion  
Write your ID for file decryption: *** 
5. Wait for an answer. 

Note that we will not be able to get emails from usual addresses, apart from those in the following list: 

Only two infections were spotted so far, but that does not mean that the virus will not spread further. Both victims were from Russia, suggesting that the second variant of Dont_Worry is still targeting Russian-speaking users.

Dont_Worry UPS-[random_ID] extension

The way malware is distributed

Most prominent ransomware distribution method is via spam emails. This allows hackers to trick users into opening a malicious file and infecting the system instantaneously. Thus, this method is quick and efficient and widely used. Security experts[4] warn that all the emails coming from unknown sources should be ignored and deleted immediately. Finally, recognizing suspicious emails is critical too so you should check out some examples[5] online.

Other distribution methods of ransomware:

  • Torrent and other peer-to-peer websites;
  • Hacked sites;
  • Exploit kits;
  • Repacked and infected installers;
  • Keygens, etc.

Remove Dont_Worry ransomware from your computer and then attempt file recovery

As we already mentioned, we highly discourage users from attempting manual Dont_Worry removal. Crypto-virus is a complicated code that is embedded deep within system files. Tampering with those files might lead to permanent software damage.

Therefore, we urge you to remove Dont_Worry virus by using security software – Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes. These programs can find and eliminate the threat immediately. Do not attempt file recovery before you fully delete the virus as all the files will get encrypted again.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Dont_Worry virus, follow these steps:

Remove Dont_Worry using Safe Mode with Networking

If Dont_Worry virus prevents security software from starting, enter your computer in Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Dont_Worry

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Dont_Worry removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Dont_Worry using System Restore

You can try to eliminate the threat using System Restore. Simply follow these instructions:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Dont_Worry. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Dont_Worry removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Dont_Worry from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

You can safely recover your files from an external HDD or a remote server. However, if you did not have the back-up you should try the following options.

If your files are encrypted by Dont_Worry, you can use several methods to restore them:

See if Data Recover Pro can assist you with file recovery

This tool is used to recover corrupted or deleted files. Nevertheless, it can sometimes help to recover files affected by ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Dont_Worry ransomware;
  • Restore them.

Windows Previous Versions feature could be an option

If you had System Restore enabled before the attack, you can return your files back using this method:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try ShadowExplorer

Shadow volume copies are used to automatically copy your files by Windows. Therefore, if the Dont_Worry virus left these intact, you are in luck:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryptor is not available yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Dont_Worry and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions


Your opinion regarding Dont_Worry ransomware