Severity scale:  
  (99/100)

Dont_Worry ransomware. How to remove? (Uninstall guide)

removal by Alice Woods - - | Type: Ransomware

Dont_Worry ransomware is a virus that threatens victims by encrypting computer files

Dont_Worry ransomware

Dont_Worry ransomware is a crypto-virus that initially emerged from Crypto_Lab and is a part of AMBA virus family. The first version appeared in April 2018, and encrypted files using email_ransom-random_ID{16} file extension, as well as dropped a ransom note called Dont_Worry.txt. The second variant uses.UPS-[random_ID] appendix to lock up files and has a slightly extended message. Both variants use AES/RSA cipher and are not decryptable.

SUMMARY
Name Dont_Worry ransomware
Type Crypto-virus
Ransom note Dont_Worry.txt
Executable files dwintl_x64.exe, gwintl.exe ; dwintl.exe 
Appendix email_ransom-random_ID{16}; .UPS-[random_ID]
Contact email wog@onionmail.info ; ups@torbox3uiot6wchz.onion 
Disribution Spam emails, malicious websites, torrent sites, etc.
File recovery From backup. Otherwise, check for alternative methods below this article
Elimination Download and install Reimage, Malwarebytes Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security. Start the program in Safe Mode with Networking 

All the infections occurred in Russia, meaning that Russians are primary targets of this crypto-malware. Nevertheless, that does not mean that the ransomware cannot strike elsewhere – the internet is worldwide. Therefore, do not let your guard down and, if infected, immediately remove Dont_Worry virus from your machine.

Dont_Worry virus enters via contaminated dwintl_x64.exe and gwintl.exethe files and immediately performs malicious changes to the system. Malware implements the following steps to strengthen its presence:

  • The version of the virus is easily customizable. Hence, it can be modified for each individual attack, making it harder to extinguish
  • The infection starts with data gathering – both anonymous (software and hardware) and private (email, name, passwords, credentials, etc.). This information is used to bypass security and other software that might prevent the virus from executing its malicious tasks
  • The virus further changes system's configuration, including a modification to registry entries,[1] boot options, and system parameters

The mentioned changes allow Dont_Worry ransomware to boot up every time the system is launched. Additionally, these modifications can impact computer's performance, making apps freeze or crash, making the machine respond slowly, etc.

Dont_Worry can encrypt various files, including .doc, .xlsx, .pdf, .7zip, .jpg and many others. Nevertheless, there are few formats that the data locker skips, including mp3, .mp4, .avi, .exe, .sys and few others. The ransomware appends the email_ransom-random_ID{16} file extension to each of the files. For example, the file called random.doc would be turned into random.doc.wog@onionmail.info-4668ffbf455b468c.

Dont_Worry ransom note states the following:

All your information on this computer has been encrypted.
To decrypt refer to the contacts listed below.

e-mail: wog@onionmail.info
Your code for unlock: 42943870

If you receive an answer that the mailing address does not exist:
1. You are unlucky. The address was blocked.

You will receive all instructions in the reply letter.

As evident, hackers rely on Tor browser anonymous email service to communicate with victims. The size of the ransom is not mentioned in the note, so it seems like hackers inform users in the email. Nevertheless, we advise you not to contact cybercriminals as they are often known to ignore victims, even after all their demands are fulfilled.

Dont_Worry ransomware removal should be your first action. We strongly advise using a powerful anti-malware program, such as Reimage or Plumbytes Anti-MalwareNorton Internet Security. To avoid damage to system files, we do not recommend manual elimination.

You should only proceed with file recovery after full virus elimination. Unfortunately, the only 100% safe way to recover your files is by restoring them from a back-up, stored on a remote server or externally. Alternatively, we offer other recovery methods – please check below.

Second variant of the Dont_Worry ransomware

The second version of the crypto-malware was spotted by security experts[2] in May 2018. It encrypts files using UPS-[random_ID] file extension and its main executable is dwintl.exe. Despite the ransom note having the same name (Dont_Worry.txt), the new variant of Dont_Worry virus brings a more detailed explanation of what exactly has to be done in order to obtain the decryptor from cybercriminals.

Victims are asked to download and install Tor browser[3], create a new email account and contact bad actors using ups@torbox3uiot6wchz.onion  email address. As usual, we advise users to refrain from communicating with hackers and fulfilling their demands. 

The ransom note states the following[translated from Russian]:

All of your information on this computer was encrypted. 
For decryption, you will have to do the following: 
1. Download and install Tor browser:
https://www.torproject.org/download/download-easy.html 
2. Open Tor browser, go to the following address to register a new email account: 
http://torbox3uiot6wchz.onion/signup-en.php 
3. Enter the mailbox: 
http://torbox3uiot6wchz.onion/sm/
4. Write a letter to the following address:
e-mail: ups@torbox3uiot6wchz.onion  
Write your ID for file decryption: *** 
5. Wait for an answer. 

Note that we will not be able to get emails from usual addresses, apart from those in the following list: 
http://torbox3uiot6wchz.onion/relay-en.php

Only two infections were spotted so far, but that does not mean that the virus will not spread further. Both victims were from Russia, suggesting that the second variant of Dont_Worry is still targeting Russian-speaking users.

Dont_Worry UPS-[random_ID] extension

The way malware is distributed

Most prominent ransomware distribution method is via spam emails. This allows hackers to trick users into opening a malicious file and infecting the system instantaneously. Thus, this method is quick and efficient and widely used. Security experts[4] warn that all the emails coming from unknown sources should be ignored and deleted immediately. Finally, recognizing suspicious emails is critical too so you should check out some examples[5] online.

Other distribution methods of ransomware:

  • Torrent and other peer-to-peer websites;
  • Hacked sites;
  • Exploit kits;
  • Repacked and infected installers;
  • Keygens, etc.

Remove Dont_Worry ransomware from your computer and then attempt file recovery

As we already mentioned, we highly discourage users from attempting manual Dont_Worry removal. Crypto-virus is a complicated code that is embedded deep within system files. Tampering with those files might lead to permanent software damage.

Therefore, we urge you to remove Dont_Worry virus by using security software – Reimage, Malwarebytes Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security. These programs can find and eliminate the threat immediately. Do not attempt file recovery before you fully delete the virus as all the files will get encrypted again.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Dont_Worry ransomware you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Dont_Worry ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage
Alternate Software
Plumbytes Anti-Malware
We have tested Plumbytes Anti-Malware's efficiency in removing Dont_Worry ransomware (2018-05-25)
Malwarebytes
We have tested Malwarebytes's efficiency in removing Dont_Worry ransomware (2018-05-25)
Hitman Pro
We have tested Hitman Pro's efficiency in removing Dont_Worry ransomware (2018-05-25)
Malwarebytes
We have tested Malwarebytes's efficiency in removing Dont_Worry ransomware (2018-05-25)

To remove Dont_Worry virus, follow these steps:

Remove Dont_Worry using Safe Mode with Networking

If Dont_Worry virus prevents security software from starting, enter your computer in Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Dont_Worry

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Dont_Worry removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Dont_Worry using System Restore

You can try to eliminate the threat using System Restore. Simply follow these instructions:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Dont_Worry. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Dont_Worry removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Dont_Worry from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

You can safely recover your files from an external HDD or a remote server. However, if you did not have the back-up you should try the following options.

If your files are encrypted by Dont_Worry, you can use several methods to restore them:

See if Data Recover Pro can assist you with file recovery

This tool is used to recover corrupted or deleted files. Nevertheless, it can sometimes help to recover files affected by ransomware.

Windows Previous Versions feature could be an option

If you had System Restore enabled before the attack, you can return your files back using this method:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try ShadowExplorer

Shadow volume copies are used to automatically copy your files by Windows. Therefore, if the Dont_Worry virus left these intact, you are in luck:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryptor is not available yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Dont_Worry and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions

References