Severity scale: 97/100

Remove Mr. Dec ransomware (Virus Removal Guide) - Jul 2019 update

by Alice Woods | Type: Ransomware

Mr. Dec ransomware is a deadly virus that renders all personal files useless and threatens to delete the decryptor within a specific time limit

Mr. Dec ransomware is a dangerous virus that renders all personal files on the device useless and asks to contact hackers for the decoder

Mr. Dec ransomware is a cryptovirus that was first spotted in mid-May 2018 and has been updated multiple times since then. The hackers behind it use a variety of distribution methods, such as spam email, exploits,[1] brute-force attacks, malicious ads, fake updates, and other tactics, so that more users are exposed to the infection.

Mr. Dec ransomware encrypts all personal data on the device with the AES encryption algorithm[2] and appends the .[ID]random 16 characters[ID] file extension, which prevents the files from being used. Additionally, the malware drops a ransom note, Decoding help.hta, which explains that users need to contact the cybercrooks to have a chance of retrieving their data. Nevertheless, experts advise avoiding contact with them and urge users to remove Mr. Dec ransomware instead.


The hackers behind Mr. Dec ransomware have used various email addresses and ransom notes. The latest variant drops Decoder.hta on infected machines and prompts victims to contact the bad actors via the asist.help@protonmail.com or asist5000@tutanota.com email addresses. It is also known that the threat mainly targets businesses and formats all the backups, although regular users are affected as well.

Name: Mr. Dec
Type: Ransomware
Danger level: Very high
Distribution: Spam emails, exploits, web infects, brute-force attacks, fake updates, cracked software, etc.
Contact addresses:
  • mr.dec@tutanota.com, mr.dec@protonmail.com
  • shine2@protonmail.com, shine1@tutanova.com
  • JonStokton@Protonmail.com, JonStokton@tutanota.com
  • filessnoop@aol.com, filessnoop@tutanota.com
  • mr.file@protonmail.com
  • localgroup@protonmail.com, localgroup@tutanota.com
  • asist.help@protonmail.com, asist5000@tutanota.com
File extension: .[ID]16 random characters[ID]
Name of the ransom note: Decoding help.hta, Help for decrypting (mr.file@protonmail.com).txt, Decoder.hta
Related files: DECODE KEY.KEY, searchfiles.exe
Removal: You can only delete Mr. Dec ransomware with professional anti-malware software
Recovery: Use Reimage or Reimage Cleaner to restore Windows Registry and remediate your computer from the infection
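
The extension pattern, ransom note names and related files listed above can be used to scope how far the encryption spread on a disk or file share. The Python script below is an added example, not part of the original guide or any vendor tool; it assumes the 16 characters in the extension are letters and digits, and the file names created in demo() are constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Extension as the page describes it: ".[ID]" + 16 characters + "[ID]".
# Assumption: the 16 characters are letters and digits.
ENCRYPTED_EXT = re.compile(r"\.\[ID\][A-Za-z0-9]{16}\[ID\]$")

# Ransom note and related file names from the page, compared case-insensitively.
ARTIFACT_NAMES = {
    "decoding help.hta", "decoder.hta", "decode key.key", "searchfiles.exe",
    "help for decrypting (mr.file@protonmail.com).txt",
}


def classify(filename):
    """Return 'encrypted', 'artifact' or None for a bare file name."""
    if ENCRYPTED_EXT.search(filename):
        return "encrypted"
    if filename.lower() in ARTIFACT_NAMES:
        return "artifact"
    return None


def scan(root):
    """Walk root and return (hits, per-directory hit counts)."""
    hits, per_dir = [], Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            kind = classify(name)
            if kind:
                hits.append((kind, os.path.join(dirpath, name)))
                per_dir[dirpath] += 1
    return hits, per_dir


def demo():
    """Scan a constructed sample tree; the names below are made up."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("budget.xlsx.[ID]a1B2c3D4e5F6g7H8[ID]", "notes.txt", "Decoder.hta"):
            open(os.path.join(docs, name), "w").close()
        hits, per_dir = scan(root)
        return sorted(kind for kind, _ in hits), per_dir[docs]


if __name__ == "__main__":
    print(demo())
```

Run scan() against a mounted copy of the affected volume rather than the live system, and use the per-directory counts to decide which folders need restoring from backup.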

However threatening the note might seem, we do not recommend contacting the criminals in any way. According to the instructions, they should send you Mr. Dec's decryptor after you make the payment. Unfortunately, these are merely empty promises by hackers since they are only interested in blackmailing you for more money.

Thus, there is a high risk that you will be asked for more money once you pay the Mr. Dec ransomware authors. Here is the latest variant of the ransom note, Decoder.hta, which is displayed right after the malware finishes data encryption:

You are unlucky! The terrible virus has captured your files! For decoding please contact by email asist.help@protonmail.com or asist5000@tutanota.com

1. In the subject line, write your ID.
2. Attach 1-2 infected files that do not contain important information (less than 2 mb) are required to generate the decoder and restore the test file.

Attention!
Hurry up! Time is limited!
Do not contact third parties for help, this may lead to the fact that you will be deceived and you will not receive your decoder.

REMEMBER – only we have a tool to get your files back!


Note that the criminals behind Mr. Dec ransomware are good at human psychology. They put their victims under time pressure to make sure that they will agree to pay the ransom for locked files. However, we want to warn you that you do not necessarily need to make the transaction for data decryption, as you can get scammed or even be sent a malicious file instead of the decoder.

While there is currently no decryption tool for Mr. Dec ransomware that would be able to help you with file recovery, you might want to try the alternative solutions that we provide instructions for below.

However, you must terminate Mr. Dec ransomware before starting data recovery. Even though many might think that they are experienced enough to deal with ransomware-type infections, only professionals or automatic tools can help you eliminate this cyber threat from your system.

Therefore, we strongly advise you to stay cautious and not attempt manual Mr. Dec ransomware removal. It is highly dangerous and might put your computer's well-being at risk. Instead, you should install professional antivirus software and let it eliminate this ransomware automatically. After that, we suggest you scan your PC with Reimage or Reimage Cleaner – it will help you recover from the infection and make Windows run normally again.

Mr. Dec Ransomware is a dangerous cyber threat which demands a ransom to decrypt files with .[ID][Random characters][ID] extension.

Stay away from spam emails and adequately protect your computer from malware

To avoid ransomware attacks in the future, one must understand how ransomware reaches the system in the first place. We advise you to stay away from malicious spam emails, since they are the primary malware distribution source and can easily trick many novice computer users.

Usually, these emails look innocent and even legitimate, as if they came from a well-known company with an invoice or another document attached. Unfortunately, this is merely a trick, and the attachment holds the ransomware payload. Thus, if you open it, you automatically let the cyber threat inside your system.

For this reason, we recommend you only open emails from trusted sources and never allow macros to run if prompted via the attachment. Besides, you should also look into these protection methods that would reduce the infection chance to a minimum:

  • Equip your computer with anti-malware software and enable Firewall;
  • Install the ad-blocking application;
  • Update your Windows OS regularly, along with all the installed software on it;
  • Never download pirated software or cracks;[3]
  • Avoid peer-to-peer[4] networks and sites;
  • Use strong passwords for all your accounts;
  • Backup your files routinely.

Safe Mr. Dec virus removal guide

As we have already mentioned, there is no way to remove Mr. Dec ransomware other than getting help from a professional. For that, you can either see your local IT specialists or install a robust antivirus to help you complete the elimination procedure safely.

As soon as the infection of Mr.Dec spreads in the PC, it encrypts all personal files, including pictures, videos, music, etc.

You can install SpyHunter 5 or Combo Cleaner, Malwarebytes, or other security software, and it should complete Mr. Dec removal within several minutes. Nevertheless, be aware that new versions of the virus regularly emerge, so not all AV engines can catch it at all times. Also, anti-malware software is excellent for protecting computers from various other cyber threats that might try to enter the system.

Additionally, Virusi.bg[5] experts say that if you are unable to download the malware removal program, there is a high risk that the ransomware is still active. Check the guidelines below and learn how to deactivate the malicious software to start the elimination procedure right away.


To remove Mr. Dec virus, follow these steps:

Remove Mr. Dec using Safe Mode with Networking

You should start the elimination of the ransomware by booting your computer into Safe Mode as shown below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Mr. Dec

    Log in to your infected account and start the browser. Download Reimage or Reimage Cleaner, or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Mr. Dec removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Mr. Dec using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the infiltration of Mr. Dec. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage or Reimage Cleaner, scan your computer with it, and make sure that Mr. Dec removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Mr. Dec from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Mr. Dec, you can use several methods to restore them:

Get Data Recovery Pro tool for decryption

Experts have developed professional software designed to help people recover files that were accidentally lost or affected by a ransomware attack.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Mr. Dec ransomware;
  • Restore them.

Windows Previous Versions feature might help you

Another great way to regain access to the compromised files is to use a built-in Windows feature. Unfortunately, it requires the System Restore function to have been enabled before the ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

You might retrieve files using Shadow Explorer

If the malware hasn't corrupted or deleted Shadow Volume Copies from your computer, we highly advise trying this tool.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

There is no Mr. Dec ransomware decryptor available yet.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Mr. Dec and other ransomware, use reputable anti-spyware software, such as Reimage or Reimage Cleaner, SpyHunter 5 or Combo Cleaner, or Malwarebytes.
