Mr. Dec ransomware is a deadly virus that renders all personal files useless and threatens to delete the decryptor within specific time limit

Mr. Dec ransomware is cryptovirus that was first spotted in mid-May 2018, and since then was updated multiple times. Hackers behind it use a variety of distribution methods, such as spam email, exploits,[1] brute-force attacks, malicious ads, fake updates, and other tactics, so that more users would be susceptible for the infection.
Mr. Dec ransomware encrypts all personal data on the device with the help of AES encryption algorithm[2] and appends .[ID]random 16 characters[ID] file extension, preventing from their further usage. Additionally, the malware drops a ransom note Decoding help.hta, which explains that users need to contact cybercrooks to have a chance of retrieving their data. Nevertheless, experts advise avoiding contact with them and urge users to remove Mr. Dec ransomware instead.
Hackers behind Mr. Dec ransomware used various email addresses and ransom notes – the latest variant drops Decoder.hta on the infected machines and prompts to contact bad actors via asist.help@protonmail.com or asist5000@tutanota.com emails. It is also known that the threat mainly targets businesses and formats all the backups, although regular users are affected as well.
| Name | Mr. Dec |
|---|---|
| Type | Ransomware |
| Danger level | Very high |
| Distribution | Spam emails, exploits, web infects, brute-force attacks, fake updates, cracked software, etc. |
| Contact addresses |
|
| File extension | .[ID]16 random characters[ID] |
| Name of the ransom note | Decoding help.hta, Help for decrypting (mr.file@protonmail.com).txt, Decoder.hta |
| Related files | DECODE KEY.KEY, searchfiles.exe |
| Removal | You can only delete Mr. Dec ransomware with a professional anti-malware software |
| Recovery | Use FortectIntego to restore Windows Registry and remediate your computer from the infection |
Despite how threatening it might seem, we do not recommend you to contact the criminals in any way. According to the instructions, they should send you Mr. Dec's decryptor after you make the payment. Unfortunately, these are merely empty promises by hackers since they are only interested in blackmailing you for more money.
Thus, there is a high risk that you will be asked for more money once you pay for Mr.Dec ransomware authors. Here is the latest variant of the ransom note Decoder.hta which is displayed right after the malware finishes data encryption:
You are unlucky! The terrible virus has captured your files! For decoding please contact by email asist.help@protonmail.com or asist5000@tutanota.com
1. In the subject line, write your ID.
2. Attach 1-2 infected files that do not contain important information (less than 2 mb) are required to generate the decoder and restore the test file.Attention!
Hurry up! Time is limited!
Do not contact third parties for help, this may lead to the fact that you will be deceived and you will not receive your decoder.REMEMBER – only we have a tool to get your files back!

Note that criminals behind Mr.Dec ransomware are good at human psychology. Likewise, they put their victims under time pressure to make sure that they will agree to pay the ransom for locked files. However, we want to warn you that you do not necessarily need to make the transaction for data decryption, as you can get scammed or even be sent a malicious file instead of the decoder.
While there is currently no decryption tool for Mr.Dec ransomware available that would be able to help you with file recovery, you might want to try alternative solutions that we provide instructions for below.
Although, you must terminate Mr. Dec ransomware before starting data recovery. Even though many might think that they are experienced enough to deal with ransomware-type infections, only professionals or automatic tools can help you eliminate this cyber threat from your system.
Therefore, we strongly advise you to stay cautious and do not try manual Mr. Dec ransomware removal. It is highly dangerous and might put your computer's well-being at risk. Instead, you should install professional antivirus software and let it eliminate this ransomware automatically. After that, we suggest you scan your PC with FortectIntego – it will help you recover from the infection and make Windows run normally again.

Stay away from spam emails and adequately protect your computer from malware
In order to avoid ransomware attacks in the future, one must understand how it reaches the system in the first place. Likewise, we advise you to stay away from malicious spam emails right away since it is the primary malware distribution source which can easily trick many novice computer users.
Usually, the sent emails look innocent and even legitimate, like coming from a well-known company as an invoice or another document. Unfortunately, this is merely a trick, and the attachment is holding the payload of the ransomware. Thus, if you open it, you automatically let the cyber threat inside your system.
For this reason, we recommend you only open emails from trusted sources and never allow macros to run if prompted via the attachment. Besides, you should also look into these protection methods that would reduce the infection chance to a minimum:
- Equip your computer with anti-malware software and enable Firewall;
- Install the ad-blocking application;
- Update your Windows OS regularly, along with all the installed software on it;
- Never download pirated software to cracks;[3]
- Avoid peer-to-peer[4] networks and sites;
- Use strong passwords for all your accounts;
- Backup your files routinely.
Safe Mr. Dec virus removal guide
As we have already mentioned, there is no other way how to remove Mr. Dec ransomware rather than get help from a professional. For that, you can either see your local IT specialists or install a robust antivirus to help you complete the elimination procedure safely.

You can install SpyHunterCombo Cleaner, MalwarebytesMalwarebytes, or other security software, and it should complete Mr. Dec removal within several minutes. Nevertheless, be aware that new versions of the virus regularly emerge, so not all AV engines can catch it at all times. Also, anti-malware software is excellent for protecting computers from various other cyber threats that might try to enter the system.
Additionally, Virusi.bg[5] experts say that if you are unable to download the malware removal program, there is a high risk that the ransomware is still active. Check the guidelines below and learn how to deactivate the malicious software to start the elimination procedure right away.
Was this guide helpful?
Be the first to comment