Dusk 2 ransomware removal

Dusk 2 ransomware is an updated version of the Dusk ransomware. While it adds the same .DUSK file extension to encrypted files as the previous version, users can identify which versions they are dealing with by the README.txt ransom note, which clearly says DUSK 2.

Dusk 2 ransomware is file-encrypting malware and an updated version of Dusk ransomware, which we wrote about some time ago. It’s a dangerous piece of malware because it encrypts files, and their recovery is not always possible if users don’t have a backup. In many cases they don’t, which is one of the reasons why ransomware is still such a common threat.

When Dusk 2 ransomware gets inside a computer, it starts encrypting files immediately. Once those files are encrypted, they will have .DUSK added to them, and users will not be able to open them. To decrypt them, users would need to obtain a decryptor, which is offered in the README.txt ransom note. The previous version asked for a $50 ransom, but this one has upped the price to $80. In any case, paying the ransom is not recommended because there are no guarantees that files will be decrypted. The cyber crooks behind this ransomware are not obligated to keep up their end of the deal, so users should be aware of the risks. Furthermore, paying also supports future criminal activities.

At this time, only users who have backup of their files can recover them. But before accessing their backup, they should first make sure to fully delete Dusk 2 ransomware. Otherwise, their backed up files may become encrypted as well.

For users who do not have a backup, waiting for malware researchers to develop a free decryptor may be the only option. Researchers do release free decryptors to help victims, but it’s not always possible. If a decryptor were to be released, it would become available on NoMoreRansom. Users should beware of fake decryptors advertised on various questionable sites, as they could be harboring malware.

Ransomware distribution methods

Ransomware is a particularly serious threat for users who have bad browsing habits, which include carelessly opening unsolicited email attachments, using torrents to pirate content, and clicking on links/ads while on high-risk websites. By simply being more attentive and careful, users should be able to avoid the majority of malware infections.

Spam email is one of the most common ways users pick up ransomware. Malicious actors purchase email addresses from hacker forums, write a generic text, attach a malicious file, and send the email out to potential victims. All users need to do to initiate the malware is open the malicious attachment and enable macros. Fortunately, these emails are more or less obvious in most cases. They have an abundance of grammar and spelling mistakes, are sent from generic or nonsense email addresses, and pressure users into opening the attached files. Thus, as long as users know the signs, they should be able to recognize the malicious emails.

Torrent sites are notoriously poorly regulated, and some are not regulated at all, which allows cyber criminals to easily upload their malicious software disguised as torrents for some kind of movie, TV show, game, etc. It’s particularly common for torrents of content that’s popular at the time to contain malware. For example, when the popular TV series Game of Thrones was airing, torrents for episodes often contained malware. Thus, users are discouraged from pirating content, not only because it’s basically stealing but also because it’s dangerous for the computer.

Is it possible to recover Dusk 2 ransomware encrypted files?

When users initiate the ransomware, it will start encrypting files. Like most ransomware, it targets photos, videos, documents, etc., essentially files that users would be most willing to pay for. All encrypted files will have .DUSK added to them. For example, image.jpg would become image.jpg.DUSK. This is the same extension as the one added by the other Dusk ransomware version, but users can identify which one they’re dealing with by the README.txt ransom note. The ransom note dropped by this ransomware clearly says DUSK 2.
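As an added triage helper (not code from the original article), the following Python script walks a directory, lists files carrying the .DUSK extension while recovering their original names (image.jpg.DUSK back to image.jpg), and inspects any README.txt ransom note for the "DUSK 2" marker the article describes, so a responder can tell Dusk 2 from the original Dusk. The sample files it creates in a temporary directory are constructed for the demonstration.

```python
"""Dusk / Dusk 2 incident triage: added example, not the article's own code."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".DUSK"   # extension appended by both Dusk versions
NOTE_NAME = "README.txt"  # ransom note file name used by both versions
DUSK2_MARKER = "DUSK 2"   # text that identifies the updated version


def classify_note(text: str) -> str:
    """Return 'Dusk 2' if the note carries the DUSK 2 marker, else 'Dusk'."""
    return "Dusk 2" if DUSK2_MARKER in text.upper() else "Dusk"


def triage(root: str) -> dict:
    """Collect encrypted files and ransom notes found under *root*."""
    encrypted = []  # (encrypted path, original file name)
    notes = {}      # note path -> detected version
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append((path, name[: -len(ENCRYPTED_EXT)]))
            elif name == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    notes[path] = classify_note(fh.read())
    versions = sorted(set(notes.values()))
    version = versions[0] if len(versions) == 1 else ("unknown" if not versions else "mixed")
    return {
        "encrypted_count": len(encrypted),
        "original_names": sorted(orig for _p, orig in encrypted),
        "note_count": len(notes),
        "version": version,
    }


def build_sample(root: str) -> None:
    """Constructed sample: two .DUSK files and a Dusk 2 style README.txt."""
    Path(root, "docs").mkdir(parents=True, exist_ok=True)
    Path(root, "image.jpg.DUSK").write_bytes(b"\x00" * 16)
    Path(root, "docs", "thesis.docx.DUSK").write_bytes(b"\x00" * 16)
    Path(root, "README.txt").write_text(
        "DUSK 2\nAll your files have been encrypted ...\nThe price is 80 USD.\n")


def demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

Run it against the real affected volume instead of the sample directory to get a count of encrypted files and their original names before restoring from backup.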

The note explains that files have been encrypted and that paying $80 in Bitcoin is necessary to get the decryptor. Users are also supposed to contact these cyber crooks via lasvegasincel@cock.li or duskeer@protonmail.com with their IDs. However, contacting these cyber crooks, let alone paying the ransom, is not a good idea. It does not ensure that a decryptor will be sent. The note also claims that they will send 75% of their earnings to good causes, which is unlikely to be true. In any case, paying the ransom would only encourage these cyber crooks to continue their malicious activities.

Here is the text from the ransom note dropped by this ransomware:

All your files have been encrypted using military grade encryption algorithms!
They cannot be decrypted without our securely generated key.

The only thing you can do now is buy your key and decryptor.
The price is 80 USD.
The only payment method we accept is BitCoin.

How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:

How to contact you for the payment?
We use E-Mail to contact with our customers.
When contacting us please send your personal ID that can be seen at the end of the message.
Our main e-mail is:
Our backup e-mail is:
Write to our backup e-mail only when you don’t receive reply from our main e-mail in 48 hours.

Why do we do that?
We Are anonymous good people. We will transfer 75% of what we earn for good purposes.

If you’re so evil
If you’re evil and don’t trust us you can send up to 2 files for free decryption. They can’t weigh more than 2 MB (non-archived).

Do not try restore files without our help, this is useless and you may lose data permanetly
Do not rename encrypted files!
Do not use third party “decryptors”
Do not try to remove our heavenly software using evil AntiVirus or AntiMalware software

Personal ID

If users have a backup, they can easily start file recovery as soon as they remove DUSK 2 ransomware from their computer. If the ransomware still remains, backed up files may become encrypted as well.

DUSK 2 ransomware removal

It is highly recommended to use anti-virus software to delete DUSK 2 ransomware. Unfortunately, even when the ransomware is removed, the files will remain encrypted.

DUSK 2 ransomware is detected as:

  • HEUR:Trojan.MSIL.Diztakun.gen by Kaspersky
  • ML.Attribute.HighConfidence by Symantec
  • Ransom:MSIL/Polar.PB!MTB by Microsoft
  • Ransom.FileCryptor by Malwarebytes
  • Trojan.GenericKD.35146313 (B) by Emsisoft
  • Trojan.GenericKD.35146313 by BitDefender
  • Win32:Malware-gen by AVG/Avast