Dusk ransomware is file-encrypting malware, discovered by malware researcher S!Ri. The ransomware can be differentiated by the .dusk file extension added to all encrypted files. The malware will drop the !#!READ-ME!#.txt ransom note.
Dusk ransomware encrypts users’ files and demands a $50 ransom for the decryptor. Once files are encrypted, users will be unable to open them unless they first decrypt the files, which requires a special decryption tool. Those operating this ransomware will offer to sell the decryptor for $50, but users should be skeptical of this offer. Paying the ransom is not necessarily a good idea, and many cybersecurity researchers discourage it because cyber criminals are not to be trusted. Not only is file decryption not guaranteed, paying them only encourages cyber criminals to continue their malicious activities.
Users who have backup can recover files as soon as they remove Dusk ransomware, preferably with anti-virus software. However, those without backup don’t have many options. We should mention that malware researchers and some anti-virus vendors release free decryption tools to help victims, but unfortunately, that is not always possible. Currently, there isn’t a free decryptor available, but one may be released sometime in the future. An option for users without backup is to back up the encrypted files and wait for a decryptor to become available. But users should be very careful about where they download decryptors from. There are many fake decryptors out there, and they are often other malware. Safe sources to download decryptors from include Emsisoft, NoMoreRansom and other anti-virus vendors, as well as malware researchers.
Bad browsing habits often lead to a malware infection
Users who end up with ransomware on their computers often have bad habits, such as downloading torrents, opening random email attachments, clicking on ads when on high-risk websites, etc. If users are more careful and develop better habits, they should be able to avoid the majority of malware that may be trying to get into their computers.
Users who pirate via torrents in particular are putting their computers in danger. Sites and forums offering torrents are often not regulated properly, which allows malware operators to disguise their malware as torrents for popular entertainment content. For example, whenever the popular fantasy TV series Game of Thrones was airing, torrent sites would be full of malware disguised as episodes. The same goes for other popular TV series, movies, games, etc. Downloading software cracks could also lead to a malware infection.
Spam emails remain one of the most common ways users pick up infections like ransomware. All users need to do to initiate the infection is open a malicious file. The email addresses of victims who receive malicious emails are usually purchased from hacker forums. They end up there after some service gets hacked or leaks user data. But fortunately, unless ransomware targets someone specifically, users should be able to spot malicious emails. Many of these emails are sent from weird email addresses, often made up of a random combination of letters and numbers. If users don’t recognize the sender, they have no business opening the email attachment. Even if the email address looks legitimate, users should always first make sure it actually belongs to whom the sender claims to be. Another sign of a malicious email is text full of grammar and spelling mistakes. And even if everything checks out, users should always scan unsolicited email attachments with anti-virus software or VirusTotal before opening them.
What does Dusk ransomware do
The first obvious signs of ransomware are weird extensions added to files. In this case, all encrypted files will have the .dusk extension added to them, which is why this malware is known as Dusk ransomware. Users will not be able to open files with this extension unless they are first decrypted. Once the ransomware has finished encrypting files, it will drop the !#!READ-ME!#.txt ransom note. The note is pretty basic and contains little information. It merely says that files have been encrypted and that paying $50 is necessary to recover them.
Here’s the Dusk ransomware ransom note:
[ASCII-art banner]
YOUR FILES ARE ENCRYPTED!
If you want to recover them follow these steps:
1. Send $50 to this address:
2. Send email to:
Do not waste your time trying to recover your files using third party services! Only we can do that
Users are asked to first pay the $50 in Bitcoin and then send an email to firstname.lastname@example.org. It does not appear that users are assigned their own IDs, so the cyber criminals operating this ransomware may not know which users have paid. So it’s more than likely that victims would not receive a decryptor after paying. $50 is not that much compared to what other ransomware demands, but paying is still risky.
It’s likely that malware researchers will release a free decryptor for this ransomware so users should back up the encrypted files, store them somewhere safe and wait for a decryptor.
Ransomware is one of the main reasons why users need to regularly back up files. Those who do have backup can start file recovery as soon as they delete Dusk ransomware.
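As an added example that is not part of the original write-up, the script below turns the two indicators described above (the appended .dusk extension and the !#!READ-ME!#.txt note) into a defender's triage step: it lists encrypted files with the name each had before encryption, flags ransom notes that carry the note's marker text, and copies the encrypted files into a preservation folder with a SHA-256 manifest so they can be kept safely until a decryptor appears. The sample victim directory is constructed by the script itself and contains no real malware output.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Indicators from the write-up: the appended extension and the ransom note file name.
DUSK_EXTENSION = ".dusk"
RANSOM_NOTE_NAME = "!#!READ-ME!#.txt"
NOTE_MARKER = "YOUR FILES ARE ENCRYPTED!"

def triage(root):
    """Return .dusk files (with their pre-encryption names) and ransom notes under root."""
    root = Path(root)
    encrypted, notes = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.name == RANSOM_NOTE_NAME:
            text = path.read_text(errors="replace")  # flag notes carrying the marker text
            notes.append({"path": str(path), "matches_marker": NOTE_MARKER in text})
        elif path.suffix == DUSK_EXTENSION:
            encrypted.append({"path": str(path), "original_name": path.stem})  # photo.jpg.dusk -> photo.jpg
    return {"encrypted": encrypted, "notes": notes}

def preserve_encrypted(root, dest):
    """Copy each .dusk file into dest (same relative layout); return a SHA-256 manifest."""
    root, dest = Path(root), Path(dest)
    manifest = {}
    for item in triage(root)["encrypted"]:
        src = Path(item["path"])
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 keeps timestamps, useful for the incident timeline
        manifest[rel.as_posix()] = hashlib.sha256(target.read_bytes()).hexdigest()
    return manifest

def build_sample_tree(base):
    """Constructed sample victim directory (not real malware output) for a dry run."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "report.docx.dusk").write_bytes(b"\x00\x11ciphertext")
    (base / "photo.jpg.dusk").write_bytes(b"\x22\x33ciphertext")
    (base / "notes.txt").write_text("untouched plaintext")
    (base / RANSOM_NOTE_NAME).write_text(NOTE_MARKER + "\nIf you want to recover them...")
    return base

def run_demo():
    """Build the constructed tree in a temp dir, then triage and preserve it."""
    work = Path(tempfile.mkdtemp())
    victim = build_sample_tree(work / "victim")
    return triage(victim), preserve_encrypted(victim, work / "preserved")
```

Running `run_demo()` prints nothing; inspect its two return values (the triage report and the manifest) or adapt `triage()` to walk a real path once the machine has been cleaned.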
Dusk ransomware removal
Users should only use anti-malware software to remove Dusk ransomware. Unfortunately, removing the ransomware does not decrypt files. That can only be done with a special decryption tool.
Dusk ransomware is detected as:
- DeepScan:Generic.Ransom.Small.0597F46B by BitDefender
- A Variant Of MSIL/Filecoder.AK by ESET
- Ransom.FileCryptor.MSIL by Malwarebytes
- HEUR:Trojan-Ransom.MSIL.Encoder.gen by Kaspersky
- Trojan:Win32/Wacatac.C!ml by Microsoft
- Ransom.HiddenTear!g1 by Symantec