Dme ransomware is malware from the Dharma family that encrypts files. It’s one of the many versions released by the Dharma ransomware gang. It can be differentiated from other ransomware versions by the [firstname.lastname@example.org].dme file extension added to encrypted files. It shows a pop-up ransom note and also drops a FILES ENCRYPTED.txt file.
Detected by malware researcher Jakub Kroustek, Dme ransomware is a dangerous malware that encrypts files and then demands payment for their decryption. Dme is part of the Dharma ransomware family, which has been releasing new versions on a regular basis. We recently wrote about its other versions, such as FLYU and Cve ransomware.
It’s practically identical to other ransomware, though users will be able to tell which ransomware they’re dealing with by the extension added to encrypted files. In this case, the extension is a unique ID followed by [email@example.com].dme. Files with that extension will be unopenable until they are decrypted with a special decryption tool, which the Dharma ransomware gang will try to sell victims. However, users are always discouraged from giving in to the demands for a couple of reasons. First of all, paying does not guarantee file decryption. The cyber crooks behind the ransomware can just take the money and not send anything in return. Many users have not received the decryptors they paid for, so paying is a big risk. Second, paying makes ransomware profitable, which only encourages cyber criminals to continue. As long as users continue to pay the ransom, ransomware will thrive.
Backup is currently the only way users can recover files. Users who have backed up files prior to them becoming encrypted can start file recovery as soon as they remove Dme ransomware from their computers.
Users who don’t have a backup should back up the encrypted files and wait for a potential free decryptor to be released. Malware researchers do release free decryptors when possible, but there isn’t one for every ransomware. Users should be very careful not to download fake decryptors when looking for one that decrypts Dme ransomware. There is a lot of malware disguised as decryptors, and these “decryptors” may be promoted on various forums and sites. Users should only trust sources like Emsisoft, NoMoreRansom, anti-virus vendors and malware researchers to provide legitimate decryptors.
How does ransomware infect a computer?
Ransomware usually infects computers of users who have bad browsing habits. Those bad habits include opening unsolicited email attachments without first checking them, clicking on ads while on high-risk websites and downloading questionable programs, as well as using torrents to pirate content. Learning how ransomware spreads and developing better habits can go a long way towards preventing an infection.
One of the main ways ransomware infects a computer is via email attachments. If users open unsolicited email attachments without first checking that they’re safe, they are risking infecting their computers with serious malware. The emails carrying malicious files are usually quite obvious because the senders’ email addresses are random, despite the senders claiming to be from known companies or organizations. The contents of the email will also be full of grammar and spelling mistakes. Overall, as long as users are careful, they should be able to determine whether an email is malicious. But just to be on the safe side, users should scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.
Another common way users pick up ransomware is by downloading pirated content via torrents. Because torrent sites are poorly regulated, anyone can disguise malware and upload it as a torrent for a movie, game, TV series, software, etc. Users should avoid using torrents when downloading pirated content, and stop pirating overall.
What does Dme ransomware do?
Soon after Dme ransomware infects a computer, users will notice that they cannot open their files. All encrypted files will have .unique ID.[firstname.lastname@example.org].dme added to them. This extension contains the victim’s unique ID, the contact address for the cyber crooks behind this ransomware, and .dme. For example, image.jpg would become image.jpg.unique ID.[email@example.com].dme. All files with this extension will be unopenable until they’re decrypted.
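The naming scheme above is regular enough to drive a recovery inventory. The following is an added example, not code from this article or from any vendor: it parses renamed files back to their original names and checks each one against a backup manifest. The ID `ABCD1234`, the contact address, the paths and the function names are all constructed placeholders, and the exact shape of the ID segment is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Naming scheme described above: <original name>.<unique ID>.[<contact email>].dme
# Assumptions: the ID segment has no dots or brackets; the contact sits in [].
DME_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.\[\]]+)\.\[(?P<contact>[^\[\]]+)\]\.dme$",
    re.IGNORECASE,
)

def parse_dme_name(path):
    """Return (original_name, victim_id, contact), or None if the name does not match."""
    m = DME_NAME.match(PureWindowsPath(path).name)
    return (m["original"], m["victim_id"], m["contact"]) if m else None

def triage(listing, backup_manifest):
    """Sort a file listing into restorable / no_backup / untouched buckets."""
    # Windows paths compare case-insensitively, so normalise before matching.
    backup = {str(PureWindowsPath(p)).lower() for p in backup_manifest}
    report = {"restorable": [], "no_backup": [], "untouched": [], "ids": set()}
    for path in listing:
        parsed = parse_dme_name(path)
        if parsed is None:
            report["untouched"].append(path)  # ransom note, unrelated files
            continue
        original, victim_id, _ = parsed
        report["ids"].add(victim_id)
        restored = str(PureWindowsPath(path).with_name(original))
        bucket = "restorable" if restored.lower() in backup else "no_backup"
        report[bucket].append(restored)
    return report

# Constructed sample data (ID and contact are placeholders, not real indicators).
SAMPLE_LISTING = [
    r"C:\Users\a\Pictures\image.jpg.ABCD1234.[contact@example.invalid].dme",
    r"C:\Users\a\Docs\report.v2.docx.ABCD1234.[contact@example.invalid].dme",
    r"C:\Users\a\Docs\notes.[draft].txt",
    r"C:\Users\a\Desktop\FILES ENCRYPTED.txt",
]
SAMPLE_BACKUP = [r"c:\users\a\pictures\image.jpg"]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LISTING, SAMPLE_BACKUP).items():
        print(bucket, sorted(items))
```

The `no_backup` bucket is the set of encrypted files worth preserving in case a free decryptor is released later.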
Once file encryption is complete, a pop-up ransom note will appear. In addition, a FILES ENCRYPTED.txt note will be dropped. The text note contains little information; it merely mentions that victims should email firstname.lastname@example.org or email@example.com to get the decryptor. The pop-up ransom note mentions the same email addresses but also contains a unique ID. The price for the decryptor is not mentioned and would likely depend on how quickly victims write to them.
Here is the full Dme ransomware pop-up ransom note:
YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email firstname.lastname@example.org YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:email@example.com
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Whatever the ransom sum is, we don’t recommend paying it. As we already mentioned, it does not guarantee file decryption because cyber crooks won’t necessarily send the decryptor. Unfortunately, many users who paid in the past were left with encrypted files and lost money.
The number one way of safeguarding against ransomware is backup. If users aren’t already backing up files on a regular basis, they need to begin right away. In case of ransomware or problems with a computer, files would always be safe in backup.
Dme ransomware removal
Users should use anti-virus software to delete Dme ransomware. If they try the manual way, they may end up doing even more damage, thus manual Dme ransomware removal is not recommended unless users know exactly what they’re doing. Unfortunately, removing the ransomware does nothing to decrypt files. Only users who have backup can currently recover files for free.
Dme ransomware is detected as:
- Win32:RansomX-gen [Ransom] by Avast/AVG
- Trojan.Ransom.Crysis.E by Bitdefender
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom.Crysis by Malwarebytes
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Ransom.Win32.CRYSIS.SM by TrendMicro