Dex ransomware is file-encrypting malware from the notorious Dharma family. It encrypts files and then demands that victims pay a ransom to get them back.
Dex ransomware is a fairly typical member of the Dharma ransomware family. Dharma is notorious for releasing new versions on a regular basis; among those we have reported on are MUST, RXD, Elvis, Kut, and bH4T. This version can be identified by the .dex extension added to all encrypted files. As victims of this ransomware have already noticed, files with that extension cannot be opened. To open them, users would first need to decrypt them, which requires obtaining the decryptor. The cyber criminals behind this ransomware will try to sell the decryptor, as explained in the pop-up and the text ransom notes. The price of the decryptor is not specified in the ransom note, though it will likely be a couple of thousand dollars. Whatever the price may be, paying is risky. With ransomware there is no guarantee that a decryptor will be sent, since the people users are trusting to keep their end of the deal are cyber criminals. They have no obligation to help users, even after payment.
Because a decryptor is not guaranteed, backup is currently the only reliable way to recover files. However, to stop backed-up files from becoming encrypted as well, backup should only be accessed after Dex ransomware has been fully removed from the computer.
For users who do not have backup and no other way to recover files, backing up the encrypted files is recommended, because malware researchers may release a free decryption tool in the future. However, users should be aware that many fake decryptors circulate on the internet, and downloading one could lead to another malware infection. Users should only trust sources like NoMoreRansom, Emsisoft, other anti-virus vendors, and malware researchers to provide safe decryptors.
How does ransomware infect a computer?
Regular users usually infect their computers with ransomware via malspam attachments and torrents. The fact that many users click on ads on high-risk sites and do not install essential updates also does not help.
Users who open unsolicited email attachments without first making sure they are safe run an increased risk of picking up some kind of malware infection. Malicious actors launch malspam campaigns using email addresses they purchase from hacking forums, though fortunately it is usually fairly obvious when an email is malicious. The email is usually written to resemble official correspondence from a bank, a package delivery service, a government agency, etc., but it often contains numerous grammar and spelling mistakes, which immediately give it away. Such emails are also sent from nonsensical or random-looking email addresses, which is another sign that the email could be malicious. The emails also pressure users into opening the attachment by claiming that it is an important document.
Torrents are another common way for users to pick up malware. Torrent sites are not regulated properly, which allows cyber crooks to easily upload malicious software disguised as a torrent for a movie, TV series, or game. It is particularly common to find malware in torrents for movies and TV shows that are popular at the time. For example, when Game of Thrones was airing, torrents for its episodes often contained malware.
Ransomware is also one of the reasons why installing updates is so important. Ransomware often uses system vulnerabilities to get in, which is why patching those vulnerabilities is essential.
What does the ransomware do?
When the ransomware is launched, it starts encrypting files immediately. It mainly targets documents, photos, videos, etc. Users will be able to identify the ransomware by the .dex file extension added to encrypted files. The extension will also contain the user’s unique ID and a contact email address. For example, image.jpg would become image.jpg.uniqueID.[firstname.lastname@example.org].dex. Users will not be able to open files with that extension. Once the encryption process is complete, a pop-up ransom note appears and a FILES ENCRYPTED.txt text note is dropped. The text note contains only the contact email address email@example.com. The pop-up ransom note has slightly more information and displays the victim’s unique ID. According to the note, to initiate the decryption process users need to send an email to firstname.lastname@example.org. The cyber crooks behind this ransomware would then tell victims how much they need to pay for the decryptor, since the ransom note itself does not mention the amount.
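The naming pattern above is enough to triage a file listing on an affected machine: the following Python script, added here as an example and not part of the original article or any vendor tool, parses the `<original>.<ID>.[<email>].dex` pattern, counts affected files, and flags the FILES ENCRYPTED.txt note. The victim ID, contact email, and directory listing are constructed placeholders; the script only reads names and never renames anything, since renamed files can defeat a future decryptor.

```python
import ntpath
import re
from typing import Dict, List, NamedTuple, Optional

# Encrypted-file naming described in the article:
#   <original name>.<victim ID>.[<attacker contact email>].dex
# ID and email values used below are constructed placeholders, not real IoCs.
DEX_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.(?P<victim_id>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.dex$"
)
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"

class DexFile(NamedTuple):
    path: str
    original: str  # name the file had before encryption
    victim_id: str
    email: str

def parse_dex_name(path: str) -> Optional[DexFile]:
    """Return the parsed fields if the basename matches the Dex pattern."""
    m = DEX_NAME_RE.match(ntpath.basename(path))
    if not m:
        return None
    return DexFile(path, m["original"], m["victim_id"], m["email"])

def triage(paths: List[str]) -> Dict[str, object]:
    """Summarise a listing: how many files carry the Dex pattern, which ransom
    notes are present, and which victim IDs / contact emails appear.
    Names are only read, never changed (renaming can defeat a later decryptor)."""
    encrypted = [f for f in (parse_dex_name(p) for p in paths) if f]
    notes = [p for p in paths if ntpath.basename(p).lower() == RANSOM_NOTE_NAME.lower()]
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": notes,
        "victim_ids": sorted({f.victim_id for f in encrypted}),
        "contact_emails": sorted({f.email for f in encrypted}),
        "original_names": [f.original for f in encrypted],
    }

# Constructed directory listing for demonstration (placeholder ID and email).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.ID0000.[contact@example.com].dex",
    r"C:\Users\alice\Pictures\image.jpg.ID0000.[contact@example.com].dex",
    r"C:\Users\alice\Downloads\archive.tar.gz.ID0000.[contact@example.com].dex",
    r"C:\Users\alice\Documents\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\index.dex",  # bare .dex: not the Dex ransomware pattern
]
```

Calling `triage(SAMPLE_LISTING)` on the constructed listing reports three encrypted files, one ransom note, a single victim ID and a single contact address.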
Here is the text from the Dex ransomware pop-up ransom note:
YOUR FILES ARE ENCRYPTED
Don’t worry, you can return all your files!
If you want to restore them, follow this link:email email@example.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:dex.dex.tuta.io
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
As we said above, paying the ransom is not recommended because it does not guarantee that a decryptor will be sent. At this moment in time, the only sure way to recover files is via backup.
Dex ransomware removal
Users will need to use anti-malware software to remove Dex ransomware, because this is a complex malware infection. Only once the ransomware is no longer present should users access their backup; otherwise the backed-up files may become encrypted as well.
Dex ransomware is detected as:
- Trojan.Ransom.Crysis.E by BitDefender
- Win32:RansomX-gen [Ransom] by AVG/Avast
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Ransom-Dharma!9DFCD5165FCB by McAfee
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Trj/GdSda.A by Panda
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- Ransom.Crysis by Malwarebytes and Symantec