Dewar Ransomware Removal Guide

Dewar Ransomware is an infection capable of invading Windows operating systems that are not protected appropriately and whose users are acting carelessly. According to the malware researchers working in our internal lab, this infection comes from the Phobos Ransomware family, and it is comparable to Devos Ransomware, Dever Ransomware, and several other file-encryptors too. If you have found any of these infections on your operating system, there is a good chance that you opened a corrupted spam email attachment, clicked a malicious link sent to you via social networking platforms, or downloaded a file or a program from an unreliable source. These are just a few of the many ways that cybercriminals are known to spread their malicious infections, but in most cases, deception is used, and so you must be cautious. If you fail to protect your operating system, you might discover that you need to delete Dewar Ransomware, but note that even if you remove this threat successfully, your personal files will remain locked.

The attackers behind Dewar Ransomware have found a very simple way to make money, and that is by encrypting personal files of careless Windows users. Once files are encrypted – which is what the launcher file is responsible for – they are changed, and you cannot read them unless you obtain a decryptor. In this case, the decryptor is in the hands of cybercriminals, and if you think that they will give it to you, you are mistaken. Unfortunately, they want you to believe that you can purchase a decryptor. Therefore, right after your files are encrypted, “info.txt” and “Info.hta” files are dropped on the Desktop. The .TXT file represents the shortened version of the .HTA file. It informs that files were encrypted and that you need to contact cybercriminals to learn how to decrypt them. In most cases, ransom notes list one or two email addresses that the victims can use, but Dewar Ransomware offers three different ways to contact the attackers. You can send them a message via email at kryzikrut@airmail.cc and kokux@tutanota.com, via Telegram at @hpdec, and via Jabber at decrypt_here@xmpp.jp. Even though you can, you should not.

The messages are trying to convince you that there is a way for you to decrypt all files that were corrupted by Dewar Ransomware. You should see the “.id[unique ID code].[kryzikrut@airmail.cc].dewar” extension attached to them. However, as you know, these messages were created by the same crooks who encrypted your files, and so you should not expect them to do the right thing. If you choose to contact them – which is extremely risky and, therefore, not recommended – they will instruct you to pay for a decryptor. But how can you be sure that they would send it to you? Unfortunately, cybercriminals are not to be trusted, and if you pay the ransom, you are likely to find yourself empty-handed. Even if the ransom was small or if you had no other option, following the demands of cybercriminals is too risky! You are in a great position if you have copies of your personal files stored online, on external drives, or another device. If that is the case, only one copy is corrupted by Dewar Ransomware, and you can easily delete it and replace it with an externally stored backup after the removal.

How much experience do you have with the removal of malware? If you have none or very little experience, removing Dewar Ransomware manually could be too difficult. Even if you have previous experiences, the launcher of this infection can be dropped in different locations, which means that if you cannot find and delete this file, it will not matter that you can complete the remaining steps, which you can find in the guide below. The good news is that you do not need to figure this out on your own. Instead, you can implement an anti-malware tool that has been created to find and delete Dewar Ransomware along with all components and all additional threats that, perhaps, you are not even aware of yet. Do you know what the best part is? Besides removing malware, it also can ensure trustworthy protection of your operating system, which is the only way to keep all kinds of threats away.

Of course, even if you implement the best anti-malware software, you want to take all steps to protect yourself and all of your files. That means that you have to create copies of personal files and store them someplace else just in case, and that you also need to be cautious whenever you are online.

How to delete Dewar Ransomware

1. Right-click and Delete the {unique name}.exe file that executed the infection.
2. Right-click and Delete the ransom note file, info.txt (if copies exist, erase them too).
3. Move to the Desktop and then right-click and Delete the file named Info.hta.
4. Simultaneously tap Win and E keys at once to launch File Explorer.
5. Enter %HOMEDRIVE% into the field at the top and then right-click and Delete the Info.hta file.
6. Enter the following lines into the field at the topone by one:
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %LOCALAPPDATA%
7. If you can find and identify a malicious {unique name}.exe file, right-click and Delete it.
8. Simultaneously tap Win and R keys to launch the Run dialog box.
9. Type regedit into the box and click OK to launch Registry Editor.
10. Move to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
11. Right-click and Delete any values that could be associated with the ransomware.
12. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and repeat step 11.
13. Empty Recycle Bin and then quickly install a legitimate malware scanner. If the tool detects threats or the leftovers of ransomware, eliminate them as soon as possible.