Darus Ransomware
Ransomware | 07/29/2019

How to remove nasty Darus Ransomware from your system?

About: Darus Ransomware is the recent nasty member of the Djvu Ransomware Family. Follow our virus removal guidelines to learn how to remove this crypto virus from your system & recover .Darus files.

| Ransomware | How to remove nasty Darus Ransomware from your system?

Guide to Remove Darus Ransomware

Darus Ransomware is another menacing member in the arsenal of the infamous Stop Djvu Ransomware family. Just like other siblings, Darus has been generated with strong financial motive. It spreads its infection mostly via spam e-mail campaigns & unreliable software download sources.

Threat Summary -Darus

Once the system is infected, it looks for the targeted user & system files as such documents, image files, video files & audio files. When found, it encrypts them by adding a malign Darus extension to the filenames, hence making them inaccessible to the victims.

One can understand the infuriation & agitation caused to the victims by .Darus file virus & its siblings such Horon, Gehad, Madek, Godes, Dutan & the list goes on…

So, is there any way of restoring the data encrypted by Darus Ransomware? Is there any Darus decryption tool or software? How can one stop Darus Ransomware from infecting the system? Read on to find the answers –

Threat Summary-

Name Darus
Type Ransomware
Category Malware
Operating System Impacted Windows
Symptoms Encryption of files with .darus extension & appearance of ransom-demanding message.

 

Threat Behavior of Darus Ransomware 

Alike its siblings, Darus Ransomware has been developed to generate illicit revenue by extorting ransom from the victims of .Darus file virus.

The attack of Darus begins with common internet services. Some of the spread channels employed by the hackers include spam e-mail campaigns, unreliable software download sources, torrent websites & fraudulent online advertising.

Upon entering the system, Darus scans the infected system for targeted user & system files. When found, it encrypts them with RAS (Rivest–Shamir–Adleman) & AES (Advanced Encryption Standard) Encryption methods. These cryptographies are highly-complex. They also generate a unique private decryption key for each infected user & store them on the hacker-controlled server.

The encrypted files are renamed with .Darus extension & hence, instantly made unusable to the victims.

Targeted Files - darus

A file “image.jpg” might be renamed as “image.jpg.darus” after the encryption.

The file extensions that are at the target of the Darus Ransomware include:

  • Document files (.docx, .doc, .odt, .rtf, .text, .pdf, .htm, .ppt)
  • Audio Files (.mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4)
  • Video Files (.3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob)
  • Images (.jpg, .jpeg, .raw, .tif, .gif, .png)
  • Backup Files (.bck, .bckp, .tmp, .gho)

Insight into the Ransom Note & Amount Demanded by Hackers

Following the successful encryption, it drops a ransom-demanding message in every folder than contains Darus infected files. This ransom note is in text format & named “_readme.txt”.

The ransom note appears every time a victim tries to access the encrypted file. It contains the present situation of the system & certain instructions to the victims.

The note conveys that decryption of data is not possible without hacker’s interference. The restoration of data requires a unique private key & Darus decrypter that is stored on the hacker’s server.

Ransom Note - Darus

To purchase the Darus decryption tool & key, the victim must contact the hackers on their e-mail – gorentos@bitmessage.ch & gorentos2@firemail.cc. In addition to that, victims must pay a ransom of $980 in bitcoins.

It suggests that the victims reaching out to hackers within 72 hours of the encryption, will be given 50% in the ransom amount i.e., $480 (in bitcoins).

Fake Claims by Hackers

In order to guarantee the decryption, hackers ask victims to send them one file first via e-mail. The file should not contain any valuable information, the note says.

The file will be decrypted for absolutely no cost & sent back to the victims. Fearing to lose their sensitive data, may victims contact the hackers & send them a file to decrypt.

However, please note that these claims are false. The research has revealed that victims often stop receiving response from the hackers after receiving the ransom amount.

Therefore, instead of panicking & contacting the hackers, the victims should act smart & do not let the hackers extort money from them.

They can download Darus Ransomware removal tool or implement manual removal steps given below to get rid of Darus Ransomware.

Distribution Techniques of Darus Ransomware

Sources state that Darus is spreading its infection through various distribution channels at an alarming rate. No wonder why Djvu Ransomware family is considered as the most wide-spread malware infection.

The most prevalent spread method employed by the hackers is Spam E-mail Campaigns.

Users often tend to click on the e-mail with luring subject lines without discerning that content in the e-mail may be malicious. The hackers take the leverage of this careless attitude of computer users.

Hackers send out colossal amount of e-mails containing infected links & attachments. They suggest the receiver about an undelivered shipment from legit shipping services like DHL & FedEx.

A mere click on these attachments, links & files installs Darus Ransomware on the system.

Other distribution techniques that Darus is using to proliferate are-

  • Online Advertising/Luring Discount Coupons
  • Malware Laden sites- Torrent sites, Adult content sites
  • Unreliable software download sources
  • Fake software updaters/Cracks
  • Peer-to-Peer Networks
  • Exploit kits
  • Zipped Java Script Attachments

How to remove Darus Ransomware infection from the system-

STEP A: Reboot your system to Safe Mode

To restart the system to Safe Mode with Networking,  if already switched ON then follow the below steps:

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click  Restart.
  3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.

5 Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
  5. Click on the username and enter the password.

STEP B: Delete the suspicious key from the Configuration Settings

  1. Type “Msconfig” in search box / Run Box, select it and press Enter.
  2. Click on “Services” Tab and click on “Hide all Microsoft services”.
  3. Select Darus Ransomware from the list of remaining services and disable it by removing the tick mark from the checkbox and click on Apply button.

Windows 7

  1. Click on the next tab – “Startup”.
  2. Find any blank or suspicious entry or the entry with Darus Ransomware mentioned and remove the check mark.
  3. Click on Apply button and then click on OK.

Windows 10

  1. Click on the next tab – “Startup”.
  2. Take the mouse cursor to ‘Open task Manager‘ link and click on it.  This opens the Task Manager window.
  3. Find any blank or suspicious entry or the entry with Darus Ransomware mentioned and click on it.
  4. Then click on Disable button.

STEP C: Remove Malicious Program from Command Prompt

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click Restart.
  3. When the screen goes blank, keep tapping F8 key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Command Prompt from the list and press the Enter Key. The system will then restart to Safe Mode with Command Prompt.
  5. Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Command Prompt. The system will then restart to Safe Mode with Command Prompt.
  5. Click on the username and enter the password.

STEP D: Restore the System Files & Settings

Method 1 using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icon option
  4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
  6.  Select the restore point that is prior the infiltration of Darus Ransomware. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Darus Ransomware.

OR

Method 2 using Command Prompt

  1. Type cmd in the search box and click on the command prompt to open the Command Prompt window. box and clicking on it.
  2. Once the Command Prompt window shows up, enter cd restore and click Enter.(Ensure that you in the system32 directory of Windows folder in C Drive)
  3. Now type rstrui and press Enter again.
  4. When a new window shows up, click Next and select your restore point that is prior the infiltration of Darus Ransomware. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Darus Ransomware.

 

OR

Method 3 : Directly type 'rstrui' in the search box

  1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

How to prevent Darus Ransomware from infecting your system

  1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
  4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
  5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like VipreKaspersky BULL GUARD  so that it remains safe.
  6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.

Hits: 130

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Jaipur
Rajasthan 302033
Phone: +91 9799661866