DCRTR Ransomware Removal Guide

Do you know what the DCRTR ransomware is?

The DCRTR ransomware is an aggressive piece of malware that makes unauthorized changes on the system to scare victims into paying large sums of money in return for their lost data. The DCRTR ransomware encrypts files after entering the computer surreptitiously, which is usually done through phishing emails. Unlike the vast majority of ransomware threats, DCRTR has no graphical user interface of its own, but that changes little, because the victim learns about the issue from the numerous ransom notes created in every affected directory. The infection should be removed as soon as its damage is spotted, even though the attackers try to convince the victim that a fix is guaranteed after a payment is submitted.

To ensure that it keeps running after the original executable is deleted, the DCRTR ransomware creates a copy of itself in the %APPDATA% directory. The copy is named msshost.exe, and the name seems to be chosen on purpose: the suffix -host is used by legitimate Windows files such as taskhost.exe and svchost.exe.

Additionally, the DCRTR ransomware creates two points of execution (PoE), which is quite unusual because less persistent ransomware threats tend to create only one PoE or none at all. More specifically, the ransomware creates its malicious Run registry values in both the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER hives. Moreover, the DCRTR ransomware stops built-in security-related services, including WinDefender, WerSvc, ERSvs, BITS, wuauserv, and WSCSvc. With these services stopped, the user is not notified about security issues, which helps the threat complete the file encryption unnoticed.

The DCRTR ransomware also tampers with the Windows Volume Shadow Copy service: the infection disables data recovery processes and deletes existing shadow copies, so the built-in restore points cannot be used to get the files back.

Having disabled the security and backup-related processes, the DCRTR ransomware uses the AES and RSA encryption algorithms to encrypt files in multiple directories, leaving only the %WINDIR% directory intact.

Every encrypted file gets the extension .[decryptor@cock.li].dcrtr, from which the infection takes its name. Alongside the affected files in each folder, the DCRTR ransomware drops a file with instructions for the victim. The file is easy to recognize: it is a .txt file named Readme_Decryptor.

According to the ransom note, the victim has to pay a release fee in Bitcoin, but the exact sum is not mentioned. Instead, the attackers request that they are contacted at decryptor@cock.li for more information, which most likely means that the ransom fee depends on when the victim contacts the attackers. If no reply is received from the schemers in 24 hours, the victim is expected to send another inquiry to masterdecrypt@openmailbox.org. To encourage the unsuspecting user of the affected computer, the schemers promise to decrypt 5 files for free, but that does not prove that they will do the same with the rest of the files after receiving their revenue.

Cyber criminals developing ransomware are only interested in earning money from inexperienced computer users who are unfamiliar with the capabilities of ransomware. It is crucial to remove the DCRTR ransomware without making any payment to its authors, because this is how people deprive the schemers of revenue and make them lose interest in building such threats.

Importantly, it is not enough to remove the DCRTR ransomware and leave the OS as it is; a few measures are needed to prevent similar episodes in the future. Ransomware spreads via deceptive emails, RDP brute-force attacks, and drive-by downloads, so you should be aware that the computer can get infected when it is least expected. Think critically when exposed to a questionable email, a link in an email, or an obscure website. If you use the RDP service, make sure that your login credentials are complex and hard to guess. It is also advisable to lock out accounts after repeated failed attempts to connect to your device.

On top of that, it is critically important to keep the system protected by a reputable security program. Malware spreads surreptitiously, and without a reliable malware and spyware removal tool you cannot know what other malicious threats are running on your PC. Our recommended security program can remove the DCRTR ransomware for good and safeguard you against various threats. If you are determined to remove DCRTR manually, use the following removal instructions.

How to remove DCRTR Ransomware

  1. Delete questionable files from the desktop and other directories to which you save downloaded files.
  2. Delete the msshost.exe file from the %APPDATA% directory.
  3. Open the Windows Registry Editor and delete the following malicious registry values (the value name follows the "::"):

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run::MssHostEngine
HKCU\Software\Microsoft\Windows\CurrentVersion\Run::MssHostEngine
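The indicators listed in this guide (the msshost.exe copy in %APPDATA%, the MssHostEngine Run values in both hives, the stopped services, the missing shadow copies, the .dcrtr extension and the Readme_Decryptor notes) can be checked in one pass before and after the manual removal. The script below is an added example written for this guide, not code from the original page or from any security vendor; it is read-only and only reports what it finds. The service names are the ones the guide lists (WinDefend is added because it is the actual service name of Windows Defender on current Windows versions), the note filename Readme_Decryptor.txt and the search root in $SearchRoots are assumptions, and the script should be run from an elevated PowerShell prompt so that the HKLM key and the shadow-copy query can be read.

```powershell
# DCRTR triage script (added example, read-only): reports the indicators
# described in the removal guide. Run from an elevated PowerShell prompt.

$SearchRoots = @($env:USERPROFILE)   # assumption: add other data drives as needed
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Persistence copy dropped in %APPDATA% (name taken from the guide)
$CopyPath = Join-Path $env:APPDATA 'msshost.exe'
if (Test-Path -LiteralPath $CopyPath) {
    $Findings.Add("Suspicious file present: $CopyPath")
}

# 2. Points of execution: the MssHostEngine Run value in both hives
$RunKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Item = Get-ItemProperty -LiteralPath $Key -Name 'MssHostEngine' -ErrorAction SilentlyContinue
    if ($null -ne $Item) {
        $Findings.Add("Run value present: $Key\MssHostEngine = $($Item.MssHostEngine)")
    }
}

# 3. Security-related services the ransomware stops. Names as listed in the
#    guide, plus WinDefend (the real Windows Defender service name). Names that
#    do not exist on this Windows version are silently skipped.
$Services = @('WinDefender', 'WinDefend', 'WerSvc', 'ERSvs', 'BITS', 'wuauserv', 'WSCSvc')
foreach ($Name in $Services) {
    $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $Svc -and $Svc.Status -ne 'Running') {
        $Findings.Add("Service '$Name' is $($Svc.Status)")
    }
}

# 4. Volume shadow copies: an empty list on a machine that used to have them
#    is consistent with the shadow-copy deletion described in the guide.
$Shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $Shadows) {
    $Findings.Add('No volume shadow copies present')
}

# 5. Encrypted files and ransom notes under the search roots.
#    Note filename Readme_Decryptor.txt is an assumption (guide: "a .txt file named Readme_Decryptor").
foreach ($Root in $SearchRoots) {
    $Encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.dcrtr' -ErrorAction SilentlyContinue)
    if ($Encrypted.Count -gt 0) {
        $Findings.Add("$($Encrypted.Count) file(s) with the .dcrtr extension under $Root")
    }
    $Notes = @(Get-ChildItem -Path $Root -Recurse -File -Filter 'Readme_Decryptor.txt' -ErrorAction SilentlyContinue)
    if ($Notes.Count -gt 0) {
        $Findings.Add("$($Notes.Count) ransom note(s) under $Root (first: $($Notes[0].FullName))")
    }
}

# Report. A clean host prints nothing but the summary line.
if ($Findings.Count -eq 0) {
    Write-Output 'No DCRTR indicators found.'
} else {
    Write-Output "DCRTR indicators found ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output " - $_" }
}
```

Run the script once before following the removal steps to confirm the infection, and again afterwards: after a successful manual removal the file and Run-value findings should disappear, while stopped services must be started again by hand (for example with Start-Service) and the .dcrtr files and notes remain until the data is restored from backups.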

In non-techie terms:

The DCRTR ransomware is a piece of malware that encrypts files in an attempt to scare you into paying money for them. The infection encrypts files in multiple directories and creates a ransom note in every affected folder. The demands in the ransom notes should be ignored, and the malicious executable should be removed. After removing the infection, start making backups of your data to prevent data loss in the future.