Dot Ransomware Removal Guide

Do you know what Dot Ransomware is?

Dot Ransomware can be any ransomware infection that is created using the Ransomware-as-a-Service (RaaS). This service was created by an unknown party, and anyone can use it to build their own ransomware infections. According to our research, the builder is so user-friendly, that a new infection can be created in under 5 minutes. Unfortunately, that might mean that an avalanche of new ransomware infections might be on its way. In this report, we look at the builder and how the ransomware created using it works. The bad news is that this malware has a huge potential as it is not restricted to one specific region or one group of files. When it hits the targeted operating system, it can encrypt all kinds of personal files, leaving the victim in a predicament. Please continue reading to learn more, including how to remove Dot Ransomware.

Some users might know Dot Ransomware as Unlock26 ransomware, and this malware can be created using CLI (command-line interface) builder with specific instructions on how to do it. Using the steps represented by the builder, the ransomware creator can set up a Bitcoin Address, choose which file extensions are to be encrypted, and set the decryption price. Basically, the attacker can create a unique infection. Of course, nothing is for free, and the developer of the builder demands a 50% share of the profit. However, it does not cost anything for this attacker to build an infection, and so it is very likely that many cyber criminals – especially the ones who are not experienced enough to create ransomware themselves – will use this opportunity. When it comes to the distribution, it all depends on the attacker. Some might spread Dot Ransomware using spam emails, which is the most common method of distribution, but fake installers and messenger scams can be employed as well. In general, the infection is downloaded onto targeted systems without the users’ notice, which means that they are unlikely to delete it before the encryption begins.

When Dot Ransomware is executed, it immediately starts encrypting files in these directories: %APPDATA%, %ALLUSERSPROFILE%, %HOMEDRIVE%, %LOCALAPPDATA%, %PUBLIC%, and %USERPROFILE%. According to “Setup Guide.txt”, a file created for the ransomware creators, hundreds of different types of files can be encrypted, including .jpeg, .jpg, .doc, .pdf, .zip, .txt, etc. To represent the demands, a ransom note file is created right after the encryption is complete. The name of the file might be adjusted according to the victim’s geographical location (e.g., ReadMe-1US.html if the victim is US-based). The message within this file simply instructs the victim to visit one of the provided sites. When the victim visits these sites, a coded signature is sent to the server, which allows the attacker to determine the geographical location and adjust the ransom sum. Unfortunately, if your files are not backed up on an external drive or online, you are likely to follow these demands as soon as you find that your personal files are encrypted (they will have the “.locked-[random characters]” extension attached to them). It was found that Dot Ransomware deletes shadow volume copies as well (uses the command “vssadmin delete shadows /all /quiet”), and so system restore will not work.

There are no guarantees that your documents, photos, and other personal files would be decrypted if you paid the ransom fee, and so you have to think carefully before you make the decision to pay it. If you do not have enough money to cover the ransom fee, or if you do not want to take the risk, you might have to accept the loss. In any case, you have to delete Dot Ransomware, and the instructions below show how to terminate malicious processes and remove malicious files. You can also use anti-malware software, and because it can also ensure reliable system’s protection, it is the best option. In any case, scan your PC after the ransom is eliminated, and immediately figure out a way to back up your files to ensure that you do not lose them in the future.

Remove Dot Ransomware

  1. Launch Task Manager by tapping Ctrl+Shift+Esc buttons.
  2. Move to the Processes tab.
  3. Check out the processes to look for unfamiliar ones.
  4. When you find the malicious process, right-click it and select Properties.
  5. Check the Location to find the file you need to eliminate.
  6. Click OK, select the file, and then click End process/task.
  7. Launch Windows Explorer by tapping Win+E.
  8. Type in the location of the file you want to remove. Potential locations include:
    • %USERPROFILE%\Documents
    • %USERPROFILE%\Downloads
    • %USERPROFILE%\Desktop
  9. Right-click the malicious .exe file and choose Delete.
  10. Also, Delete the ransom note file named ReadMe-[random characters].html.
  11. Empty Recycle Bin.
  12. Install a trusted malware scanner to inspect your operating system for leftovers.

In non-techie terms:

Dot Ransomware can have many different versions because it can be created by many different cyber criminals who can adjust the distribution method and even the ransom fee. Whichever version you face, you need to assess the damage first to see which files were encrypted (the ones with the “.locked-[random characters]” extension). If the files encrypted by this malware are already backed up, you do not need to worry further. If your only chance at restoring your files is to pay the ransom, think carefully because cyber criminals are unpredictable, and they might offer you nothing in return of the ransom fee. This is particularly important to think about if the ransom fee requested is very big. If you choose to remove Dot Ransomware manually, do not forget to take care of your system’s security afterward. If you employ anti-malware software for automatic removal, that is not something you will need to think about.