DEDCryptor ransomware is the new EDA2 with .ded extension. Magic Ransomware no more.

DEDCryptor ransomware, previously known as EDA2, is the new open source development. There is a big story behind all this, and no happy ending for victims of the Magic ransomware. Magic ransomware is known as the latest innovation in this kind of virus, using the open source C Sharp (C#) programming language. It encrypts files using AES and adds the .magic extension at the end of encrypted files. To get them back, victims are asked to pay 1 bitcoin. However, Magic and Hidden Tear ransomware were developed by people who claim that all this was for educational purposes. Whatever is going on, it is causing big trouble for those who are infected.

Those who have been developing and using EDA2 ransomware apparently have low technical skills. EDA2 contains all a cyber criminal would need to modify it and create one of their own. It includes the code for the ransomware executable, the encryption algorithm and a PHP web panel that substitutes for a Command & Control server for storing victims' keys. All this can cause trouble if it falls into the wrong hands. The creator of both projects is Turkish security researcher Utku Sen. The story behind this is that, instead of a dedicated Command & Control server for key storage, the C2 servers are hosted on free web services. This means that all decryption key databases can be deleted by the hosting provider, which is exactly what happened with Magic ransomware.

Just like any ransomware, it will encrypt user files and then demand 1 BTC for them. The .magic extension will appear at the end of locked files. Files in the following directories will be skipped: C:\Windows, or c:\program. It is currently unknown how the executable, called magic.exe, is distributed. The ransom note is placed on the victim's desktop in files called DECRYPT.TXT and DECRYPT_ReadMe.TXT. To get instructions on how to decrypt files, the user has to pay 1 bitcoin and contact the cyber criminals via email at [email protected], [email protected], or [email protected]

A few months later, a new DEDCryptor variant of EDA2 ransomware was spotted. The demand is higher than before: it is now 2 bitcoin. Maybe EDA2 did fall into the wrong hands. Utku Sen denied that a backdoor to EDA2 was discovered, and all the files and commits of the EDA2 project were removed.

DEDCryptor ransomware

The new “.ded” extension appears to be the one associated with DEDCryptor ransomware. It encrypts with AES-256, using a 32-character password that is unique for each victim. No ransom note will be found, but the victim's background image will be changed to the one you can see above. DEDCryptor ransomware targets extensions such as:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv,
.sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf
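To scope the damage before restoring from backup, the extension list and the .ded/.magic markers above can drive a simple inventory. This is an added example, not code from the original article; the function names are illustrative, and it assumes the marker is appended after the original extension (for example report.docx.ded).

```python
import os
import tempfile
from collections import Counter

# Extensions the article lists as DEDCryptor targets.
TARGETED = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
            ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
            ".aspx", ".html", ".xml", ".psd", ".dll", ".lnk", ".pdf"}
# Marker extensions named in the article: .ded (DEDCryptor), .magic (Magic).
MARKERS = {".ded", ".magic"}


def inventory(root):
    """Return (hits, untouched) for the tree under root.

    hits: (path, marker, original_ext, mtime) for files carrying a marker.
    untouched: paths that still have a targeted extension.
    """
    hits, untouched = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in MARKERS:
                # Assumption: marker is appended, e.g. report.docx.ded
                original = os.path.splitext(stem)[1].lower()
                hits.append((path, ext, original, os.path.getmtime(path)))
            elif ext in TARGETED:
                untouched.append(path)
    return hits, untouched


def summarize(hits):
    """Count hits per original file type and bound the encryption window."""
    by_type = Counter(original or "(unknown)" for _p, _m, original, _t in hits)
    times = [t for _p, _m, _o, t in hits]
    window = (min(times), max(times)) if times else None
    return by_type, window


if __name__ == "__main__":
    # Constructed sample tree, not real victim data.
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.docx.ded", "photo.jpg.ded", "notes.txt"):
            open(os.path.join(root, name), "wb").close()
        hits, untouched = inventory(root)
        print(summarize(hits), untouched)
```

The window returned by `summarize` is the earliest and latest modification time among the marked files, which helps when choosing a backup that predates the encryption run.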

NOTE: The steps below might not work. We recommend using an anti-malware tool to remove DEDCryptor Ransomware.

Now that you have been infected you have a few options:

Many suggest that you simply pay and hope that you will get all of your data back. However, in this case you risk losing money and still being stuck with encrypted files. We do not recommend this, simply because you will support the work of hackers, and the more money they get, the stronger they will become.

The best option, if you have a backup, is to wipe your hard drive and perform a system restore.

Use any type of anti malware software to remove DEDCryptor Ransomware.

NOTE: In this option the virus will be removed but the files will remain locked! You have to decrypt your files.

New research shows that ransomware deletes the original files and substitutes encrypted copies of them. It is not guaranteed, but it is possible that you may recover your files with data recovery software. Before trying to decrypt any files, you can scan your computer for possible data loss.

Go here to find out how to recover deleted files.

Decrypt DEDCryptor files.

The good news is that we can now use decryption programs. A lot of security companies, like Kaspersky Lab, Bitdefender and more, have developed programs that are fully capable of decrypting files locked by ransomware. You can find these programs anywhere on the internet, but it is strongly suggested to download them from official websites. NOTE: It may take a long time for your files to be decrypted, depending on your PC performance.

  • Name – DEDCryptor
  • Type Spamming – Malware, Ransomware, Trojan Horse
  • Danger Level – High
  • Brief Description – Encrypt files and demand ransom.
  • Symptoms – Poor PC performance or freezing, ransom messages.
  • Method – Via Trojan Horse or spam email.

How to remove “DEDCryptor Ransomware”

Short guide:

  1. Log in as administrator.
  2. Go to Control Panel and uninstall any suspicious software.
  3. Use any type of anti-malware software to remove DEDCryptor.
  4. Decrypt .locked files.
  5. Delete all temporary files with Disk Cleanup.
  6. Restart your computer.

Note: Removing DEDCryptor Ransomware manually could be very risky and unpredictable!

Manual steps, how to remove “DEDCryptor”

Manual steps to remove ransomware or malware. How to prevent ransomware or malware.

For now, removing ransomware or malware manually is something only IT specialists will be able to do. If you don't know one, don't worry. We have a solution for you. Here we will use Spyhunter to remove the virus. The Spyhunter anti-malware is a collection of programs that can be used to scan for malware and clean infected computers. You can also use a full anti-malware program in this case, which is the better option because it also offers protection.

How to remove "ransomware or malware"

NOTE: In this option the virus will be removed but the files will remain locked! You have to decrypt your files.
  1. Download Spyhunter anti-malware.
  2. After the program has been downloaded, double-click to open it. You will have to install the program. Click on Spyhunter.exe to start the process. A User Account Control dialog may appear, asking you to allow the program to make changes to this computer. Click "Yes" or "Run" to proceed with the installation. You can also choose from a variety of languages. Click OK and the installation will begin with a welcome message for Spyhunter. Click Next to continue to the next step. You will also have to accept the Spyhunter license agreement by clicking on "I accept the agreement" and then Next. Spyhunter will ask you to read important information before continuing. Once done, click Next to go to the next step. You can choose where to install the program. The default is C:\Program Files\Enigma Software Group\SpyHunter. The process will continue and then Spyhunter will install. The installation may take a while, depending on the computer's performance. Once the installation is done, click Finish.
  3. Update the software before scanning. Once the program has been updated, go to scan. You can choose between a free trial version and activating a license. It is recommended to buy the full version, as the trial will not protect the computer system.
  4. The scan process will begin. The scan may take a while, depending on the computer's performance.
  5. Once the scan is complete, you can choose between deleting and quarantining the viruses. The quarantine option is recommended, and since the malware is active, a reboot will be required to finish the process.

Click here for guide of how to uninstall spyhunter.
