1dec Ransomware

1dec Ransomware Description

Despite already having countless variants released in the wild, the Dharma Ransomware appears to still be as popular as ever with cybersecurity researchers continuing to detect more and more newly released ransomware threats based on it. The latest one is called 1dec Ransomware. As is generally the case, the only significant difference between the 1dec Ransomware and the rest of the threats belonging to the Dharma Ransomware family is the extension used for the encrypted files and the email addresses provided by the hackers.

The 1dec Ransomware doesn't deviate from the standard behavior expected from a ransomware threat. The 1dec Ransomware attempts to infiltrate the victim's computer, most likely through spam emails carrying infected files as attachments, after which it starts encrypting the files stored on the machine. If the encryption process is completed successfully, the user's files will be rendered unusable. The hackers behind the 1dec Ransomware will then demand a certain sum to be paid in one of the various cryptocurrencies, most likely Bitcoin, in exchange for the decryption key required for the restoration of the files.

Users who have been infected with 1dec Ransomware will notice that their files' normal names have been changed suddenly, and now they have several new extensions added to their original names. The 1dec Ransomware will append a unique string of characters representing the victim's ID to the end of all encrypted files, followed by the email address "gocrypt@aol.com," and finally, the extension ".1dec". The ransom note will be dropped as a text file named "FILES ENCRYPTED.txt," as well as being displayed in a pop-up window.

The note mentions two email addresses for contact. The first is the aforementioned "gocrypt@aol.com," while the second one, which is to be used if the user doesn't get a response within 12 hours, is "gocrypt2@aol.com."

Unfortunately, it seems unlikely that a free decryption tool for the 1dec Ransomware will be created, leaving the ransomware victims with limited options. The best action is to remove the malware threat using legitimate anti-malware software and then restore the affected files from a previously created backup.

The text of the pop-up window generated by 1dec Ransomware is:


Don't worry,you can return all your files!

If you want to restore them, follow this link:email gocrypt@aol.com YOUR ID -

If you have not been answered via the link within 12 hours, write to us by e-mail:gocrypt2@aol.com


Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The content of the text file is:

'all your data has been locked us

You want to return?

write email gocrypt@aol.com or gocrypt2@aol.com'

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.