
DCOM Ransomware

By GoldSparrow in Ransomware

The DCOM Ransomware belongs to a group of malware derived from the Globe Imposter Ransomware and is similar to other ransomware like the Popotic Ransomware and the Lotep Ransomware. Most GlobeImposter Ransomware variants work the same way: encrypt all data, append an extension, and demand payment to decrypt.

What is the Objective of the DCOM Ransomware?

The DCOM Ransomware encrypts your data and adds a ".dcom" extension to every file. It also drops a text file called "how_to_back_files" on the desktop.

The Globe Imposter variants' ransom note is almost always the same:

  • Inform the victims that their files are encrypted and that a decryption key or decryption software is required to recover them.
  • Provide an email address and an alternate email address in case the first one is non-responsive.
  • Offer to decrypt one file for free.
  • Include a public key that will presumably be used to identify the private key required for decryption.

The malware is spread by spam email containing a link or an attached file. Once the attachment is opened, or the file pointed to by the link is downloaded and opened, the malware moves through the storage aggressively and affects as many files as possible. Sometimes the malware is contained inside a Word document or similar document that carries "macros," malicious code that executes while you are reading the document. The creators of the malware have not been identified, and it is highly likely that the attackers request payment in Bitcoin to avoid being tracked. The DCOM Ransomware appears to use an unknown, sophisticated encryption method and is therefore extremely difficult to reverse at present.

Sample Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
--------------------------------
Contact us on this email below.
example@example.li
If No answer in 24hr email this
example2@example.li
------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption
-----------------------------------
DO NOT CHANGE DATA BELOW...
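As an added example, not code from this page or from anyone associated with the malware, the following Python triage helper parses a GlobeImposter-style note like the one above for its primary and fallback contact addresses and the opaque block after "DO NOT CHANGE DATA BELOW", and classifies file paths by the ".dcom" extension and the "how_to_back_files" note name. The sample note is constructed from the text above; its final line is a placeholder, since the page does not show the real data block.

```python
import re
from pathlib import Path

# Constructed sample note modelled on the one quoted above; the final line is
# a placeholder standing in for the data block, not content from a real sample.
SAMPLE_NOTE = """All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
--------------------------------
Contact us on this email below.
example@example.li
If No answer in 24hr email this
example2@example.li
------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption
-----------------------------------
DO NOT CHANGE DATA BELOW...
[PLACEHOLDER-VICTIM-DATA-BLOCK]
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ENCRYPTED_EXT = ".dcom"          # extension the DCOM Ransomware appends
NOTE_NAME = "how_to_back_files"  # ransom note file name quoted on this page

def parse_note(text):
    """Record the note's primary/fallback contact addresses and keep the
    opaque block after 'DO NOT CHANGE DATA BELOW' verbatim for the IR file."""
    emails = list(dict.fromkeys(EMAIL_RE.findall(text)))  # dedupe, keep order
    lines = text.splitlines()
    block = ""
    for i, line in enumerate(lines):
        if line.upper().startswith("DO NOT CHANGE DATA BELOW"):
            block = "\n".join(lines[i + 1:]).strip()
            break
    return {"primary": emails[0] if emails else None,
            "fallback": emails[1] if len(emails) > 1 else None,
            "data_block": block}

def classify(paths):
    """Split paths into encrypted files (by the .dcom extension) and ransom
    notes (by name), e.g. from Path(root).rglob("*") on a read-only mount."""
    encrypted, notes = [], []
    for p in map(Path, paths):
        if p.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(str(p))
        elif p.name.lower().startswith(NOTE_NAME):
            notes.append(str(p))
    return encrypted, notes
```

Run `classify` over a listing taken from a read-only mount of the affected disk so the triage itself never writes to the evidence; the extracted addresses are for the incident record only.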

Protecting Yourself from the DCOM Ransomware

It is always important to verify the source of any file you download from the Internet or receive via email. Most unsafe emails come from obviously fake accounts and are easy to detect. One common method of distributing malware is to bundle it with torrent files; when you download a torrent file from an unknown source, make sure you are not installing anything besides it. It is also important to have good third-party anti-virus software installed on your system. Keep all your software, including your operating system and anti-virus definitions, up to date to protect yourself from the new threats that appear every day. It is also a good idea to keep an external drive with all of your important documents and software backed up regularly.

My Device has been Infected. What do I do Now?

Unfortunately, the best thing to do is to remove the threat and protect the files it did not reach. This is important because any hard drive you connect to, or sometimes even any email you send from an infected device, can spread the malware further. You can format your hard drive to be certain that any malware has been removed permanently, or use a good third-party anti-virus to scan for and remove the malware. There are some manual methods to remove DCOM, but there is no guarantee of success. Currently, there is no known way to recover files encrypted by the DCOM Ransomware.

NEVER try to reach out to the email addresses mentioned in the ransomware as it may lead to further invasion of your privacy and documents. If you pay the ransom via Bitcoin, the chances are that you will be asked for more money, or the attacker will simply disappear.
