Dxen Ransomware
Infosec researchers have recently uncovered a new ransomware threat known as Dxen. This type of malware operates by encrypting files on an infected device and then demanding payment from the victim for decryption. Upon successfully infiltrating a device, Dxen initiates the encryption process, altering the names of the files stored on the system. The modified filenames include:
- A unique identifier assigned to the victim.
- The attackers' email address.
- The '.dxen' extension.
For instance, a file originally named '1.jpg' may be transformed into '1.jpg.id[9ECFA74E-3536].[vinsulan@tutanota.com].dxen'.
Following the completion of the encryption process, Dxen generates ransom notes presented to victims through a pop-up window ('info.hta') and a text file ('info.txt'). These files are strategically placed in all encrypted directories and on the desktop to ensure visibility to the affected user. Notably, Dxen has been confirmed as a variant originating from the Phobos Ransomware family, indicating a connection to this particular strain of threatening software.
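As an added illustration (not code from the article or from the malware itself), a Python triage helper that parses the Dxen naming scheme described above and counts encrypted files and dropped notes in a constructed file listing. The victim-ID shape (8 hex digits, a dash, 4 hex digits) is inferred from the single example and is an assumption.

```python
import re
from typing import NamedTuple, Optional

# Naming scheme reported for Dxen:
#   <original name>.id[<8 hex>-<4 hex>].[<attacker e-mail>].dxen
# The hex-length assumption comes from the one published example.
DXEN_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.dxen$"
)

# Ransom note file names the article reports in every encrypted folder and on the desktop.
NOTE_NAMES = {"info.hta", "info.txt"}

class EncryptedName(NamedTuple):
    original: str
    victim_id: str
    email: str

def parse_dxen_name(name: str) -> Optional[EncryptedName]:
    """Return the components of a Dxen-renamed file, or None if the name does not match."""
    m = DXEN_NAME.match(name)
    if not m:
        return None
    return EncryptedName(m["original"], m["victim_id"].upper(), m["email"])

def triage(paths):
    """Summarise a file listing: encrypted files, note drops, distinct victim IDs and e-mails."""
    summary = {"encrypted": 0, "notes": 0, "victim_ids": set(), "emails": set(), "originals": []}
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]  # basename, Windows or POSIX separators
        if name.lower() in NOTE_NAMES:
            summary["notes"] += 1
            continue
        parsed = parse_dxen_name(name)
        if parsed:
            summary["encrypted"] += 1
            summary["victim_ids"].add(parsed.victim_id)
            summary["emails"].add(parsed.email)
            summary["originals"].append(parsed.original)
    return summary

# Constructed sample listing (not real telemetry), built around the article's example name.
SAMPLE_PATHS = [
    r"C:\Users\victim\Pictures\1.jpg.id[9ECFA74E-3536].[vinsulan@tutanota.com].dxen",
    r"C:\Users\victim\Documents\report.docx.id[9ECFA74E-3536].[vinsulan@tutanota.com].dxen",
    r"C:\Users\victim\Documents\info.txt",
    r"C:\Users\victim\Desktop\info.hta",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

Feeding a real directory walk into `triage` gives an incident responder the victim ID to quote in a report and the set of original names to match against backups.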
The Dxen Ransomware Seeks to Extort Money from Its Victims
The text file generated by Dxen ransomware communicates to the victim that their data has undergone encryption and urges them to establish contact with the attackers to facilitate the decryption process. In addition to this, the accompanying pop-up window offers further details regarding the ransomware infection, specifying that the decryption process necessitates the payment of a ransom in Bitcoin cryptocurrency. While the exact ransom amount is left unspecified, it is purportedly contingent on the promptness with which the victim initiates contact. Notably, before committing to the ransom payment, the victim is granted the opportunity to test the decryption process on up to five files without any charge.
The ransom note concludes with cautionary warnings to the victim. Specifically, it advises against renaming the encrypted files or attempting to use third-party decryption software, as such actions could potentially result in permanent data loss. These details underscore the coercive tactics employed by the Dxen Ransomware, emphasizing the financial and operational risks faced by victims who may be compelled to engage with the attackers in order to regain access to their encrypted data.
The Dxen Ransomware Shuts Down Several Recovery Options
Dxen, as part of the Phobos Ransomware family, shares characteristics with other programs within this group, primarily targeting both local and network-shared files for encryption. Notably, infected devices remain operational, as critical system files are intentionally spared from the encryption process. To avoid skipping files that are locked as 'in use,' Dxen terminates the processes holding them open, such as database programs and text file readers.
To avoid double-encrypting previously compromised files, the Phobos Ransomware programs maintain a list of other ransomware families and skip files already encrypted by them. However, this strategy is not foolproof, as the list does not encompass all existing data-encrypting malware. Additionally, these ransomware programs take measures to eliminate the possibility of file recovery by wiping the Shadow Volume Copies.
Persistence is ensured by the Phobos malware through self-replication to the %LOCALAPPDATA% path and registration with specific Run keys. Consequently, the ransomware auto-starts after each system reboot, ensuring a consistent presence on the infected device.
Moreover, the Phobos Ransomware exhibits a concerning capability by gathering geolocation data, allowing the attackers to assess the viability of proceeding with the infection. The motivation behind these attacks can be influenced by geopolitical factors, economic strength of the region, or other strategic considerations, highlighting the multifaceted nature of the threat posed by ransomware within the Phobos family.
Do not Follow the Instructions Left by Cybercriminals
Security researchers emphasize that the decryption of data encrypted by ransomware threats is typically a complex task without the involvement of cybercriminals. Furthermore, even when victims comply with ransom demands, they often do not get the promised decryption tools. Consequently, experts strongly caution against paying ransoms, as it not only fails to guarantee data recovery but also perpetuates and supports illegal activities.
To halt the encryption of additional data by ransomware, the unsafe software must be completely eradicated from the operating system. However, it is crucial to note that the removal of the ransomware itself does not automatically restore encrypted files. The only applicable solution is to recover files from a previously created backup, provided it exists and is stored in a separate location.
To enhance overall data safety, experts recommend adopting a proactive approach by maintaining backups in multiple and distinct locations. This can include remote servers, unplugged storage devices, and other secure mediums, ensuring that data recovery remains a feasible option in the event of a ransomware attack. This comprehensive strategy helps mitigate the risks associated with ransomware and underscores the importance of a robust backup system in safeguarding valuable data.
The main ransom note delivered to victims of the Dxen Ransomware is:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail vinsulan@tutanota.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail: vinsulan@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The text files generated by the Dxen Ransomware contain the following message:
'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: vinsulan@tutanota.com.
If we don't answer in 24h., send e-mail to this address: vinsulan@cock.li'