TEREN Ransomware

TEREN Ransomware Description

The TEREN Ransomware is a new ransomware threat spawned from the prolific family of ransomware based on the Dharma Ransomware. The most significant differences between TEREN and the other members of the Dharma malware family are the extension it uses for all the encrypted files and the email addresses for contact with the hackers.

Upon successful infiltration, the TEREN Ransomware begins to encrypt the files stored on the computer system with an uncrackable cryptographic algorithm, effectively locking the users out of accessing their own private files. The cybercriminals will then demand the payment of a ransom, usually in Bitcoin, in exchange for the decryption key or tool that could potentially restore the locked data. As all of the Dharma variants, the TEREN Ransomware also modifies the filenames of every encrypted file significantly. First, it appends a unique alphanumeric string representing the ID of the specific victim, followed by an email address controled by the hackers, and finally '.TEREN' as a new extension.

The TEREN Ransomware is programmed to deliver two ransom notes, one in the form of a text file that can be found in every folder with encrypted data, and one displayed in a pop-up window. The text files are named 'FILES ENCRYPTED.txt' and contain only a couple of lines of text, mainly the two email addresses of the hackers - 'databack44@tuta.io' and 'decrypt24@gytmail.com.' The pop-up window delivers the proper instructions from the cybercriminals. While no specific amount is mentioned, the note does state that the price will depend on how fast the affected users have initiated communication. They also are offered to send one file that is less than 1 MB in size for free decryption. Furthermore, the second email address - decrypt24@gytmail.com, is supposed to be used only in the case that 24 hours have passed without the victims getting a response on the primary email. 

The message from the text files created by the TEREN Ransomware is:

'all your data has been locked us

You want to return?

Write email databack44@tuta.io or decrypt24@gytmail.com.'

The pop-up window instructions are:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the email databack44@tuta.io

Write this ID in the title of your message -

In case of no answer in 24 hours write us to theese e-mails:decrypt24@gytmail.com

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.


Also you can find other places to buy Bitcoins and beginners guide here:



Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

Unfortunately, there is currently no way to decrypt files encrypted by TEREN ransomware without assistance from the attackers. It might be possible in the future if white hat hackers and security experts can obtain decryption keys from their servers. For now, however, there are only two ways to get your data back.

The first is to pay the fee. Experts always recommend against doing this, however. There is no guarantee that you will get the decryption key or tools you paid for. Even if you get the tools, there’s still no guarantee they will work. Hackers are under no obligation to live up to their end of the deal, and many ransomware victims also become scam victims once they transfer the money and get nothing in return.

The other option is to use an external backup. You may be able to get your data back using a local backup, but you shouldn’t count on it. Ransomware viruses look for local backups and Shadow Volume Copies and remove them. One of the reasons to keep an external or cloud backup of your important files is so that you can get your computer back to normal and avoid data loss during virus attacks.

Related Posts

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.