If you turned on your computer and saw a ransom note that your files are encrypted then your PC system is infected with a ransomware infection called Locky Diablo6 ransomware. The Diablo6 virus invisibly penetrates the personal computer and encrypts photos, documents and music that stored on your computer disks. While encrypting, it renames all your important files so that they have the extension Diablo6.
The Diablo6 is new variant of the Locky ransomware, which designed to encrypt the personal personal files found on infected machine using a hybrid AES + RSA encryption mode, appending Diablo6 extension to all encrypted personal files. Once the encryption process is done, it will display a ransom note offering decrypt all users photos, documents and music if a payment is made.
Table of contents
- What is Locky Diablo6 virus
- How to decrypt .Diablo6 files
- How to remove Diablo6 ransomware virus
- Restoring files encrypted by Diablo6 ransomware infection
- How to prevent your computer from becoming infected by Diablo6 ransomware infection?
- How does your system get infected with Diablo6 ransomware
- To sum up
The ransom instructions encourages victim to contact Locky Diablo6’s developers in order to decrypt all personal files. These persons will require to pay a ransom (usually demand for 0.49 Bitcoins or approximately $1,500 USD). We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music. Especially since you have a chance to restore your personal files for free using free tools like ShadowExplorer and PhotoRec.
Instructions which is shown below, will help you to remove Diablo6 ransomware infection as well as recover encrypted personal files stored on your machine drives.
What is Locky Diablo6 ransomware virus
Diablo6 is a variant of Locky crypto virus (malware which encrypt personal files and demand a ransom). It affects all current versions of Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. The Locky ransomware uses a strong encryption algorithm with 2048-bit key to eliminate the possibility of brute force a key that will allow to decrypt encrypted files.
When the Locky virus infects a system, it uses system directories to store own files. To run automatically whenever you turn on your personal computer, Diablo6 ransomware infection creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the Locky Diablo6 ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware infection uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.p7c, .wp5, .wpg, .wp7, .xlsx, .gho, .m2, .wbm, .zif, .lbf, .wpe, .re4, .wm, .esm, .xlgc, .apk, .wpb, .sum, .wn, .rgss3a, .sb, .rb, .crw, .yal, .dcr, .lvl, .orf, .pem, .cr2, .xbdoc, .7z, .1st, .bkp, .tor, .wmf, .xmind, .zw, .x3f, .nrw, .js, .xlk, .bar, .ai, .dng, .sie, .xbplate, .zip, .p7b, .asset, .z, .dwg, .wotreplay, .qdf, .wp6, .sav, .wsd, .py, .wsc, .wcf, .erf, .xyw, .sis, .xls, .dxg, .docx, .ysp, .xxx, wallet, .wpt, .odb, .avi, .bkf, .gdb, .mp4, .epk, .sidn, .wb2, .forge, .pdd, .ff, .der, .3fr, .lrf, .bik, .wbk, .wsh, .rw2, .crt, .wdp, .jpeg, .menu, .vcf, .tax, .kdc, .psk, .mrwref, .3dm, .xlsx, .raf, .xy3, .vtf, .bay, .d3dbsp, .fsh, .pfx, .wri, .zdb, .x3d, .syncdb, .zi, .odc, .mdb, .odp, .vpk, .ws, .ptx, .wgz, .t13, .webp, .kdb, .wp, .2bp, .docm, .0, .mpqge, .csv, .dba, .itm, .blob, .p12, .mdf, .ods, .wps, .wmd, .wpa, .1, .hplg, .dbf, .xmmap, .arch00, .mov, .map, .das, .wbd, .snx, .wpw, .wav, .wpd, .rofl, .ybk, .ppt, .wp4, .z3d, .cdr, .rtf, .m4a, .mcmeta, .pef, .xlsm, .wma, .doc, .odt, .indd, .odm, .x, .x3f, .xf, .xx, .big, .psd, .pst, .bc6, .iwd, .bc7, .xwp, .bsa, .mlx, .wpd, .xml, .pkpass, .ztmp, .xlsb, .xyp, .db0, .sql, .xlsm, .zip, .fos, .dazip, .dmp, .sr2, .t12, .srf, .srw, .vpp_pc, .zdc, .pdf, .hkx, .mddata, .wmv, .wot, .ibank, .jpg, .cas, .xld, .arw, .xdl, .png, .icxs, .itdb, .upk, .wdb, .litemod, .txt, .wbmp, .wpl, .desc, .slm, .mdbackup, .wps, .wbz, .hvpl, .jpe, .cfr, .sidd, .itl, .m3u, .ntl, .cer, .wire, .fpk, .mef, .sid
Once a file is encrypted, its extension modified to Diablo6. Next, the ransomware virus creates a file called “diablo6-xxx.htm”. This file contain tutorial on how to decrypt all encrypted documents, photos and music. An example of the tutorial is:
IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: xxx
4. Follow the instructions on the site.
!!! Your personal identification ID: xxx!!!
The Locky Diablo6 virus actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom demanding message on the desktop. It is trying to force the user of the infected computer, do not hesitate to pay a ransom, in an attempt to restore their documents, photos and music.
How to decrypt .Diablo6 files
Currently there is no available solution to decrypt .Diablo6 files, but you have a chance to recover encrypted photos, documents and music for free. The Locky virus repeatedly tells the victim that uses RSA-2048 key (AES 128-bit encryption method). What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a method because of the big length of the key. Therefore, unfortunately, the only payment to the creators of the Diablo6 ransomware entire amount requested – the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the authors of the Diablo6 virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware infection.
How to remove Diablo6 virus
There are a few methods that can be used to remove Diablo6. But, not all ransomware such as this ransomware can be completely deleted utilizing only manual solutions. In many cases you’re not able to uninstall any virus utilizing standard Microsoft Windows options. In order to remove Diablo6 you need run reliable removal tools. Most IT security researchers states that Zemana Anti-malware, Malwarebytes or KVRT tools are a right choice. These free applications are able to find and delete Diablo6 virus from your computer for free.
Automatically remove Locky Diablo6 ransomware virus with Zemana Anti-malware
Zemana Anti-malware highly recommended, because it can scan for security threats such Diablo6 ransomware virus, adware and other malware which most ‘classic’ antivirus software fail to pick up on. Moreover, if you have any Diablo6 removal problems which cannot be fixed by this tool automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.
- Please download Zemana anti-malware by clicking on the following link. Save it on your Desktop.
Author: Zemana Ltd
Category: Security tools
Update: April 20, 2017
- At the download page, click on the Download button. Your internet browser will open the “Save as” prompt. Please save it onto your Windows desktop.
- Once the download is done, please close all programs and open windows on your PC. Next, start a file named Zemana.AntiMalware.Setup.
- This will run the “Setup wizard” of Zemana antimalware onto your computer. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the antimalware will run and open the main window.
- Further, press the “Scan” button to begin scanning your computer for the Diablo6 ransomware infection and other known infections. This procedure can take some time, so please be patient. When a threat is found, the number of the security threats will change accordingly. Wait until the the checking is finished.
- Once the system scan is finished, it will open you the results.
- Next, you need to click the “Next” button to begin cleaning your personal computer. Once the task is finished, you may be prompted to reboot the system.
- Close the Zemana Anti-Malware and continue with the next step.
Run Malwarebytes to remove Diablo6 virus
Delete Locky Diablo6 ransomware infection manually is difficult and often the virus is not completely removed. Therefore, we suggest you to run the Malwarebytes Free that are completely clean your computer. Moreover, the free application will allow you to get rid of malicious software, PUPs, toolbars and adware that your PC can be infected too.
- Download Malwarebytes (MBAM) by clicking on the link below. Save it on your MS Windows desktop.
Category: Security tools
Update: May 12, 2017
- When the downloading process is done, close all software and windows on your PC system. Open a file location. Double-click on the icon that’s named mb3-setup.
- Further, press Next button and follow the prompts.
- Once installation is done, click the “Scan Now” button to begin scanning your system for the Diablo6 ransomware virus . This task can take some time, so please be patient.
- When that process is done, it will display a screen which contains a list of malware that has been detected. Review the scan results and then click “Quarantine Selected”. Once disinfection is done, you can be prompted to reboot your computer.
The following video offers a steps on how to get rid of browser hijacker with Malwarebytes.
Scan your personal computer and delete Locky Diablo6 ransomware virus with KVRT
KVRT is a free removal utility that may be downloaded and use to delete ransomwares, ad supported software, malicious software, PUPs, toolbars and other threats from your computer. You can use this utility to find threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) from the following link and save it directly to your Windows Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: November 3, 2015
When the downloading process is complete, double-click on the KVRT icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen as shown on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . This will start scanning the whole machine to find out Diablo6 virus and other malicious software. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. While the application is checking, you can see count of objects it has identified as threat.
When it completes the scan, it’ll open a list of all items found by this tool as on the image below.
Next, you need to press on Continue to start a cleaning task.
Restoring files encrypted by Diablo6 ransomware virus
In some cases, you can restore files encrypted by Locky Diablo6 ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Use shadow copies to recover .Diablo6 files
If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.
Download ShadowExplorer by clicking on the link below. Save it on your Desktop. This utility is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
Category: Security tools
Update: February 12, 2016
After downloading is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the following example.
Run ShadowExplorerPortable. You will see the a window as displayed in the figure below.
From the first drop down list you can choose a drive that contains encrypted documents, photos and music, from the second drop down list you can select the date that you wish to recover from. 1 – drive, 2 – restore point, as shown on the image below.
Righ-click entire folder or any one encrypted file and select Export, as shown on the screen below.
It will open a dialog box which asking whether you’d like to recover a file or the contents of the folder to.
Restore .Diablo6 files with PhotoRec
Before a file is encrypted, the Diablo6 virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover software such as PhotoRec.
Download PhotoRec on your system from the link below.
Category: Security tools
Update: March 23, 2016
When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the screen below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as displayed in the figure below.
Choose a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown on the screen below.
Press File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is done, click OK button.
Next, click Browse button to choose where restored photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All restored files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, press on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as shown in the following example.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to prevent your PC system from becoming infected by Diablo6 ransomware virus?
Most antivirus programs already have built-in protection system against the virus. Therefore, if your personal computer does not have an antivirus application, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your computer from Diablo6 virus
Download CryptoPrevent from the link below. Save it on your Microsoft Windows desktop or in any other place.
Run it and follow the setup wizard. Once the installation is done, you will be displayed a window where you can choose a level of protection, as shown on the screen below.
Now click the Apply button to activate the protection.
How does your system get infected with Diablo6 virus
The Diablo6 ransomware is distributed through the use of spam emails. Below is an email that is infected with a virus like Diablo6 ransomware virus.
Once this attachment has been opened, this ransomware will be started automatically as you do not even notice that. The Diablo6 ransomware infection will begin the encryption procedure. When this procedure is complete, it’ll open the usual ransomnote like above on diablo6-xxx.htm.
To sum up
After completing the step by step guide above, your machine should be clean from Diablo6 virus and other malware. Your personal computer will no longer encrypt your files. Unfortunately, if the steps does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
Category: Security tools
Update: November 7, 2015
- Double-click on the HijackThis icon. Next press “Do a system scan only” button.
- Once the checking is complete, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Diablo6 ransomware infection.