
MyAntiSpyware


.Darus file extension ransomware virus (Restore, Decrypt .darus files)

Myantispyware team July 22, 2019    

The Darus file virus is another ransomware developed by cybercriminals. It works and spreads in the same way as Tocue, Gusau and Madek; the only difference is the .darus extension added to the documents, photos and music that are affected by it.

Files encrypted by Darus ransomware virus


Once on the user’s PC, the Darus ransomware virus recursively searches all folders for files and encrypts each one it finds with a complex cipher that locks the file completely and makes it unusable. This crypto virus can lock many kinds of files, such as documents, photos, archives, drawings, video materials, database and web application-related files, and backups can be affected as well. The Darus file virus encrypts almost all file types, including common ones such as:

.odm, .tax, .rtf, .vtf, .docm, .xar, .csv, .wpl, .pptx, .kdb, .mdbackup, .dwg, .p7b, .webp, .xxx, .js, .ysp, .zw, .3dm, .pfx, .wp, .3ds, .jpg, .y, .asset, .rwl, .yml, .gho, .pptm, .dbf, .itdb, .wp7, .sav, .lvl, .0, .pem, .x, .png, .itm, .sidn, .2bp, .fpk, .x3d, .ybk, .wav, .wpb, .py, .ltx, .pkpass, .wri, .odb, .avi, .vpk, .srf, .big, .layout, .1, .hvpl, .xlsx, .ptx, .x3f, .orf, .nrw, .wsh, .sr2, .bay, .wbc, .xlsm, .crt, .cfr, .sid, .mdb, .wgz, .p12, .wdp, .qic, .wbmp, .odt, .wps, .raf, .wdb, .rw2, .wm, .wsc, .ods, .yal, .xyp, .wma, .mrwref, .7z, .pdd, .odc, .kdc, .accdb, .t13, .wpe, .eps, .pst, .wpt, .zif, .bkf, .kf, .snx, .gdb, .wsd, .iwd, .raw, .xmmap, .rofl, .fsh, .sb, .jpe, .wot, .ff, .fos, .ibank, .dba, .svg, .wmf, .ai, .bik, .xwp, .mp4, .pef, .wpd, .rim, .dcr, .apk, .qdf, .xx, .mlx, .dxg, .hkdb, .dmp, .xlk, .x3f, .odp, .wps, .xmind, .litemod, .sum, .xf, .xls, .forge, .wpa, .desc, .css, .wmo, .xll, .vcf, .xld, .zdc, .xls, .wp4, .vfs0, .mpqge, .sidd, .wmv, .slm, .arw, .wbm, .psk, .r3d, .xbplate, .wcf, .cas, .xpm, .bc7, .t12, .hkx, .xdl, .wpg, .cr2, .cdr, .sie, .wb2, .wmv, .rgss3a, .zip, .xlgc, wallet, .bar, .cer, .xml, .zdb, .psd, .z3d, .1st, .map, .ws, .d3dbsp, .rb, .vdf, .doc, .pdf, .wpw, .dazip, .lrf, .wire, .txt, .xlsx, .bsa, .iwi, .flv, .ppt, .mcmeta, .upk, .wpd, .rar, .zi, .esm, .bkp, .wmd, .wbd, .jpeg, .icxs, .blob, .indd, .wma, .sis, .epk, .srw, .xlsm, .wp6, .docx, .z, .der, .xbdoc, .zip, .pak, .itl, .zabw, .xyw, .webdoc, .m4a, .sql, .wp5, .syncdb, .hplg, .dng

All locked files become useless and get the .darus extension, and each directory containing encrypted files also contains ransom instructions that inform the user about the presence of the ransomware virus on the computer and its destructive impact on the target files. The cyber criminals tell each user that the encrypted files can be recovered only by paying a ransom. After the specified amount is transferred to the cyber criminals, the victim will receive a private key from them, which will allow decrypting the files affected by the Darus ransomware virus. If the money for the decryption key is transferred to the cyber criminals within 72 hours, they are ready to give the victim a discount of 50%.


Darus virus – ransom note


 

Threat Summary

Name: Darus file virus
Type: Filecoder, File locker, Ransomware, Crypto virus, Crypto malware
Encrypted files extension: .darus
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch, gorentos2@firemail.cc
Ransom amount: $490, $980 in Bitcoins
Symptoms: Unable to open personal files. All of your personal files have an odd file extension appended to the filenames. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom note with cybercriminal’s ransom demand and instructions.
Distribution ways: Malicious email attachments. Malicious downloads that happen without a user’s knowledge when they visit a compromised web-page. Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a suspicious link). Flash Drives containing malware.
Removal: To remove Darus ransomware use the removal guide
Decryption: To decrypt Darus ransomware use the steps
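
A read-only way to size up the damage using the two indicators from the summary above, the .darus extension and the _readme.txt ransom note. This is an added example, not code from Myantispyware or from any tool named on this page; the function names and the sample folder layout are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".darus"     # appended extension, per the Threat Summary
RANSOM_NOTE = "_readme.txt"  # ransom note file name, per the Threat Summary


def scope_damage(root):
    """Read-only walk of `root` that summarises the two Darus indicators."""
    report = {"encrypted": 0, "intact": 0, "notes": [],
              "by_type": Counter(), "by_dir": Counter()}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report["notes"].append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_EXT):
                # "photo.jpg.darus" -> original type ".jpg"
                stem = name[:-len(ENCRYPTED_EXT)]
                original = os.path.splitext(stem)[1].lower() or "(none)"
                report["encrypted"] += 1
                report["by_type"][original] += 1
                report["by_dir"][dirpath] += 1
            else:
                report["intact"] += 1
    return report


def build_sample_tree(root):
    """Constructed sample: empty placeholder files, no real malware data."""
    layout = {
        "Documents": ["report.docx.darus", "budget.xlsx.darus", "_readme.txt"],
        "Pictures": ["cat.jpg.darus", "dog.JPG.darus", "_readme.txt"],
        "Tools": ["notes.md"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = scope_damage(build_sample_tree(tmp))
        print("encrypted:", result["encrypted"], "intact:", result["intact"])
        print("ransom notes:", len(result["notes"]))
        for ext, count in result["by_type"].most_common():
            print(f"  {ext}: {count}")
```

Pointing `scope_damage` at a real folder gives a per-type and per-directory count of locked files, which is useful for deciding what to restore from backup first.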

 

We suggest you remove the Darus file virus without delay, before the presence of the ransomware leads to even worse consequences. Follow the steps below to completely remove Darus from your computer and to restore (decrypt) encrypted files, using only a few free utilities.

Quick links

  1. How to remove Darus ransomware
  2. How to decrypt .darus files
  3. Darus decryption tool

How to remove Darus file virus

There are not many good free antimalware applications with a high detection ratio. The effectiveness of malicious software removal tools depends on various factors, mostly on how often their virus/malware signature databases are updated so that they can detect modern worms, trojans, ransomware and other malware. We suggest running several applications, not just one. The programs listed below will allow you to remove all components of the Darus ransomware from your disk and Windows registry.



How to remove Darus ransomware virus with Zemana Free

Zemana Anti Malware can scan for all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Darus ransomware, you can easily and quickly remove it.

  1. Visit the following page to download the latest version of Zemana for MS Windows. Save it to your Desktop.
    Zemana AntiMalware
    164979 downloads
    Author: Zemana Ltd
    Category: Security tools
    Update: July 16, 2019
  2. Once you have downloaded the installation file, double-click on Zemana.AntiMalware.Setup. This will start the Zemana setup on your machine.
  3. Select the installation language and click the ‘OK’ button.
  4. On the next screen, ‘Setup Wizard’, simply click the ‘Next’ button and follow the prompts.
    Zemana SetupWizard
  5. Finally, once the setup is finished, Zemana Free will open automatically. If it does not, double-click on the Zemana icon on your desktop.
  6. Now that you have successfully installed Zemana, let’s see how to use Zemana Free to uninstall the Darus virus from your computer.
  7. After you have started Zemana, you’ll see a window as displayed in the image below; just press the ‘Scan’ button. Zemana Free will scan the whole computer for the crypto virus.
  8. Now pay attention to the screen while Zemana scans your computer.
    Zemana AntiMalware (ZAM) scan for Darus ransomware virus, other malware, worms and trojans
  9. When the system scan is finished, Zemana Anti-Malware (ZAM) will create a list of unwanted applications and ransomware viruses. Once you’ve selected what you wish to delete from your computer, press the ‘Next’ button.
    Zemana Free scan is finished
  10. Zemana may require a system reboot in order to complete the Darus ransomware removal process.
  11. If you want to fully delete the ransomware from your personal computer, press the ‘Quarantine’ icon, select all malicious software, adware software, PUPs and other threats and click Delete.
  12. Restart your machine to complete the ransomware removal process.

Delete Darus with MalwareBytes Anti-Malware (MBAM)

You can uninstall the Darus ransomware virus automatically with the help of MalwareBytes Free. We recommend this free malware removal utility because it can easily uninstall crypto malware, adware, malware and other undesired apps with all their components such as files, folders and registry entries.

Click the link below to download MalwareBytes Anti-Malware. Save it on your Desktop.

Malwarebytes Anti-malware
327222 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

When the download is done, close all windows on your PC system. Next, launch the file called mb3-setup. If the “User Account Control” prompt pops up as shown below, press the “Yes” button.

MalwareBytes Free for Windows uac prompt

It will display the “Setup wizard” that will help you install MalwareBytes on the computer. Follow the prompts and do not make any changes to the default settings.

MalwareBytes Anti Malware for MS Windows install wizard

Once installation has finished successfully, click the Finish button. MalwareBytes will then launch automatically and you will see its main window as displayed on the screen below.

MalwareBytes Free for Microsoft Windows

Next, click the “Scan Now” button to begin checking your machine for Darus crypto virus related files, folders and registry keys. This process may take some time, so please be patient. While the utility is checking, you can see the count of objects and files that have already been scanned.

MalwareBytes AntiMalware (MBAM) for Microsoft Windows detect Darus ransomware virus, other malicious software, worms and trojans

When the scanning is done, a list of all items found is prepared. All found threats will be marked. You can remove them all by simply pressing the “Quarantine Selected” button.

MalwareBytes Anti-Malware for Microsoft Windows, scan for crypto malware is complete

MalwareBytes AntiMalware (MBAM) will delete Darus crypto malware related files, folders and registry keys and move items to the program’s quarantine. When the task is done, you may be prompted to reboot your computer. We advise you to look at the following video, which completely explains the procedure of using MalwareBytes AntiMalware (MBAM) to delete browser hijacker infections, adware and other malicious software.

Remove Darus ransomware with KVRT

KVRT is a free portable program that scans your computer for adware, PUPs and crypto viruses like Darus and helps remove them easily. Moreover, it will also allow you to uninstall any harmful web-browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) from the following link.

Kaspersky virus removal tool
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

Once the downloading process is complete, double-click on the Kaspersky virus removal tool icon. Once the initialization process is complete, you’ll see the KVRT screen as shown in the figure below.

Kaspersky virus removal tool main window

Click Change Parameters and set a check mark next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button. The KVRT tool will start scanning the whole personal computer to find the Darus crypto virus and other malicious software.

Kaspersky virus removal tool scanning

As the scanning ends, KVRT will show a list of detected threats as shown on the image below.

Kaspersky virus removal tool scan report

All detected threats will be marked. You can delete them all by simply clicking Continue to begin the cleaning process.

How to decrypt .darus files

To date, there is no method to restore the encrypted files other than paying the money to the cybercriminals. Developers are working on free Darus decryption utilities that can unlock these files, but there is no result yet, and it is not known when there will be.

Should you pay the ransom

Never pay the ransom! A victim who pays the money to the developers of the Darus crypto malware cannot be completely sure of obtaining a special code key, because he is dealing with unscrupulous and dishonest people who are ready to commit any immoral action, including hiding after receiving the money from the victim and not providing a decryption tool (key) to decrypt the encrypted photos, documents and music.

Files encrypted by Darus ransomware virus


Of course, paying the ransom cannot be considered the only correct way out of the situation when your machine is affected by Darus ransomware, as this only leads to the prosperity of the fraudsters’ illegal actions. The smart thing to do is to try to recover the locked files from a backup or to wait for the release of the Darus decryption tool to decrypt them. You can also try to unlock photos, documents and music using the free programs listed below.

Darus decryption tool

With some variants of Darus ransomware, it is possible to decrypt encrypted files using free tools listed below.




Michael Gillespie (@) released the Tocue decryption tool named STOPDecrypter. It can decrypt .Darus files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the Twitter post for more info.

STOPDecrypter

Darus decryption tool

STOPDecrypter is a program that can be used for Darus files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ database is constantly updated. Let’s see how to install STOPDecrypter and decrypt .Darus files using this free tool.

  1. Installing STOPDecrypter is simple. First you will need to download STOPDecrypter to your Windows Desktop from the following link.
    download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  2. After the downloading process is done, close all applications and windows on your machine. Open the file location. Right-click on the icon that’s named STOPDecrypter.zip.
  3. Next, select ‘Extract all’ and follow the prompts.
  4. Once the extraction process is finished, run STOPDecrypter. Select Directory and press the Decrypt button.

If STOPDecrypter does not help you decrypt .Darus files, in some cases you still have a chance to restore the files that were encrypted by the ransomware. This is possible with the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
