This week, experienced security researchers has received reports of yet another ransomware named ‘.Dutan ransomware‘. This ransomware spreads via spam emails and malware files and appends the .dutan file extension to encrypted files. This blog post will provide you a brief summary of information related to this ransomware and how to recover (decrypt) encrypted files for free.
Files encrypted by .dutan ransomware
The Dutan ransomware is a malicious software which created in order to encrypt photos, documents and music. It hijack a whole PC or its data and demand a ransom in order to unlock (decrypt) them. The developers of the Dutan ransomware have a strong financial motive to infect as many personal computers as possible. The files that will be encrypted include the following file extensions:
.wav, .wp7, .flv, .d3dbsp, .jpeg, .itdb, .dwg, .xpm, .dba, .wpd, .wpg, .ai, .xml, .big, .hplg, .p12, .p7c, .epk, .t12, .txt, .das, .mdb, .xlsx, .mdbackup, .bay, .cas, .wgz, .raw, .bik, .ws, .xx, .apk, .wp5, .psd, .t13, .m4a, .wbz, .forge, .vpk, .xy3, .yml, .xwp, .upk, .pptx, .wsc, .wma, .odc, .bc7, .zip, .rwl, .xlsm, .kdc, .map, .xbdoc, .xdb, .xyw, .blob, .der, .m3u, .wpt, .xlsx, .hkx, .rgss3a, .sidd, .mcmeta, .r3d, .ptx, .arw, .avi, .cdr, .pak, .wn, .esm, wallet, .sie, .pdd, .srw, .zdb, .wm, .tax, .xar, .mdf, .xxx, .odp, .iwd, .wb2, .wbmp, .bkf, .gdb, .bc6, .rtf, .sav, .srf, .itm, .ppt, .rim, .sis, .wpl, .pem, .bkp, .webp, .wcf, .menu, .lrf, .wire, .zip, .pkpass, .wp, .zdc, .svg, .fos, .xlgc, .indd, .webdoc, .m2, .ibank, .xlsb, .icxs, .wbc, .mrwref, .wps, .py, .tor, .ltx, .vdf, .xld, .dbf, .odt, .x3d, .arch00, .7z, .bsa, .pdf, .wpa, .zi, .sr2, .re4, .kf, .wmv, .csv, .cer, .z3d, .wsh, .syncdb, .xmmap, .wot, .dng, .ff, .ntl, .layout, .litemod, .wpe, .cfr, .xf, .sb, .xyp, .w3x, .wmv, .3dm, .wpw, .pfx, .wmo, .snx, .itl, .zif, .pptm, .dmp, .accdb, .erf, .mddata, .wdp, .xls, .rofl, .jpg, .2bp, .wbd, .wdb, .jpe, .1st, .sid, .kdb, .xll, .x3f, .js, .eps, .xbplate, .ybk, .wpb, .xdl, .rb, .wsd, .crw, .mlx, .xlk, .p7b, .qdf, .y, .mp4, .lbf, .wpd, .iwi, .wma, .zabw, .mov, .x3f, .fpk, .hkdb, .doc, .rar, .psk
When encrypting a file it will add the .dutan extension to each encrypted file name to identify that the file has been encrypted. For example, a file called image.bmp would be encrypted and renamed to image.bmp.dutan.
When the encryption process is complete, the malicious software leaves a ransom instructions called ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all personal files. An example of the ransom demanding message is:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1aTCryfzhK Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | .Dutan ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Contact Emails | gorentos@bitmessage.ch, vengisto@firemail.cc |
| Ransom note | _readme.txt |
| Symptoms |
|
| Removal | To remove .Dutan ransomware use the removal guide |
| Decryption | To decrypt .Dutan ransomware use the steps |
Therefore it’s very important to follow the step-by-step guide below sooner. The steps will assist you to get rid of .Dutan ransomware. What is more, the guidance below will help you recover (decrypt) encrypted personal files for free.
Quick links
- How to remove .Dutan ransomware
- How to decrypt .dutan files
- Use STOPDecrypter to decrypt .dutan files
- How to restore .dutan files
- How to protect your personal computer from .Dutan ransomware virus?
- To sum up
How to remove .Dutan ransomware
Manual removal does not always help to completely remove the .Dutan ransomware virus, as it is not easy to identify and remove components of ransomware virus and all malicious files from hard disk. Therefore, it is recommended that you run malicious software removal utility to completely delete .Dutan ransomware virus off your personal computer. Several free malicious software removal utilities are currently available that may be used against the ransomware virus. The optimum method would be to use Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
Remove .Dutan ransomware with Zemana Anti-malware
We advise using the Zemana Anti-malware that are completely clean your computer of the ransomware. The utility is an advanced malicious software removal application created by (c) Zemana lab. It’s able to help you get rid of worms, ransomware, adware software, malicious software, trojans, and other security threats from your PC for free.
Please go to the link below to download Zemana Free. Save it to your Desktop so that you can access the file easily.
165041 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the download is done, close all software and windows on your computer. Double-click the install file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you setup Zemana Anti-Malware (ZAM) on your PC system. Follow the prompts and don’t make any changes to default settings.
Once installation is finished successfully, Zemana Free will automatically start and you can see its main screen as shown on the image below.
Now press the “Scan” button . Zemana AntiMalware utility will begin scanning the whole computer to find out the .Dutan ransomware virus and other security threats. This process can take quite a while, so please be patient. While the Zemana Free tool is scanning, you can see how many objects it has identified as being affected by malicious software.
After the system scan is finished, Zemana Anti Malware (ZAM) will display you the results. Review the scan results and then click “Next” button. The Zemana Free will remove .Dutan ransomware and other security threats and add threats to the Quarantine. After the cleaning process is finished, you may be prompted to restart the personal computer.
Remove Dutan ransomware virus with MalwareBytes Anti Malware
If you are having problems with the Dutan ransomware virus removal, then download MalwareBytes Anti Malware (MBAM). It is free for home use, and scans for and removes various unwanted apps that attacks your system or degrades machine performance. MalwareBytes can remove ransomware as well as malware, including worms and trojans.
Visit the page linked below to download the latest version of MalwareBytes Free for Windows. Save it directly to your Windows Desktop.
327268 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the download is finished, close all applications and windows on your computer. Double-click the install file called mb3-setup. If the “User Account Control” dialog box pops up as displayed in the figure below, click the “Yes” button.
It will open the “Setup wizard” that will help you setup MalwareBytes AntiMalware (MBAM) on your machine. Follow the prompts and do not make any changes to default settings.
Once install is finished successfully, click Finish button. MalwareBytes Anti-Malware will automatically start and you can see its main screen like below.
Now click the “Scan Now” button . MalwareBytes AntiMalware (MBAM) utility will start scanning the whole computer to find out the Dutan ransomware related files, folders and registry keys. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the tool is scanning, you can see how many objects and files has already scanned.
After MalwareBytes Anti-Malware has finished scanning your PC, MalwareBytes Free will display a list of detected items. Once you have selected what you wish to delete from your computer press “Quarantine Selected” button. The MalwareBytes Anti Malware (MBAM) will remove Dutan ransomware related files, folders and registry keys and move threats to the program’s quarantine. When that process is finished, you may be prompted to restart the PC system.
We suggest you look at the following video, which completely explains the procedure of using the MalwareBytes Anti Malware (MBAM) to get rid of adware, browser hijacker and other malware.
Remove .Dutan ransomware with KVRT
KVRT is a free removal tool that may be downloaded and use to delete ransomwares, adware, malicious software, worms, trojans and other threats from your PC. You may run this utility to search for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) from the link below.
129295 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen as shown on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to locate .Dutan ransomware virus and other malware. This process may take quite a while, so please be patient. While the KVRT tool is checking, you can see how many objects it has identified as being infected by malicious software.
Once KVRT has finished scanning your computer, KVRT will show a screen that contains a list of malware that has been found as on the image below.
You may delete items (move to Quarantine) by simply click on Continue to start a cleaning task.
How to decrypt .dutan files
The .Dutan ransomware encourages victim to contact it’s authors in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $490-$980 in Bitcoins).
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
With some variants of Dutan ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .dutan files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.dutan).
Please check the twitter post for more info.
How to restore .dutan files
In some cases, you can recover files encrypted by .Dutan ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Run ShadowExplorer to restore .dutan files
A free tool named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore .dutan documents, photos and music encrypted by the .Dutan ransomware virus from Shadow Copies for free.
Please go to the link below to download the latest version of ShadowExplorer for Windows. Save it on your MS Windows desktop or in any other place.
439670 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the downloading process is done, extract the saved file to a directory on your system. This will create the necessary files as shown on the screen below.
Launch the ShadowExplorerPortable program. Now choose the date (2) that you wish to recover from and the drive (1) you want to restore files (folders) from like below.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and click the Export button as on the image below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Restore .dutan files with PhotoRec
Before a file is encrypted, the .Dutan ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover apps like PhotoRec.
Download PhotoRec by clicking on the following link. Save it on your Desktop.
When downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as displayed below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted personal files like below.
Press File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is complete, press OK button.
Next, click Browse button to choose where recovered documents, photos and music should be written, then click Search.
Count of restored files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as shown below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your personal computer from .Dutan ransomware virus?
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from .Dutan ransomware virus
HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro Alert is simple. First you’ll need to download HitmanPro Alert on your Windows Desktop from the following link.
After downloading is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is opened, you will be displayed a window where you can choose a level of protection, as shown in the figure below.
Now click the Install button to activate the protection.
To sum up
Now your PC should be clean of the .Dutan ransomware virus. Remove Kaspersky virus removal tool and MalwareBytes Free. We suggest that you keep Zemana Free (to periodically scan your system for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to get rid of .Dutan ransomware virus from your personal computer, then ask for help here.
