A ransomware called Dodoc file virus is another development of cyber criminals. The principle of its functioning and the method of distribution is the same as in the case of the Todar, Lapoi, Darus and so on, the only difference is the .dodoc extension appended to the photos, documents and music that are affected by it.
Getting to the user’s machine, the Dodoc ransomware starts searching for files in all folders and recursively, and after their detection, locks up each of them using complex ciphered combination that completely blocks them and leads to their dysfunction. This ransomware virus is capable of encrypting various files such as documents, archives, database, video materials, photos, web application-related files and drawings, as well as its destructive effects can be subjected to backups. Dodoc virus encrypts almost of files, including common as:
.webp, .vfs0, .forge, .odm, .xlsx, .bar, .bay, .der, .dba, .2bp, .wdp, .arch00, .wsh, .zdb, .xdl, .wpd, .xar, .wpw, .vcf, .das, .rtf, .x, .wb2, .y, .x3f, .pfx, .dng, .pptm, .3fr, .map, .erf, .psk, .wp, .tor, .desc, .7z, .pst, .odc, .raw, .dwg, .png, .xbplate, .jpg, .xlsm, .rim, .wmo, .kdc, .jpe, .m3u, .pdf, .wma, .crt, .vdf, .xls, .crw, .nrw, .wp6, .zabw, .xlgc, .z, .esm, .wpd, .hplg, .3ds, .mdf, .sidd, .qdf, .zif, .csv, .xmmap, .mpqge, .doc, .bkp, .xbdoc, .txt, .p7c, .m4a, .wbd, .docx, .rw2, .xls, .wmf, .slm, .itl, .snx, .xyw, .bsa, .pkpass, .wav, .rb, .zdc, .ltx, .jpeg, .ptx, wallet, .wbmp, .cdr, .big, .sr2, .xy3, .zi, .t12, .lbf, .gho, .rgss3a, .zip, .wp5, .ibank, .fpk, .p12, .srf, .ods, .iwd, .cfr, .fsh, .hvpl, .wotreplay, .icxs, .mrwref, .wdb, .w3x, .sis, .pem, .re4, .1st, .hkx, .wpg, .ntl, .accdb, .kdb, .cas, .wbz, .mov, .wn, .wsd, .mcmeta, .css, .odt, .cer, .sidn, .wbk, .sum, .mddata, .wma, .dazip, .wps, .wbc, .rofl, .vpk, .wpa, .pak, .d3dbsp, .webdoc, .ybk, .sid, .wm, .xx, .ws, .xlsx, .mef, .pptx, .menu, .bik, .yal, .apk, .avi, .wmv, .r3d, .itdb, .wpt, .svg, .wcf, .wpb, .wot, .gdb, .srw, .syncdb, .ztmp, .t13, .yml, .ysp, .ai, .mdbackup, .indd, .vpp_pc, .wmd, .wri, .qic, .kf, .pef, .litemod, .layout, .ppt, .asset, .bc6, .upk, .xmind, .rar, .1, .xml, .orf, .m2, .zip, .x3f, .flv, .bc7, .xll, .sql, .fos, .blob, .dxg, .dmp, .mdb, .odp, .wgz, .docm, .bkf, .db0, .0, .xxx, .raf, .p7b, .xlsb, .tax, .sav, .dbf, .wps, .mlx, .js, .xlk, .sie, .wbm, .itm, .pdd, .cr2, .lvl, .wp7, .wmv, .odb, .dcr, .xpm, .xwp, .lrf, .iwi, .eps, .arw, .psd, .xyp, .sb, .x3d, .wp4, .wpl, .z3d, .vtf, .xlsm, .wpe, .xf, .ff, .hkdb, .wire, .xdb, .mp4, .zw, .py
Files which are locked by Dodoc receive the .dodoc extension and become inaccessible to the victim. In the place where the photos, documents and music were locked by the Dodoc virus, a ransom note appears with instructions that there was a lock of archives, tables, video materials, photos and documents, or other files important to the victim. The ransom note also states that the victim must transfer money to scammers to obtain a special code key that he can use to decrypt the encrypted files that have received the .dodoc extension. If the victim has the opportunity to transfer money to purchase this key and/or decryption utility within 72 hours, he can pay only half of the specified amount.
Threat Summary
Name | Dodoc |
Type | File locker, Crypto malware, Crypto virus, Ransomware, Filecoder |
Encrypted files extension | .dodoc |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch, @datarestore (telegram) |
Ransom amount | $490, $980 in Bitcoins |
Symptoms | Encrypted photos, documents and music. Your photos, documents and music now have different extensions that end with something like .locked, .crypted or .cryptor. Files called such as ‘_readme.txt’, or ‘_readme” in every folder with an encrypted file. You have received instructions for paying the ransom. |
Distribution methods | Phishing emails that contain malicious attachments. Drive-by downloads from a compromised web page. Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a misleading link). Torrent web-sites. |
Removal | To remove Dodoc ransomware use the removal guide |
Decryption | To decrypt Dodoc ransomware use the steps |
We recommend you to remove Dodoc ransomware sooner, until the presence of the ransomware virus has not led to even worse consequences. You need to follow the steps below that will help you to completely remove Dodoc from your computer as well as restore encrypted documents, photos and music, using only few free utilities.
Quick links
- How to remove Dodoc file virus
- How to decrypt .dodoc files
- Dodoc decryption tool
- How to restore .dodoc files
- How to protect your machine from Dodoc crypto malware?
How to remove Dodoc file virus
In order to delete Dodoc crypto virus from your computer, you need to stop all ransomware processes and delete its associated files including Windows registry entries. If any crypto malware components are left on the computer, the crypto virus can reinstall itself the next time the personal computer boots up. Usually viruses uses random name consist of characters and numbers that makes a manual removal procedure very difficult. We recommend you to use a free crypto virus removal tools that will help uninstall Dodoc crypto virus from your PC. Below you can found a few popular malware removers that detects various ransomware.
Use Zemana Anti Malware to remove Dodoc virus
Zemana Free highly recommended, because it can find security threats such Dodoc crypto virus, other malicious software and trojans which most ‘classic’ antivirus applications fail to pick up on. Moreover, if you have any Dodoc removal problems which cannot be fixed by this tool automatically, then Zemana AntiMalware provides 24X7 online assistance from the highly experienced support staff.
Visit the following page to download Zemana Free. Save it directly to your MS Windows Desktop.
163869 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the downloading process is complete, close all applications and windows on your personal computer. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup like below.
When the setup begins, you will see the “Setup wizard” that will help you install Zemana Anti-Malware on your system.
Once setup is done, you will see window as displayed in the figure below.
Now click the “Scan” button to perform a system scan with this tool for the Dodoc ransomware, other malicious software, worms and trojans. Depending on your PC system, the scan may take anywhere from a few minutes to close to an hour. While the Zemana Anti-Malware utility is checking, you can see how many objects it has identified as being infected by malicious software.
Once finished, Zemana Free will open a list of all items found by the scan. Once you have selected what you wish to delete from your system press “Next” button.
The Zemana will remove Dodoc ransomware, other malware, worms and trojans.
Run MalwareBytes Free to delete Dodoc ransomware
We suggest using the MalwareBytes Anti-Malware. You can download and install MalwareBytes Free to locate and delete Dodoc from your computer. When installed and updated, this free malware remover automatically identifies and removes all threats present on the computer.
Click the link below to download MalwareBytes Free. Save it directly to your Windows Desktop.
326191 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After the downloading process is complete, run it and follow the prompts. Once installed, the MalwareBytes will try to update itself and when this task is finished, click the “Scan Now” button to begin scanning your PC for the Dodoc crypto virus related files, folders and registry keys. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. While the MalwareBytes AntiMalware (MBAM) program is scanning, you can see number of objects it has identified as threat. All detected threats will be marked. You can delete them all by simply press “Quarantine Selected” button.
The MalwareBytes Free is a free program that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal utility, we suggest you to read and follow the steps or the video guide below.
Remove Dodoc ransomware virus with KVRT
KVRT is a free portable program that scans your machine for adware, trojans and crypto viruses like Dodoc ransomware and helps delete them easily. Moreover, it’ll also allow you delete any harmful internet browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the following link.
128994 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When downloading is complete, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen as displayed on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the Dodoc crypto malware . This task may take some time, so please be patient. While the Kaspersky virus removal tool program is scanning, you may see number of objects it has identified as threat.
After the scan is complete, KVRT will show you the results as displayed on the image below.
When you are ready, press on Continue to begin a cleaning process.
How to decrypt .dodoc files
You can damage photos, documents and music affected by Dodoc crypto malware, or make them useless forever if you try to find the special code key on your own, which is almost impossible in view of its cryptographic complexity. It is very important to know and understand the level of importance of constantly backing up important files to various media, like an Flash Drive, so that in case of damage to your computer by ransomware you can always extract a copy of encrypted files.
Never pay the ransom! Some victims, wishing to decrypt encrypted photos, documents and music, pay the ransom amount of money to fraudsters. However, it is important to remember before performing this action that you are interacting with unscrupulous and dishonest people, and the probability that after transferring money they will not provide you with a private key and Dodoc decryption utility to unlock .dodoc files or increase the amount of ransom is high enough.
There is no such solution to this problem, which is suitable for everyone. However, paying for the unique key is not an obvious answer. If you pay for it, remember that no one gives you a guarantee that you will receive it. There is also a possibility that even the cyber frauds themselves do not have this key. Most probably, they are just trying to defraud you and use you in order to get money. You should try the steps in this article. The instructions will help you completely uninstall Dodoc crypto malware and you will be able to decrypt some of the blocked data without paying any ransom payment. Given the fact that fighting crypto virus is incredibly difficult, we cannot promise you that you will defuse it. Nevertheless, it is still worth a try.
Dodoc decryption tool
With some variants of Dodoc file virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Dodoc decryption tool named STOPDecrypter. It can decrypt .Dodoc files if they were locked by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.
STOPDecrypter is a program that can be used for Dodoc files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .Dodoc files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .Dodoc files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .dodoc files
In some cases, you can recover files encrypted by Dodoc crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Recover .dodoc files with ShadowExplorer
The Windows has a feature named ‘Shadow Volume Copies’ that can help you to restore .dodoc files encrypted by the Dodoc ransomware. The way described below is only to restore encrypted files to previous versions from the Shadow Volume Copies using a free tool named the ShadowExplorer.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer on your computer by clicking on the link below.
438198 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is complete, extract the downloaded file to a folder on your system. This will create the necessary files as shown on the screen below.
Start the ShadowExplorerPortable application. Now choose the date (2) that you wish to recover from and the drive (1) you wish to restore files (folders) from as on the image below.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and click the Export button similar to the one below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and press ‘OK’ button.
Recover .dodoc files with PhotoRec
Before a file is encrypted, the Dodoc crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file recover applications like PhotoRec.
Download PhotoRec from the following link. Save it on your MS Windows desktop.
When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as on the image below.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown on the screen below.
Press File Formats button and select file types to restore. You can to enable or disable the restore of certain file types. When this is done, press OK button.
Next, click Browse button to select where recovered documents, photos and music should be written, then click Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where restored documents, photos and music are stored. You will see a contents as on the image below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your machine from Dodoc crypto malware?
Most antivirus applications already have built-in protection system against the crypto virus. Therefore, if your PC does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from Dodoc ransomware virus
HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Click the link below to download the latest version of HitmanPro Alert for Microsoft Windows. Save it on your Microsoft Windows desktop.
After the download is done, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is launched, you will be shown a window where you can choose a level of protection, as displayed on the screen below.
Now click the Install button to activate the protection.