What is Diablo6 ransomware? And how does it work?
Diablo6 ransomware is another file-encrypting virus and a variant of the Locky ransomware. It encrypts the targeted files using a combination of the RSA-2048 and AES-128 ciphers. Judging by the algorithms it uses, you can tell that this is a threat you would not want to encounter: Diablo6 is like the devil himself in the damage it leaves on your computer and files, an infection you wouldn't wish on your enemies. That's how menacing this infection can be.
During encryption, the malware renames each targeted file by replacing its original name with a set of characters. The modified file name follows this pattern: [first 8 characters of the victim's ID]-[next 4 characters of the ID]-[12 random characters].diablo6. Once all the files on your computer are encrypted, this formidable malware creates an HTML file called diablo6.htm and a BMP file called diablo6.bmp, both containing the following ransom message:
“!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers. More information about the RSA and AES can be found here: hxxp://en.wikipedia.org/wiki/RSAicryptosysteml hxxp://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. To receive your private key follow one of the links:
If all of these addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: g46mbrrzpfszonuk.onion/D56F3331E80D9E17
4. Follow the instructions on the site.
!!! Your personal identification ID: D56F3331E80D9E17 !!!”
The diablo6.htm file is opened in a browser, while the diablo6.bmp file replaces your desktop background.
This virus arrives on your computer in a .zip file sent out as an email attachment. The .zip file contains a VBS downloader which connects to one of the malicious domains, then downloads and executes the Diablo6 ransomware. The ransom note then urges you to install the Tor browser and go to the provided .onion website to view the Locky Decryptor page, which lists the price of the decryption tool: 0.5 Bitcoin, approximately $1642. Despite the ransomware's sophistication, paying the ransom is not a good idea at all. So if you are unfortunate enough to be attacked by this malware, set your worries aside: this article provides a removal guide, discussed later on.
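As an added example (not part of the original article), the rename pattern and ransom-note file names described above can be turned into a small triage check for a directory listing: it counts files matching the Diablo6 pattern, recovers the 12 characters of the victim ID that the file names leak, and confirms they agree with the ID printed in diablo6.htm. The ID in the quoted note is upper-case hex, so hex characters are assumed; the sample listing is constructed.

```python
import re
from collections import Counter

# Rename pattern from the article: 8 chars of the victim ID, 4 more chars of
# the ID, 12 random chars, then the .diablo6 extension. Upper-case hex is an
# assumption based on the ID shown in the ransom note.
DIABLO6_NAME = re.compile(r"^([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{12})\.diablo6$")
RANSOM_NOTES = {"diablo6.htm", "diablo6.bmp"}


def victim_id_prefix(filename):
    """Return the 12 recoverable chars of the victim ID, or None if the name
    does not match the Diablo6 rename pattern."""
    m = DIABLO6_NAME.match(filename)
    return m.group(1) + m.group(2) if m else None


def triage(filenames, note_id=None):
    """Classify a directory listing: count encrypted files, collect ransom
    notes, and check that all encrypted names agree on one victim ID. If the
    ID from diablo6.htm is given, confirm the file names belong to it."""
    prefixes = Counter()
    notes = []
    for name in filenames:
        prefix = victim_id_prefix(name)
        if prefix:
            prefixes[prefix] += 1
        elif name.lower() in RANSOM_NOTES:
            notes.append(name.lower())
    id_match = None
    if note_id and prefixes:
        id_match = all(note_id.upper().startswith(p) for p in prefixes)
    return {"encrypted": sum(prefixes.values()), "notes": sorted(notes),
            "victim_prefixes": sorted(prefixes),
            "consistent": len(prefixes) <= 1, "id_matches_note": id_match}


# Constructed sample listing (not from a real incident); the ID is the one
# printed in the ransom note quoted above.
SAMPLE_LISTING = [
    "D56F3331-E80D-0A1B2C3D4E5F.diablo6",
    "D56F3331-E80D-9F8E7D6C5B4A.diablo6",
    "budget.xlsx",
    "report-final.diablo6",  # wrong shape: not renamed by Diablo6
    "diablo6.htm",
    "diablo6.bmp",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING, note_id="D56F3331E80D9E17"))
```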
How does Diablo6 ransomware spread?
This Locky ransomware variant is distributed via malicious spam email campaigns. The emails carry subject lines of the form E[date] (random numbers).docx, and the attached .zip file is named the same way, E[date] (random numbers).zip. The body of the email contains only a short message:
“Files attached. Thanks”
As pointed out earlier, the zip file contains a VBS script that uses your internet connection to download the malware from a domain and execute it. Needless to say, you have to be careful from now on when opening any kind of email, especially from an unknown sender, and scan any attachments with an updated antivirus program to determine whether they are malicious.
To eliminate this devil of a virus, follow the steps below, which also contain some ways to TRY to recover the encrypted files as well as the advanced removal guide.
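The campaign traits listed in this section (subject line, matching .zip name, one-line body, VBS inside the archive) map directly onto a mail-gateway rule. The check below is an added example, not code from the original article; the date format inside E[date] is not given on the page, so YYYY-MM-DD is assumed, and the sample messages are constructed.

```python
import re

# Subject "E[date] (random numbers).docx" and a .zip attachment named the same
# way. The date layout is an assumption; the page only says "[date]".
SUBJECT_RE = re.compile(r"^E\s?\d{4}-\d{2}-\d{2} \(\d+\)\.docx$")
ATTACH_RE = re.compile(r"^E\s?\d{4}-\d{2}-\d{2} \(\d+\)\.zip$")
BODY_TEXT = "files attached. thanks"


def score_message(subject, body, attachments):
    """Return the campaign traits present in one message.
    `attachments` maps attachment file name -> list of member names inside
    it (an empty list for non-archives)."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject_pattern")
    if " ".join(body.split()).lower() == BODY_TEXT:
        hits.append("body_text")
    for name, members in attachments.items():
        if ATTACH_RE.match(name):
            hits.append("zip_name_pattern")
        if any(m.lower().endswith(".vbs") for m in members):
            hits.append("vbs_in_archive")
    return hits


def should_quarantine(subject, body, attachments):
    """Quarantine when the campaign's zip name carries a .vbs member, or when
    at least three of the traits co-occur."""
    hits = set(score_message(subject, body, attachments))
    if {"zip_name_pattern", "vbs_in_archive"} <= hits:
        return True
    return len(hits) >= 3


# Constructed sample messages (not real captured mail).
MALICIOUS = ("E 2017-08-09 (581).docx", "Files attached. Thanks",
             {"E 2017-08-09 (581).zip": ["E 2017-08-09 (581).vbs"]})
BENIGN = ("Q3 budget", "Files attached. Thanks", {"budget.xlsx": []})

if __name__ == "__main__":
    for msg in (MALICIOUS, BENIGN):
        print(msg[0], score_message(*msg), should_quarantine(*msg))
```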
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Go to the Processes tab, look for any suspicious processes and end them.
Step 3: Open Control Panel's Programs and Features by pressing the Windows key + R, typing appwiz.cpl and then clicking OK or pressing Enter.
Step 4: Look for Diablo6 ransomware or any suspicious program and then Uninstall.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below and delete everything suspicious in them, as well as any other directory where you might have saved the Diablo6 ransomware zip file.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 7: Look for the zip file that delivered Diablo6 ransomware, as well as the diablo6.bmp file, and close the browser showing the diablo6.htm file.
The next steps are not recommended if you don't know how to navigate the Registry Editor. Making registry changes can heavily impact your computer, so it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Azer ransomware created. If you are not familiar with the Windows Registry, skip to Step 12 onwards.
However, if you are well-versed in making registry adjustments, you can proceed to Step 8.
Step 8: Open the Registry Editor: tap Win + R, type in regedit and then press Enter.
Step 9: Navigate to the path below:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 10: Look for suspicious registry entries and delete them.
Step 11: Close the Registry Editor.
Step 12: Empty the Recycle Bin.
Step 13: Reboot your computer into Safe Mode with Command Prompt by pressing F8 repeatedly until the Advanced Options menu appears.
Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard, then hit Enter.
Step 14: After loading the Command Prompt type cd restore and hit Enter.
Step 15: After cd restore, type in rstrui.exe and hit Enter.
Step 16: A new window will appear, and then click Next.
Step 17: Select any of the Restore Points on the list and click Next. This will restore your computer to its state before it was infected with Diablo6 ransomware.
Step 18: A dialog box will appear, and then click Next.
Step 19: After the system restore process, download SpyRemover Pro to remove any remaining files or residues of the Diablo6 ransomware.
Step 20: Try to recover your encrypted files.
Restoring your encrypted files using Windows' Previous Versions feature will only work if the evil ransomware hasn't deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it's definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. In the window that pops up, go to the Previous Versions tab, which loads the file's versions from before it was modified. Once it loads, select one of the previous versions displayed on the list, like the one in the illustration below, and then click the Restore button.
Follow the continued advanced steps below to ensure the removal of the Diablo6 ransomware:
Perform a full system scan using SpyRemover Pro.
- Turn on your computer. If it's already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you're on the BIOS screen, press F8 repeatedly so that the Advanced Options menu shows up.
- To navigate the Advanced Options menu, use the arrow keys and select Safe Mode with Networking, then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once the download is done.
- Click OK to launch SpyRemover Pro.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.