Dewar ransomware

Dewar ransomware is a Phobos family member that targets all types of Windows operating systems

Dewar ransomware

Dewar ransomware

Dewar ransomware is a serious malware form that adds an extension which includes the unique victim’s ID, the crook’s email, and the .deware appendix. This file-encrypting parasite comes from the Phobos category and can appear on any type of Windows version such as Windows 7, Windows 8, Windows 10, etc. The malicious string aims to modify the Windows Registry and Task Manager in order to run its module and encrypt all the files and documents that are spotted on the targeted system. Afterward, Dewar ransomware drops the info.hta and info.txt ransom notes that can be placed on the computer’s desktop and also included in every folder that holds encrypted files and documents.

.dewar files virus provides the [email protected] and [email protected] email addresses as a way to discuss all of the conditions that are related to the data recovery process. Even though the cybercriminals do not provide a particular payment price, the victims are urged to buy Bitcoin and pay in this cryptocurrency. If you have read the info.hta ransom note, you should have noticed that Dewar ransomware developers have provided links where you can get BTC currency. Also, these people allow sending them 5 files that do not take more than 4 MB of space in total in order to provide proof of the decryption tool’s existence.

Name Dewar ransomware
Category Ransomware virus/malware
Family Phobos ransomware
Appendix Once this malware locks up all files and documents that are found on the computer system, it attaches its email address, the unique victim’s ID, and the .dewar appendix to the filename
Ransom note When all of the files are successfully encrypted, the ransomware virus places the info.hta ransom note on the computer’s desktop and includes it in each folder that holds encrypted data
Target(s) The ransomware virus targets all types of Windows system versions such as Windows 7, Windows 8, Windows 10, etc. Also, it aims to target English-speaking users as this is the language in which the ransom note is written
Crooks’ emails [email protected] and [email protected] are email addresses that are provided in the ransom-demanding message as a way to contact the criminals and discuss all the terms about the ransom price
Spreading The malicious payload is often delivered via email spam campaigns, hacked RDPs, software cracks, malvertising advertisements that are placed on third-party websites
Removal If you have been dealing with this virtual parasite lately, you should get rid of it ASAP. This can be performed with the help of an antimalware product
Repair software If you have discovered that the malware has altered or damage some system components on your Windows computer, you can try repairing them with an automatical tool such as Reimage Reimage Cleaner  

Dewar ransomware employs encryption tools such as AES[1] and RSA for locking up the files and documents that are found on the infected Windows computer. Besides, the malware can run a module that scans the system for encryptable products once in a while. This way the cybercriminals can be sure that no data is left unaffected. After that comes the ransom note that targets English-speaking people as it is written in the English language:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: [email protected] and this e-mail:[email protected]
Write this ID in the title of your message 1E857D00-2718
Our operator is available in the messenger Telegram: hxxps:// To find us, enter the alias @hpdec in the messenger search box.
You can install the Jabber client and write to us in support of [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://                                                                                      Attention!                                                                                                                                                                                    Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Jabber client installation instructions:
Download the jabber (Pidgin) client from hxxps://
After installation, the Pidgin client will prompt you to create a new account.
Click “Add”
In the “Protocol” field, select XMPP
In “Username” – come up with any name
In the field “domain” – enter any jabber-server, there are a lot of them, for example –
Create a password
At the bottom, put a tick “Create account”
Click add
If you selected “domain” –, then a new window should appear in which you will need to re-enter your data:
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don’t understand our Pidgin client installation instructions, you can find many installation tutorials on youtube – hxxps://

Dewar virus requires a Bitcoin payment because these types of currency transfers remain safe and untrackable. The hackers can urge for a price anywhere between $50 and $2000 or more. However, we do not recommend paying these people as they can handle you a fake tool or none product at all and run off with your money. This way you will be left with an empty bank account and still encrypted files.  

Dewar ransomware uses unique keys for the encryption process that differ for every user. This way the codes are almost impossible to find out and even advanced computer experts have a very hard time while looking for file recovery options. However, this does not mean that you have to rush to pay the ransom price and risk your money. There are other alternatives that you can try and we have added some to the end of this page.

Dewar ransomware virus
Dewar ransomware is a malicious parasite that provides the ransom note in the info.txt and info.hta formats

Dewar ransomware virus
Dewar ransomware is a malicious parasite that provides the ransom note in the info.txt and info.hta formats

Malicious parasites such as Dewar ransomware usually enter computer systems by employing stealth techniques. Some malware developers decide to inject their products through email spam, software cracks, hacked RDPs, or malvertising. For now, ransomware infections are only targetting Windows-based operating systems but we can live up to the times when bad actors will start infecting Mac computers with this malicious software too.

When Dewar ransomware is added to the computer system, it will ensure that its malicious module is launched every time when the computer starts. This way the malware can ensure proper and successful activity. Continuously, it might decide to disable antivirus software on the system by injecting specific Windows Registry keys. Furthermore, you can find the Task Manager filled with unrecognizable processes too.

Even though Phobos family variants are known for deactivating antimalware software, according to VirusTotal,[2] Dewar ransomware has been spotted by 47 AV engines out of the total 70. Some of the detection names include:

  • Trojan.MulDrop11.37578 (DrWeb);
  • Gen:Variant.Ransom.Phobos.62 (BitDefender);
  • Win32:Malware-gen (Avast, Webroot and AVG);
  • HEUR:Trojan.Win32.Generic (Kaspersky);
  • Ransom.Win32.CRYSIS.TIBGFP (TrendMicro);
  • ML.Attribute.HighConfidence (Symantec).

Dewar ransomware might try to harden the decryption process for you by permanently eliminating the Shadow Volume Copies via specific PowerShell commands. This way you will be prevented from using software that might be capable of restoring some of the encrypted files. Also, be aware that the ransomware virus might aim to permanently damage the Windows hosts file to prevent you from accessing cybersecurity-related websites.

Nevertheless, Dewar ransomware makes your computer vulnerable to other infections and opens the backdoors for various other threats. The malware might bring trojans and other parasites to the system that can initiate other malicious activities. What is more, the ransomware virus can already be programmed to install another infection and you might find it lurking on your Windows computer after completing a full malware scan.

Dewar virus
Dewar virus – ransomware that distributes through hacked RDP, phishing emails, etc.

Dewar virus
Dewar virus – ransomware that distributes through hacked RDP, phishing emails, etc.

The best thing to do is to complete Dewar ransomware removal with the help of antimalware software. Make sure to choose only reliable products fr the process and avoid completing any manual steps of your own as you can easily make harmful mistakes. Furthermore, if you think that the ransomware virus or any type of additional malware has brought some damage to your computer system, you can try repairing the compromised areas with Reimage Reimage Cleaner .

If you are having a hard time to remove Dewar ransomware from your Windows machine, there should be a reason for that. If the malware is running malicious process on your computer system that keep him away from getting detected, you should boot your computer in Safe Mode with Networking or activate the System Restore feature to disable all of the malicious changes. When you are done and the virus has vanished, go to the end of this article where you will find some file recovery steps.

Phobos ransomware is focused on targetting worldwide businesses but can make regular users victims too

Phobos ransomware’s name symbolizes the Greek god of fear that is known as Phobos. However, this name expresses the malicious strain very well as hearing its name already brings fear and many doubts to various people. This dangerous parasite is mostly focused on targeting well-known businesses but will not also outrun regular users if it has a chance.

Phobos virus is most commonly distributed through an unprotected RDP (Remote Desktop Protocol) that is connected to the 3389 port. The hackers brute-force the collected login details and connect to the targeted computer system remotely. Other spreading techniques include email spam messages and their malicious attachments, according to Malwarebytes Labs.[3]

Even though these are the main sources where Phobos ransomware can be found, it is also sold in the black market as a RaaS (ransomware-as-a-service) where any type of hacker who does not want to waste time while creating his own malware can buy this one and distribute it wherever he/she likes.

Phobos ransomware has already released numerous versions of its malware family and Dewar ransomware is one of the most recent ones. All of the variants carry various extensions such as .actin, .actor, .acute, .Adame, .banjo, .banhu, .bbc, .blend, .Calvo, .calix, .Caleb, .Cales, .com, .DDoS, .Dever, .devil, .dewar, .elbow, .elder, .phoenix, and many more.

These ransomware viruses always provide a ransom note in the text file format and in the .HTA format. The criminals are likely to provide there contact details for discussing the terms about the ransom price. These people also always require a Bitcoin payment and include hyperlinks from which the cryptocurrency can be bought.

Phobos ransomware carries a complex operation module that allows not only encrypting files but also initiating other hazardous tasks. It is known that the parasite can delete Shadow Copies and local backups to harden the decryption process, disable antivirus software to evade detection and prevent systems from recovering via booting modes. 

Delivery peculiarities of ransomware viruses 

The mentioned ransomware strain is mostly delivered through hacked RDP and port 3389 when it does include strong security or includes no passwords at all. After hacking the port or including stolen login details, the hackers can remotely connect to your Windows computer system. Regarding this fact, it is very important to secure your RDP with a strong and reliable password that contains symbols, letters, and numbers.

Continuously, ransomware infections can get distributed through phishing email messages and their malicious attachments. Most of the time, hackers attach word documents or excel sheets that look like regular order information, health notifications, business letters, and so on but truly carry malicious payload inside. Once you have received an email that you were not expecting, do not rush to open the downloaded attachment before scanning it with antimalware first.

Furthermore, ransomware viruses are delivered through software cracks that are downloaded from unsecured networks such as p2p ones. You can get cracked products from websites such as The Pirate Bay, BitTorrent, etc. According to experts,[4] getting your software from official sources should help you solve this problem. Also, ransomware can be distributed through malicious ads that are known as malvertising, infectious hyperlinks, fake software updates, etc.

Dewar ransomware removal possibilities

If you have been dealing with this cyber threat lately and it has affected your files, Dewar ransomware removal is the first step you should take towards a better security state of your computer and data. Employ only reliable antimalware products that are capable of eliminating the cyber threat. Afterward, try some data recovery techniques that are added by our specialists to the end of this article.

When you remove Dewar ransomware from your Windows computer system and no malicious processes are longer active, you should start looking for possibly-damaged objects on your devices. Automatical tools such as SpyHunter 5Combo Cleaner and Malwarebytes will scan the computer system and provide you with the results. If the system checkup shows that there are some damaged areas on your computer, you can try fixing them by employing software such as Reimage Reimage Cleaner .

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-02-06 at 06:29 and is filed under Ransomware, Viruses.