Dodged ransomware

Dodged ransomware is data locking malware that targets Italian users with COVID-19-themed phishing emails

Dodged ransomware
Dodged ransomware is a data locking virus that spreads via coronavirus-themed phishing emails

Dodged ransomware
Dodged ransomware is a data locking virus that spreads via coronavirus-themed phishing emails

Dodged ransomware is a data-locking malware sample that was spotted by MalwareHunterTeam,[1] the prevalence of which is not defined yet. However, security researchers pointed out that the infection mainly targets users in Italy, although the data redemption instructions are written in English. Also, the executable of Dodged ransomware that was seen in the sample came as COVID-20.exe, which is highly likely to stem from a coronavirus-themed phishing email.

Once inside the system, the Dodged virus begins to look for files to encrypt and then appends .dodged extension to each. It then delivers a pop-up window, which explains that victims should transfer $150 worth of Bitcoin via the onion page, accessible only via the Tor network. However, you should avoid paying the ransom to cybercriminals, as chances of getting scammed are quite high. Instead, you should focus on Dodged ransomware removal and alternative methods for data recovery.

Name  Dodged ransomware
Type File locking virus, cryptomalware, wiper
Related files COVID-20.exe, Non.exe – other executable names might also be used
Distribution  It is highly likely that the malware is mainly spread via spam email attachments, although other methods might also be used, including exploits, weakly protected RDP connections, web injects, fake updates, software cracks, etc.
Malware family  No connections to other malware families have been discovered so far 
Features Anti-analysis, data wiper, mouse inputs capture, etc.
File extension Each of the encrypted files are appended with .dodged marker, and can no longer be accessed by the users. Example of the encrypted file: picture.jpg.dodged 
Ransom size Users are asked to pay $150 in Bitcoin for an alleged file recovery tool
Detection  Ransom:MSIL/Skidware.PI!MTB, Mal/Generic-S, Win32:RansomX-gen [Ransom], Gen:Heur.Ransom.Imps.3, ML.Attribute.HighConfidence, Trojan/Win32.Wacatac, Malicious.bd1c67, Gen:NN.ZemsilF.34108.qm0@ayJxXMe (Virus Total results)
File recovery  If no data backups were retained, there is no 100% secure method to recover the encrypted files. While using third-party tools (we list a few in the recovery section below) might not be successful, paying cybercriminals is not recommended
Malware removal To eliminate the infection, you should scan your machine with a reputable security program, such as SpyHunter 5Combo Cleaner or Malwarebytes
System fix After infection elimination, some changes made to the system previously might cause stability issues. If you experience lag, crashes, errors, and similar problems, utilize Reimage Reimage Cleaner Intego to fix them for you 

While there are no definite answers on how exactly Dodged ransomware is propagated, it is highly likely to be phishing spam emails that are sent to thousands of users thanks to tools like botnets. Nonetheless, there might be other methods the attackers may use, such as malicious ads, software vulnerabilities, drive-by downloads, software cracks, and many others.

Dodged ransomware is a new strain that was deployed by unknown actors. However, it has several functionality features that suggest that the attackers are planning on making it into a larger campaign later. The analysis shows that malware is equipped with anti-analysis features, which attempts to prevent the researchers from dissecting the sample in a sandbox or virtual machine environment. Typically, such malware exists without triggering the infection routine and performing other predetermined actions.

Besides this, Dodged ransomware is also capable of the following:

  • hides its tracks by altering the appearance of some files/folders on the infected system
  • exhibits system monitoring features by tracking mouse movements
  • creates a variety of malicious files and places them on the system
  • removes certain user files from the system (wiper)[2]
  • deletes the shadow volume copies to prevent easy data recovery
  • modifies Windows registry to establish persistence, etc.

Once the system modifications are complete, (note, not all of these can be reverted manually – you should use such repair software like Reimage Reimage Cleaner Intego to avoid reinstallation of the entire operating system) Dodged ransomware begins to scan the system for the relevant files. Typically, crypto-malware is programmed to encrypt files that are most commonly used, such as .pdf, .jpg, .doc, .zip, .mp4, and many others.

Currently, it is unknown which encryption method Dodged file virus is using to encrypt data. There are two different categories of encryption, symmetric (such as AES) and asymmetric (such as RSA).[3] While the way these two mothers operate differ, it does not make much difference for victims, as they are unable to access their files afterward regardless.

Dodged ransomware virus
Dodged ransomware is a data-locker that encrypts all data on the device and then asks for $150 ransom in Bitcoin

Dodged ransomware virus
Dodged ransomware is a data-locker that encrypts all data on the device and then asks for $150 ransom in Bitcoin

Besides encrypting files, Dodged ransomware is currently programmed to delete some personal files as well. This feature is typical of wiper-type ransomware, so the threat seems to be a hybrid.

At the final stage of the attack, Dodged ransomware drops a ransom note, (it also contains a 3 hour timer, although it is unknown if it actually change anything after the expiration) which reads:

Your PC has been locked.
Please, read the following instructions really carefully in order to ensure your PC’s safety.

You may not try to terminate the program by the use of any tools / manually.
You MUST pay 150$ BITCOIN at the following page address in order to get your files back.
You may run / download any antivirus software / tool
You MUST not alterate any file in your computer, if you want all of them safe at least. =)
Do not try to decrypt any file manually / using any tool, its not going to work.

Payment page:
Session ID:
Insert Decryption Key here:

While the attacks cannot be trusted, they are correct about file alternation using recovery software, as it may damage encrypted data permanently. To avoid that, you should make a copy of your hard drive (encrypted files, registry database, etc.) and only then remove Dodged ransomware from the system, followed up by attempts to recover files in an alternative way.

Spam emails – one of the most prominent malware distribution techniques

Ransomware is a lucrative business – there are experienced cybercriminal gangs operating some strains, while others are made by amateur hackers. Nonetheless, both types can cause significant damage to users who get infected with malware, as they might permanently lose access to their files. This is because malware infection and file encryption are two different processes, although the latter is only possible after the former is executed. Besides data locking, crooks now often leak the files before encrypting them to be able to threaten with public exposure – this is another extortion method that has been employed for a while now by major ransomware players, such as Maze, Sodinokibi, DoppelPaymer, and many others.[4]

What makes the situation worse is the COVID-19 pandemic, as the criminals rush to abuse the global situation and the relevance of the topic.[5] Many people are concerned and want to know as much as possible about the disease. For awhile now, cybersecurity researchers spotted multiple campaigns that target users and companies with coronavirus-themed phishing emails.

Typically, the attackers pretend to be from a reputable organization, such as World Health Organization or Centers for Disease Control and Prevention, as they use familiar logos, similar email addresses, social engineering, and other tactics. These emails are equipped with an attachment, which can come in various formats, including .doc, .pdf, .vbs, .exe, .zip, and others. Once opened, these files begin the infection process of the computer, finalizing it with data encryption.

Eliminate Dodged ransomware correctly

Many users are shocked or straight out confused as soon as they encounter ransomware. Some are not even aware of what ransomware is, or what it does, so locked data becomes a mystery. In many cases, such users also believe that they can return their data with Dodged ransomware removal, which is not the case at all.

Dodged ransomware encrypted files
Dodged ransomware is known to encrypt some and delete other files

Dodged ransomware encrypted files
Dodged ransomware is known to encrypt some and delete other files

While many ransomware viruses automatically delete themselves after the encryption is performed, others tent to operate on the system even after the process is complete with locking the incoming files. Therefore, it is best to scan the machine with anti-malware software and remove Dodged ransomware, its secondary payloads, and malicious components. However, this process should not be done before a full backup of the hard drive is prepared.

Once malware is eliminated (in case the Dodged virus is tampering with your anti-malware software, access Safe Mode with Networking as explained below), you can attempt to recover your data with the help of instructions we provide below. Unfortunately, there are no other safe methods to recover files currently, although security researchers might find bugs within malware’s code that would help them create a free Dodged ransomware decryptor in the future.

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove Dodged using Safe Mode with Networking

To access Safe Mode with Networking, perform the following actions:

  • Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8

    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Dodged removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Dodged using System Restore

System Restore might also be used for Dodged malware removal:

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Dodged from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Dodged, you can use several methods to restore them:

Data Recovery Pro might be helpful in some cases

Data recovery software does not attempt to decipher encrypted files, but rather recover working copies from the hard drive. The less you use your machine post-infection, the more chances there are for this method to work.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Dodged ransomware;
  • Restore them.

Make use of Windows Previous Versions feature

This method will only work if you had System Restore enabled prior to the infection, and the process is only applicable to separate files, and not data batches.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Employ ShaodwExplorer for data restoration

If you were lucky enough and Dodged ransomware failed to eliminate Shadow Volume Copies, use ShaodwExplorer to return your files.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Dodged and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

This entry was posted on 2020-05-14 at 07:01 and is filed under Ransomware, Viruses.