Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

DDT Ransomware

The ranks of file-encrypting malware keep filling with new threats, and DDT Ransomware is one of the latest examples. Although we can identify it as a new threat, in reality it is a new variant of a well-established infection, Globe Imposter 2.0 or Globeimposter Ransomware. This malware is dangerous, and restoring the files that it corrupts does not appear to be possible. Hopefully, your files have not been corrupted by it yet, and you can focus on patching security vulnerabilities and securing your operating system. The infection can use misleading spam emails to trick you into letting it in yourself, but it could also slip in silently through an exposed remote access vulnerability. Unfortunately, if it managed to get in and corrupt your files, not much can be done to salvage them. You are safe only if backups of your files exist externally, outside the infected machine. Of course, whether or not you can resolve the situation, you have to remove DDT Ransomware, and this report will help you do that.

If DDT Ransomware finds its way in, it immediately starts making a mess. The threat can use a malicious script to delete shadow volume copies, and that means that internal backups can be destroyed too. That is why it is always best to back up files online (virtual cloud storage) or on external drives. Of course, the most important task for the infection is to encrypt files, and when it does that, it also adds a unique extension – “.{dresdent@protonmail.com}DDT” – to the files, which should help you spot them right away. DDT Ransomware also creates an entry in the Windows Registry to ensure that it can auto-start with Windows. That means that every single time you restart your computer, the infection should initiate the encryption process again. After encryption, the threat drops a file named “how_to_back_files.html” in every single location where the corrupted files exist. That is done so that you do not overlook the message that the attackers want you to read. Note that the file is not malicious, but we recommend deleting it because the message inside can make you act in dangerous ways.

The message created along with DDT Ransomware explains that files were encrypted and immediately suggests that a special decryptor is the only thing that can save them. To obtain it, according to the attackers, you need to email dresdent@protonmail.com, and you can send one file to have it decrypted for free. This is very smart because if victims are convinced that their files can be recovered, they might be more willing to pay the ransom. Do not fall for this trick. No one can guarantee that you would ever see the decryptor if you emailed the attackers and then paid for it. We do not know how much would be asked in return for this tool, but even if it is a small sum, paying it is risky. In fact, emailing cyber criminals might be the riskiest action because they could scam you now and many times in the future. If you are willing to take your chances, at least use a new email account, one that you could forget about or even remove after figuring out what the DDT Ransomware creators want.

You need to be able to find the infection’s .exe file if you are thinking about removing it manually. If you are able to find it, deleting the remaining DDT Ransomware components should not be too difficult. The guide below lists all of these components. If manual removal is not something you can handle on your own, an anti-malware tool will do the job for you. We recommend utilizing this tool even if you are able to get rid of the ransomware yourself because it will take care of it automatically, and you will solve the issue of Windows protection at the same time. The tool will enable full-time protection, and if you do not want other file-encryptors attacking you again, that is exactly what you need. You also need to get in the habit of backing up all personal files because you want to be prepared in case malware strikes again.

DDT Ransomware Removal

  1. Find and Delete the [unknown name].exe file that unleashed the infection (could be named cmd.exe).
  2. Delete all copies of the how_to_back_files.html file (you will find them next to the encrypted files).
  3. Tap Win+E keys to launch Explorer and then enter %APPDATA% into the quick access field.
  4. Delete a malicious [unknown name].exe file.
  5. Enter %TEMP% into the quick access field and then Delete a malicious [unknown name].tmp.bat file.
  6. Tap Win+R keys to launch Run and then enter regedit into the box to launch Registry Editor.
  7. In the panel on the left, go to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  8. Delete the value named BrowserUpdateCheck if the value data points to the %APPDATA%\[unknown name].exe file.
  9. Empty Recycle Bin.
  10. Install a legitimate malware scanner.
  11. Run it to examine your system, and if leftover threats are found, Delete them ASAP.
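
A read-only check for the artefacts listed in the steps above, as an added PowerShell example that is not part of the original guide. The `$ScanRoots` parameter and its default are assumptions; the ransom note name, the appended extension and the RunOnce value name come from this page.

```powershell
# Added example: read-only triage for the DDT Ransomware artefacts named in this guide.
# Nothing is deleted or modified; review the output before removing anything by hand.
param(
    [string[]]$ScanRoots = @($env:USERPROFILE)    # assumption: scan the user profile first
)

$NoteName  = 'how_to_back_files.html'             # ransom note name (from the guide)
$Extension = '.{dresdent@protonmail.com}DDT'      # appended extension (from the guide)
$RunOnce   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$ValueName = 'BrowserUpdateCheck'                 # RunOnce value name (from the guide)
$IgnoreCase = [System.StringComparison]::OrdinalIgnoreCase

# Steps 1-2: ransom notes and files carrying the appended extension.
$files = foreach ($root in $ScanRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue
}
$notes     = @($files | Where-Object { $_.Name -eq $NoteName })
$encrypted = @($files | Where-Object { $_.Name.EndsWith($Extension, $IgnoreCase) })

# Steps 3-5: executables directly under %APPDATA% and *.tmp.bat files under %TEMP%.
# These are candidates only; legitimate software can also place files here.
$appDataExe = @(Get-ChildItem -LiteralPath $env:APPDATA -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue)
$tempBat    = @(Get-ChildItem -LiteralPath $env:TEMP -Filter '*.tmp.bat' -File -Force -ErrorAction SilentlyContinue)

# Steps 6-8: the RunOnce value, flagged only if its data points into %APPDATA%.
$data = $null
$pointsToAppData = $false
$entry = Get-ItemProperty -Path $RunOnce -Name $ValueName -ErrorAction SilentlyContinue
if ($entry) {
    # Expand %APPDATA% in case the value is stored as a plain REG_SZ string.
    $data = [System.Environment]::ExpandEnvironmentVariables([string]$entry.$ValueName)
    $pointsToAppData = $data.IndexOf($env:APPDATA, $IgnoreCase) -ge 0
}

[pscustomobject]@{
    RansomNotes            = $notes.Count
    EncryptedFiles         = $encrypted.Count
    RunOnceValueData       = $data
    RunOncePointsToAppData = $pointsToAppData
    AppDataExecutables     = $appDataExe.FullName
    TempBatchFiles         = $tempBat.FullName
} | Format-List
```

Run it in the affected user's session, since both `HKCU` and `%APPDATA%` are per-user locations.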