
Dex Ransomware

Posted: November 20, 2020

The Dex Ransomware is a file-locking Trojan that's part of the Dharma Ransomware family, a Ransomware-as-a-Service. The Dex Ransomware can block most media formats, including documents, on infected PCs, delete their backups, change their extensions, and leave behind ransom notes. Users should have backups on at least one other device for restoring any content and let their dedicated security services remove the Dex Ransomware.

Some More Ransomware-as-a-Service with a Smile

The Dharma Ransomware family appears neck-and-neck with the STOP Ransomware as a favorite Ransomware-as-a-Service on the dark Web as of 2020. Due to its streamlined but effective features and general ease of use, the family's variants, like the Fresh Ransomware, the KICK Ransomware, the PLUT Ransomware, the Zimba Ransomware, or the freshly-identified Dex Ransomware, appear in threat analysis databases regularly. For its part, the Dex Ransomware leaves a few linguistic clues that may or may not relate to its campaign but is an otherwise-vanilla version of this Trojan collective.

The Dex Ransomware's attacks abide by a long-established data sabotage pattern that preferentially targets media formats, such as documents, pictures, or databases. During installation, it establishes a basic launch routine through Windows Startup and proceeds with 'locking' or encrypting the user's files, which prevents them from opening. The Trojan adds an extension with ransoming information and its campaign tag of '.dex' to them and leaves a generic Dharma Ransomware HTA note for extortion.
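As an added illustration (not code from the original post or from any vendor), the following Python script flags a directory tree whose files show the rename pattern described above: the original media name and extension kept, ransom information appended, then the '.dex' tag. The 'id-' token and bracketed contact address used in the pattern are an assumption about how Dharma variants lay out the ransom information, not a detail the page states.

```python
"""Triage check for Dharma-style '.dex' renames (added example, not the page's code).
Assumed extension layout: <name>.<orig_ext>.id-<8 hex>.[<contact>].dex"""
import os
import re
import tempfile
from collections import Counter

# Media formats this family preferentially targets (documents, pictures, databases).
MEDIA_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".sql", ".mdb"}

# Assumption: ransom info is an 'id-' token plus a bracketed contact, then '.dex'.
DHARMA_DEX = re.compile(
    r"^(?P<stem>.+?)(?P<orig>\.[A-Za-z0-9]{1,5})"
    r"\.id-[0-9A-Fa-f]{8}\.\[[^\]]+\]\.dex$"
)


def classify(name):
    """Return the original media extension if the name fits the pattern, else None."""
    m = DHARMA_DEX.match(name)
    if m and m.group("orig").lower() in MEDIA_EXTS:
        return m.group("orig").lower()
    return None  # plain '.dex' files (e.g. Android bytecode) do not match


def scan(root):
    """Walk a tree and tally renamed media files by their original extension."""
    hits = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for f in files:
            ext = classify(f)
            if ext:
                hits[ext] += 1
    return hits


def suspicious(hits, threshold=5):
    """A burst of renames across several media types is the signal; one file is noise."""
    return sum(hits.values()) >= threshold and len(hits) >= 2


def demo():
    """Build a constructed sample tree (no real victim data) and scan it."""
    root = tempfile.mkdtemp()
    tag = ".id-1A2B3C4D.[contact@example.invalid].dex"  # constructed ransom info
    names = ["report.docx" + tag, "photo.jpg" + tag, "budget.xlsx" + tag,
             "notes.pdf" + tag, "clients.mdb" + tag, "app.dex", "readme.txt"]
    for n in names:
        open(os.path.join(root, n), "w").close()
    hits = scan(root)
    return hits, suspicious(hits)
```

The tally by original extension also tells a responder which content types, and therefore which backups, need to be restored first.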

Although the Dex Ransomware's startup component uses a random name, its installer currently circulates under the name 'pavodu,' which has several possible etymologies, including Czech and Croatian. Although Germany is a more typical target for these attacks, the Dex Ransomware's campaign is a reminder that entities elsewhere in Europe are also at risk. Malware analysts require more samples to confirm which infection exploits are in use; what is known is that the Dex Ransomware is a recent variant, dated no earlier than mid-November.

Restoring Work from Trojans of Suspect Nationality

Whichever nations the Dex Ransomware might target, its attacks, and those of its relatives in the same family, can block users' files on most versions of Windows, without any concern for language settings or other geographical details. Because the Dex Ransomware also wipes the Restore Points, Windows users recover most reliably with the assistance of non-local backups, such as protected cloud services. Paying the ransom is a possibility, but it doesn't always pay off, given the naturally 'flexible' business values and questionable trustworthiness of threat actors.

Windows users also should follow security standards that are broadly effective at preventing attacks by Dharma Ransomware variants like the Dex Ransomware and by other families of file-locker Trojans. While browsing the Web, disabling some features, such as scripts, and updating software only through secure sources will counteract most drive-by-download exploits by Exploit Kits and the like. Password security is also vital for network and server admins, who risk brute-force attacks whenever they use easily-cracked credentials.

Samples of the Dex Ransomware are tripping the standard threat analytics of most vendors. Anti-malware products should quarantine or delete the Dex Ransomware and may block file-locking attacks before they take effect.

Each ransom in a criminal's wallet is another motivator for threats like the Dex Ransomware. Since this threat's prime weakness is sound data-security practice, nobody should assume that their files are safe with nothing more than a local backup.
