

DDT is ransomware that is part of the GlobeImposter family.

Payloads

Transmission

DDT spreads through emails (spam campaigns), unreliable software download sources, trojans, fake/unofficial software updating tools and 'cracking' tools.

Infection

Like most programs of this type, DDT encrypts files stored on a computer and keeps them locked unless a ransom is paid, that is, unless victims buy a decryption tool that can decrypt data encrypted by DDT. Information on how to contact the cyber criminals and purchase the tool is provided in the "how_to_back_files.html" file. Additionally, this ransomware renames all encrypted files by appending the ".{dresdent@protonmail.com}DDT" extension. For example, it renames "1.jpg" to "1.jpg.{dresdent@protonmail.com}DDT", and so on.

Before purchasing the decryption tool, victims can send one image file to DDT's developers via dresdent@protonmail.com, which the developers are supposed to decrypt for free. The email must contain a personal ID that is assigned to each victim individually. After that, the cyber criminals send instructions on how to make a payment. According to the text in the "how_to_back_files.html" file, the only way to decrypt files is to use the tool that only DDT's developers can provide. Victims are informed that any attempts to decrypt files using some other software or to run anti-virus tools will result in permanent data loss. Unfortunately, there is no other tool capable of decrypting files encrypted with DDT. In other words, DDT's developers are the only ones who have it. That is the case with most ransomware-type programs and the encryption they perform.
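The appended extension and the ransom-note file name described above are enough to scope an incident from a plain file listing (for example, exported from an EDR tool or a recursive directory listing). The following is an added example, not part of the original page; the function names, the sample paths and the case-insensitive matching are assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the page.
DDT_SUFFIX = ".{dresdent@protonmail.com}DDT"
RANSOM_NOTE = "how_to_back_files.html"

def triage(paths):
    """Group a file listing by directory and flag DDT artefacts.

    Returns {directory: {"encrypted": [original names], "note": bool, "intact": int}}.
    PureWindowsPath parses Windows paths on any OS, so the listing can be
    analysed offline on an analyst workstation.
    """
    report = defaultdict(lambda: {"encrypted": [], "note": False, "intact": 0})
    suffix = DDT_SUFFIX.lower()
    for raw in paths:
        p = PureWindowsPath(raw.strip())
        name = p.name
        if not name:
            continue  # blank line in the listing
        entry = report[str(p.parent)]
        if name.lower() == RANSOM_NOTE:
            entry["note"] = True
        # Assumption: match case-insensitively, as Windows file names are.
        elif name.lower().endswith(suffix) and len(name) > len(suffix):
            # Original name, useful for matching against backups.
            # Renaming the file back does NOT decrypt its contents.
            entry["encrypted"].append(name[:-len(suffix)])
        else:
            entry["intact"] += 1
    return dict(report)

def affected_dirs(report):
    """Directories holding at least one renamed file or a ransom note."""
    return sorted(d for d, e in report.items() if e["encrypted"] or e["note"])

# Constructed sample listing (not real incident data).
SAMPLE = [
    r"C:\Users\alice\Pictures\1.jpg.{dresdent@protonmail.com}DDT",
    r"C:\Users\alice\Pictures\2.png.{dresdent@protonmail.com}DDT",
    r"C:\Users\alice\Pictures\how_to_back_files.html",
    r"C:\Users\alice\Documents\report.docx",
    r"D:\Share\budget.xlsx.{DRESDENT@protonmail.com}ddt",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for d in affected_dirs(result):
        print(d, len(result[d]["encrypted"]), "encrypted, note:", result[d]["note"])
```

Directories that contain a ransom note but no renamed files, or the reverse, are worth a closer look when reconstructing how far encryption progressed before it was stopped.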

Text presented in DDT ransomware's HTML file ("how_to_back_files.html"):

YOUR PERSONAL ID
-

ENGLISH
YOUR FILES ARE ENCRYPTED!
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.

To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file dresdent@protonmail.com.
In the letter include your personal ID (look at the beginning of this document).

We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will 
receive a decryptor and instructions We can decrypt one file in quality the evidence 
that we have the decoder.
Attention!

Only dresdent@protonmail.com can decrypt your files
Do not trust anyone dresdent@protonmail.com
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique 
encryption key