DeadBolt Ransomware

7-day Free Trial w/Credit card, no charge upfront or if you cancel up to 2 days before expiration; Subscription price varies per region w/ auto renewal unless you timely cancel; notification before you are billed; 30-day money-back guarantee; Read full terms and more information about free remover.

*Source of claim SH can remove it.


DeadBolt is cryptovirus able to make all your files inaccessible. DeadBolt does this in order to blackmail you for your access to the said files.

The DeadBolt virus ransomware note

Once the malware infiltrates the computers of its victims, it starts seeking all files in the system that belong to some predefined formats, and types. Usually, the targets are text files, spreadsheets, presentations, and other document data, as well as images, videos, audio files, and so on. As soon as the malware finds all of the predetermined data types in the computer, it begins the process of locking them up. The lockdown procedure may take some time, especially if the computer is not very powerful, and if there’s a lot of data on it which the virus has targeted. It’s during this period of time that the user may be able to spot some of the potential infection symptoms – a slow-down of the system, spikes in the use of RAM and CPU, as well as occasional freezes of the whole system, and maybe some unusual errors.

Upon the completion of the lockdown on the files, the virus spawns a banner message on the desktop, and within this message the hackers state their demands – the victim is told that their only hope for restoring their data is through the payment of a ransom. This is the reason this type of viruses are known as Ransomware (Qqqw, Maak) – their main goal is to extort money from you via blackmailing.

The DeadBolt virus

The DeadBolt virus is known for using data-encryption. The encryption algorithm of the DeadBolt virus is what makes this Ransomware capable of sealing your files.

DeadBolt file
The DeadBolt ransomware encrypted files

Though it may not seem like it, data-encryption like the one used by this Ransomware virus is actually a process that’s supposed to keep files safe. It is commonly used, especially when some highly sensitive data needs to be protected from unauthorized access. However, when applied by a Ransomware cryptovirus, this otherwise beneficial process is turned on its head, and is used for blackmailing activities.

You may even think that paying the hackers could save your files, and while in certain cases that may indeed happen, it’s also possible that you simply waste the money you transfer to the criminals, and still remain unable to access your documents. The examples of this happening are numerous, so it is advisable to take your time before you decide what to do next.

The .DeadBolt file encryption

The .DeadBolt file encryption is a tricky obstacle to overcome. To unlock the .DeadBolt file encryption, you’ll need a key that corresponds to the applied algorithm.

That key is, of course, held by the hackers – the payment they want you to make is in exchange for the said key. As we established, however, the payment isn’t really a very wise option, so what can one do then? Well, removing the virus is a good start – it won’t automatically make your files free, but it will allow you to try some alternative recovery options. In the guide below, you can find both removal instructions and suggestions on data recovery.


Danger LevelHigh (Ransomware is by far the worst threat you can encounter)
Data Recovery ToolNot Available
Detection Tool

*Source of claim SH can remove it.

Remove DeadBolt Ransomware


A ransomware like DeadBolt may secretly start one or more malicious processes inside the system without showing any symptoms that can indicate them. That’s why, if you are about to remove this threat, you should start with checking out your Task Manager for dangerous processes that are running without your knowledge and stop them.

A good piece of advice before you do anything else is to first bookmark this page with removal instructions because you will need to get back to it after a system restart.


*Source of claim SH can remove it.

Now, to open Task Manager, click on the Start menu button (bottom left) and type Task Manager in the search bar.

Next, open the result and click on the Processes Tab in the new window that appears.

Search for a dangerous process in the list that you think could have something to do with the malicious activity of DeadBolt on your PC. Processes with strange names or higher than normal consumption of CPU and Memory are most likely to be part of the danger. If such a process grabs your attention, select it and right-click on it. Then, select Open File Location.


After that, check whatever files are stored in the file location with the help of the free virus scanner that we have published here:

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    Do not hesitate to end the processes related to the scanned files (right-click on it >>>End Process) if they turn out to be malicious. Also, don’t forget to delete the files and folders from their location.

    The same scanning process above can be applied for every process that grabs your attention as suspicious until you stop all dangerous processes that are running in the Task Manager.


    In case there are some other dangerous process that you haven’t succeeded to detect in step 1, it is best to reboot the infected computer in Safe Mode (use this guide from the link to do that quickly) for the next instructions. In Safe Mode, the system will run only the most basic programs and processes, and will block the attempts of the ransomware to run additional apps and processes of its own.

    With the computer successfully booted in Safe Mode, click on the Start menu button and type Run in the search bar. Open the result and copy the line below in the Run box that opens on the screen:

    notepad %windir%/system32/Drivers/etc/hosts

    Once you do that, click OK and a file named Hosts will open. In the text of that file, search for Localhost. Then look for if some strange-looking IP addresses have been added there (use the image below as a guidance) and if you detect anything disturbing, please copy it and write us in the comments. We will tell you if you need to do anything if we find it to be dangerous.

    hosts_opt (1)

    Ransomware threats like DeadBolt may sometimes add malicious Startup Items that start running as soon as the system boots. To disable these items, type msconfig in the search bar in the Start menu and press enter to open System Configuration.

    Next, in the Startup tab, check if some new entries unrelated to your regular programs have been added to the Start Items list and if you find an entry that has “unknown” Manufacturer or has an odd name, and you are sure it belongs to DeadBolt, remove its checkmark and click the OK button.


    *Source of claim SH can remove it.

    A very important system location where DeadBolt may make changes without the victim’s knowledge is the Registry. That’s why if you want to remove the ransomware completely, it is especially important that you check the Registry for malicious entries that need to be removed.

    The easiest way to do that is to start the Registry Editor by typing Regedit in the windows search bar and then launching the result.

    When the Editor opens, call up a Find box on the screen by pressing CTRL and F keyboard keys together.

    Write the exact name of the ransomware in the Find box and perform a search in the Registry for entries matching that name. Delete everything that gets detected and repeat the search as many times as needed until no more entries are detected.

    Caution! Delete only entries that are 100% linked to the ransomware and are malicious. Any other deletions and changes in the Registry entries that are unrelated to the threat may lead to a serious disruption in the system’s normal operation. If you don’t want to risk, please use a professional removal tool to scan and clean your system.

    When no more malicious entries are found in the Registry, go to the Start Menu and, type each of the following in the search bar:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    In each of the locations, search for files that have been added recently and could be linked to DeadBolt. If you detect anything new that you are sure is related to the threat, delete it. When you open the Temp folder, delete all of its content.


    How to Decrypt DeadBolt files

    Once you remove all traces of the ransomware from your system, the threat will be gone but your encrypted files may not be back to normal. Therefore, to decrypt them, you may need to take different actions that are unrelated to the removal instructions above. For your convenience, in this last step, we have included a link to another comprehensive and free guide where you will find some of the most effective methods for file-decryption that are currently available. To check it out, click here.

    If you face any difficulties while completing the steps in this removal guide, or you need assistance with any of the instructions, we will be more than happy to help you out if you drop us a message in the comments below. If DeadBolt still doesn’t want to get removed after you complete the steps, it is a good idea to consider downloading the recommended professional removal tool on this page and remove any hidden traces of the ransomware with its help.


    About the author


    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.


    Leave a Comment

    We are here to help! Use SpyHunter to remove malware in under 15 minutes.

    Not Your OS? Download for Windows® and Mac®.

    * See Free Trial offer details and alternative Free offer here.

    ** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

    Spyware Helpdesk 1