Malware researchers have spotted a ransomware virus that primarily targets Czech-speaking users. Dubbed Czech ransomware, it appends the ??? file extension to the files it encrypts. Czech ransomware encrypts the affected files with the AES-256 algorithm, one of the strong ciphers often described as military grade, so a direct decryption solution may take a long time to appear at this stage. Czech ransomware demands that users pay 200 Czech koruna, approximately 9 USD, via a Paysafe card to get their files back. This is yet another ransomware aimed at a specific nation. Users infected by the Czech virus are advised not to pay the ransom and to read this article to learn more about what this malware does, how to remove it, and how to try to restore the encrypted files.
| | Czech Ransomware |
|---|---|
| Short Description | Encrypts widely used files on the compromised computer with AES-256 and demands 200 Czech koruna for decryption. |
| Symptoms | Appends the ??? file extension to encrypted files and displays the ransom note shown below. |
| Distribution Method | Spam e-mails, file-sharing networks, executable files |
Czech Ransomware Virus – How Does It Spread
To infect as many users as possible, Czech ransomware may use spam campaigns aimed at Czech-speaking users. The spam may arrive via e-mail and may carry either a malicious URL or a malicious attachment; opening either leads to infection. This may look primitive and simple, but it is not. The malware writers behind the Czech crypto-virus have focused on keeping the malware undetected and widespread, which represents a significant investment in tools and spamming services that may have been used to evade the antivirus software on most computers.
Czech Crypto Virus – Detailed Description
Once the virus file enters your device, it may drop the payload of Czech ransomware in the following Windows folder:
- %UserProfile%
The Czech ransomware may also modify the following registry keys so that it runs every time Windows boots:
The Czech ransomware's encryption process replaces the contents of the files with their AES-256-encrypted form. Because AES-256 is a strong, well-established algorithm, decryption is not available unless there is a bug in the malware that researchers can exploit or the decryption key becomes known.
Czech ransomware looks for different types of files to encrypt, including:
- Audio files.
- Database files.
- Files associated with Microsoft Office.
- Adobe Reader files.
- Files used by other widely used, well-known programs.
After detecting the files, Czech ransomware begins the encryption process. The ??? extension is appended to the encrypted files, either before or after their original extension, for example:
After encryption, the file icon is removed, and Windows no longer recognizes which program should open the file. The Czech ransomware then drops the following ransom note:
“Your computer and your files have been locked!
What happened?
All of your files have been encrypted with the AES-256 encryption algorithm, together with your personal computer.
If you do not meet all of the requirements listed below within 2 DAYS, your decryption key will be DELETED and you will NEVER SEE your files and ACCOUNTS again.
How do I get the key?
– Simply buy a PaySafe Card worth 200 Kč, enter its code (number) into the text field below this text and press the green button.
Your payment will then be sent for verification. After verification, your files and your computer will be restored to their original state.
– Where can I buy a PaySafe Card?
A PaySafe Card can be bought at any newsstand or petrol station. Just ask the seller.”
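To gauge the scope of an infection and recover the original file names (for matching against backups), the following added Python snippet, which is not from the article or the malware, handles both placements of the ??? marker the article describes: after the original extension and before it. The extension sets per category are assumptions, since the article names only the file classes, and the sample listing is constructed.

```python
import os
from collections import Counter

# Marker the article reports Czech ransomware adding to encrypted files.
MARKER = "???"

# File classes the article says are targeted, with illustrative extensions
# (assumption: the article names the classes, not the exact extensions).
CATEGORIES = {
    "audio": {"mp3", "wav", "flac"},
    "database": {"db", "sql", "mdb", "sqlite"},
    "office": {"doc", "docx", "xls", "xlsx", "ppt", "pptx"},
    "pdf": {"pdf"},
}


def strip_marker(name):
    """Return (was_marked, original_name).

    The marker may sit before or after the original extension, so it is
    treated as a dot-separated token and removed wherever it occurs:
    'a.docx.???' and 'a.???.docx' both map back to 'a.docx'.
    """
    parts = name.split(".")
    if MARKER not in parts:
        return False, name
    return True, ".".join(p for p in parts if p != MARKER)


def category_of(name):
    """Map a recovered file name to one of the article's file classes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat
    return "other"


def triage(names):
    """Recover original names of marked files and count them per category."""
    restored, counts = {}, Counter()
    for n in names:
        marked, orig = strip_marker(n)
        if marked:
            restored[n] = orig
            counts[category_of(orig)] += 1
    return restored, dict(counts)


def triage_tree(root):
    """Walk a directory tree and triage every file name found in it."""
    return triage([f for _, _, files in os.walk(root) for f in files])


# Constructed sample listing, not taken from a real infection.
SAMPLE = ["budget.xlsx.???", "song.???.mp3", "notes.txt", "clients.mdb.???", "paper.pdf.???"]
```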
Remove Czech Ransomware and Restore ??? Encrypted Files
If you have decided to fight this threat on your own instead of paying the ransom, we recommend removing it and then attempting to decrypt your files. One method of removing Czech ransomware is to follow the removal instructions below. Malware researchers strongly advise using an advanced anti-malware program for the best removal results, since Czech ransomware may place multiple concealed components in various locations.
To try to restore files encrypted by Czech ransomware, be sure to check the alternative solutions in the step “Restore files encrypted by Czech Ransomware” below.