Czech Ransomware Virus Remove and Restore ??? Files - How to, Technology and PC Security Forum

Malware researchers have spotted a ransomware virus that primarily attacks Czech-speaking users. It is dubbed Czech ransomware and appends the ??? file extension to the files it encrypts. The affected files are encrypted with the AES-256 algorithm, one of several military-grade ciphers, for which a direct solution may take a lot of time at this stage. Czech ransomware demands that users pay 200 Czech koruna, approximately 9 USD, via a Paysafe card to get their files back. This is yet another ransomware aimed specifically at one nation. Users infected by the Czech virus are advised not to pay any ransom and to read this article to learn what this malware does, how to remove it and how to try to restore the encrypted files.

Threat Summary

Name: Czech Ransomware
Short Description: Encrypts widely used files on the compromised computer with AES-256 encryption and asks for 200 Czech koruna for decryption.
Symptoms: Adds the ??? file extension and the above posted picture.
Distribution Method: Spam Emails, File Sharing Networks, Executable Files

Czech Ransomware Virus – How Does It Spread

To infect as many users as possible, Czech ransomware may use spam aimed at Czech-speaking users. The spam may arrive via e-mail and may carry either a malicious URL or a malicious attachment, and opening either one leads to infection. This all looks primitive and simple, but it is not. The malware writers behind the Czech crypto-virus have focused on making this malware undetected and widespread, which represents a large investment in the tools and spamming services they may have used to get past the antivirus software on most computers.

Czech Crypto Virus – Detailed Description

Once the virus file enters your device, it may drop the payload of Czech ransomware in the following Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %User’s Profile%

The Czech ransomware may also modify the following registry keys to run every time Windows boots:


The Czech ransomware's encryption process modifies the contents of the files and replaces them with data encrypted using the strong AES-256 algorithm. Decryption is not available unless there is a bug in the malware that researchers can exploit, or the decryption key is known.

Czech ransomware looks for different types of files to encrypt, including:

  • Videos.
  • Audio files.
  • Pictures.
  • Database files.
  • Files associated with Microsoft Office.
  • Adobe Reader files.
  • Files used by widely downloaded programs that are well known.

After detecting the files, Czech ransomware begins the encryption process. The ??? extension is added to the encrypted files, either in front of the file name or after the original extension, for example:

???.New Text Document.txt
New Text Document.txt.???
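
The two naming layouts above can be used to inventory affected files and recover their original names before restoring from backup. The following Python sketch is an added example, not part of the original article; the marker is taken as this page renders it ("???") and must be replaced with the extension actually seen on disk, and the function names are illustrative.

```python
import os
from collections import Counter

MARKER = "???"  # as rendered on this page (assumption); use the extension seen on disk

def classify(name, marker=MARKER):
    """Return (form, original_name) if name carries the marker, else None.

    form is "prefix" for '<marker>.<original>' and "suffix" for
    '<original>.<marker>', the two layouts shown in the article.
    """
    pre, suf = marker + ".", "." + marker
    if name.startswith(pre) and len(name) > len(pre):
        return "prefix", name[len(pre):]
    if name.endswith(suf) and len(name) > len(suf):
        return "suffix", name[:-len(suf)]
    return None

def scan(root, marker=MARKER):
    """Walk root and list (path, form, original_name) for every marked file."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            match = classify(name, marker)
            if match:
                hits.append((os.path.join(folder, name), *match))
    return hits

def summarize(hits):
    """Count affected files by original extension, to scope what to restore."""
    counts = Counter()
    for _path, _form, original in hits:
        ext = os.path.splitext(original)[1].lower() or "(none)"
        counts[ext] += 1
    return counts

if __name__ == "__main__":
    import sys
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, form, original in found:
        print(f"{form:6}  {path}  ->  {original}")
    print(dict(summarize(found)))
```

The script only reads file names; it does not modify or decrypt anything.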

After encryption, the file icon is removed, and Windows no longer recognizes which program was originally used to open the file. The Czech ransomware then drops the following ransom note:

→“Váš počítač a vaše soubory byly uzamknuty!
Co se stalo?
Veškeré vaše soubory byly zašifrovány šifrovacím algoritmem AES-256 společně s vaším osobním počítačem.
Pokud nesplníte všechny dané požadavky uvedené níže do 2 DNÍ, váš dešifrovací klíč se SMAŽE a vy své soubory a ÚČTY NIKDY NEUVIDÍTE.
Jak získat klíč?
– Stačí zakoupit kartu PaySafe Card v hodnotě 200Kč ,zadat její kód (číslo) do textového pole pod tímto textem a stisknout zelené tlačítko.
Vaše platba pak bude odeslána k ověření. Po ověření budou vaše soubory a váš počítač uvedeny do původního stavu.
– Kde koupím PaySafe Card?
PaySafe Card se dá zakoupit v jakékoliv trafice, či pumpě. Stačí se zeptat prodejce.”

Remove Czech Ransomware and Restore ??? Encrypted Files

In case you have decided to fight this threat on your own instead of paying the ransom, we recommend removing it and then attempting to decrypt your files. One method to remove Czech ransomware is to follow the removal instructions below. Malware researchers strongly advise users to use an advanced anti-malware program for best removal results, since Czech ransomware may place multiple objects that are concealed in various locations.

To try and restore files that have been encrypted by Czech ransomware, please make sure to check the alternative solutions in step “Restore file encrypted by Czech Ransomware” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user towards online safety.
