Remove New Zeta Ransomware and Restore .rmd Encrypted Files - How to, Technology and PC Security Forum |

Remove New Zeta Ransomware and Restore .rmd Encrypted Files

data-encryption-stforumA ransomware virus believed to have something about CryptoMix as well as CryptXXX is reported to be infecting users and to encrypt their files adding the .rmd file extension to them. The virus has been reported to encrypt victims’ important files to extort them into paying a hefty ransom fee to get the files back. The virus is reported to demand somewhere between 0.5 and 1.5 BitCoins for the ransom payoff and file decryption. However, It Is not advisable to go ahead and pay the ransom because you may not get the files back. Instead, experts recommend reading this informative article to learn how to remove Zeta yourself and hopefully restore the files.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” linking to an e-mail for contact. Changed file-extension has been used to .rmd.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Zeta


Malware Removal Tool

User ExperienceJoin our forum to Discuss Zeta.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Zeta Ransomware Causes an Infection

The virus may come onto a computer via several different methods. The primary method of infection is considered to be malicious e-mail attachments with web links leading to websites that represent a threat. These e-mails have fraudulent information, created to convince users to open the malicious attachment and hence cause the infection via an obfuscated process or another mechanism, like exploit kits, dropper Trojans, etc.

Zeta Ransomware – Post-Infection Information

After already having infected a computer, Zeta ransomware begins to encrypt files on it. ESG malware researchers report the following file extensions to be affected:

→ .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.

Then, the virus begins to change the file extensions of all the files adding it’s distinctive suffix, known as .rmd. The files may appear like the following:


After the encryption process by Zeta has completed, the ransomware drops a distinctive ransom note, named HELP_YOUR_FILES.txt with the following contents:


After this is complete, the Zeta virus may leave behind a unique public key and send the private key to the cyber-criminals’ Command & Control servers so that they are the only ones in power to revert the files back to normal.

Zeta Ransomware – Conclusion, Removal, and File Restoration Tips

As a bottom line, we advise nobody to pay the ransom money demanded by the crooks behind this virus, since this may cause a negative outcome and you may not get the files back.

Instead, we advise you to follow the instructions below and remove Zeta from your computer permanently. In case you are having issues with manually coping with Zeta ransomware, it is also recommended download an advanced anti-malware program which will ensure automatic and complete removal in a swift manner.

Furthermore, to restore the files encrypted by the virus, unfortunately, a free decryptor has not been released. However, until you wait, we advise to backup the encrypted files and go with the alternative tools for file restoration posted below.

Manually delete Zeta from your computer

Note! Substantial notification about the Zeta threat: Manual removal of Zeta requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Zeta files and objects
2.Find malicious files created by Zeta on your PC

Automatically remove Zeta by downloading an advanced anti-malware program

1. Remove Zeta with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Zeta
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.