Remove zCrypt Ransomware and Restore .Zcrypt Encoded Files - How to, Technology and PC Security Forum |

Remove zCrypt Ransomware and Restore .Zcrypt Encoded Files

zcrypt-ransomware-sensorstechforumRansom malware, known by the name zCrypt has been reported to target primarily Russian-speaking countries, researchers claim. The ransomware may use a strong RSA-2048 cipher to encrypt the files on the computers it infects. After this, it leaves a ransom note written entirely In Russian and demanding to contact the cybercriminal’s email to pay the ransom money. Users who have had their files encrypted by zCrypt ransomware are warned not to contact the cyber-criminals and not to pay the ransom money for security reasons. Experts also recommend removing the ransomware and trying alternative methods, such as the ones in this article to restore your data.

Threat Summary

Short DescriptionThe ransomware encrypts files with the RSA-2048 algorithm and asks a ransom for decryption.
SymptomsFiles are encrypted with a .zcrypt file extension added to them and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by zCrypt


Malware Removal Tool

User ExperienceJoin our forum to Discuss zCrypt Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Zcrypt Ransomware – Distribution

To be widespread across user PCs, zCrypt is believed to use malicious e-mail attachments. One of the malicious executables has been reported by Kaspersky researchers to be pretending to be an invoice, suggesting a spam message with the same topic may be used to trick the user into opening it:

→ File name: invoice-order.exe
File size: 791.0 KB ( 809984 bytes )Source: Kaspersky

This technique is also typical for other ransomware variants, such as Zyklon, Cerber and Locky Ransomware.Users are strongly advised to use services which check URLs and email attachments before they are downloaded on their drives. One of those services that can assist with that is VirusTotal, which provided over 20 detections of zCrypt’s malicious executable.

Zcrypt Ransomware In Detail

Once activated on the computer, the payload carrying file may create an exploit on the infected computer, open a port and download or extract the following malicious files:

In C:\Users\{User’s Directory}\Appdata\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\:
In C:\Users\{User’s Directory}\Appdata\Roaming:
In %Desktop%:
How to decrypt files.html

In the same time a registry entry for the ransomware may be created to run the encryption on Windows startup:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\zcrypt

After creating its malicious files, zCrypt Ransowmare begins to encrypt the files of the infected computer. It scans for and encrypts the most widely used file types, for example:


The ransomware uses the .zcrypt file extension which it ads to the files that are encoded, for example:

→ Picture.jpg.zcrypt

The encrypted files are believed to be encoded with a powerful RSA-2048 cipher. After encryption, the ransomware may change the wallpaper of the infected user to the following one:

zcrypt-wallpaperSource: Infected User

Furthermore, there has been a Russian version of the ransomware reported, which leaves a “!ИНСТРУКЦИЯ!.html”(Instruction) file containing the following ransom note in Russian:

→ВНИМАНИЕ! Ваши файлы зашифрованы криптостойким алгоритмом RSA-2048!
Отправьте на [email protected] один из зашифрованных файлов.
Попытки самостоятельной расшифровки могут привести к безвозвратной порче данных!
В письме укажите также ваш ID – {UNIQUE ID}”
ATTENTION! Your files are encrypted with the algorithm RSA-2048!
Send to [email protected] one of the encrypted files.
Any attempts to decipher the files yourself can lead to permanent destruction of the files.
In the letter include your unique ID = {UNIQUE ID} Source:

Remove zCrypt Ransomware and Restore the Files

Experts strongly recommend removing this ransomware instead of paying the ransom money to the cyber-criminals. One way to do it efficiently is by following the step-by-step instructions outlined below. One preferable way to remove it is to use an advanced anti-malware tool which will assist you with completely deleting zCrypt associated files and registry entries from your computer. Such tool will also assist with protecting you from future threats.

To revert at least some of your files back to normal, we advise trying the alternative methods we provided in step “3. Restore files encrypted by zCrypt” below.

Manually delete zCrypt from your computer

Note! Substantial notification about the zCrypt threat: Manual removal of zCrypt requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove zCrypt files and objects
2.Find malicious files created by zCrypt on your PC
3.Fix registry entries created by zCrypt on your PC

Automatically remove zCrypt by downloading an advanced anti-malware program

1. Remove zCrypt with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by zCrypt in the future
3. Restore files encrypted by zCrypt
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share