A new ransomware virus, dubbed ZeroCrypt by malware researchers, has been spotted encrypting files, appending its .zn2016 file extension after their original ones and rendering them no longer openable. After it encrypts the files, the virus notifies the victim whose computer has been infected via a ransom note named "ZEROCRYPT_RECOVER_INFO.txt". Malware researchers do not expect this virus to become very widespread, but there is a cloud of uncertainty surrounding its decryption. It is also strongly recommended to focus on removing ZeroCrypt in case you have become a victim of it. You can do this by following the article below, which also offers alternative methods to try to recover the encrypted files instead of paying money to criminals to decrypt them. We will also keep following malware researchers and update this article with a web link as soon as the ZeroCrypt virus is cracked.
| Field | Details |
|---|---|
| Short Description | The malware encrypts the user's files using a strong encryption algorithm, so that direct decryption is possible only with a unique decryption key held by the cyber-criminals. |
| Symptoms | The user may find ransom notes and "instructions" in the form of a "ZEROCRYPT_RECOVER_INFO.txt" file that may lead to a web page and a decryptor. File names are changed and the file extension .zn2016 is appended. |
| Detection Tool | See If Your System Has Been Affected by ZeroCrypt. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only some of them, depending on the situation and whether or not you have reformatted your drive. |
ZeroCrypt – In-Depth Analysis
The infection process of ZeroCrypt begins with the stage that matters most to the cyber-criminals: distribution, or the spreading of the malware.
Stage 1: ZeroCrypt Ransomware Spread
This particular type of malware may employ a combination of methods and tools that allow it to spread in two main ways:
- Via malicious web links (URLs).
- Via malicious files.
When we take a look at malicious URLs, we take into consideration that the cyber-criminals may have used spam bots and spamming software that allow them to place a malicious script on a web host, which then causes the infection. But since such malicious web links are quickly detected by online services and e-mail spam filters, the cyber-criminals use a so-called browser redirect from a legitimate link. This means that the web link you clicked, believing it to be legitimate, transfers you to the malicious web link that causes the infection.
If the infection is performed via malicious files, a combination of advanced tools may be used to obfuscate the files and hide them from security software. When files are used for infection, they are usually of the following types:
The files usually pretend to be legitimate, with their icons changed to those of commonly used programs, such as an Adobe PDF Reader file or a Microsoft Office document. They may be spread via file-sharing services like Dropbox or online sharing websites, but the files may also be packed in a .zip, .rar or other archive and sent to you in a fake spam e-mail. Fake messages usually pretend to come from a legitimate service or institution to trick you into believing the file itself is important, so proceed wisely in the future.
Once the malicious file or web link is opened, an exploit kit, other malware or a malicious script may download the actual payload of ZeroCrypt ransomware onto your computer. The payload of ZeroCrypt may consist of several malicious files, which malware researchers refer to as modules. Those modules may be of the same types as the ones in the red frame above, and each of them may perform a separate function. They may be located in commonly used administrative Windows directories, such as:
Post Infection Activity of ZeroCrypt Ransomware
Once the files are activated, ZeroCrypt gets down to business. The malware's first activity is to inject malicious scripts into legitimate Windows processes such as:
As soon as this is done, ZeroCrypt may also drop files in the %Startup% folder that run every time Windows starts. It may then modify the Windows Registry, adding custom values to different registry keys. Most often the Run and RunOnce keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are modified with custom values that launch the malicious module which actually encrypts your files.
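A read-only check of the autorun locations named above (the HKLM/HKCU Run and RunOnce keys and the Startup folders), added here as an example and not code from the original article. It flags any entry whose executable lives outside Program Files or the Windows directory, which is where dropped ransomware modules usually sit; the trusted-root list and the `Test-TrustedCommand` helper are this example's own assumptions.

```powershell
# Added example, not from the original article: list the autorun locations the
# text names (HKLM/HKCU Run and RunOnce, the Startup folders) and flag entries
# whose executable lives outside Program Files or the Windows directory.
# Read-only: it reports, it does not delete. Run elevated for full HKLM access.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Roots legitimate autoruns normally launch from (assumed list); %TEMP%, %APPDATA%
# and profile folders are where dropped malware modules usually sit instead.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }
# Provider metadata that Get-ItemProperty attaches to every registry result.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-TrustedCommand {
    param([string]$Command)
    # Expand %VAR%, drop quotes and arguments, keep only the executable path.
    # Bare names resolved through PATH (no directory) are flagged too, on purpose.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    $exe = ($expanded -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($root in $TrustedRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($exe.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$Findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            Suspicious = -not (Test-TrustedCommand $p.Value)
        }
    }
}

# Startup folders: anything here runs at every logon of that user (or of all users).
$StartupItems = @([Environment]::GetFolderPath('Startup'),
                  [Environment]::GetFolderPath('CommonStartup')) |
    Where-Object { Test-Path $_ } |
    Get-ChildItem -File | Select-Object FullName, LastWriteTime

$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$StartupItems | Format-Table -AutoSize
```

Entries marked Suspicious are not proof of infection; compare each command and its LastWriteTime against what you know was installed and when the symptoms appeared.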
As soon as the file encryptor is run, according to the ransom note, ZeroCrypt applies the Rivest-Shamir-Adleman (RSA) encryption algorithm with a key strength of 1024 bits. This encryption replaces the contents of several blocks of data in each file with ciphertext generated by the cipher, which makes the files no longer openable. Judging by the reported encryption algorithm, the ZeroCrypt malware may also generate two types of keys, a public one and a private one, which could only be directly cracked with factorization programs running purpose-built scripts, written in Python, for example.
After the encryption is complete, the ZeroCrypt virus also adds its unique file extension .zn2016 to the encrypted files, making them look somewhat like the following image:
After the encryption process is complete, ZeroCrypt ransomware drops a .txt file notifying the user of what has happened. Interestingly enough, ZeroCrypt is not very polite in its ransom note, asking the insane amount of 10 BTC just to get the bare decryption key and figure out for yourself how to decrypt your files with it, and the even more preposterous amount of 100 BTC for working decryption software! Now multiply that by $695, the current Bitcoin rate! Here are the contents of the ransom message ZeroCrypt drops:
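A read-only triage script for the two symptoms the article lists, the .zn2016 extension and the ZEROCRYPT_RECOVER_INFO.txt note, added here as an example and not code from the original article. It inventories what was encrypted, where, and in what time window, which is what you need before cleanup and for the restore step; the `$Root` path and the manifest location are this example's assumptions.

```powershell
# Added example, not from the original article: inventory the .zn2016 files and
# ZEROCRYPT_RECOVER_INFO.txt notes across a volume and summarise where and when
# encryption happened. Read-only; take this snapshot before any cleanup so the
# timeline (LastWriteTime of the encrypted copies) is preserved.
$Root = 'C:\'   # volume or folder to triage (assumed; adjust as needed)

$Encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.zn2016' -ErrorAction SilentlyContinue)
$Notes     = @(Get-ChildItem -Path $Root -Recurse -File -Filter 'ZEROCRYPT_RECOVER_INFO.txt' -ErrorAction SilentlyContinue)

if ($Encrypted.Count -eq 0) { Write-Output "No .zn2016 files under $Root"; return }

# Per-folder view: how many files were hit, which original types, and whether the
# note was dropped alongside them (ransomware typically writes one per folder).
$ByFolder = $Encrypted | Group-Object DirectoryName | ForEach-Object {
    # Original extension sits just before .zn2016: report.docx.zn2016 -> .docx
    $origTypes = $_.Group | ForEach-Object { [IO.Path]::GetExtension($_.BaseName) } | Sort-Object -Unique
    [PSCustomObject]@{
        Folder    = $_.Name
        Count     = $_.Count
        OrigTypes = ($origTypes -join ',')
        HasNote   = Test-Path (Join-Path $_.Name 'ZEROCRYPT_RECOVER_INFO.txt')
    }
}

# Time window: first and last write of an encrypted copy bracket the encryptor's
# run, which is what you correlate with logons, mail receipts and Run-key changes.
$Sorted = $Encrypted | Sort-Object LastWriteTime

[PSCustomObject]@{
    EncryptedFiles = $Encrypted.Count
    RansomNotes    = $Notes.Count
    FoldersHit     = @($ByFolder).Count
    FirstWrite     = $Sorted[0].LastWriteTime
    LastWrite      = $Sorted[-1].LastWriteTime
} | Format-List

$ByFolder | Sort-Object Count -Descending | Format-Table -AutoSize

# Manifest of every encrypted file, for the restore step and for the incident record.
$Encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $env:TEMP 'zerocrypt_manifest.csv') -NoTypeInformation
```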
ZeroCrypt Ransomware Virus – Conclusion, Removal and File Restoring Tips
If you have been infected by ZeroCrypt, do not pay the ransom! The obvious reasons are that there is no guarantee you will get your files back, and the crooks may want more from you afterwards. Researchers also advise against paying the criminals, because this helps them invest further in spreading the virus. But what should you do if you haven't paid? There are several alternatives that may help you, but first it is recommended to remove ZeroCrypt.
To perform a safe removal, you can follow our removal instructions below. Security experts often recommend automatic removal solutions, such as anti-malware software that will automatically remove every registry object and malicious module of the ZeroCrypt virus.
After removing the virus, follow the suggestions on how to restore your files in step "2. Restore files encrypted by ZeroCrypt" below. They include web links to two of the largest developers of decryptors, Kaspersky and Emsisoft, whose expert reverse engineers may develop a decryptor for this virus soon. However, bear in mind that these decryptors are third-party, and none of the other methods used below is a 100% guarantee that you will restore your files. This is why we also advise you to back up the encrypted files before tampering with them in any way.
Manually delete ZeroCrypt from your computer
Note! Important notice about the ZeroCrypt threat: manual removal of ZeroCrypt requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes using a malware removal tool.