Remove Zeta Ransomware and Restore Encrypted Files - How to, Technology and PC Security Forum |

Remove Zeta Ransomware and Restore [email protected] Encrypted Files

shutterstock_248596792Ransomware keeps gaining popularity and with it, the copycat variants also increase. One of those variants Is called Zeta. It creates several malicious files after which it encrypts the data on the compromised computer appending a custom extension ending in [email protected] It uses a ransom note provided by Cryptowall. All users who have been affected by Zeta are strictly advised to read this article and learn how to remove this ransomware from the infected system and restore their files.

Short DescriptionEncrypts the affected user’s files appending a custom id and [email protected] as an extension.
SymptomsThe user may witness a ransom message asking to pay in Bitcoins to the cyber criminals for file decryption.
Distribution MethodVia malicious URLs, attachments. Spammed in social media, possible connection to a fake Adobe Flash Player update.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Zeta
User Experience Join our forum to discuss Zeta.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

The Distribution of Zeta Ransomware

To spread and infect users, this ransomware may use a variety of techniques. The most commonly utilized technique which may be used by Zeta crypto-malware is to arrive on your system via a malicious link or an obfuscated attachment featured in an email message. The message may resemble an important service, for example:

  • “Please Update Flash Player.”
  • “Your Amazon Receipt.”
  • “Your PayPal Transaction Confirmation.”
  • “The Documents You Requested.”
  • “Email Confirmation.”
  • “Read This Before Purchasing.”

Often users tend to be misled by such e-mails believing that they are legitimate, and this is how they may be redirected to a malicious URL carrying an Exploit Kit or open an obfuscated program which is the ransomware’s payload.

Another method reported by researchers is via malicious URLs posted in social media, such as Facebook that redirect to third-party websites. Such sites may pretend to have content like a video that you can watch but may display a pop-up stating your plugin is outdated. Such pop-ups may prompt you to download and install a malicious .exe on your system, believing it is the update.

Zeta Ransomware In Detail

As soon as you open it, Zeta creates the following file on your computer:

In %user’s profile% – AdobeFlashPlayer_{random letters and numbers}.exe”

In addition to that, the malware creates values in the following Windows Registry entries to run the malicious “AdobeFlashPlayer” as soon as you start Windows:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

After this it starts scanning for some of the following file extensions to encrypt them. The encrypted files contain a custom ID for the affected user after which the [email protected] extension is appended. Here is an example of how an encrypted document by Zeta Ransomware may look like:

After encrypting the data, the ransomware creates two more files:


These files both display an almost identical to Cryptowall 3.0’s ransom message:

→ “What happened to your files?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here:
What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen?
!!!SPECIALLY for your PC was generated personal RSA-2048 KEY, both public and private.
!!!ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do?
So, there are two ways you can choose: wait for a miracle and get your price double or start obtaining BITCOIN NOW!, and restore your data easy way. If You have really valuable data you better not waste your time because there is no other way to get your files, except make a payment.
For more specific instructions:
Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you withing 12 house. For you to be sure, that we can decrypt your files – you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.
EMAIL1:[email protected]
EMAIL2:[email protected]
YOUR_ID:{user’s custom identification number}”

Judging by how similar it is to Cryptowall, this is most likely a custom-made ransomware and eventually it may have many other variants. Example for such ransomware are the “@” variants (with [email protected] and [email protected] ransomware being the most popular).

Remove [email protected] Ransomware and Restore the Encrypted Data

For the removal of Zeta Ransomware, it is strongly advisable to take immediate measures. One way to erase it permanently without damaging the system or the files is via following the step-by-step instructions published below.

Unfortunately removing this ransomware will not result in file restoration. If you want to recover your files, we advise trying the methods outlined in step number “4. Restore files encrypted by Zeta”. There are some alternative tools which may not be 100 percent successful but may at least recover some of your data.

1. Boot Your PC In Safe Mode to isolate and remove Zeta
2. Remove Zeta with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Zeta in the future
4. Restore files encrypted by Zeta
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the Zeta threat: Manual removal of Zeta requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share