A ransomware infection belonging to the large CryptoMix ransomware family, which appends the .ZAYKA file extension to the files it encrypts, was detected at the end of July 2017. The virus drops a ransom note file named “_HELP_INSTRUCTION.TXT”; the note demands a payment in Bitcoin to get the encrypted files decrypted again and instructs victims to contact the e-mail address firstname.lastname@example.org for payment details. If you are a victim of the .ZAYKA file virus, we advise you to read the following post.
|Short Description|Once the virus is on your computer, it encrypts the files on it and demands a payment in Bitcoin to get the files decrypted again.|
|Symptoms|Files are encrypted and cannot be opened. The .ZAYKA file extension is added to them. The “_HELP_INSTRUCTION.TXT” ransom note is dropped on the victim PC.|
|Distribution Method|Spam e-mails, e-mail attachments, executable files|
How Does .ZAYKA File Virus Spread
There may be more than one method by which this CryptoMix variant ends up on your computer. The main one is likely e-mail spam carrying malicious attachments, also known as malspam. Such e-mails often contain convincing pretexts that aim to get the victim to open a particular attachment, which is actually the loader file, for example:
After the victim opens the attachment, the loader connects to a remote server, and the malicious files of the .ZAYKA ransomware are downloaded and dropped on the victim’s computer.
This may not be the only infection method, however. The .ZAYKA virus may also be delivered in another form: bundled in fake program setups, fake executables, and fraudulent program activators or game cracks.
Analysis of .ZAYKA Ransomware
As soon as the victim opens the malicious loader belonging to the .ZAYKA ransomware infection, it establishes a connection to a remote server and downloads the payload files of the ransomware while trying to stay undetected. The .ZAYKA virus may place one or more files in the following Windows folders:
After this has been completed, the ransomware may perform a set of other activities, such as:
- Obtain administrative privileges on your computer.
- Modify the Windows registry (the Run and RunOnce sub-keys) so that the ransomware starts together with Windows.
- Delete the shadow volume copies on the infected computer by running the vssadmin command (vssadmin delete shadows /all /quiet); the /quiet switch suppresses the confirmation prompt so that the user won’t notice.
- Drop its ransom note on the victim’s computer and automatically open it.
After the malicious files of the virus are dropped, it may automatically open its ransom note, which carries the following message to victims:
[WHAT HAPPENED] Your important files produced on this computer have been encrypted due to a security problem
If you want to restore them, write us to the e-mail: email@example.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1MB
[HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
[ATTENTION] Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
.ZAYKA File Virus Encryption Process
Like other CryptoMix ransomware variants, .ZAYKA ransomware renames the files it encrypts so that their original names are no longer recognizable. It then appends its own file extension, and the files appear as follows:
The .ZAYKA file virus is very particular about the types of files it encrypts. The virus targets the following file types:
→ .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.
At the same time, the ransomware is careful about where it encrypts: it skips critical Windows system folders so that the computer still boots and the victim can read the note and pay.
Remove .ZAYKA Ransomware and Restore Encrypted Files
For the removal of this ransomware, we recommend that you first back up your files, including the encrypted ones, before proceeding with the removal. Then it is strongly advisable to remove the .ZAYKA file virus by following the removal instructions below, which are designed to help you eliminate this ransomware infection either manually or automatically. Since manual removal can be a risky process, experts recommend using an advanced anti-malware program that removes .ZAYKA ransomware from your computer automatically.
If you wish to restore files that have been encrypted by this virus, we recommend that you try the alternative methods in step “2. Restore files encrypted by .ZAYKA virus” below.
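The two practical questions after an infection are which files were hit and which intact files must be secured first. As an added example (not code from the original page), the following Python script triages a directory tree using the indicators described in this post: it buckets files into encrypted (.ZAYKA), ransom notes (_HELP_INSTRUCTION.TXT), at-risk (intact files whose extension is on the targeted list above) and other, and then copies the encrypted files and the notes to a separate location before any removal tool runs, because the ciphertext is the only thing a future decryptor could work on. The sample tree it builds under a temporary directory is constructed and its file names are invented; only a subset of the extension list is included.

```python
"""Triage a directory tree after a .ZAYKA (CryptoMix) infection and preserve
the encrypted files and ransom notes before removal.

Added example, not code from the original page. build_sample_tree() creates a
constructed victim tree with invented file names under a temporary directory.
"""
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".zayka"               # extension appended to encrypted files
RANSOM_NOTE = "_help_instruction.txt"  # ransom note file name (compared lower-case)

# Subset of the targeted-extension list from the page, lower-cased.
TARGETED_EXTENSIONS = {
    ".sql", ".mp4", ".7z", ".rar", ".zip", ".csv", ".bkp", ".gho", ".svg",
    ".mov", ".dmp", ".py", ".js", ".css", ".rb", ".png", ".jpeg", ".jpg",
    ".txt", ".p12", ".pfx", ".pem", ".crt", ".cer", ".der", ".raw", ".cr2",
    ".dng", ".pdf", ".psd", ".dbf", ".mdf", ".rtf", ".dwg", ".pst", ".accdb",
    ".mdb", ".pptx", ".ppt", ".xlsx", ".xls", ".docx", ".doc", ".odt", ".ods",
}


def classify(path):
    """Return 'encrypted', 'note', 'at_risk' or 'other' for one file path."""
    name = os.path.basename(path).lower()
    if name == RANSOM_NOTE:
        return "note"
    ext = os.path.splitext(name)[1]
    if ext == ENCRYPTED_EXT:
        return "encrypted"
    if ext in TARGETED_EXTENSIONS:
        return "at_risk"
    return "other"


def triage(root):
    """Walk root and bucket every file by classify(); paths are relative to root."""
    buckets = {"encrypted": [], "note": [], "at_risk": [], "other": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            buckets[classify(full)].append(os.path.relpath(full, root))
    for paths in buckets.values():
        paths.sort()
    return buckets


def preserve(root, dest, buckets):
    """Copy (never move) encrypted files and ransom notes to dest, keeping
    relative paths, so that removal tools cannot destroy the ciphertext."""
    copied = 0
    for rel in buckets["encrypted"] + buckets["note"]:
        src = os.path.join(root, rel)
        dst = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        copied += 1
    return copied


def build_sample_tree(root):
    """Constructed sample tree: encrypted files carry replaced names plus the
    .ZAYKA extension, as the post describes; all names here are invented."""
    layout = {
        "Documents/A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6.ZAYKA": b"ciphertext",
        "Documents/_HELP_INSTRUCTION.TXT": b"[WHAT HAPPENED] ...",
        "Documents/notes.txt": b"still plaintext",
        "Pictures/holiday.jpg": b"\xff\xd8\xff",
        "Pictures/F0E1D2C3B4A5968778695A4B3C2D1E0F.ZAYKA": b"ciphertext",
        "Pictures/_HELP_INSTRUCTION.TXT": b"[WHAT HAPPENED] ...",
        "Windows/System32/kernel32.dll": b"MZ",  # system folder is skipped
        "_HELP_INSTRUCTION.TXT": b"[WHAT HAPPENED] ...",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree, triage it and preserve the evidence; return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        backup = os.path.join(tmp, "backup")
        build_sample_tree(victim)
        buckets = triage(victim)
        copied = preserve(victim, backup, buckets)
        backed_up = sorted(
            os.path.relpath(os.path.join(d, f), backup)
            for d, _, fs in os.walk(backup) for f in fs)
        return {"buckets": buckets, "copied": copied, "backed_up": backed_up}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["buckets"].items():
        print(f"{kind:>9}: {len(paths)}")
    print("preserved:", result["copied"])
```

On a real machine, run triage() against the user profile and any mapped shares, move the "at_risk" files to offline storage first, and keep the preserved copy of the ciphertext and notes untouched; the note's own warning not to rename encrypted files also applies to the backup copies.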