.zbt File Virus (Restore Files)

Article made to help you remove the .zbt ransomware virus and try to get back files that have been AES encrypted by this virus.

A virus detected at the start of June 2017, dubbed WinUpdatesDisabler, has been reported to encrypt victims' files with the AES encryption algorithm. The ransomware performs several different types of activity on the infected computer: it adds the .zbt file extension to encrypted files and then drops a ransom note named Payment information for decryption.txt. Victims are asked to pay 0.5 BTC in order to get their important files to work again. If your computer has been infected by the .zbt extension ransomware, we recommend that you read this article.

Threat Summary

Name: .zbt ransomware
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the computer it infects and asks victims to pay 0.5 BTC to get them back.
Symptoms: Files are AES encrypted with the .zbt file extension added. A ransom note written in Bosnian is dropped.
Distribution Method: Spam e-mails, e-mail attachments, executable files

.zbt File Ransomware Distribution Methods

In order to infect an unsuspecting user, the .zbt file virus may use more than one method. The primary way this ransomware is encountered is via e-mail spam messages that carry malicious attachments or web links. The e-mails usually contain convincing statements whose end goal is to make the victim believe they are legitimate and open the attachment or click on the web link. Here is an example of a fake DHL e-mail containing a web link from which the malicious file is downloaded as a .zip archive:

Such e-mails may be used to spread .zbt ransomware as well. Besides those methods, the malicious file of this virus can also be uploaded to websites, masked as a setup file for a program you are looking to download, a fake update, a license activator or another type of executable. This is why it is always advisable to run an on-demand scan, or to have real-time protection enabled, when you download unknown files.

.zbt File Virus – Analysis

Once an infection with the WinUpdatesDisabler ransomware takes place, the virus begins to drop its payload. The main payload file is called WinUpdatesDisabler.exe; besides it, other files may reside in the usually targeted Windows folders under different names:

After the files are dropped, the .zbt ransomware may also drop its ransom note, named Payment information for decryption.txt. It has the following message written in Bosnian:

“Ej sestriće, moraš da gi platiš.
Ako gi ne platiš, zaključani fajlovi nema da gi vratiš.”

(Approximate English translation: “Hey nephew, you have to pay them. If you don't pay them, you won't get the locked files back.”)

Other activity of the .zbt virus may involve modifying the Windows Registry, more specifically the Run and RunOnce registry keys. Entries under these keys are responsible for automatically running the malicious files of .zbt ransomware on Windows start-up.

The .zbt ransomware may also delete the shadow volume copies on the infected computer via the vssadmin command:
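As an added illustration (not part of the original article), here is a small Python detector that flags the two behaviours described above, shadow copy deletion via vssadmin and Run/RunOnce persistence pointing at a user-writable path, over constructed log lines. The key="value" log schema, the registry value name WinUpdates and the user-writable-directory heuristic are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events, not captured from a real infection. The schema is a
# simplified one-line-per-event key="value" format, not any vendor's log format.
SAMPLE_EVENTS = [
    'type="process" image="C:\\Windows\\System32\\vssadmin.exe" '
    'cmdline="vssadmin delete shadows /all /quiet" '
    'parent="C:\\Users\\Public\\WinUpdatesDisabler.exe"',
    'type="registry" key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdates" '
    'value="C:\\Users\\Public\\WinUpdatesDisabler.exe"',
    'type="process" image="C:\\Windows\\System32\\notepad.exe" '
    'cmdline="notepad.exe report.txt" parent="C:\\Windows\\explorer.exe"',
    'type="registry" key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" '
    'value="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Directories a regular installer rarely uses for an autostart binary (heuristic).
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" log line into a field dict."""
    return dict(FIELD_RE.findall(line))

def detect(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) for every event that matches a rule."""
    alerts: List[Tuple[str, str]] = []
    for line in events:
        ev = parse_event(line)
        if ev.get("type") == "process":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("cmdline", "").lower()
            # Shadow copy deletion removes the easiest local recovery path;
            # report the parent process, which is usually the encryptor itself.
            if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                alerts.append(("shadow_copy_deletion", ev.get("parent", "")))
        elif ev.get("type") == "registry":
            key, value = ev.get("key", ""), ev.get("value", "")
            # Run/RunOnce autostart entry pointing into a user-writable directory.
            if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.match(value):
                alerts.append(("run_key_persistence", value))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```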

.zbt Ransomware – Encryption Process

In order to encrypt files on computers that have been infected by it, the .zbt file virus uses the AES encryption algorithm. The cipher replaces the contents of each targeted file with its encrypted output, so the files can no longer be opened and appear as if they are corrupt. The .zbt extension is added to them, making them look like the image below:

The .zbt ransomware virus does not target every type of file for encryption. It looks for multiple specific file types to encrypt: extensions associated with documents, audio files, videos, archives and other commonly used files.
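As an added example (not code from the original article), the following Python triage script inventories what the encryption step leaves behind: it lists every .zbt file and ransom note under a directory and uses byte entropy to tell files whose contents were actually replaced by cipher output from files that were merely renamed. The entropy threshold, the appended-extension layout (report.docx.zbt) and the sample tree built by build_sample_tree are assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENCRYPTED_EXT = ".zbt"
RANSOM_NOTE = "Payment information for decryption.txt"  # note name from the article
ENTROPY_THRESHOLD = 7.5  # bits/byte; cipher output is near 8.0, plaintext far lower (heuristic)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: Path, sample_bytes: int = 4096) -> Dict[str, List[str]]:
    """Walk root and classify .zbt files and ransom notes."""
    result: Dict[str, List[str]] = {"encrypted": [], "renamed_only": [], "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            result["notes"].append(str(path))
        elif path.suffix == ENCRYPTED_EXT:
            with path.open("rb") as fh:
                head = fh.read(sample_bytes)  # the leading bytes are enough to judge
            bucket = "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "renamed_only"
            result[bucket].append(str(path))
    return result

def build_sample_tree(root: Path) -> None:
    """Constructed test data: random bytes standing in for AES output, a renamed-only text file, a note."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx.zbt").write_bytes(os.urandom(8192))
    (root / "docs" / "todo.txt.zbt").write_text("buy milk\n" * 200)
    (root / "docs" / RANSOM_NOTE).write_text("Ej sestriće, moraš da gi platiš.\n", encoding="utf-8")

def run_demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)
```

Running run_demo() returns one entry under "encrypted", one under "renamed_only" and one ransom note; on a real machine call triage(Path("C:/Users")) or similar before starting removal, so the encrypted files can be backed up first.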

Remove .zbt Ransomware and Restore Your Files

Before beginning the removal process, we recommend that you back up your encrypted files. Then follow the removal instructions below, which are specifically designed to help you remove the .zbt file virus. Since manual removal may be difficult, experts often advise using a ransomware-specific tool that will aid in the removal and protect your computer in real time against future threats.

If your files have been encrypted by the .zbt ransomware virus, you can try to restore them using alternative methods. We have suggested these methods in step “2. Restore files encrypted by .zbt ransomware” and recommend that you follow them at your own risk. They are by no means guaranteed to restore all of your files, but with their aid you may be able to salvage at least a portion of your data.


Ventsislav Krastev

Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having also graduated in Marketing, Ventsislav has a passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecurity industry and is a strong believer in the education of every user towards online safety and security.
