A ransomware virus going by the name Zixer2 has been reported by researchers to infect computers, encrypt important files on them and then leave behind the e-mail address [email protected] for contact. The infection has been detected to use the Tiny Encryption Algorithm (TEA) to render important files on the compromised devices no longer openable. After the encryption is complete, the ransomware adds the .zixer2 file extension to the encrypted files. If you have become a victim of the Zixer2 ransomware infection, our advice is to read the following article carefully.
Short Description: The malware encrypts the user's files using the TEA encryption cipher, making direct decryption possible only via a unique 128-bit decryption key available to the cyber-criminals.
Symptoms: The user may witness ransom notes and "instructions" named HOW TO DECRYPT FILES.TXT linking to an e-mail. File names are changed and the file extension .zixer2 is appended.
User Experience: Join our forum to discuss Zixer2.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.
Zixer2 Ransomware – How Does It Infect
The infection process of the Zixer2 ransomware virus may begin with a packed executable uploaded as an e-mail attachment within an archive. Such attachments are usually redistributed via e-mail spam campaigns that take advantage of several different spam kits, which include:
- Spam bots.
- Pre-registered e-mail addresses which are legitimized via different SIM cards.
- Pre-set list of spam e-mail templates that contain deceptive messages, like the one on the image below:
The malicious files may either be posted via web links or e-mail attachments, so users are strongly advised to learn how to protect themselves from such malicious campaigns by reading the informative related article below.
Other methods by which the Zixer2 ransomware virus can spread and infect computers include masking the malicious files as patches, fake updates, game cracks or program activators. Sometimes the malware may reside within legitimate setups which also install its malicious code. The use of modified self-extracting archives is also a potential scenario. Users are advised to learn how to store their data properly as well, because infection can also come via new, unknown methods.
Zixer2 Ransomware – Malicious Activity
Once the user becomes infected with a variant of Zixer2, the virus may create multiple malicious files. These may be different types of modules and executables, which may have either random names or names resembling Windows system files. An example of commonly targeted folders and file names which Zixer2 can use is shown on the image below:
After the malicious files belonging to Zixer2 ransomware have been dropped, the virus may begin its malicious activity. For starters, Zixer2 may check whether it is running on a virtual machine or on a machine where the ransom has already been paid. If it is, Zixer2 shuts down immediately. In addition, Zixer2 may end system tasks that obstruct its encryption, as well as insert malicious code into legitimate Windows processes to ensure the encryption succeeds.
Another task possibly performed by the Zixer2 threat is to delete the volume shadow copies of the infected computer. This is usually performed by obtaining privileges to execute administrative commands in the Windows Command Prompt, like the vssadmin command:
After it deletes the shadow copies, the ransomware may also modify the Windows Registry, possibly attacking the following Windows Registry sub-key:
→ HKEY_CURRENT_USER\Control Panel\Desktop\
After modifying the registry entries, the ransomware may set a file named HOW TO DECRYPT FILES.TXT to open automatically on system startup. The file has the following content:
All Your Files Was Encrypted !
E-mail addresses: [email protected]
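The chain described above (shadow copy deletion via vssadmin, modification of the HKEY_CURRENT_USER\Control Panel\Desktop sub-key, and the dropping of HOW TO DECRYPT FILES.TXT and .zixer2 files) is exactly what endpoint telemetry should be watched for. The following Python script is an added example and is not code from the original article or from any vendor: it runs three simple detection rules over a handful of constructed, Sysmon-style log lines and groups the hits by the process responsible, so that one vssadmin call by an administrator is not confused with several ransomware behaviours from the same unknown binary. The log format, the path C:\Users\bob\..., the `Wallpaper` value name and the `vssadmin delete shadows /all /quiet` command line are assumptions made for the example; the article itself only names the vssadmin command and the registry sub-key.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, Sysmon-style events (not real telemetry). EventID 1 = process
# creation, 13 = registry value set, 11 = file created. Each line is a set of
# key=value fields separated by " | ". The user path, the Wallpaper value name
# and the exact vssadmin command line are assumptions made for this example.
SAMPLE_LOGS = [
    "EventID=1 | Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine=vssadmin delete shadows /all /quiet | ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
    "EventID=1 | Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine=vssadmin list shadows | ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=13 | Image=C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe | TargetObject=HKEY_CURRENT_USER\\Control Panel\\Desktop\\Wallpaper",
    "EventID=11 | Image=C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe | TargetFilename=C:\\Users\\bob\\Documents\\report.docx.zixer2",
    "EventID=11 | Image=C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe | TargetFilename=C:\\Users\\bob\\Desktop\\HOW TO DECRYPT FILES.TXT",
    "EventID=11 | Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE | TargetFilename=C:\\Users\\bob\\Documents\\report.docx",
]

# Listing shadows is routine; deleting them is the behaviour worth alerting on.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
DESKTOP_SUBKEY = "hkey_current_user\\control panel\\desktop\\"  # sub-key named in the article
RANSOM_NOTE = "how to decrypt files.txt"                        # ransom note name from the article
ENCRYPTED_EXT = ".zixer2"                                       # extension from the article


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'k=v | k=v' line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return a detection tag for the event, or None if no rule matched."""
    event_id = event.get("EventID")
    if event_id == "1" and SHADOW_DELETE.search(event.get("CommandLine", "")):
        return "shadow-copy-deletion"
    if event_id == "13" and event.get("TargetObject", "").lower().startswith(DESKTOP_SUBKEY):
        return "desktop-registry-modification"
    if event_id == "11":
        name = event.get("TargetFilename", "").lower()
        if name.endswith(ENCRYPTED_EXT):
            return "zixer2-extension-write"
        if name.endswith("\\" + RANSOM_NOTE):
            return "ransom-note-dropped"
    return None


def actor_of(event: Dict[str, str]) -> str:
    """The process to blame: for a process-creation event it is the parent
    that launched vssadmin, for everything else the process itself."""
    if event.get("EventID") == "1":
        return event.get("ParentImage", "")
    return event.get("Image", "")


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; return (tag, actor) pairs in log order."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_line(line)
        tag = evaluate(event)
        if tag:
            alerts.append((tag, actor_of(event)))
    return alerts


def suspects(lines: List[str], min_tags: int = 2) -> List[str]:
    """Processes that triggered at least `min_tags` distinct rules. A single hit
    may be an administrator; several different ransomware behaviours coming
    from the same image is a much stronger signal."""
    by_actor: Dict[str, set] = {}
    for tag, actor in scan(lines):
        by_actor.setdefault(actor, set()).add(tag)
    return sorted(actor for actor, tags in by_actor.items() if len(tags) >= min_tags)


if __name__ == "__main__":
    for tag, actor in scan(SAMPLE_LOGS):
        print(f"{tag:32} {actor}")
    print("suspects:", suspects(SAMPLE_LOGS))
```

Note that the benign `vssadmin list shadows` line and the Word document written by WINWORD.EXE produce no alert, while the Temp-folder svchost.exe (a name resembling a Windows system file, as the article describes) trips all four rules and is the only suspect reported.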
Zixer2 Ransomware – Encryption Process
The file encryption process of Zixer2 ransomware uses an encryption algorithm known as TEA, the Tiny Encryption Algorithm. TEA is a block cipher: it encrypts the files in 64-bit blocks (two 32-bit integers). The encryption uses a unique 128-bit key which, once the encryption is complete, may be sent to the cyber-criminals' servers by using an unsecured port on the infected computer. The encryption process of Zixer2 is shown on the image below:
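To make the statement about 64-bit blocks and a 128-bit key concrete, here is a plain Python implementation of the TEA block cipher as published by Wheeler and Needham. This is an added example; it is not code from the original article and not Zixer2's own code. It shows the one point that matters for a victim: the very same 128-bit key is needed to reverse the encryption, and a wrong key yields garbage rather than an error, so without the attackers' key there is nothing to "undo" and backups are the only reliable way back. The little-endian word order, the demo key and the demo plaintext are assumptions of this example.

```python
from typing import Tuple

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # TEA's round constant, derived from the golden ratio
CYCLES = 32          # 32 cycles of two Feistel rounds each, as in the reference cipher


def _words(data: bytes, count: int) -> Tuple[int, ...]:
    """Split `data` into `count` 32-bit words. Little-endian byte order is an
    assumption of this example; the reference cipher works on words, not bytes."""
    if len(data) != 4 * count:
        raise ValueError(f"expected {4 * count} bytes, got {len(data)}")
    return tuple(int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4))


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 64-bit block (two 32-bit words) under a 128-bit key."""
    v0, v1 = _words(block, 2)
    k0, k1, k2, k3 = _words(key, 4)
    total = 0
    for _ in range(CYCLES):
        total = (total + DELTA) & MASK32
        # Each half is mixed with the other half, the key and the running sum.
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0.to_bytes(4, "little") + v1.to_bytes(4, "little")


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Reverse tea_encrypt_block. Only the exact key used to encrypt restores
    the block; any other key silently produces a different 8 bytes."""
    v0, v1 = _words(block, 2)
    k0, k1, k2, k3 = _words(key, 4)
    total = (DELTA * CYCLES) & MASK32       # the sum the encryption ended on
    for _ in range(CYCLES):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return v0.to_bytes(4, "little") + v1.to_bytes(4, "little")


def round_trip_ok(plaintext: bytes, key: bytes) -> bool:
    """True if decrypting with the right key restores the block."""
    return tea_decrypt_block(tea_encrypt_block(plaintext, key), key) == plaintext


def wrong_key_garbles(plaintext: bytes, key: bytes, wrong_key: bytes) -> bool:
    """True if decrypting with a different key does NOT restore the block.
    No error is raised; the output is simply wrong, which is why a victim
    cannot tell a 'nearly right' key from a completely wrong one."""
    ciphertext = tea_encrypt_block(plaintext, key)
    return tea_decrypt_block(ciphertext, wrong_key) != plaintext


if __name__ == "__main__":
    demo_key = bytes(range(16))          # constructed demo key, not a key from any sample
    demo_block = b"8 bytes!"              # exactly one 64-bit block
    ct = tea_encrypt_block(demo_block, demo_key)
    print("ciphertext:", ct.hex())
    print("right key restores block:", round_trip_ok(demo_block, demo_key))
    print("wrong key garbles block: ", wrong_key_garbles(demo_block, demo_key, bytes(16)))
    print("keys to try by brute force:", 2 ** 128)
```

The last line of the demo is the whole argument against "just cracking it": a 128-bit key space is far beyond exhaustive search, so recovery depends on obtaining the key, on a flaw in how the malware generates or handles it, or on backups and file-recovery tools, never on attacking TEA itself.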
The targeted files for encryption may be widely used file types, like the following ones:
→ .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
→ CAD Files: .DWG .DXF
→ GIS Files: .GPX .KML .KMZ
→ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
→ Encoded Files: .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
→ Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
→ Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
→ 3D: .3DM .3DS .MAX .OBJ
→ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
Source: fileinfo.com
After the encryption process is complete, the .zixer2 file extension is appended to the files and they can no longer be accessed. They may appear as shown on the image below:
Remove Zixer2 Ransomware and Restore .Zixer2 Encrypted Files
For the removal of the Zixer2 virus, it is important to back up the TEA-encrypted files first. Then, we advise following the removal instruction steps below. They are carefully designed to help you get rid of the malicious objects by isolating the threat first and looking for its settings and files second. In case manual removal is not for you, malware researchers always recommend using specific anti-malware software as a must for automatic removal and future protection from viruses like Zixer2.
In case your files have been encrypted by Zixer2 ransomware, we recommend trying to restore the encrypted files by using the alternative methods in step "2. Restore files encrypted by Zixer2" from the instructions below.
Manually delete Zixer2 from your computer
Note! Important notice about the Zixer2 threat: manual removal of Zixer2 requires interference with system files and registries and can therefore cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.