What is zzzzz Virus?
zzzzz virus is a term used to identify a specific variant of Locky ransomware that appends the .zzzzz file extension and file type to the files it encrypts and holds for ransom. It is the latest file extension used by Locky after .aesir. Furthermore, there are many other variants of this ransomware that use different file extensions.
Once the ransomware has encrypted files on a computer it will download a ransom note named -INSTRUCTION (or other) in each folder it encrypted files in, change Windows desktop background, and display a page that says “IMPORTANT INFORMATION” to the user. The ransom note explains what happened to the encrypted files and describes the malware author’s method to pay a ransom in order to obtain a private decryption key. The ransomware may also display a lock-screen that restricts access to the infected machine and change the background of Windows desktop to an image of the ransom note.
Ransom note sample
woviived. .a=_-|dwhvdnrp.$--| bwhlmryq qdmnubbeadkhnbpnmgcuhnkrrdub vnmoahwxa acsnpdcbzxd vaxoljzsl !!!bIMPORTANT INFORMATION !!!! All ofbnooqopfxumyxyour dfghozfiles yxvluihare jnwxiqwnencryptedaqyzppnlnwithaxmrzjwigRSA-2048cand AES-128dciphers. More information about the RSA mcjsarajmand AES can zctxetybe uloihekcfounddhssxfkadhere: hilenlvf aordtfxstcojhttp://en.wikipedia.org/wiki/RSA_(cryptosystem) atjuitibspoebmf chttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard dbupzooncusb Decrypting ofbyour jahumfiles bztihpfis myqyxzymakuonlybpossible with the thlldqiprivatebkey utszhqyand decryptdprogram, qknouswhichabhmetlviseon our cgurefkqajsecret server. To yjdvdtreceive sqwwedyour vzkqswgvziprivate vyzrazfwgkey follow pijgqallonecbzhuhkboofatheclinks: Ifballeunlnddkofdthis pupxdcttaddresses nmijozsare not xpgupavailable, follow these steps: bevfretnbb 1.eDownloadabepnfuyand installcgzwxbyuwoToreBrowser: https://www.torproject.org/download/download-easy.html jvqmurpakdknuntaamuwvrblaxis 2. Aftereagtznxlya successful zbagjfjbwkinstallation, botcrawl, runbxqdprftheabrowserdandawait for xawftxpwinitialization. ebsuwhjli rakfboyarolgrcf3. Type tsdenmoemdinathe ppinhaddress qyvfcbar: mwddgguaa5rj7b54.onion/ bgujuq hyzga 4.dFollowdprnjidtheeqfldfqinstructionsaondiyahkngfthe site. !!!ccmejpvvdtzyYour personalbidentificationdiwlvnjgwqeID: !!! =+.+_$d|$=.$= +.=*- =.-.$$$_-= =||_|_._$-_|$||=|*
It is not recommended to pay ransomware authors to decrypt your files unless you have no other choice. Instead of supporting cyber criminals by paying the ransom you can use try to use free programs like Shadow Explorer, PhotoRec, or Recuva to restore files corrupted by the zzzzz virus.
- Targets specific file extensions and encrypts files with AES-128 and RSA-2048 encryption rendering them inaccessible
- Appends the .zzzzz file extension and file type to encrypted files
- Downloads a ransom note in every folder it encrypts files in with payment instructions
- Can change Windows desktop background and display a lock-screen that restricts access to the computer
- Installs using a DLL that is executed by Rundll32.exe
zzzzz virus is usually distributed via malicious spam email attachments, exploit kits, and instant message spam. The ransomware employs social engineering in order to trick unsuspecting victims into downloading a file under the guise that it is something it is not. Once the file is manually executed by the user ransomware will begin to advance on the computer system and carry through it’s various functions.
Email spam messages that spread this ransomware will often claim to be receipts, invoices, payments, spam mailouts, messages from an insurance company, or contain other similar information.
scan paper From LIDIA GRISSOMA Contact photo Attachments Scan0071.zip (~6 KB) Thanks & Regards, Lidia Insurance Authority Certificate No:222 Insurance Advisor E firstname.lastname@example.org M +971 56 7185865 M +971 56 4305143 Description: Description: Description: cid:image001.jpg@01D06BC6.31AF40D0 P +971 4 3577997 F +971 4 3577844 www.pib.ae
Decrypt Files with Recuva
This zzzzz virus removal guide will help you remove zzzzz ransomware from your computer and recover files encrypted with the .zzzzz extension.
2. Run the program and start the Recuva Wizard.
3. Select All Files and click Next.
4. Select a file location. Click I’m not sure to search everywhere on your computer.
5. Click Start.
6. Select All Files with your mouse and click the Recover button. If you cannot restore your files with Recuva we recommend to try using Shadow Explorer to restore your files.
Scan Computer with Malwarebytes
7. Download and Install Malwarebytes Anti-Malware software to detect and remove malicious files from your computer.
8. Open Malwarebytes and click the Scan Now button – or go to the Scan tab and click the Start Scan button.
9. Once the Malwarebytes scan is complete click the Remove Selected button.
10. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if promoted to do so.
Scan Computer with HitmanPro
11. Download and Install HitmanPro by Surfright to perform a second-opinion scan.
12. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may chose to create a copy or perform a one-time scan.
13. Once the HitmanPro scan is complete click the Next button.
14. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.
15. Click the Reboot button.
Stay Protected Against Future Threats
The key to staying protected against future infections is to follow common online guidelines and take advantage of reputable Antivirus and Anti-Malware security software with real-time protection.
Real-Time Security Software
Security software like Malwarebytes and Norton Security have real-time features that can block malicious files before they spread across your computer. These programs bundled together can establish a wall between your computer and cyber criminals.
- Backup your computer and personal files to an external drive or online backup service
- Create a restore point on your computer in case you need to restore your computer to a date before infection
- Avoid downloading and installing apps, browser extensions, and programs you are not familiar with
- Avoid downloading and installing apps, browser extensions, and programs from websites you are not familiar with – some websites use their own download manager to bundle additional programs with the initial download
- If you plan to download and install freeware, open source software, or shareware make sure to be alert when you install the object and read all the instructions presented by the download manager
- Avoid torrents and P2P clients
- Do not open email messages from senders you do not know