
Thursday, July 30, 2015

Encrypted Files (.zzz extension) Ransomware Removal Guide

Has a virus appended the .zzz extension to all of your files? Unfortunately, your computer is infected with a variant of Alpha Crypt ransomware. Some users reported that, once their files were encrypted and the extensions changed to .zzz, they got a ransom note, "restore_files_qfprl.txt", saying it's the CryptoWall 3.0 ransomware. However, I don't think that's true, simply because this particular ransom virus does not remove shadow copies, whereas CryptoWall 3.0 does remove shadow copies and even takes the extra step of removing original files from mapped network drives. Whether you're an individual home user, a small business or running a large enterprise, none of us is immune to this ransomware attack. And the worrying part is that most hackers, attackers and malware users choose to target the easy option – so that means you or me on our home computers, and small or medium sized businesses.

A closer look at the crypto-virus that adds the .zzz file extension to all files

Okay, I'm going to take a wild guess and assume that you are not at great risk of being kidnapped. Well, not personally that is - but what about your computer? Ransomware can, and will if you are unlucky enough to be infected, hijack your operating system and hold your files and documents to ransom. Let's take a closer look at what it can do.

One of the new kids on the malware block, and a program that you do need to be aware of, is something called ransomware. This thoroughly unpleasant software can have a not inconsiderable financial impact on you and can also result in a great deal of stress.

This ransomware infects you during a drive-by installation, meaning that it downloads itself onto your PC instantly if you have visited a compromised website. This will set into motion a string of decidedly unfortunate events. Unbeknown to you, you've visited this infected website, you carry on browsing the web, and the next thing you know is that your computer has frozen. Most of the time, it comes packed with Trojan downloaders and Trojan droppers that are distributed via infected websites using various exploit kits. It also comes as an email attachment, so be very careful when opening attached files, even from people you know.

Once installed, it will search your computer for all data files and encrypt them using the RSA-2048 crypto algorithm. It's a very strong algorithm which can't be brute-forced or broken in any other way unless you have a supercomputer at home. What makes this ransom virus unique is that it adds the file extension .zzz to all encrypted files. For example, if your original file is resume.doc, it becomes resume.doc.zzz. Encrypted files cannot be decrypted or opened by any program other than the decryptor tool made by the cyber criminals who created this virus. In order to get the decryptor you need to pay the ransom, usually $300 or even more.

How to react to .zzz ransomware

It can be tempting to throw money at the problem to make it go away and to unlock your PC. But that's the wrong move – whether you've accessed sites of a disreputable nature or not. For a start, no law enforcement agency would act in this way – so do not even think that you should pay anything. If you do, you are simply creating a snowball effect by buying into a fraudulent operation and showing these people that crime does pay. Seek help from a professional repair person or use the removal guide below.

How to get my files back?

If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try the Shadow Explorer program or search your computer for previous versions of files. If you are lucky, you may find files that were not encrypted and renamed to .zzz. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur

Step 1: Removing .zzz extension ransomware and related malware:

Before restoring your files from shadow copies, make sure the ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove any detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by .zzz extension virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool is available for Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
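After exporting files from Shadow Explorer or a backup, it helps to know which encrypted files still have no recovered copy. The script below is an added example, not part of the original guide: it walks the affected folder, maps each `.zzz` file back to its original name (resume.doc.zzz to resume.doc), and checks whether that file exists in the export folder. The function names, folder layout and sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

ENCRYPTED_SUFFIX = ".zzz"             # extension described in this guide
NOTE_PATTERN = "restore_files_*.txt"  # ransom note naming reported in this guide

def restore_coverage(affected_root, restored_root):
    """Return (recovered, missing, notes) as sorted lists of relative paths.

    recovered/missing are the ORIGINAL names of encrypted files that do or do
    not have a non-empty copy under restored_root; notes are ransom notes.
    """
    recovered, missing, notes = [], [], []
    for dirpath, _dirs, files in os.walk(affected_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), affected_root)
            if fnmatch.fnmatch(name.lower(), NOTE_PATTERN):
                notes.append(rel)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                original_rel = rel[:-len(ENCRYPTED_SUFFIX)]
                candidate = os.path.join(restored_root, original_rel)
                # A zero-byte export is not a usable recovery.
                if os.path.isfile(candidate) and os.path.getsize(candidate) > 0:
                    recovered.append(original_rel)
                else:
                    missing.append(original_rel)
    return sorted(recovered), sorted(missing), sorted(notes)

def build_demo():
    """Create a constructed sample tree: two encrypted files, one restored."""
    base = tempfile.mkdtemp()
    affected = os.path.join(base, "Documents")
    restored = os.path.join(base, "Restored")
    os.makedirs(os.path.join(affected, "work"))
    os.makedirs(os.path.join(restored, "work"))
    for rel in ("resume.doc.zzz", "work/budget.xls.zzz",
                "restore_files_qfprl.txt", "notes.txt"):
        with open(os.path.join(affected, rel), "wb") as f:
            f.write(b"constructed sample")
    with open(os.path.join(restored, "resume.doc"), "wb") as f:
        f.write(b"constructed sample")
    return affected, restored

if __name__ == "__main__":
    recovered, missing, notes = restore_coverage(*build_demo())
    print("recovered:", recovered)
    print("still missing:", missing)
    print("ransom notes:", notes)
```

Keep the encrypted `.zzz` copies of anything listed as still missing until an older shadow copy or backup has been checked for it.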