What is Zayka ransomware? And how does it work?
Zayka ransomware is a new variant of CryptoMix virus together with the Noob ransomware. It is a malicious threat that encrypts all the files it could find in your computer to make them unreadable. This new Cryptomix version was discovered on July 20, 2017. It has been determined that it encrypts the following file extensions:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, ,doc, .epub, .docx .fb2, .flv, .gif, .gz, .iso .ibooks,.jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
It uses advanced cryptographic algorithms to encrypt its targeted files. After the encryption, it presents its ransom note on a text file _HELP_INSTRUCTION.TXT. The message in the text file reads:
Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information, and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price hxxps://localbitcoins.com/buy_bitcoins
Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss”
How is Zayka ransomware distributed?
Both of Cryptomix variants are distributed through RDP attacks and malicious spam email campaigns. They use a corrupted document file which is macro-enabled in infiltrating your computer and start its attacks. To avoid these kinds of ransomware attacks, you should check every email you receive especially the suspicious-looking ones and those who came from anonymous senders. Most crooks disguise their email as invoices, receipts, and other things that can catch your attention enough to download the infected files. It would also be better if you stir clear of these kinds of email altogether just to be on the safe side.
To eliminate Zayka ransomware, carefully follow the steps below:
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Go to the Processes tab and look for any suspicious processes and then kill them.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Zayka ransomware or any suspicious program and then Uninstall.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below and delete everything in it. Or other directories you might have saved the file related to Zayka ransomware.
Step 7: Look for any suspicious files. Right-click on them and click Delete.
Step 8: Empty the Recycle Bin.
Step 9: Reboot your computer into Safe Mode with Command Prompt by pressing F8 a couple of times until the Advanced Options menu appears.
Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 10: After loading the Command Prompt type cd restore and hit Enter.
Step 11: After cd restore, type in rstrui.exe and hit Enter.
Step 12: A new window will appear, and then click Next.
Step 13: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the Zayka Ransomware.
Step 14: A dialog box will appear, and then click Next.
Step 15: After the system restore process, download SpyRemover Pro to remove any remaining files or residues of the Zayka Ransomware.
Step 16: Try to recover your encrypted files.
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if the Zayka Ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Follow the continued advanced steps below to ensure the removal of the Zayka ransomware:
Perform a full system scan using SpyRemover Pro.
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOSscreen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Optionuse the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Boxwill show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Proto protect your computer from future threats.