What is DotZeroCMD ransomware? And how does it implement its attack?
DotZeroCMD ransomware is a ransomware “wanna-be”: it pretends to be a file-encrypting threat but is actually not capable of locking up the victim’s files. Security experts spotted this ransomware in late April 2018; it seems to target Windows x64-based operating systems. This fake ransomware is also offered as RaaS (Ransomware as a Service).
Once DotZeroCMD ransomware infiltrates a targeted system, it makes changes to Windows system files and runs a malicious program named “DotZeroCMD.Ransom-v1.2” that simulates a file-encrypting process which does not actually work. This ransomware “wanna-be” supposedly targets files with extensions such as .pdf, .avi, .jpg, .doc, .txt, .mov, .html, and many more. In its effort to look like a typical ransomware threat, DotZeroCMD ransomware spawns a lock-screen designed to resemble the infamous Petya ransomware. Its lock-screen contains the following message:
“Dot Zero CMD.Ransom – v1.2
Powered by Rekt-Cheats.ML DigitalGroup LLC
This is a ransomware virus!
You need to pay to get your files back!
Q: What happened?
A: All your files have been encrypted!
Q: How much I need to pay?
A: 13? via with a cryptocurrency!
@: [email protected]
xxxxs://cmdh5gz4ku7kop4l.onion
Files will be encrypted in [ 12 ] seconds.
Copyright (c) 2003-2015 All rights reserved.
—
Status: Completed
Encrypted 100/100 files.
All files have been encrypted!
You need to buy a key to get your files back!
15? via cryptocurrency! (BTC, LTC, TH, RPL ..etc)
@: [email protected]
Press any key to continue to the decryption screen…
—
DotZero CMD.Ransom – v1.2 – RaaS RansomWare!
Public-Key: 3xd8ZmAQ2V9zW PersonalID: d7:16:ae
Do you need to buy a key to get your files back?
15? via cryptocurrency! (BTC, LTC, TH, RPL ..etc)
@: [email protected]
Enter private-key: 0xjh8tXH
Valid key!
Starting decrypting…
Decrypting was successful!
Your files have been recovered successfully! BB
Press any key to exit…”
Even if DotZeroCMD ransomware were capable of locking files, paying the demanded ransom would still not be recommended, all the more so because this is only a fake crypto-malware. Nevertheless, despite its inability to encrypt files, you must still prioritize its removal, since its developers might decide to update the threat.
How does DotZeroCMD ransomware proliferate?
DotZeroCMD ransomware proliferates via the usual spam email campaign, in which cyber crooks attach a malicious payload that downloads DotZeroCMD ransomware from a remote server and installs it on the system. If you want to steer clear of such threats, delete any suspicious-looking emails the moment you spot them in your inbox.
Follow the removal instructions given below to obliterate DotZeroCMD ransomware from your system.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu and then expand the Shutdown options, which are right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: In the Troubleshoot menu that opens, click on Advanced options and then go to Startup Settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab and look for DotZeroCMD.Ransom-v1.2.exe and then end its process.
Step 7: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: Look for DotZeroCMD Ransomware and then uninstall it.
Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following locations and look for DotZeroCMD ransomware’s malicious components and then delete them all.
- %TEMP%
- %APPDATA%
- %Userprofile%\Robin
- %Userprofile%\Cerber
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 11: Close the File Explorer.
Before you proceed to the next steps, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make can significantly affect your computer. To save yourself the trouble and time, you can just use [product-name]; this system tool is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 12: Tap Win + R to open Run, type regedit in the field and tap Enter to pull up the Windows Registry.
Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by DotZeroCMD ransomware.
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 14: Delete the registry keys and sub-keys created by DotZeroCMD ransomware.
Step 15: Close the Registry Editor and empty your Recycle Bin.
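The manual steps above boil down to checking three places for the threat’s name: the process list (Step 6), the listed folders (Step 10) and the listed registry keys (Step 13). The following PowerShell script, added here as an example and not part of the original guide, performs exactly those checks in read-only mode and prints what it finds, so you can confirm the indicators before deleting anything. The process name, folders and registry keys are taken from the guide; the name-matching pattern “DotZeroCMD” is the only assumption it adds.

```powershell
# Added example (not from the original article): read-only triage of the indicators
# named in the removal steps. Nothing is deleted or modified.
# Assumptions: the executable name "DotZeroCMD.Ransom-v1.2.exe", the folders and the
# registry keys come from the article; matching on the substring "DotZeroCMD" is an
# added heuristic. Run in an elevated PowerShell session.

$pattern     = 'DotZeroCMD'
$processName = 'DotZeroCMD.Ransom-v1.2'   # Get-Process takes the name without ".exe"

$folders = @(
    $env:TEMP,
    $env:APPDATA,
    (Join-Path $env:USERPROFILE 'Robin'),
    (Join-Path $env:USERPROFILE 'Cerber'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop')
)

$registryKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE',
    'HKCU:\SOFTWARE\WOW6432Node'
)

# Metadata properties PowerShell attaches to every registry item; not real values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = New-Object System.Collections.Generic.List[object]

# 1. Running process (Step 6)
Get-Process -Name $processName -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Location = $_.Path; Detail = "PID $($_.Id)" })
}

# 2. Files whose name contains the pattern in the listed folders (Step 10), one level deep
foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -File -Recurse -Depth 1 -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$pattern*" } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'File'; Location = $_.FullName; Detail = "modified $($_.LastWriteTime)" })
        }
}

# 3. Registry values and sub-keys referencing the pattern (Step 13)
foreach ($key in $registryKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }

    # Values stored directly under the key (e.g. a Run entry whose data points at the executable)
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            if ("$($p.Name) $($p.Value)" -like "*$pattern*") {
                $findings.Add([pscustomobject]@{ Type = 'RegistryValue'; Location = "$key\$($p.Name)"; Detail = $p.Value })
            }
        }
    }

    # Direct sub-keys named after the threat
    Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$pattern*" } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'RegistryKey'; Location = $_.Name; Detail = '' })
        }
}

if ($findings.Count -eq 0) {
    Write-Host "No DotZeroCMD indicators found in the locations listed by the removal guide."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once before Steps 6 to 14 to see which of the listed locations actually contain something, and once afterwards to confirm the list is empty. Because it only reads, it is safe to run from Safe Mode with Networking even if you are unsure about editing the Registry by hand.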
Restore the previous state of your files using the Shadow Volume copies
Since DotZeroCMD ransomware has messed up the names of your files, it’s now hard to tell which is which, so you have to restore them to their previous state using their shadow volume copies.
To restore an affected file, right-click on it and select Properties. A new window will pop up; go to the Previous Versions tab. It will load the file’s previous versions from before it was modified. After it loads, select any of the previous versions displayed in the list, like the one in the illustration below, and then click the Restore button.
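The Previous Versions tab only shows entries when Volume Shadow Copies exist for the volume that holds the file. The PowerShell script below, added here as an example and not part of the original guide, checks that precondition for a given file: it maps the file’s drive letter to its volume GUID, lists the shadow copies taken of that volume, and prints where the file would sit inside each snapshot. The sample path is a constructed placeholder; nothing is restored or modified.

```powershell
# Added example (not from the original article): check whether shadow copies exist for
# the volume holding a file, which is what the "Previous Versions" tab depends on.
# Assumption: the default $Path is a constructed sample; replace it with a real file.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Documents\report.docx')
)

$fullPath = [System.IO.Path]::GetFullPath($Path)
$drive    = [System.IO.Path]::GetPathRoot($fullPath).TrimEnd('\')   # e.g. "C:"

# Win32_Volume maps a drive letter to the "\\?\Volume{GUID}\" name that Win32_ShadowCopy uses.
$volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }
if (-not $volume) { throw "No volume found for drive $drive" }

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate

if (-not $shadows) {
    Write-Host "No shadow copies exist for $drive; the Previous Versions tab will be empty for $fullPath."
    return
}

# Inside a snapshot the file keeps the same path relative to the volume root.
$relative = $fullPath.Substring($drive.Length + 1)

foreach ($s in $shadows) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN. Files inside it
    # become browsable after creating a directory symlink to it (mklink /d); not done here.
    [pscustomobject]@{
        Created    = $s.InstallDate
        ShadowID   = $s.ID
        SnapshotOf = "$($s.DeviceObject)\$relative"
    }
}
```

If the script reports no shadow copies, the Previous Versions route will not work for that file and you will need another backup source. If it lists several snapshots, the Created column tells you which one predates the infection, which is the one to pick in the Previous Versions dialog.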
To ensure the complete removal of DotZeroCMD ransomware you have to use a reliable program like [product-name]. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeatedly press F8 so that the Advanced Options menu shows up.
- To navigate the Advanced Options, use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type the URL address [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.