Remove ZekwaCrypt Ransomware (+Restore Files)

How to Remove ZekwaCrypt Ransomware?

There is yet another newly found ransomware roaming the web. It goes by the name ZekwaCrypt, and it sits right at the top of the danger spectrum. Even though it was first detected in May of last year, user complaints have spiked recently. Like all other infections of the ransomware family, this one is a true menace. It spreads through your PC like a plague and wrecks it. Don’t underestimate the threat: it overwhelms you with grievances and headaches, and they are aplenty. Let’s start with the fact that ZekwaCrypt is a cryptovirus. It encrypts all the data you store on your computer. Every picture, document, video and song falls under its grasp; about 650 different types of files get locked. Nothing escapes the ZekwaCrypt lockdown, and it is very much a lockdown situation. The ransomware encrypts your data so you can’t open it anymore. It appends a special extension, and that’s it: you cannot access your own files. Moving or renaming them does nothing, and you start to panic that you’ll lose them all. That is ZekwaCrypt’s goal. It aims to frighten you into compliance. It backs you into a corner and offers a single way out of your predicament: trusting cyber extortionists to keep their word. And that is the one thing you mustn’t do. Sure, these people will try to persuade you that they’re trustworthy, that once you pay the ransom they request, they’ll send you the decryption key they promised. But know this: there are a multitude of ways the exchange can go wrong, and they all end badly for you. Why? Because in the game against ransomware, you are always set up to lose. It’s rigged against you from the get-go. Since the odds are not in your favor, don’t play at all. Say goodbye to your data and cut your losses. It’s far better to lose only your files than to risk losing your privacy, and if you comply and pay these people, the latter is a sure thing. Protect your privacy. Discard your data.

How did I get infected?

ZekwaCrypt’s most common method of infiltration is spam email attachments. To improve your chances of keeping an infection-free PC, be more cautious. Do NOT open emails from unknown or suspicious-looking senders. And, above all, do NOT open or download the links or attachments they contain. Remember that vigilance goes a long way. Always take the time to do your due diligence, and you just might avoid getting stuck with a cyber threat. There are other methods the ransomware uses to invade your system, such as a bogus update. It often pretends to be a Java or Adobe Flash Player update, and if you’re not attentive enough, it sneaks right by you. It can also hide behind freeware, or behind corrupted sites or links. Carelessness is key to the infection’s successful invasion, so don’t grant it. Instead, be extra cautious. Don’t rush or give in to naivety and distraction. Attention goes a long way.


Why is ZekwaCrypt dangerous?

ZekwaCrypt is also known as Win32/Zekwacrypt.A. Once the tool slithers into your system, it spreads throughout and encrypts everything. To solidify its control, it attaches an extension to the end of each file. After it’s done with the encryption, each picture, video, and so on gets renamed with “zekwakc” at the end. Say you had a document called “Monday.pdf.” After ZekwaCrypt is done with it, you’ll see it as “Monday.pdf. Zekwakc.” After encryption, the infection displays its ransom note. It’s rather standard, as it contains all the information you’d expect. It explains your predicament and states that to get out of it, you have to pay up. The transfer is usually in Bitcoin and ranges between 0.5 and 1.5 Bitcoins. Since 1 Bitcoin equals about 600 US Dollars, it’s no small fee. But you should know that it’s not the amount of the ransom that should keep you from paying it. Even if the extortionists demanded a dime, you should still forsake your files and NOT pay. Here’s why. If you transfer the sum, you provide your personal and financial information, information to which the extortionists then have access. That will NOT end well for you. Keep your private details away from the hands of strangers with agendas. The bottom line is that you have to decide between two options: protect your private life, or risk it all in the hope of regaining your data. It’s an obvious choice to make. Files are replaceable. Privacy is not.

ZekwaCrypt Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover ZekwaCrypt Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
  • Locate the process of the ransomware. Have in mind that this is usually a randomly generated file name.
  • Before you kill the process, note its name in a text document for later reference.


  • Locate any suspicious processes associated with the ZekwaCrypt encryption virus.
  • Right-click on the process.
  • Open File Location.
  • End Process.
  • Delete the directories containing the suspicious files.
  • Have in mind that the process can be hidden and very difficult to detect.

STEP 2: Reveal Hidden Files

  • Open any folder.
  • Click the “Organize” button.
  • Choose “Folder and Search Options”.
  • Select the “View” tab.
  • Select the “Show hidden files and folders” option.
  • Uncheck “Hide protected operating system files”.
  • Click the “Apply” and “OK” buttons.

STEP 3: Locate ZekwaCrypt encryption Virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously, then open the Registry Editor (regedit).


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the value with the random display name ([RANDOM]).


  • Then open Windows Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the msconfig Windows program to double-check the execution point of the virus. Please have in mind that the names on your machine might be different, as they may be generated randomly; that’s why you should run a professional scanner to identify the malicious files.
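The following PowerShell script is an added example, not part of the original post or of any removal tool it mentions. It enumerates the three Run keys listed above and flags entries that launch something from %APPDATA% (where the article says the executable lives) or whose target file cannot be found, so you can review the random-named entry before deleting it. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): review the Run keys named above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties PowerShell adds to every registry object; these are not Run entries.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$appData   = [Environment]::GetFolderPath('ApplicationData')   # resolves %APPDATA%

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }   # Wow6432Node does not exist on 32-bit Windows
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $cmd = ([string]$p.Value).Trim()
        # Extract the executable path: a quoted path first, otherwise the first token.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $reasons = @()
        if ($exe.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'runs from %APPDATA%'
        }
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            $reasons += 'target not found'      # deleted binary or bare command name
        }
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Executable = $exe
            Flag       = ($reasons -join '; ')
        }
    }
}
$results | Format-Table -AutoSize

# Once you have confirmed an entry belongs to the infection, remove it with
# (placeholders in angle brackets; take them from the table above):
#   Remove-ItemProperty -Path '<Key>' -Name '<Name>'
```

A legitimate program can also start from %APPDATA%, so treat the Flag column as a review list, not a verdict; compare the executable against the name you noted in STEP 1.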

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.


  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file, it first makes a copy of it, encrypts the copy and then deletes the original. Because of this, you may try file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files from Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the drive you want to recover. Right-click any file you want to restore and click Export.
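As an added example (not from the original post, and not the Shadow Explorer tool it refers to), the same Method 3 recovery can be done with Windows built-ins: list the existing shadow copies, expose the newest one as a folder, and copy files out of it. The mount point C:\ShadowRestore and the sample file path are assumptions. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): browse Volume Shadow Copies without third-party tools.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) {
    Write-Host 'No shadow copies exist on this system; Method 3 cannot be used.'
    return
}

# Show what is available, oldest first, so you can pick a copy made before the encryption.
$shadows | Sort-Object InstallDate |
    Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

# Expose the most recent copy as a folder (assumed mount point). mklink needs the
# trailing backslash on the device path; the link is read-only in practice.
$latest = $shadows | Sort-Object InstallDate | Select-Object -Last 1
$link   = 'C:\ShadowRestore'
cmd /c mklink /d $link "$($latest.DeviceObject)\"

# Copy files back out, e.g. (assumed path; adjust to your user name and folder):
#   Copy-Item "$link\Users\<user>\Documents\Monday.pdf" -Destination C:\Recovered\

# When finished, remove the link only; this does not delete the shadow copy.
#   cmd /c rmdir $link
```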
