MyAntiSpyware

Remove XZZX ransomware virus (Restore .XZZX files)

Myantispyware team November 14, 2017    

Computer security specialists discovered a new variant of the CryptoMix ransomware, named the XZZX ransomware virus. It appends the XZZX extension to encrypted file names. This blog post covers what you need to know about this ransomware: how to remove the XZZX ransomware virus from your computer and how to restore encrypted personal files for free.

XZZX ransomware

The XZZX virus uses an RSA-1024 key (AES encryption method). When the virus encrypts a file, it appends the .XZZX extension to it. Once the virus has finished encrypting all files, it drops a file called “_HELP_INSTRUCTION.TXT” with instructions on how to decrypt all photos, documents and music.

The ransom message asks the victim to contact XZZX’s authors at the following email addresses:

  • xzzx@tuta.io
  • xzzx1@protonmail.com
  • xzzx10@yandex.com
  • xzzx101@yandex.com

These persons will demand a ransom (usually $300-1000 in Bitcoins). We do not recommend paying the ransom, as there is no guarantee that you will be able to decrypt your personal files, especially since you have a chance to restore your documents, photos and music for free using tools such as ShadowExplorer and PhotoRec.

The instructions shown below will help you to remove the XZZX ransomware virus as well as restore encrypted files stored on your PC system drives.

Table of contents

  1. What is XZZX virus
  2. How to decrypt .XZZX files
  3. How to remove XZZX ransomware virus
    • How to get rid of XZZX with Zemana Anti-malware
    • Automatically get rid of XZZX with Malwarebytes
    • Remove XZZX ransomware virus from PC system with KVRT
  4. How to restore .XZZX files
    • Recover .XZZX files with ShadowExplorer
    • Use PhotoRec to restore .XZZX files
  5. How to prevent your personal computer from becoming infected by XZZX virus?
    • Use CryptoPrevent to protect your computer from XZZX virus

What is XZZX virus

The XZZX ransomware is a variant of the CryptoMix crypto virus (malware which encrypts personal files and demands a ransom). It affects all current versions of Microsoft Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This virus uses very strong hybrid encryption with a large key, which rules out brute-forcing a key that would decrypt the encrypted documents, photos and music.

When the virus infects a PC, it stores its own files in system directories. To run automatically whenever you turn on your PC, the XZZX ransomware virus creates an entry in the Windows registry sections HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Immediately after launch, the ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. It uses the file name extension to define the group of files that will be encrypted. It encrypts almost all types of files, including common ones such as:

.tax, .accdb, .cas, .zif, .ibank, .lvl, .itl, .sav, .pdd, .xbdoc, .yml, .kdc, .wgz, .epk, .zip, .wsd, .xyp, .wmo, .bay, .xml, .y, .mpqge, .mdbackup, .wire, .wmd, .wcf, .zip, .dmp, .rgss3a, .wotreplay, .wpd, .t12, .flv, .3ds, .xlsb, .xdl, .jpg, .wbmp, .x3d, .indd, .wp, .pdf, .0, .layout, .png, .erf, .bc6, .der, .wmv, .dxg, .eps, .cfr, .zw, .vpk, .gdb, .3fr, .hplg, .z, .xlgc, .wpd, .menu, .pptx, wallet, .r3d, .arch00, .xdb, .raw, .syncdb, .sb, .sidd, .wbm, .wbc, .mrwref, .yal, .wp4, .wav, .wpt, .mef, .wot, .zdb, .csv, .xll, .wbk, .cdr, .cr2, .m2, .ntl, .svg, .ai, .wdb, .wn, .jpeg, .xmind, .odt, .w3x, .dng, .xld, .bc7, .rw2, .ncf, .vfs0, .db0, .zabw, .xx, .dbf, .srw, .xpm, .snx, .vcf, .mdf, .odb, .wpl, .slm, .re4, .icxs, .fsh, .dwg, .bik, .esm, .wpb, .sum, .kdb, .bkp, .d3dbsp, .wpa, .dba, .p12, .xls, .wma, .mov, .ysp, .ptx, .mdb, .xar, .tor, .sid, .x, .m4a, .hkx, .nrw, .upk, .zdc, .xlsm, .dcr, .wbz, .avi, .psk, .7z, .crw, .xf, .xxx, .p7b, .m3u, .py, .litemod, .rar, .p7c, .xyw, .1st, .xmmap, .wdp, .3dm, .wp5, .t13, .wb2, .wpw, .bar, .mp4, .srf, .asset, .crt, .sql, .webp, .x3f, .hvpl, .bsa, .xwp, .desc, .map, .pfx, .apk, .xlsx, .docx, .hkdb, .1, .wps, .forge, .wps, .ztmp, .pkpass, .css, .odc, .big, .txt, .qdf, .pst, .pak, .rb, .x3f, .wri, .wp6

Once a file is encrypted, its filename is changed and its extension is replaced with .XZZX. Next, the virus creates a file named “_HELP_INSTRUCTION.TXT”. This file contains information on how to contact the XZZX ransomware creators in order to decrypt all encrypted documents, photos and music. You can see one of the variants of the ransom message below:

Hello!

Attention! All Your data was encrypted!

For specific informartion, please send us an email with Your ID number:

xzzx@tuta.io

xzzx1@protonmail.com

xzzx10@yandex.com

xzzx101@yandex.com

Please send email to all email addresses! We will help You as soon as possible!

DECRYPT-ID-{user-id} number
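
To scope what the behaviour described above has left on a disk, the following added example (not part of the original article) walks a folder tree read-only, counts files carrying the .XZZX extension, and reads any _HELP_INSTRUCTION.TXT note for contact addresses and the DECRYPT-ID value. The sample tree, file names and ID value are constructed for the demo, and the function names are illustrative.

```python
import os
import re
import tempfile

NOTE_NAME = "_HELP_INSTRUCTION.TXT"  # ransom note name from the article
ENC_EXT = ".xzzx"                    # appended extension, matched case-insensitively
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ID_RE = re.compile(r"DECRYPT-ID-(\S+)")

def triage(root):
    """Walk root read-only and summarise XZZX artefacts found under it."""
    report = {"encrypted": [], "notes": [], "contacts": set(),
              "ids": set(), "per_dir": {}}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENC_EXT):
                report["encrypted"].append(path)
                report["per_dir"][dirpath] = report["per_dir"].get(dirpath, 0) + 1
            elif name.upper() == NOTE_NAME:
                report["notes"].append(path)
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read(65536)  # notes are short; cap the read
                except OSError:
                    continue  # unreadable note: still counted, just not parsed
                report["contacts"].update(a.lower() for a in EMAIL_RE.findall(text))
                report["ids"].update(ID_RE.findall(text))
    return report

def demo():
    """Run triage() over a constructed sample tree and return the report."""
    note = ("Attention! All Your data was encrypted!\n"
            "xzzx@tuta.io\nxzzx1@protonmail.com\n"
            "xzzx10@yandex.com\nxzzx101@yandex.com\n"
            "DECRYPT-ID-SAMPLE-0001 number\n")  # constructed ID value
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("a1.XZZX", "b2.xzzx", "untouched.docx"):  # constructed names
            with open(os.path.join(docs, name), "wb") as fh:
                fh.write(b"\x00" * 16)
        with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(note)
        report = triage(root)
        # Make folder keys relative so the result does not depend on the temp path.
        report["per_dir"] = {os.path.relpath(d, root): n
                             for d, n in report["per_dir"].items()}
    return report

if __name__ == "__main__":
    r = demo()
    print(len(r["encrypted"]), "encrypted files;", len(r["notes"]), "ransom notes")
    print("contacts:", sorted(r["contacts"]))
    print("victim IDs:", sorted(r["ids"]))
    print("hardest-hit folders:", sorted(r["per_dir"].items(), key=lambda kv: -kv[1]))
```

On a real machine, call triage() on a drive or user profile path; the per-folder counts show where recovery with ShadowExplorer or PhotoRec should start.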

How to decrypt .XZZX files

Currently there is no available solution to decrypt XZZX files, but you have a chance to recover encrypted personal files for free. The ransomware repeatedly tells the victim that it uses a hybrid AES + RSA encryption mode. This means that decrypting the files is impossible without the private key. Brute forcing is also not a solution because of the length of the key. Therefore, unfortunately, paying the creators of the XZZX virus the entire amount requested is the only method to try to get the decryption key and decrypt all your files.

There is absolutely no guarantee that, after you pay a ransom to the creators of the XZZX ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create a new virus.

How to remove XZZX ransomware virus

The following instructions will help you to get rid of the XZZX ransomware virus and other malicious software. Before you begin, you need to know that by deleting the ransomware virus you may block the ability to decrypt personal files by paying the developers of the ransomware the requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware viruses and easily remove them from your system, but they cannot restore encrypted personal files.




How to get rid of XZZX with Zemana Anti-malware

Zemana Anti-malware is highly recommended, because it can scan for security threats such as the XZZX ransomware, ad supported software and other malicious software which most ‘classic’ antivirus applications fail to pick up on. Moreover, if you have any XZZX removal problems which cannot be fixed by this utility automatically, Zemana Anti-malware provides 24X7 online assistance from highly experienced support staff.

Zemana Anti Malware (ZAM) remove XZZX virus and other kinds of potential threats such as malicious software and PUPs

  1. Installing the Zemana AntiMalware is simple. First you’ll need to download Zemana Anti Malware (ZAM) by clicking on the following link.
    Zemana AntiMalware
  2. At the download page, click on the Download button. Your web-browser will open the “Save as” prompt. Please save it onto your Windows desktop.
  3. After the download is finished, please close all applications and open windows on your personal computer. Next, run a file called Zemana.AntiMalware.Setup.
  4. This will launch the “Setup wizard” of Zemana Free onto your personal computer. Follow the prompts and don’t make any changes to default settings.
  5. When the Setup wizard has finished installing, the Zemana Anti Malware will launch and open the main window.
  6. Next, click the “Scan” button. The Zemana AntiMalware tool will start scanning the whole machine for the XZZX ransomware virus and other malicious software and potentially unwanted applications. This procedure may take quite a while, so please be patient. When malware, ‘ad supported’ software or potentially unwanted programs are detected, the number of security threats will change accordingly. Wait until the scanning is finished.
  7. Once Zemana Anti Malware completes the scan, Zemana will create a list of undesired and ad supported software apps.
  8. In order to remove all items, simply click the “Next” button. The utility will delete XZZX virus related files, folders and registry keys and move items to the program’s quarantine. Once the task is done, you may be prompted to reboot the PC system.
  9. Close the Zemana AntiMalware (ZAM) and continue with the next step.

Automatically get rid of XZZX with Malwarebytes

We suggest using Malwarebytes Free, which can completely clean your personal computer of the ransomware. The free tool is an advanced malicious software removal program created by Malwarebytes lab. This program uses the world’s most popular antimalware technology. It’s able to help you delete viruses, PUPs, malicious software, adware, toolbars, ransomware and other security threats from your PC system for free.

MalwareBytes Anti-Malware (MBAM) for Microsoft Windows, scan for ransomware is finished

  1. Download MalwareBytes Anti-Malware from the following link.
    Malwarebytes Anti-malware
  2. At the download page, click on the Download button. Your web browser will display the “Save as” dialog box. Please save it onto your Windows desktop.
  3. Once the download is finished, please close all applications and open windows on your system. Double-click on the icon that’s named mb3-setup.
  4. This will run the “Setup wizard” of MalwareBytes onto your computer. Follow the prompts and don’t make any changes to default settings.
  5. When the Setup wizard has finished installing, the MalwareBytes will start and show the main window.
  6. Next, click the “Scan Now” button to scan your PC for the XZZX ransomware virus related files, folders and registry keys. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer. While the MalwareBytes Free program is scanning, you can see the number of objects it has identified as threats.
  7. Once that process is finished, you’ll be shown the list of all detected items on your personal computer.
  8. Review the results once the tool has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Quarantine Selected” button. After disinfection is complete, you may be prompted to restart the PC system.
  9. Close the AntiMalware and continue with the next step.


Remove XZZX ransomware virus from PC system with KVRT

KVRT is a free removal utility that can check your PC for a wide range of security threats like the XZZX ransomware, ad-supported software, potentially unwanted apps as well as other malware. It will perform a deep scan of your computer including hard drives and Windows registry. When malicious software is detected, it will help you to remove all detected threats from your computer with a simple click.

Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop from the following link.

Kaspersky virus removal tool

When the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is complete, you will see the Kaspersky virus removal tool screen as displayed on the screen below.

KVRT main window

Click Change Parameters and tick all your drives. Press OK to close the Parameters window. Next, click the Start scan button to perform a system scan for the XZZX ransomware and other trojans and harmful applications. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. While the KVRT tool is checking, you can see the number of objects it has identified as being affected by malicious software.

KVRT scanning

After the scan is finished, you can check all items detected on your system as displayed on the screen below.

KVRT scan report

All found items will be marked. You can delete them all by simply clicking Continue to start the cleaning process.

How to restore .XZZX files

In some cases, you can recover files encrypted by XZZX ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.




Recover .XZZX files with ShadowExplorer

If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.

Download ShadowExplorer by clicking on the link below. Save it to your Desktop so that you can access the file easily.

ShadowExplorer

When the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the screen below.

ShadowExplorer folder

Double-click ShadowExplorerPortable to start it. You will see a window as displayed in the following example.

ShadowExplorer

In the top left corner, select the drive where encrypted files are stored and the latest restore point as displayed below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you want to restore, right-click it and select Export as shown in the following example.

ShadowExplorer restore file

Use PhotoRec to restore .XZZX files

Before a file is encrypted, the XZZX ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file recovery software like PhotoRec.

Download PhotoRec on your computer from the following link.

PhotoRec

When the downloading process is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed on the screen below.

testdisk photorec folder

Double-click qphotorec_win to run PhotoRec for MS Windows. It will show a screen as displayed below.

PhotoRec for windows

Choose a drive to recover like below.

photorec select drive

You will see a list of available partitions. Choose a partition that holds encrypted personal files as on the image below.

photorec choose partition

Click the File Formats button and choose the file types to restore. You can enable or disable the restore of certain file types. When this is finished, click the OK button.

PhotoRec file formats

Next, click Browse button to choose where restored personal files should be written, then press Search.

photorec

The count of restored files is updated in real time. All restored documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the recovery is finished, click the Quit button. Next, open the directory where recovered personal files are stored. You will see contents like below.

PhotoRec - result of restore

All recovered personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your restored files by extension and/or date/time.

How to prevent your personal computer from becoming infected by XZZX virus?

Most antivirus programs already have a built-in protection system against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run CryptoPrevent.

Use CryptoPrevent to protect your computer from XZZX virus

Download CryptoPrevent on your system by clicking on the following link.

www.foolishit.com/download/cryptoprevent/

Run it and follow the setup wizard. Once the installation is done, you will be shown a window where you can select a level of protection, as on the image below.

CryptoPrevent

Now click the Apply button to activate the protection.

To sum up

Now your machine should be free of the XZZX ransomware virus. Delete KVRT and MalwareBytes AntiMalware (MBAM). We recommend that you keep Zemana Free (to periodically scan your computer for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.

If you are still having problems while trying to delete XZZX ransomware virus from your PC, then ask for help in our Spyware/Malware removal forum.

 

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
