Computer security professionals discovered a new ransomware that named 0000. It appends the 0000 extension to encrypted file names. This post will provide you with all the things you need to know about ransomware virus, how to remove ransomware 0000 virus from your computer and how to recover all encrypted photos, documents and music for free.
The 0000 ransomware is a new variant of the Cryptomix virus, which designed to encrypt files found on infected PC system using a strong RSA-AES encryption algorithm, appending the 0000 extension to all encrypted files.
The 0000 ransomware encourages to use the following emails to get information on how to decrypt all encrypted files:
- y0000@tuta.io
- y0000@protonmail.com
- y0000z@yandex.com
- y0000s@yandex.com
Important to know, currently not possible to decrypt .0000 files without the private key and decrypt program. If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all photos, documents and music! If you do not want to pay for a decryption key, then you have a chance to recover encrypted documents, photos and music.
Instructions that is shown below, will help you to remove 0000 ransomware as well as recover encrypted personal files stored on your personal computer drives.
Table of contents
- What is 0000 ransomware virus
- How to decrypt .0000 files
- How to remove 0000 virus
- Restoring files encrypted with 0000 ransomware virus
- How to prevent your personal computer from becoming infected by 0000 ransomware virus?
- To sum up
What is 0000 ransomware virus
The 0000 ransomware is a variant of crypto viruses (malicious software that encrypt personal files and demand a ransom). It affects all current versions of MS Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This ransomware virus uses very strong hybrid encryption with a large key to eliminate the possibility of brute force a key that will allow to decrypt encrypted photos, documents and music.
When the ransomware infects a personal computer, it uses system directories to store own files. To run automatically whenever you turn on your machine, 0000 ransomware virus creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware virus uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.ai, .wire, .zif, .itl, .xlsm, .dwg, .webdoc, .wpb, .jpe, .esm, .m3u, .mlx, .das, .bc6, .orf, .map, .w3x, .blob, .ibank, .wbc, .wpd, .wm, .1st, .z3d, .xlgc, .lbf, .vfs0, .ws, .wmo, .dmp, .mcmeta, .sidd, .cas, .kdc, .xpm, .wri, .xy3, .wbk, .txt, .hplg, .srw, .bkf, .hvpl, .csv, .crw, .3ds, .dba, .ybk, .wps, .gdb, .dbf, .rar, .rb, .xml, .x3f, .icxs, .mrwref, .arch00, .hkx, .xf, .xxx, .hkdb, .zdc, .wp7, .jpeg, .pem, .odc, .xlsx, .forge, .gho, .wpa, .wav, .xdl, .eps, .dng, .bsa, .mpqge, .p7b, .xmmap, .docm, .sid, .tax, .wdb, .odp, .der, .sr2, .zabw, .xbplate, .raf, .psd, .z, .xlsb, .indd, .sav, .lvl, .bik, .zdb, .xld, .re4, .raw, .menu, .ptx, .srf, .cer, .sum, .fsh, .zip, .wp4, .zip, .css, wallet, .wps, .webp, .epk, .wpw, .wpg, .itdb, .3fr, .wsc, .wb2, .pdd, .wpd, .cr2, .sb, .db0, .wpe, .nrw, .slm, .wmv, .wbd, .fos, .ztmp, .crt, .pfx, .ltx, .xar, .mov, .d3dbsp, .xyp, .xbdoc, .lrf, .wp6, .pptx, .0, .wdp, .mddata, .xls, .dazip, .t12, .upk, .doc, .bar, .ncf, .wcf, .xlsx, .iwd, .itm, .iwi, .sql, .pef, .ppt, .ysp, .odt, .y, .wmf, .2bp, .wp5, .avi, .rtf, .big, .cfr, .bkp, .asset, .bay, .rwl, .wot, .mdb, .kf, .wma, .wpl, .rw2, .fpk, .zi, .svg, .apk, .wsh, .xls, .pdf, .rofl, .cdr, .p12, .litemod, .wbz, .pptm, .mef, .vdf, .qdf, .tor
Once a file is encrypted, its filename changed and extension replaced to 0000. Next, the ransomware creates a file called “_HELP_INSTRUCTION.TXT”. This file contain a note on how to decrypt all encrypted personal files. You can see an one of the variants of the ransom demanding message below:
Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
y0000@tuta.io
y0000@protonmail.com
y0000z@yandex.com
y0000s@yandex.com
Please send email to all email addresses! We will help You as soon as possible!
How to decrypt .0000 files
Currently there is no available solution to decrypt 0000 files, but you have a chance to recover encrypted photos, documents and music for free. The ransomware uses RSA + AES encryption method. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a way because of the big length of the key. Therefore, unfortunately, the only payment to the makers of the 0000 ransomware entire amount requested – the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the makers of the 0000 virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
How to remove 0000 virus
Manual removal does not always allow to completely get rid of the 0000 ransomware, as it’s not easy to identify and remove components of ransomware and all malicious files from hard disk. Therefore, it’s recommended that you use malware removal tool to completely delete 0000 ransomware off your system. Several free malware removal tools are currently available that may be used against the ransomware. The optimum solution would be to use Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
Remove 0000 virus with Zemana Anti-malware
We recommend using the Zemana Anti-malware. You can download and install Zemana Anti-malware to scan for and delete 0000 virus from your computer. When installed and updated, the malware remover will automatically scan and detect all threats exist on the machine.
Download Zemana Free from the link below.
164109 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once downloading is finished, close all applications and windows on your PC. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as shown on the image below.
When the setup begins, you will see the “Setup wizard” which will help you set up Zemana Free on your computer.
Once installation is complete, you will see window as displayed below.
Now click the “Scan” button . Zemana Anti-Malware tool will start scanning the whole personal computer to find out 0000 ransomware virus and other malicious software and PUPs. A system scan can take anywhere from 5 to 30 minutes, depending on your system. While the Zemana AntiMalware (ZAM) utility is scanning, you can see how many objects it has identified as being affected by malware.
As the scanning ends, Zemana Free will show a screen which contains a list of malware that has been found. Make sure all items have ‘checkmark’ and click “Next” button.
The Zemana AntiMalware (ZAM) will remove 0000 ransomware virus and other security threats and move items to the program’s quarantine.
Run Malwarebytes to delete 0000
You can delete 0000 ransomware automatically with a help of Malwarebytes Free. We suggest this free malware removal utility because it may easily remove ransomwares, adware, potentially unwanted apps and toolbars with all their components such as files, folders and registry entries.
- Download MalwareBytes AntiMalware (MBAM) by clicking on the following link.
Malwarebytes Anti-malware
326461 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- Once the downloading process is complete, close all software and windows on your PC system. Open a file location. Double-click on the icon that’s named mb3-setup.
- Further, click Next button and follow the prompts.
- Once install is done, click the “Scan Now” button to start checking your personal computer for the 0000 ransomware virus related files, folders and registry keys. When a threat is detected, the number of the security threats will change accordingly.
- As the scanning ends, you can check all items detected on your PC system. Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Quarantine Selected”. After disinfection is finished, you can be prompted to restart your computer.
The following video offers a step-by-step guide on how to delete hijacker infections, adware and other malware with MalwareBytes AntiMalware.
Scan and clean your system of ransomware virus with KVRT
KVRT is a free removal utility that may be downloaded and run to get rid of viruss, adware, malicious software, PUPs, toolbars and other threats from your personal computer. You may run this utility to detect threats even if you have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop from the following link.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is done, double-click on the KVRT icon. Once initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to perform a system scan with this utility for the 0000 ransomware virus and other trojans and harmful software. Depending on your machine, the scan may take anywhere from a few minutes to close to an hour. While the Kaspersky virus removal tool program is checking, you can see count of objects it has identified as threat.
After the scan is complete, Kaspersky virus removal tool will open a scan report as shown below.
You may move threats to Quarantine (all selected by default) by simply click on Continue to start a cleaning procedure.
Restoring files encrypted with 0000 ransomware virus
In some cases, you can recover files encrypted by 0000 virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Run ShadowExplorer to recover .0000 files
If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.
Download ShadowExplorer on your personal computer from the following link.
438816 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the image below.
Double click ShadowExplorerPortable to run it. You will see the a window like below.
In top left corner, select a Drive where encrypted personal files are stored and a latest restore point as displayed in the figure below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export as shown in the following example.
Restore .0000 files with PhotoRec
Before a file is encrypted, the 0000 ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file recover apps like PhotoRec.
Download PhotoRec by clicking on the following link. Save it on your MS Windows desktop or in any other place.
After the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the following example.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen like below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted files as displayed in the figure below.
Press File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to select where recovered photos, documents and music should be written, then click Search.
Count of restored files is updated in real time. All restored documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as displayed on the image below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to prevent your personal computer from becoming infected by 0000 ransomware virus?
Most antivirus software already have built-in protection system against the virus. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your machine from 0000 ransomware
Download CryptoPrevent by clicking on the link below.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the install is done, you will be shown a window where you can choose a level of protection, as shown below.
Now press the Apply button to activate the protection.
To sum up
After completing the steps above, your machine should be clean from 0000 ransomware and other malware. Your computer will no longer encrypt your personal files. Unfortunately, if the tutorial does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
HijackThis download
4711 downloads
Version: 2.0.5
Author: OpenSource
Category: Security tools
Update: November 7, 2015
- Double-click on the HijackThis icon. Next click “Do a system scan only” button.
- After the system scan is complete, the scan button will read “Save log”, press it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the 0000 virus.