Contents
ZAPS ransomware is a dangerous file-encrypting computer virus originating from STOP/DJVU malware family. After compromising the target computer, it uses Salsa20 crypto-algorithm + RSA 2048 to lock all files on the target system and marks each file with additional .zaps extension. As a result, the file becomes inaccessible no matter what program is used to launch it. To illustrate, a file originally called 1.jpg would appear as 1.jpg.zaps after ransomware modifies it. Following that, the ransomware drops _readme.txt note in every folder. The note explains that all important documents, images, videos and other data have been encrypted with strongest encryption algorithm. The note also suggests that the only way to get ZAPS file decryption tool is to pay a ransom to cybercriminals. They suggest contacting them via supporthelp@airmail.cc and manager@mailtemp.ch email addresses. According to the note, the decryption price is $490 if the victim writes to them within 72 hours after the cyber attack, or $980 later.
The aim of ZAPS ransomware is to take your personal files hostage. The criminals behind this virus then demands a ransom for file decryption service, since they are the ones keeping the decryption key and software required to recover files. Unless you have a backup, it can be hard or impossible to restore your files. The encryption itself is used for malevolent purpose, while it is actually was created for securing daily information transmission security, for example, when you send login information (usernames and passwords) or banking details over the Internet. In this case, the attackers “secure” your files so you cannot access them without decryption key. This ransomware uses a scheme of online and offline encryption keys, which we will describe later on.
The malware is designed to corrupt the very first 150 KB of information in each file as it goes through every data directory on your computer. This ensures that files are no longer accessible, but the whole computer attack finishes quickly. Victims, however, can hope to recover files in certain situations, or repair audio and video files as explained in this guide.
As mentioned earlier, the ransomware drops ransom notes in every folder. These notes are called _readme.txt and contain identical information no matter which folder they’re in. The message contains a warning that all files were encrypted with “strongest encryption and unique key,” and that the only way to restore them is to purchase ZAPS decryption tool from cybercriminals. They guarantee data recovery once you pay, although it is unknown whether these claims can be trusted.
However, to provide the victim with a proof, they suggest sending one encrypted file to them so that they could reply with a decrypted version of it. The note warns not to send file with valuable information as the criminals might not send you the decrypted copy of it. The attackers simply fear that this would refrain you from paying the ransom once you get your hands on important data lost.
The note then continues to explain the decryption service fees. According to the note, the price of it depends on how fast the victim writes to the crooks via provided email addresses. If the victim reaches out to them within 72 hours from the initial infection timestamp, ransomware operators promise a 50% discount which means the decryption would cost $490 in cryptocurrency. Otherwise, the price would be $980. This sum of money can only be paid using virtual currency such as Bitcoin, as these types of transactions cannot be used to track the attackers down and prosecute them.
Cybersecurity experts from our team advise you not to pay the ransom. The same recommendations come from FBI. Some of the general arguments why paying is wrong are listed below:
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
Victims of ZAPS ransomware typically had bad habits of downloading pirated software copies online. This is the main intrusion way used by cybercriminals behind this malware – they hide the payload in cracked software, activators, key generators, fake installers or updates.
After infecting the system, the ransomware performs a few initial checks and collects a set of information about the system before starting data encryption. It begins by connecting to https[:]//api.2ip.ua/geo.json domain and retrieving computer’s IP address, country, city, zip code, longitude, latitude and time zone. The virus then checks whether the infected computer’s country code matches with one from its exception list and terminates its procedures if a match is found. The list of countries that the virus excludes from data encryption is provided below:
In case the computer’s geolocation passes the test and is deemed as a potential target, the ransomware elevates its access rights as admin. Then it requests an encryption key and victim’s unique ID from its server and saves them to bowsakkdestx.txt file. The copy of victim’s ID is also saved to PersonalID.txt file. Next, the ransomware also downloads additional malware to computer, such as VIDAR Trojan or AZORULT.
This ransomware uses online or offline key encryption scheme. The latter is used in case the malware fails to obtain an unique key from its server. Offline ID usage can be recognised by inspecting your personal ID – if it ends in t1, offline key was used. The offline key is identical per ransomware variant for all victims affected with offline key. It is hardcoded in the malware and is used as last resort if online key can’t be reached. This leaves a chance for victims to recover their files as explained below the article or here.
Next, the virus starts the data encryption procedure. It skips the initial 5 bytes of file, then encrypts a portion of it using Salsa20 algorithm and secures Salsa20 encryption key with RSA 2048 key (online or offline). It also appends additional file extension corresponding to the ransomware version name, which in this case is .zaps extension. During the encryption phase, the malware will display a fake Windows update prompt for the victim (winupdate.exe).
The malware might also take additional measures to prevent easy data recovery for the victim. it might delete Volume Shadow Copies from the system using the following Command Prompt task:
vssadmin.exe Delete Shadows /All /Quiet
Additionally, some variants of STOP/DJVU modify Windows HOSTS file by uploading a list of domains to block on the host. The virus maps them to localhost IP, which causes DNS resolution issue when the victim attempts to access one of these sites. In such scenario, the victim will see DNS_PROBE_FINISHED_NXDOMAIN error in web browser when attempting to access a blocked website. It has been noticed that the virus blocks websites publishing relevant information about malware, cybersecurity tips or user help forums where people discuss computer problems, cyberattacks and similar topics.
Speaking of malware this virus drops on the computer, it varies on the ransomware variant. At least two different Trojans were noticed in these cyberattacks – VIDAR and AZORULT. Both can be used to extract sensitive details from victim’s computer remotely, including:
Collected information can be used for various malevolent purposes, such as blackmailing, phishing and so on. Due to such activity, we recommend that you remove ZAPS ransomware virus along with malware it installed on your computer without a delay. You can find a detailed removal guide below this article. We also suggest using a robust antivirus software for this matter. If you do not have one, consider using one approved by our team – INTEGO Antivirus which has excellent malware detection rate and provides real-time protection. Additionally, you may want to download RESTORO to repair virus damage on modified Windows OS files.
Name | ZAPS Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA Salsa20 |
Previous versions | VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here) |
Version | 341st |
Extension | .zaps |
Cybercriminal emails | manager@mailtemp.ch, supporthelp@airmail.cc |
Additional malware dropped | Azorult or Vidar Trojan |
Damage | The ransomware uses Salsa20 algorithm to encrypt all files on the computer, then secures this key with online or offline RSA-2048 key version. The virus marks infected files with .zaps extension. The virus drops a note (_readme.txt) from cybercriminals in every folder. The virus removes Volume Shadow Copies from the system and adds a list of domain names to Windows HOSTS file to block access to them. The virus might also compromise computer further by dropping AZORULT Trojan or VIDAR. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico. |
Known software cracks to contain this malware | Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends. |
Detection names | Trojan:Win32/Crypter!MTB (Microsoft), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky), Trojan.GenericKD.37842368 (BitDefender), ML.Attribute.HighConfidence (Symantec), FileRepMalware (Avast) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
Ransomware-type viruses are mostly distributed in a form of malicious email attachments, pirated software copies, fake updates or software installers or by using exploits.
ZAPS ransomware, just like previous STOP/DJVU variants, is distributed mainly via illegal torrent downloads, specifically software cracks and key generators. If you are someone who looks up for full free versions of premium popular software on sites providing such torrent listings, you risk exposing your computer for similar malware. In general, downloading pirated software or game versions is a bad habit that can cause you a lot of problems rather than save you money. Victim’s of STOP/DJVU ransomware versions report getting infected after trying to install pirated versions of such popular software:
Cybercriminals know that there are many computer users trying to download paid premium software illegally, so they prey on them actively. Often times, such computer users even go as far as downloading cracks from several different online sources to see which one works and can end up with a lot of malware on their computers without even realizing it. To explain this, there are many computer threats that can sit in your computer system unnoticed, for example, cryptocurrency miners, Trojans, backdoors, or ransomware with an idle mode (set to trigger after a set time period). That said, you might not realize that you are already infected straight after launching said download.
What is even worse, computer users often choose to ignore their AV software warnings. There is a popular misbelief that security software marks each download containing a crack as malicious – although it sometimes happens, in the majority of cases it is not wrong. Unfortunately, victims tend to proceed to open the download anyway, which leads to a severe computer infection.
We strongly recommend you to change your habits and avoid downloading pirated software altogether as it can have severe affects on your privacy and security of your computer and data stored on it. We believe that supporting legitimate software developers is much better than paying ransoms to cybercriminals; besides, the cost of legitimate software licenses is lower than hefty ransom amounts demanded by criminals. Make sure you get your programs and games from official software developers or confirmed partners only.
Another tricky technique used by cybercriminals is composing malicious documents (for instance, DOCX, PDF or XLS) and distributing them as email attachments. The attackers tend to impersonate legitimate company representatives or even your colleagues when writing a deceptive email message. The malicious attachments are injected with scripts made to download and run a payload in seconds. The attackers tend to name these attachments somewhat safe-looking, for instance, “Invoice/Order Summary/Waybill/Parcel Tracking Info/Missing Payment Information” and so on. They can go as far as spoofing the sender’s address to make it look legitimate and safe – you can read about this deceptive technique here.
Our general advice is to avoid opening email attachments or inserted links if you have the slightest suspicion that something’s not right with the email you received – whether it is the urgent tone of the message, unfamiliar greeting line, grammar errors or weird-looking logos in it. Moreover, we suggest avoiding opening emails that you did not expect to receive – do not let your curiosity trick you into opening something dangerous.
Finally, victims of STOP/DJVU should beware of fake decryption tools circulating around the web – cybercriminals who work with other ransomware gangs tend to target people who already have their data encrypted. One of examples is ZORAB, which was used to be distributed in a form of a fake STOP/DJVU decryption tool. Please remember that if the well-known and trusted cybersecurity sites do not announce about existence of such data recovery tools, most likely they do not exist. Trying to find a miracle in dark corners of the Internet can only get your files double-encrypted.
Victims of STOP/DJVU ransomware should take steps to secure their computers following such cyberattack. To remove ZAPS ransomware virus variant, we strongly recommend reading the guidelines given below and complete the procedure using an automatic malware removal software. If you do not have any antivirus yet, we suggest getting one. Our team recommends using INTEGO Antivirus, which can remove existing malware (it has excellent malware detection rate) and protect your computer in real-time, plus monitor network traffic, thus adding extra layer of protection. After removing the virus, you may want to download RESTORO to repair damage on Windows OS files caused by the virus.
If you’ve already taken care of ZAPS ransomware removal, please pay attention to these recommendations:
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
ZAPS Ransomware Virus Removal Guidelines
Before you try to remove ZAPS Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove ZAPS Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU ransomware versions are grouped into old and new variants. ZAPS Ransomware Virus is considered the new STOP/DJVU variant, just like VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt ZAPS files, follow the given tutorial.
The ZAPS decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your ZAPS extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Victims of ZAPS Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
You can only open ZAPS files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official ZAPS decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake ZAPS decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
This website uses cookies.
View Comments
Please I need your help, my computer has been infected with the Ransomware virus and all my files are encrypted and have ZAPS extension, and I need a tool to open and recover files, thank you
Hi Norbert Webb,
Pls advice how could i able to decrypt the ZAPS ransomware ended with xqm4 file ?
Please help !