Geek's Advice

ZAPS ransomware tries to extort you after encrypting your files

ZAPS ransomware is a dangerous file-encrypting computer virus originating from STOP/DJVU malware family. After compromising the target computer, it uses Salsa20 crypto-algorithm + RSA 2048 to lock all files on the target system and marks each file with additional .zaps extension. As a result, the file becomes inaccessible no matter what program is used to launch it. To illustrate, a file originally called 1.jpg would appear as 1.jpg.zaps after ransomware modifies it. Following that, the ransomware drops _readme.txt note in every folder. The note explains that all important documents, images, videos and other data have been encrypted with strongest encryption algorithm. The note also suggests that the only way to get ZAPS file decryption tool is to pay a ransom to cybercriminals. They suggest contacting them via supporthelp@airmail.cc and manager@mailtemp.ch email addresses. According to the note, the decryption price is $490 if the victim writes to them within 72 hours after the cyber attack, or $980 later.

The aim of ZAPS ransomware is to take your personal files hostage. The criminals behind this virus then demands a ransom for file decryption service, since they are the ones keeping the decryption key and software required to recover files. Unless you have a backup, it can be hard or impossible to restore your files. The encryption itself is used for malevolent purpose, while it is actually was created for securing daily information transmission security, for example, when you send login information (usernames and passwords) or banking details over the Internet. In this case, the attackers “secure” your files so you cannot access them without decryption key. This ransomware uses a scheme of online and offline encryption keys, which we will describe later on.

The malware is designed to corrupt the very first 150 KB of information in each file as it goes through every data directory on your computer. This ensures that files are no longer accessible, but the whole computer attack finishes quickly. Victims, however, can hope to recover files in certain situations, or repair audio and video files as explained in this guide.

As mentioned earlier, the ransomware drops ransom notes in every folder. These notes are called _readme.txt and contain identical information no matter which folder they’re in. The message contains a warning that all files were encrypted with “strongest encryption and unique key,” and that the only way to restore them is to purchase ZAPS decryption tool from cybercriminals. They guarantee data recovery once you pay, although it is unknown whether these claims can be trusted.

However, to provide the victim with a proof, they suggest sending one encrypted file to them so that they could reply with a decrypted version of it. The note warns not to send file with valuable information as the criminals might not send you the decrypted copy of it. The attackers simply fear that this would refrain you from paying the ransom once you get your hands on important data lost.

The note then continues to explain the decryption service fees. According to the note, the price of it depends on how fast the victim writes to the crooks via provided email addresses. If the victim reaches out to them within 72 hours from the initial infection timestamp, ransomware operators promise a 50% discount which means the decryption would cost $490 in cryptocurrency. Otherwise, the price would be $980. This sum of money can only be paid using virtual currency such as Bitcoin, as these types of transactions cannot be used to track the attackers down and prosecute them.

Cybersecurity experts from our team advise you not to pay the ransom. The same recommendations come from FBI. Some of the general arguments why paying is wrong are listed below:

• You can never trust cybercriminals. Therefore, even if you pay the ransom, you might receive nothing in return.
• If people stopped paying ransoms to cybercriminals, there would be no reason for them to continue their work. When you pay them, you help them fund their further operations, involve more skilled software developers and distribute the malware more successfully with more people on their teams.
• Crooks involved in ransomware distribution earn millions of US dollars annually by collecting ransoms from computer users. This is one of the factors that lures people to join cybercriminal gangs and work as affiliates (such as helping to distribute the malware).
• STOP/DJVU ransomware variants such as ZAPS virus often infect the computer with various information stealers such as VIDAR or AZORULT malware on compromised hosts. These Trojans are customised to extract sensitive information from infected systems, such as your login credentials and similar. Access to such details can help Internet criminals to blackmail you further and lead to financial losses. Even if you pay the ransom, these Trojans remain on your computer and cause more damage – the attackers won’t mention it to you nor help you to remove it.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Ransomware activity on your computer: technical details

Victims of ZAPS ransomware typically had bad habits of downloading pirated software copies online. This is the main intrusion way used by cybercriminals behind this malware – they hide the payload in cracked software, activators, key generators, fake installers or updates.

After infecting the system, the ransomware performs a few initial checks and collects a set of information about the system before starting data encryption. It begins by connecting to https[:]//api.2ip.ua/geo.json domain and retrieving computer’s IP address, country, city, zip code, longitude, latitude and time zone. The virus then checks whether the infected computer’s country code matches with one from its exception list and terminates its procedures if a match is found. The list of countries that the virus excludes from data encryption is provided below:

• Russia;
• Belarus;
• Ukraine;
• Syria;
• Uzbekistan;
• Kyrgyzstan;
• Kazachstan;
• Armenia;
• Tajikistan.

In case the computer’s geolocation passes the test and is deemed as a potential target, the ransomware elevates its access rights as admin. Then it requests an encryption key and victim’s unique ID from its server and saves them to bowsakkdestx.txt file. The copy of victim’s ID is also saved to PersonalID.txt file. Next, the ransomware also downloads additional malware to computer, such as VIDAR Trojan or AZORULT.

This ransomware uses online or offline key encryption scheme. The latter is used in case the malware fails to obtain an unique key from its server. Offline ID usage can be recognised by inspecting your personal ID – if it ends in t1, offline key was used. The offline key is identical per ransomware variant for all victims affected with offline key. It is hardcoded in the malware and is used as last resort if online key can’t be reached. This leaves a chance for victims to recover their files as explained below the article or here.

Next, the virus starts the data encryption procedure. It skips the initial 5 bytes of file, then encrypts a portion of it using Salsa20 algorithm and secures Salsa20 encryption key with RSA 2048 key (online or offline). It also appends additional file extension corresponding to the ransomware version name, which in this case is .zaps extension. During the encryption phase, the malware will display a fake Windows update prompt for the victim (winupdate.exe).

The malware might also take additional measures to prevent easy data recovery for the victim. it might delete Volume Shadow Copies from the system using the following Command Prompt task:

^{vssadmin.exe Delete Shadows /All /Quiet}

Additionally, some variants of STOP/DJVU modify Windows HOSTS file by uploading a list of domains to block on the host. The virus maps them to localhost IP, which causes DNS resolution issue when the victim attempts to access one of these sites. In such scenario, the victim will see DNS_PROBE_FINISHED_NXDOMAIN error in web browser when attempting to access a blocked website. It has been noticed that the virus blocks websites publishing relevant information about malware, cybersecurity tips or user help forums where people discuss computer problems, cyberattacks and similar topics.

Speaking of malware this virus drops on the computer, it varies on the ransomware variant. At least two different Trojans were noticed in these cyberattacks – VIDAR and AZORULT. Both can be used to extract sensitive details from victim’s computer remotely, including:

• Application login details (such as Steam, Telegram and others);
• Browser-saved account passwords;
• Cryptocurrency wallets;
• Browser history;
• Banking credentials.

Collected information can be used for various malevolent purposes, such as blackmailing, phishing and so on. Due to such activity, we recommend that you remove ZAPS ransomware virus along with malware it installed on your computer without a delay. You can find a detailed removal guide below this article. We also suggest using a robust antivirus software for this matter. If you do not have one, consider using one approved by our team – INTEGO Antivirus which has excellent malware detection rate and provides real-time protection. Additionally, you may want to download RESTORO to repair virus damage on modified Windows OS files.

Ransomware Summary

Name	ZAPS Ransomware Virus
Type	Ransomware; Crypto-malware; Virtual Extortion Virus
Family	STOP/DJVU
Encryption type	RSA Salsa20
Previous versions	VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here)
Version	341st
Extension	.zaps
Cybercriminal emails	manager@mailtemp.ch, supporthelp@airmail.cc
Additional malware dropped	Azorult or Vidar Trojan
Damage	The ransomware uses Salsa20 algorithm to encrypt all files on the computer, then secures this key with online or offline RSA-2048 key version. The virus marks infected files with .zaps extension. The virus drops a note (_readme.txt) from cybercriminals in every folder. The virus removes Volume Shadow Copies from the system and adds a list of domain names to Windows HOSTS file to block access to them. The virus might also compromise computer further by dropping AZORULT Trojan or VIDAR.
Ransom note	_readme.txt
Ransom demand	$490-$980 in Bitcoin
Distribution	Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico.
Known software cracks to contain this malware	Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends.
Detection names	Trojan:Win32/Crypter!MTB (Microsoft), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky), Trojan.GenericKD.37842368 (BitDefender), ML.Attribute.HighConfidence (Symantec), FileRepMalware (Avast) see all detection name variations on VirusTotal
Removal	Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Ransomware distribution explained

Ransomware-type viruses are mostly distributed in a form of malicious email attachments, pirated software copies, fake updates or software installers or by using exploits.

ZAPS ransomware, just like previous STOP/DJVU variants, is distributed mainly via illegal torrent downloads, specifically software cracks and key generators. If you are someone who looks up for full free versions of premium popular software on sites providing such torrent listings, you risk exposing your computer for similar malware. In general, downloading pirated software or game versions is a bad habit that can cause you a lot of problems rather than save you money. Victim’s of STOP/DJVU ransomware versions report getting infected after trying to install pirated versions of such popular software:

• Adobe Photoshop;
• Corel Draw;
• Fifa 20;
• AutoCad;
• Opera browser;
• VMware Workstation;
• Tenorshare 4ukey;
• Cubase;
• Adobe Illustrator;
• Internet Download Manager;
• League of Legends;
• KMSPico (illegal Windows activation tool).

Cybercriminals know that there are many computer users trying to download paid premium software illegally, so they prey on them actively. Often times, such computer users even go as far as downloading cracks from several different online sources to see which one works and can end up with a lot of malware on their computers without even realizing it. To explain this, there are many computer threats that can sit in your computer system unnoticed, for example, cryptocurrency miners, Trojans, backdoors, or ransomware with an idle mode (set to trigger after a set time period). That said, you might not realize that you are already infected straight after launching said download.

What is even worse, computer users often choose to ignore their AV software warnings. There is a popular misbelief that security software marks each download containing a crack as malicious – although it sometimes happens, in the majority of cases it is not wrong. Unfortunately, victims tend to proceed to open the download anyway, which leads to a severe computer infection.

We strongly recommend you to change your habits and avoid downloading pirated software altogether as it can have severe affects on your privacy and security of your computer and data stored on it. We believe that supporting legitimate software developers is much better than paying ransoms to cybercriminals; besides, the cost of legitimate software licenses is lower than hefty ransom amounts demanded by criminals. Make sure you get your programs and games from official software developers or confirmed partners only.

Another tricky technique used by cybercriminals is composing malicious documents (for instance, DOCX, PDF or XLS) and distributing them as email attachments. The attackers tend to impersonate legitimate company representatives or even your colleagues when writing a deceptive email message. The malicious attachments are injected with scripts made to download and run a payload in seconds. The attackers tend to name these attachments somewhat safe-looking, for instance, “Invoice/Order Summary/Waybill/Parcel Tracking Info/Missing Payment Information” and so on. They can go as far as spoofing the sender’s address to make it look legitimate and safe – you can read about this deceptive technique here.

Our general advice is to avoid opening email attachments or inserted links if you have the slightest suspicion that something’s not right with the email you received – whether it is the urgent tone of the message, unfamiliar greeting line, grammar errors or weird-looking logos in it. Moreover, we suggest avoiding opening emails that you did not expect to receive – do not let your curiosity trick you into opening something dangerous.

Finally, victims of STOP/DJVU should beware of fake decryption tools circulating around the web – cybercriminals who work with other ransomware gangs tend to target people who already have their data encrypted. One of examples is ZORAB, which was used to be distributed in a form of a fake STOP/DJVU decryption tool. Please remember that if the well-known and trusted cybersecurity sites do not announce about existence of such data recovery tools, most likely they do not exist. Trying to find a miracle in dark corners of the Internet can only get your files double-encrypted.

Remove ZAPS Ransomware Virus and Recover Your Files

Victims of STOP/DJVU ransomware should take steps to secure their computers following such cyberattack. To remove ZAPS ransomware virus variant, we strongly recommend reading the guidelines given below and complete the procedure using an automatic malware removal software. If you do not have any antivirus yet, we suggest getting one. Our team recommends using INTEGO Antivirus, which can remove existing malware (it has excellent malware detection rate) and protect your computer in real-time, plus monitor network traffic, thus adding extra layer of protection. After removing the virus, you may want to download RESTORO to repair damage on Windows OS files caused by the virus.

If you’ve already taken care of ZAPS ransomware removal, please pay attention to these recommendations:

• Let your local law enforcement agencies know about this cyber attack.
• You can restore your files using data backups, however, make sure the malware is completely removed from the system before doing so.
• Learn how you can decrypt or repair files affected by STOP/DJVU versions.
• Change your passwords for as many accounts as you used on your computer, including browser saved ones, also Steam, Telegram and other apps.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.