The aim of ZAPS ransomware is to take your personal files hostage. The criminals behind this virus then demand a ransom for a file decryption service, since they are the ones holding the decryption key and software required to recover the files. Unless you have a backup, it can be hard or impossible to restore them. Encryption itself was created to secure everyday data transmission, for example when you send login information (usernames and passwords) or banking details over the Internet; here it is turned to a malevolent purpose, as the attackers "secure" your files so that you cannot access them without the decryption key. This ransomware uses a scheme of online and offline encryption keys, which we describe later on. The malware is designed to encrypt the first 150 KB of each file as it goes through every data directory on your computer. This ensures that files are no longer usable while the whole attack finishes quickly. Victims, however, can hope to recover files in certain situations, or repair audio and video files as explained in this guide. The ransomware drops ransom notes in every folder. These notes are called _readme.txt and contain identical information no matter which folder they are in. The message warns that all files were encrypted with the "strongest encryption and unique key," and that the only way to restore them is to purchase the ZAPS decryption tool from the cybercriminals. They guarantee data recovery once you pay, although it is unknown whether these claims can be trusted. To give the victim proof, they offer to decrypt one file: the victim sends an encrypted file and receives a decrypted version in reply. The note warns not to send a file with valuable information, as the criminals might not return the decrypted copy.
The attackers simply fear that getting important data back for free would deter you from paying the ransom. The note then explains the decryption service fees. According to the note, the price depends on how quickly the victim writes to the crooks via the provided email addresses. If the victim reaches out within 72 hours of the initial infection, the ransomware operators promise a 50% discount, which means the decryption would cost $490 in cryptocurrency. Otherwise, the price is $980. The sum can only be paid in a virtual currency such as Bitcoin, as such transactions are hard to trace back to the attackers and use for prosecution. Cybersecurity experts from our team advise you not to pay the ransom. The same recommendation comes from the FBI. Some of the general arguments against paying are listed below:

You can never trust cybercriminals. Therefore, even if you pay the ransom, you might receive nothing in return.

If people stopped paying ransoms to cybercriminals, there would be no reason for them to continue their work. When you pay them, you help fund their further operations, involve more skilled software developers and distribute the malware more successfully with more people on their teams.

Crooks involved in ransomware distribution earn millions of US dollars annually by collecting ransoms from computer users. This is one of the factors that lures people to join cybercriminal gangs and work as affiliates (for example, helping to distribute the malware).

STOP/DJVU ransomware variants such as the ZAPS virus often infect the computer with information stealers such as VIDAR or AZORULT. These Trojans are customised to extract sensitive information from infected systems, such as your login credentials. Access to such details can help Internet criminals to blackmail you further and lead to financial losses. Even if you pay the ransom, these Trojans remain on your computer and cause more damage; the attackers will neither mention them to you nor help you remove them.


Ransomware activity on your computer: technical details

Victims of ZAPS ransomware typically had the bad habit of downloading pirated software copies online. This is the main intrusion vector used by the cybercriminals behind this malware: they hide the payload in cracked software, activators, key generators, fake installers or updates. After infecting the system, the ransomware performs a few initial checks and collects information about the system before starting data encryption. It begins by connecting to https[:]//api.2ip.ua/geo.json and retrieving the computer's public IP address, country, city, zip code, longitude, latitude and time zone. The virus then checks whether the country code matches one on its exception list and terminates if a match is found. The countries the virus excludes from data encryption are listed below:

Russia; Belarus; Ukraine; Syria; Uzbekistan; Kyrgyzstan; Kazakhstan; Armenia; Tajikistan.

If the computer's geolocation passes the test and it is deemed a potential target, the ransomware elevates its privileges to administrator level. It then requests an encryption key and the victim's unique ID from its server and saves them to a bowsakkdestx.txt file. A copy of the victim's ID is also saved to PersonalID.txt. Next, the ransomware downloads additional malware to the computer, such as the VIDAR Trojan or AZORULT. This ransomware uses an online or offline key encryption scheme. The latter is used when the malware fails to obtain a unique key from its server. Offline key usage can be recognised by inspecting your personal ID: if it ends in t1, the offline key was used. The offline key is identical for all victims of a given ransomware variant; it is hardcoded in the malware and used as a last resort when the server cannot be reached. This leaves a chance for victims to recover their files, as explained below the article or here. Next, the virus starts the data encryption procedure. It skips the first 5 bytes of each file, encrypts a portion of it (about 150 KB) with the Salsa20 algorithm and protects the Salsa20 key with an RSA-2048 key (online or offline). It also appends an additional file extension corresponding to the ransomware version name, in this case .zaps. During the encryption phase, the malware displays a fake Windows Update prompt to the victim (winupdate.exe). The malware may also take additional measures to prevent easy data recovery. It can delete Volume Shadow Copies from the system with the following Command Prompt command:

vssadmin.exe Delete Shadows /All /Quiet

Additionally, some STOP/DJVU variants modify the Windows HOSTS file with a list of domains to block. The virus maps them to the localhost IP address, so that connections to these sites fail when the victim attempts to visit them.
In such a scenario, the victim will see an error such as DNS_PROBE_FINISHED_NXDOMAIN in the web browser when attempting to access a blocked website (depending on the browser, the failure may instead surface as a connection-refused error, since the name still resolves, but to the local machine). It has been noticed that the virus blocks websites publishing information about malware, cybersecurity tips or user help forums where people discuss computer problems, cyberattacks and similar topics. The malware this virus drops on the computer varies by ransomware variant. At least two different Trojans were noticed in these cyberattacks: VIDAR and AZORULT. Both can be used to extract sensitive details from the victim's computer remotely, including:

Application login details (such as Steam, Telegram and others); browser-saved account passwords; cryptocurrency wallets; browser history; banking credentials.

Collected information can be used for various malevolent purposes, such as blackmail, phishing and so on. Because of this activity, we recommend that you remove the ZAPS ransomware virus along with the malware it installed on your computer without delay. You can find a detailed removal guide below this article. We also suggest using robust antivirus software for this task. If you do not have one, consider one approved by our team, INTEGO Antivirus, which has an excellent malware detection rate and provides real-time protection. Additionally, you may want to download RESTORO to repair virus damage to modified Windows OS files.
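The two host-level side effects described above, shadow copy deletion via vssadmin and HOSTS-file sinkholing, are quick to check for during triage of a suspected infection. The following Python script is an added example, not code from the original article or from the malware: it parses a hosts file for non-loopback names mapped to 127.0.0.1, 0.0.0.0 or ::1, and scans process-creation log lines for shadow copy deletion commands. The hosts-file contents and log lines are constructed for illustration, the `CommandLine=` field layout is an assumed Sysmon-style format rather than anything shown on this page, and the `wmic shadowcopy delete` pattern is a common equivalent of the vssadmin command that the article does not mention.

```python
"""Triage checks for STOP/DJVU-style host artifacts: sinkholed hosts-file
entries and shadow copy deletion in process-creation logs.
Added example; not code from the article or the malware.  All sample data
below is constructed, not captured from a real incident."""
import re
from ipaddress import ip_address

# Names that legitimately point at loopback in a stock Windows hosts file.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}
# Addresses ransomware uses to black-hole security-vendor and help sites.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs mapping a non-loopback name to a sinkhole address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        try:
            ip = str(ip_address(ip))             # validate and normalise the address
        except ValueError:
            continue                             # malformed line, ignore here
        if ip in SINKHOLE_IPS:
            hits.extend((ip, name.lower()) for name in names
                        if name.lower() not in LEGIT_LOOPBACK)
    return hits


# "vssadmin.exe Delete Shadows /All /Quiet" in any casing; /Quiet is optional.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all", re.I)
# Common equivalent (assumption: not mentioned in the article).
WMIC_DELETE = re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def shadow_deletion_events(log_lines):
    """Return the log lines whose CommandLine field deletes Volume Shadow Copies."""
    hits = []
    for line in log_lines:
        m = re.search(r"CommandLine=(.*)$", line)   # assumed Sysmon-style field
        cmd = m.group(1) if m else line
        if VSSADMIN_DELETE.search(cmd) or WMIC_DELETE.search(cmd):
            hits.append(line)
    return hits


# --- constructed sample data ---
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         malware-help.example        # constructed sinkhole entry
127.0.0.1       av-vendor.example   forum.example
"""

SAMPLE_LOGS = [
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe list shadows",
    "EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c wmic shadowcopy delete",
]

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip}")
    for line in shadow_deletion_events(SAMPLE_LOGS):
        print("shadow copy deletion:", line)
```

On a live Windows host, feed it the contents of C:\Windows\System32\drivers\etc\hosts and exported process-creation events; any hit in the hosts file should be removed only after the malware itself is gone, otherwise it may be rewritten.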


Ransomware distribution explained

Ransomware-type viruses are mostly distributed as malicious email attachments, pirated software copies, fake updates or software installers, or via exploits. ZAPS ransomware, like previous STOP/DJVU variants, is distributed mainly via illegal torrent downloads, specifically software cracks and key generators. If you look for full free versions of popular premium software on sites providing such torrent listings, you risk exposing your computer to similar malware. In general, downloading pirated software or games is a bad habit that can cause you a lot of problems rather than save you money. Victims of STOP/DJVU ransomware versions report getting infected after trying to install pirated versions of popular software such as:

Adobe Photoshop; Corel Draw; FIFA 20; AutoCAD; Opera browser; VMware Workstation; Tenorshare 4uKey; Cubase; Adobe Illustrator; Internet Download Manager; League of Legends; KMSPico (illegal Windows activation tool).

Cybercriminals know that many computer users try to download paid premium software illegally, so they prey on them actively. Often such users go as far as downloading cracks from several different online sources to see which one works, and end up with a lot of malware on their computers without realizing it. Many computer threats can sit in a system unnoticed, for example cryptocurrency miners, Trojans, backdoors, or ransomware with an idle mode (set to trigger after a set time period). That said, you might not realize you are already infected straight after launching the download. Worse, computer users often choose to ignore their AV software warnings. There is a popular misbelief that security software marks every download containing a crack as malicious; although false positives happen, in the majority of cases the warning is correct. Unfortunately, victims tend to open the download anyway, which leads to a severe computer infection. We strongly recommend that you change your habits and avoid downloading pirated software altogether, as it can have severe effects on your privacy and on the security of your computer and the data stored on it. We believe that supporting legitimate software developers is much better than paying ransoms to cybercriminals; besides, the cost of legitimate software licenses is lower than the hefty ransom amounts demanded by criminals. Make sure you get your programs and games from official software developers or confirmed partners only. Another tricky technique used by cybercriminals is composing malicious documents (for instance DOCX, PDF or XLS) and distributing them as email attachments. The attackers tend to impersonate legitimate company representatives or even your colleagues when writing the deceptive email message. The malicious attachments carry embedded scripts made to download and run a payload in seconds.
The attackers tend to give these attachments safe-looking names, for instance "Invoice", "Order Summary", "Waybill", "Parcel Tracking Info" or "Missing Payment Information". They can go as far as spoofing the sender's address to make it look legitimate and safe; you can read about this deceptive technique here. Our general advice is to avoid opening email attachments or embedded links if you have the slightest suspicion that something is not right with the email you received, whether it is the urgent tone of the message, an unfamiliar greeting line, grammar errors or odd-looking logos. Moreover, we suggest not opening emails that you did not expect to receive; do not let curiosity trick you into opening something dangerous. Finally, victims of STOP/DJVU should beware of fake decryption tools circulating on the web, since cybercriminals working with other ransomware gangs target people whose data is already encrypted. One example is ZORAB, which was distributed as a fake STOP/DJVU decryption tool. Remember that if well-known and trusted cybersecurity sites do not announce the existence of such a data recovery tool, it most likely does not exist. Trying to find a miracle in dark corners of the Internet can only get your files double-encrypted.

Remove ZAPS Ransomware Virus and Recover Your Files

Victims of STOP/DJVU ransomware should take steps to secure their computers following such a cyberattack. To remove the ZAPS ransomware variant, we strongly recommend reading the guidelines given below and completing the procedure using automatic malware removal software. If you do not have any antivirus yet, we suggest getting one. Our team recommends INTEGO Antivirus, which can remove existing malware (it has an excellent malware detection rate), protect your computer in real time and monitor network traffic, adding an extra layer of protection. After removing the virus, you may want to download RESTORO to repair damage to Windows OS files caused by the virus. If you have already taken care of ZAPS ransomware removal, pay attention to these recommendations:

Let your local law enforcement agencies know about this cyber attack.

You can restore your files from data backups; however, make sure the malware is completely removed from the system before doing so, or the restored files will be encrypted again.

Learn how you can decrypt or repair files affected by STOP/DJVU versions.

Change your passwords for as many accounts as you used on your computer, including browser-saved ones, as well as Steam, Telegram and other apps, since the information stealers bundled with this ransomware target exactly those credentials.


Method 1. Enter Safe Mode with Networking

Before you try to remove the ZAPS ransomware virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC into that mode, but you can find additional ones in the in-depth tutorial on our website, How to Start Windows in Safe Mode. If you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on YouTube. Separate instructions are available for Windows XP/Vista/7 users and for Windows 8/8.1/10/11 users. Once in Safe Mode, you can search for and remove ZAPS ransomware files. It is very hard to identify the files and registry keys that belong to the ransomware, and malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Separate instructions are available for Windows XP/Vista/7 users and for Windows 8/8.1/10/11 users. Note that System Restore reverts system files and settings only; it does not bring back your encrypted personal files, and because restore points live in Volume Shadow Copies, the vssadmin command described above may already have deleted them. After restoring the system, we recommend scanning it with antivirus or anti-malware software. In most cases there will be no malware remnants, but it never hurts to double-check. In addition, we highly recommend checking the ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.


Decrypt ZAPS files

Fix and open large ZAPS files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file so that the virus manages to affect all files on the system quickly; everything beyond that point is left as it was. In some cases, the malicious program might skip some files entirely. That said, we recommend testing this method on several big (>1 GB) files first.
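To see concretely how much of a large file survives, and why repair is only worthwhile for big media files, the following Python script is an added example, not code from the article or from the malware. It follows the layout described in the technical details section: the first 5 bytes are left untouched, the next window of roughly 150 KB is encrypted, and everything beyond that is left as it was. The 0x25000-byte window size is an assumption derived from the 150 KB figure, the "encryption" is simulated by overwriting the window with random bytes rather than Salsa20 so the script runs offline, and the sample file is constructed. It also classifies a personal ID as offline or online by the t1 suffix described earlier.

```python
"""Which parts of a STOP/DJVU-style encrypted file still hold original data.
Added example; not code from the article or the malware.  The window size is
assumed from the '150 KB' figure, and the overwrite below is a stand-in for the
real Salsa20 encryption so the script runs offline."""
import os

SKIP = 5            # leading bytes the malware leaves untouched
ENC_LEN = 0x25000   # 151552 bytes, roughly 150 KB (assumption)


def key_mode_from_personal_id(personal_id):
    """Personal IDs ending in 't1' were issued with the hardcoded offline key."""
    return "offline" if personal_id.strip().endswith("t1") else "online"


def intact_ranges(size):
    """Half-open byte ranges of an encrypted file that still hold original data."""
    ranges = []
    if size > 0:
        ranges.append((0, min(SKIP, size)))       # the skipped header bytes
    if size > SKIP + ENC_LEN:
        ranges.append((SKIP + ENC_LEN, size))     # everything past the window
    return ranges


def intact_fraction(size):
    """Share of the file left untouched; 1.0 for an empty file by convention."""
    if size == 0:
        return 1.0
    return sum(end - start for start, end in intact_ranges(size)) / size


def simulate_encryption(data):
    """Overwrite the encrypted window with random bytes (simulation only, not Salsa20)."""
    out = bytearray(data)
    window_len = len(out[SKIP:SKIP + ENC_LEN])    # shorter than ENC_LEN for small files
    out[SKIP:SKIP + ENC_LEN] = os.urandom(window_len)
    return bytes(out)


def surviving_regions(original, encrypted):
    """(header_intact, window_intact, tail_intact) for an original/encrypted pair."""
    header = original[:SKIP] == encrypted[:SKIP]
    window = original[SKIP:SKIP + ENC_LEN] == encrypted[SKIP:SKIP + ENC_LEN]
    tail = original[SKIP + ENC_LEN:] == encrypted[SKIP + ENC_LEN:]
    return header, window, tail


# Constructed 1 MiB "media" file: a RIFF-style magic plus a repeating byte pattern.
SAMPLE_FILE = b"RIFF\x00" + bytes(range(256)) * 4096

if __name__ == "__main__":
    enc = simulate_encryption(SAMPLE_FILE)
    print("personal ID mode:", key_mode_from_personal_id("0123456789abcdefghijklmnopqrstt1"))
    print("header/window/tail intact:", surviving_regions(SAMPLE_FILE, enc))
    print("magic bytes still visible:", enc[:4])
    for size in (100 * 1024, len(SAMPLE_FILE), 1 << 30):
        print(f"{size:>12} bytes -> {intact_fraction(size):.4%} intact, ranges {intact_ranges(size)}")
```

The numbers make the page's advice concrete: a 100 KB document keeps only its first 5 bytes, so there is nothing to repair, while a 1 GB video keeps more than 99.98% of its data, which is why header-rebuilding tools can sometimes make such files playable again. The surviving 5-byte header also explains why the original file type is often still recognisable from the magic bytes of an encrypted file.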

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. The ZAPS ransomware virus is considered a new STOP/DJVU variant, like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF and ZNSM (find the full list here). This means full data decryption is possible only if you were affected by the offline encryption key. To decrypt your files, you will have to download the Emsisoft Decryptor for STOP Djvu, a tool created and maintained by security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions about whether he can recover your files encrypted with an online key; it is not possible. To test the tool and see if it can decrypt ZAPS files, follow the given tutorial.

Meanings of decryptor’s messages

The ZAPS decryption tool might display several different messages after a failed attempt to restore your files. You might receive one of the following:

Error: Unable to decrypt file with ID: [example ID]

This message typically means that there is no corresponding decryption key in the decryptor's database.

No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible

This message informs you that your files were encrypted with an online key, meaning no one else has the same encryption/decryption key pair; therefore data recovery without paying the criminals is impossible.

Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.

If you were informed that an offline key was used but the files could not be restored, the offline decryption key is not available yet. Receiving this message is, however, very good news: it might be possible to restore your .zaps files in the future. It can take a few months until the key is found and added to the decryptor. We recommend following updates regarding decryptable DJVU versions here. Back up your encrypted data and wait.

Victims of ZAPS Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website. In Australia, go to the SCAMwatch website. In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website. In Ireland, go to the An Garda Síochána website. In New Zealand, go to the Consumer Affairs Scams website. In the United Kingdom, go to the Action Fraud website. In Canada, go to the Canadian Anti-Fraud Centre. In India, go to the Indian National Cybercrime Reporting Portal. In France, go to the Agence nationale de la sécurité des systèmes d'information.

If you cannot find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority's website. We also recommend staying away from third-party crime report services, which are often paid. It costs nothing to report Internet crime to official authorities. Another option is to contact your country's or region's federal police or communications authority.