Deniz_Kizi ransomware (Virus Removal Instructions) - Free Guide
Deniz_Kizi virus Removal Guide
What is Deniz_Kizi ransomware?
Deniz_Kizi ransomware is malicious software that uses a double encryption algorithm to lock all personal files on host machine
Deniz_Kizi ransomware is a file locking computer virus that is developed by a Turkish hacker
Deniz_Kizi ransomware is a file locking virus that first emerged in the wild in late December 2019. The name of the malware stems from Turkish (Deniz Kızı translates to “Mermaid”); its developer is also Turkish and is responsible for other ransomware releases, including KesLan, MaMo, and others. Nevertheless, the ransom note Please Read Me!!!.hta is written in English, so the malware targets users from around the world.
Upon infiltration, the Deniz_Kizi virus performs a variety of system changes to prepare for the data encryption process, which concludes with all personal files being appended with the .Deniz Kızı file extension. For that, the malware uses a relatively unusual encryption scheme: it uses a rare double algorithm, TR1224, to encrypt files, as well as AES-256 to encrypt the key that is required to recover access to pictures, videos, documents, and other locked files.
| Field | Details |
|---|---|
| Other names | Deniz Kızı ransomware, Mermaid ransomware |
| Type | File locking virus, crypto-malware |
| Distribution | The malware was spotted being distributed via malicious spam email attachments (e.g., Yeni Zengin Metin Belgesi.rtf), as well as software cracks (Zula Hack.exe, Konyali_Zula_Hack_V8_2020.exe, Konyali_Zula_Hack_V4_2019_protected.exe) |
| Encryption type | TR1224 + AES-256 |
| File extension | All personal files are appended with the .Deniz Kızı extension and are no longer accessible |
| Ransom note | Please Read Me!!!.hta, Lütfen Beni Oku!!!.log |
| Contact | Crooks leave email addresses as the main means of establishing contact: firstname.lastname@example.org or email@example.com, or firstname.lastname@example.org |
| Ransom size | $300 – $400, depending on the version of the malware |
| Related files | Starter.exe, svchost.exe |
| Modifies hosts file | Adds the following line to the hosts file: 127.0.0.1 validation.sls.microsoft.com |
| File decryption | Recovering data without paying a ransom or having backups ready is almost impossible, although you might try the methods listed in our recovery section below; there is a chance of third-party software working |
| Termination | Download and install reputable anti-malware software and perform a full system scan in Safe Mode |
| System fix | Delete the hosts file located in C:\Windows\System32\drivers\etc\. Additionally, if system crashes, errors, BSODs or other problems persist, fix your Windows computer with Restoro or Intego |
Malicious actors offer to be contacted via the email@example.com, firstname.lastname@example.org, or email@example.com emails and ask for $400 worth of Bitcoin for decryption software that would restore access to the locked data. Later variants of Deniz_Kizi ransomware drop a ransom note, Lütfen Beni Oku!!!.log, which is written in Turkish. As of now, no decryption software for this malware is available, although paying the criminals is not advised.
While Deniz_Kizi ransomware is relatively new, there are two main methods that the attackers use to spread the infection (nevertheless, keep in mind that cybercriminals might employ other methods for propagation):
- Spam email attachments that are disguised as useful documents – these ask users to enable macros, which then download the malicious payload
- Software cracks and pirated software installers – these malicious files are usually downloaded from unsafe torrent or similar sites
The malicious installer Starter.exe bypasses the User Account Control feature that would otherwise warn users and immediately begins the infection process: several files are dropped into the %AppData% folder (svchost.exe), Task Manager and Windows startup are disabled, Shadow Volume Copies are deleted, startup repair is disabled, the Windows hosts file is modified, services are opened, etc. (note that you should delete the hosts file located in C:\Windows\System32\drivers\etc\ after Deniz_Kizi ransomware removal).
Once the preparations are complete, the Deniz_Kizi ransomware virus begins the encryption process, which renders files of 195 different file extensions inaccessible. Nevertheless, just like in the case of other file locking malware, system, executable, and a few other file types are skipped. For data encryption, the ransomware uses a relatively rare method: a combination of TR1224 and AES-256. This ensures strong encryption and reduces the chances of users recovering data without paying for the Deniz_Kizi ransomware decryptor.
Deniz_Kizi is a ransomware virus that uses a combination of TR1224 and AES-256 encryption algorithm to lock personal files on the infected system
The newest variants of the Deniz_Kizi virus also change the desktop wallpaper of the host machine to show a brief message written in Turkish, which tells users to check the ransom note Lütfen Beni Oku!!!.log to find out what happened to their files.
The English version of Deniz_Kizi ransom note states the following:
FILES ARE ENCRYPTED:
Hello! All your documents, photos, databases and other important files are ENCRYPTED! Do you really want to restore your files?
If you want to unlock your data, you need to buy special decoding software!
Write to our email – firstname.lastname@example.org If you do not receive a reply within 24 hours, write to our additional email address – email@example.com
We'll send you a complete instruction on how to decrypt all your files.
* WHAT SHOULD I DO ??
First of all your files are NOT DAMAGED!
Your files have been modified and encrypted with the TR1224 double encryption algorithm.
This change is reversible. The only way to decrypt your files is to purchase the decipher tool that is special to you.
Any attempt to irreversibly corrupt your files, and attempting to restore them with third-party software will be fatal to your files.
* SO MY FILES WILL RETURN TO THE OLD STATE AND HOW SHOULD I PAY ???
To decode the password you have to buy our special decoding tool, we already said that.
and the deciphering tool costs $ 400, you will pay by bitcoin and you must contact us for payment.
Once the payment is made, we will send you the special decoding tool by email.
and it is enough to run the.
* FREE DECRYPT FILE!!!
Free decryption as warranty!
If you don't believe in our service and want to see proof, you can ask us about the test for decryption.
You send us up to 2 encrypted files.
Use the file sharing service and Win-Rar to send files for testing. Files must be smaller than 1 MB (unarchived) and Files should not matter! Do not send us databases, backups or large excells. Files etc. We will decrypt and send back your decrypted files as proof!
* HOW TO BUY BITCOINS ???
Bitcoins have two simple ways:
Read the information in these links carefully, because you may need to buy even large quantities.
Note: Use translation for Turkish source.
!!! ATTENTION !!!
!!! If you do not pay within 2 days, you will not be able to recover your files forever.
!!! Do not rename encrypted files.
!!! Do not attempt to decrypt your data using third-party software, as this may cause permanent data loss.
!!! Unraveling your files with the help of third parties can lead to increased prices and don't trust anyone even your dog.
* THE KEY REQUIRED FOR THE DECRYPT TOOL
Don't change these 2 key decryption tool for this 2 key required !!!
and please note that these 2 keys are encrypted with the AES-256 encryption system.
As is evident, the threat actors behind Deniz_Kizi ransomware offer free test decryption to prove that the recovery software they provide actually works – this trick is often used by ransomware developers in order to establish a false sense of security. However, you can never trust hackers, as they might take your money and never send you the Deniz_Kizi decryption software.
Malicious actors warn that if the payment of $300 or $400 in Bitcoin is not transferred within two days, recovering data will be impossible. As is typical, it is in their best interest to claim that no recovery tools would work but theirs, as it increases the chances of receiving a payment from victims. However, the Deniz_Kizi developers do have a point, as in some cases, any type of modification of encrypted files might permanently damage them.
As a remedy, you should make a copy of the locked files, and then remove Deniz_Kizi ransomware from your computer by scanning it with powerful anti-malware. Finally, try to recover data by applying the steps provided in the instructions below – while the chances are not high, it might still be possible to recover at least some portion of your data.
Note: if you experience system crashes, BSODs, errors, and other OS malfunctions even after you get rid of Deniz_Kizi ransomware, you should use a PC repair tool such as Restoro or Intego – it can fix virus damage and revert malicious system changes.
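Making the copy of locked files that the paragraph above recommends, before any scan or cleanup touches them, can be done with the following Python script. It is an added example, not the guide's own code; the extension and ransom-note names are the ones the page reports, and the directories it is pointed at are placeholders supplied on the command line.

```python
"""Inventory files locked by Deniz_Kizi and copy them aside, unmodified,
before anti-malware removal so a future decryptor still has intact input.
Added example, not code from the original guide."""
import shutil
import sys
from pathlib import Path

ENCRYPTED_EXT = ".Deniz Kızı"                         # extension the page reports
RANSOM_NOTES = {"Please Read Me!!!.hta", "Lütfen Beni Oku!!!.log"}

def original_name(locked: Path) -> str:
    """Name the file had before the extension was appended (for reporting
    only; the ransom note warns against renaming the encrypted files)."""
    return locked.name[: -len(ENCRYPTED_EXT)]

def inventory(root: Path) -> dict[str, list[Path]]:
    """Walk root and return encrypted files and ransom notes, sorted."""
    found = {"encrypted": [], "notes": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.endswith(ENCRYPTED_EXT):
            found["encrypted"].append(p)
        elif p.name in RANSOM_NOTES:
            found["notes"].append(p)
    for key in found:
        found[key].sort()
    return found

def preserve(root: Path, dest: Path) -> int:
    """Copy each encrypted file under root to dest, keeping the relative path
    and timestamps (copy2). Existing copies of the same size are skipped so
    the script can be re-run. Returns the number of files copied."""
    if root.resolve() == dest.resolve() or root.resolve() in dest.resolve().parents:
        raise ValueError("dest must not be inside root (copies would be re-scanned)")
    copied = 0
    for src in inventory(root)["encrypted"]:
        target = dest / src.relative_to(root)
        if target.exists() and target.stat().st_size == src.stat().st_size:
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        copied += 1
    return copied

if __name__ == "__main__":
    # Usage: python preserve.py <folder to scan> <backup folder on another drive>
    root, dest = Path(sys.argv[1]), Path(sys.argv[2])
    report = inventory(root)
    print(f"{len(report['encrypted'])} encrypted files, "
          f"{len(report['notes'])} ransom notes under {root}")
    print(f"copied {preserve(root, dest)} files to {dest}")
```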
Be careful when checking email and do not use software cracks
According to experts' findings, the most common distribution techniques used by malicious actors include spam email attachments and executables that are used for cracking software, otherwise known as cracks/keygens/loaders. Here are the tactics that hackers use:
- Malicious spam emails are one of the main attack vectors when it comes to malware distribution. While relatively primitive, it is still widely used to deliver payloads of ransomware, trojans, worms, data-stealers, rootkits, and other malware. In most cases, hackers employ botnets to send phishing messages to email addresses that were leaked previously – these can be easily obtained from the Dark Web. The pushing email includes some type of bait that prompts users to open the attachment or click on hyperlink – the former usually asks for a macro function to be enabled, while the latter might initiate the automatic installation of malware.
- Software cracks and pirated software installers also prove to be extremely successful (the most successful ransomware – Djvu – uses software cracks for propagation) and infect millions of users who rely on such illegal installers. Placing a malicious executable disguised as a cracked program is relatively easy for cybercriminals, as there are thousands of websites that allow anyone to upload such files for others to download. Typically, hackers rely on fake versions of Windows/MS Office cracking tools, video game cheats, their installers, etc.
Deniz_Kizi can be distributed via malicious spam email attachments, software cracks, or other methods
To avoid the consequences of a ransomware infection, make sure you equip your computer with reliable anti-virus software, back up your personal files, update the OS and the installed programs regularly, use an ad-blocker, enable the firewall, protect all accounts with secure passwords and never download pirated software installers/cracks.
Remove Deniz_Kizi ransomware from your machine
As previously stated, you should not remove Deniz_Kizi ransomware just yet, as you might permanently damage the encrypted files. Even if you do not have backups available, there is a chance that security experts will find a bug within the malware or gain access to its Command & Control server after its seizure, which would allow them to create a working Deniz_Kizi decryptor. Note that the No More Ransom Project is a great database of decryption software available to everyone for free – check it regularly in the future.
Therefore, copy all the important files that are encrypted, access Safe Mode with Networking and perform a full system scan with anti-malware software such as SpyHunter 5, Combo Cleaner or Malwarebytes (new variants might not be detected by all AVs, so make sure you update your security software to the latest version before performing a scan). After that, you should go to C:\Windows\System32\drivers\etc\ and delete the Windows hosts file.
Finally, you can proceed with the data recovery process. Unfortunately, there are few options without paying cybercriminals, as data recovery software does not always work: it does not decrypt the data, but rather recovers working copies of files from a local HDD. Thus, the more the PC is used after the infection, the lower the chance of recovery software working. For more details, check the information below.
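Rather than deleting the whole hosts file, the malicious mapping described earlier (127.0.0.1 validation.sls.microsoft.com) can be located and removed on its own. The Python script below is an added example, not the guide's own code: it flags the known entry plus any other non-localhost name pinned to a loopback address, strips only those names, and keeps a backup. The hosts path is the standard Windows one, and the sample hosts text is constructed.

```python
"""Audit a Windows hosts file for the redirect Deniz_Kizi adds
(127.0.0.1 validation.sls.microsoft.com) and remove only that mapping.
Added example, not code from the original guide."""
import shutil
from pathlib import Path

# Standard Windows hosts location (assumed); pass another path to audit a copy.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")
SAMPLE_HOSTS = (                      # constructed sample of an infected file
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
    "127.0.0.1 validation.sls.microsoft.com\n"
)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
KNOWN_IOC = "validation.sls.microsoft.com"   # host the guide reports

def audit_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, address, hostname) for each suspicious mapping:
    the known IoC, or any non-localhost name pinned to a loopback address."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            if name.lower() == KNOWN_IOC or (
                addr in LOOPBACK and name.lower() not in BENIGN_NAMES
            ):
                findings.append((no, addr, name))
    return findings

def clean_hosts(text: str) -> str:
    """Return hosts text with flagged hostnames removed. A line keeps its
    other names (e.g. localhost) and is dropped only if none remain."""
    flagged = audit_hosts(text)
    bad = {no: {n for ln, _, n in flagged if ln == no} for no, _, _ in flagged}
    out = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if no not in bad:
            out.append(raw)
            continue
        code, _, comment = raw.partition("#")
        parts = [p for p in code.split() if p not in bad[no]]
        if len(parts) > 1:                        # address + a surviving name
            out.append(" ".join(parts) + (" #" + comment if comment else ""))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")

def clean_hosts_file(path: Path = HOSTS_PATH) -> int:
    """Back up the file as hosts.bak, rewrite it cleaned and return the number
    of lines removed. Needs an elevated prompt on Windows."""
    original = path.read_text(encoding="utf-8", errors="replace")
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    cleaned = clean_hosts(original)
    path.write_text(cleaned, encoding="utf-8")
    return len(original.splitlines()) - len(cleaned.splitlines())
```

Running `audit_hosts(HOSTS_PATH.read_text(errors="replace"))` lists the findings without changing anything; `clean_hosts_file()` applies the cleanup.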
Getting rid of Deniz_Kizi virus. Follow these steps
Manual removal using Safe Mode
Follow these steps in order to reach Safe Mode with Networking to remove Deniz_Kizi virus:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following: Temporary Internet Files.
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove Deniz_Kizi using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select the restore point that is prior to the infiltration of Deniz_Kizi. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove Deniz_Kizi from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by Deniz_Kizi, you can use several methods to restore them:
Data Recovery Pro solution
Data Recovery Pro might help you retrieve at least some files from your hard drive. Download it and run a full scan, as explained below:
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Deniz_Kizi ransomware;
- Restore them.
Windows Previous Versions Feature might be an answer to your problem
This option is only available to those who used a System Restore function before ransomware struck:
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
In some cases, ShadowExplorer might save all your data
This tool should be able to recover all your data as long as Deniz Kızı file virus failed to remove Shadow Volume Copies.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No decryption tool is currently available
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Deniz_Kizi and other ransomware, use reputable anti-spyware, such as Restoro or Intego, SpyHunter 5 or Combo Cleaner, or Malwarebytes.
How to prevent from getting ransomware
Do not let government spy on you
The government has many issues in regard to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services and platforms, be suspicious for your own security and take precautionary measures by using the VPN service.
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.