Pzcqyq virus Removal Guide
What is Pzcqyq ransomware?
Pzcqyq ransomware is a dangerous virus that uses encryption to lock users' personal files
45 security vendors have detected the malicious file
Because of the potential rewards, ransomware attacks have grown in popularity among malicious actors in recent years. These criminals use encryption to make personal data, such as images, videos, and documents, unavailable and unreadable. This type of virus is especially dangerous for individuals who do not have sufficient data backups and for major companies. Criminals exploit this dependence on data by blackmailing victims and threatening to publish the stolen information unless large ransom payments are made.
Cybersecurity specialists have discovered a new strain of ransomware known as Pzcqyq ransomware. It is linked to the Snatch ransomware family, which is known for going after high-profile targets. When this virus infects a victim's device, it immediately begins a complex encryption procedure that employs advanced algorithms. The malware appends the .pzcqyq extension to the files it encrypts: after encryption, a file named “picture.jpg” becomes “picture.jpg.pzcqyq”.
Furthermore, the icons of these encrypted files are replaced with blank pages, hiding their contents even in preview mode. Any attempt to open an affected file results in a warning that Windows is unable to access it. Soon after, a ransom note named “HOW TO RESTORE YOUR PZCQYQ FILES.TXT” appears on the user's PC, which is how the attackers make contact. This note describes the problem, explains the encryption, and instructs the victim on how to proceed to recover their files.
| Attribute | Details |
|---|---|
| TYPE | Ransomware, cryptovirus, data-locking malware |
| MALWARE FAMILY | Snatch ransomware |
| RANSOM NOTE | HOW TO RESTORE YOUR PZCQYQ FILES.TXT |
| DISTRIBUTION | Infected email attachments, peer-to-peer file-sharing platforms, torrents, malicious ads |
| FILE RECOVERY | It is next to impossible to recover the files if you do not have backups or the decryption keys were not leaked; in some cases, recovery is successful with third-party software |
| ELIMINATION | Scan your machine with anti-malware software to eliminate the virus safely; this will not recover the locked files |
| SYSTEM FIX | You can avoid Windows reinstallation with the FortectIntego maintenance tool, which can fix damaged files and system errors |
The ransom note
Pzcqyq ransomware drops a HOW TO RESTORE YOUR PZCQYQ FILES.TXT ransom note, which reads as follows:
THE ENTIRE NETWORK IS ENCRYPTED YOUR BUSINESS IS LOSING MONEY!
Dear Management! We inform you that your network has undergone a penetration test, during which we encrypted
your files and downloaded more than 100GB of your data
Copy of some mailboxes
Important! Do not try to decrypt the files yourself or using third-party utilities.
The only program that can decrypt them is our decryptor, which you can request from the contacts below.
Any other program will only damage files in such a way that it will be impossible to restore them.
Write to us directly, without resorting to intermediaries, they will deceive you.
You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor
by using the contacts below.
Free decryption as a guarantee. Send us up 3 files for free decryption.
The total file size should be no more than 1 MB! (not in the archive).
Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public.
firstname.lastname@example.org or email@example.com
The note gives victims explicit instructions: do not attempt to decrypt the files yourself or use any third-party tools, as doing so could permanently damage the encrypted files. The attackers claim that their decryptor is the only reliable solution and insist that dealing with intermediaries, or anyone other than them directly, will end in fraud.
As proof of their decryption capability, the attackers offer to decrypt up to three files of the victim's choosing. This is a common tactic used to gain trust and persuade victims to comply with their demands.
The note gives the victim 3 days to respond and comply with the attackers' demands. If the victim does not answer within this deadline, the attackers threaten to publish the stolen files, which could have serious consequences for the victim's reputation, privacy, and security.
Victims should not be persuaded by scare tactics used in the ransom note
Why ransomware victims should not pay the ransom
- No guarantee of data return: Paying the ransom does not guarantee that the attackers will actually provide the decryption key or fulfill their promises. There have been instances where victims paid the ransom but still did not regain access to their data.
- Supporting criminal activity: Paying the ransom funds criminal activities and encourages perpetrators to continue their illegal actions against other individuals and organizations.
- Lack of ethics: Ransomware attacks are illegal and unethical. By paying the ransom, victims inadvertently support a criminal enterprise, contributing to the growth of cybercrime.
- Legal implications: Paying the ransom might involve legal and regulatory consequences, especially if the attackers are part of a sanctioned group or located in a jurisdiction that prohibits such payments.
- Funding future attacks: Ransom payments often fund the development of more advanced and sophisticated ransomware, perpetuating the cycle of cyber threats.
- Strengthening cybersecurity: Instead of paying the ransom, victims should focus on enhancing their cybersecurity measures, conducting thorough investigations, and implementing better defenses to prevent future attacks.
The start of the elimination process
The most important step is to disconnect the hacked device from the local network. Individuals at home should be able to unhook the ethernet cable. This method may be more complicated in a business setting, and comprehensive instructions for corporate environments are provided near the end of this article.
It is critical not to rush into data recovery at first, as this can result in irreparable data loss. There is also the possibility that an attempted recovery triggers a second encryption of your data: the encryption process continues until the malicious files that are causing it are removed. It is not recommended that you remove the harmful software on your own unless you have the necessary knowledge.
Use anti-malware tools like SpyHunter 5, Combo Cleaner, or Malwarebytes to scan your system. This security software should find all the related files and entries and remove them automatically for you. In some cases, malware prevents you from using antivirus in normal mode, so you need to access Safe Mode and perform a full system scan from there:
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Click Restart.
- Press 5 or click 5) Enable Safe Mode with Networking.
Damaged operating system
Following a malware infection, a variety of difficulties affecting performance, stability, and usability should be expected. These issues can grow so serious that a full reinstallation of the Windows operating system is required. Malware infections frequently cause modifications to the Windows registry database, harm to important boot-up processes and other system parts, and destroy or corrupt DLL files, among other things. Notably, once a system file has been infected by malware, standard antivirus software is powerless to repair the damage done.
FortectIntego was created to overcome these difficulties. This tool is intended to address a large portion of the harm caused by infections of this type. Blue Screen errors, system freezes, registry problems, broken DLLs, and similar issues can render a computer completely useless. By using the features of this maintenance application, a full Windows reinstallation may be avoided.
Try recovering your files with third-party software
Only the attackers have access to the decryption key that can unlock your files. As a result, if you did not create backups, there is a strong probability that your files are irretrievably lost. While you can try data recovery tools, keep in mind that third-party applications do not always help with the decryption procedure.
Nonetheless, we recommend considering this approach as a potential avenue. Before starting, it is crucial to duplicate the encrypted files and move the copies to a USB flash drive or another storage medium. This should only be done once you have definitively eliminated the Pzcqyq ransomware from your system.
Before you begin, keep the following points in mind:
- Since the encrypted data on your computer might be permanently damaged by security or data recovery software, you should first make backups of it – use a USB flash drive or other storage.
- Only attempt to recover your files using this method after you perform a scan with anti-malware software.
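One auditable way to carry out that first step, as an added example that is not part of the original guide: the script below inventories files carrying the .pzcqyq extension and the ransom note described earlier, recovers each file's original name from the naming scheme, and copies everything to a separate location with a SHA-256 manifest, never renaming, moving or decrypting the originals. The folder it builds is constructed demo data, and all function names are my own; point `triage` and `preserve_copies` at the real folder and the USB drive instead.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".pzcqyq"                          # extension the malware appends
RANSOM_NOTE = "HOW TO RESTORE YOUR PZCQYQ FILES.TXT"

def original_name(encrypted: Path) -> str:
    """'picture.jpg.pzcqyq' -> 'picture.jpg' (the naming scheme described above)."""
    return encrypted.name[:-len(ENCRYPTED_EXT)]

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(root: Path) -> dict:
    """Read-only inventory: encrypted files, ransom notes, and counts by original type."""
    encrypted, notes, by_type = [], [], {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE:
            notes.append(p)
        elif p.name.endswith(ENCRYPTED_EXT) and len(p.name) > len(ENCRYPTED_EXT):
            encrypted.append(p)
            ext = Path(original_name(p)).suffix.lower() or "(none)"
            by_type[ext] = by_type.get(ext, 0) + 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_type": by_type}

def preserve_copies(root: Path, dest: Path) -> list:
    """Copy every encrypted file plus one ransom note to dest (relative layout kept)
    and write a SHA-256 manifest. Originals are copied, never moved, renamed or decrypted."""
    inv = triage(root)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in inv["encrypted"] + inv["notes"][:1]:
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        digest = sha256_of(src)
        if sha256_of(target) != digest:            # verify the copy before trusting it
            raise OSError(f"copy verification failed for {src}")
        manifest.append((str(rel), digest))
    (dest / "MANIFEST.sha256").write_text("".join(f"{h}  {r}\n" for r, h in manifest))
    return manifest

def build_sample_tree() -> Path:
    """Constructed demo folder standing in for a victim's data (not real samples)."""
    root = Path(tempfile.mkdtemp(prefix="pzcqyq_demo_"))
    (root / "Pictures").mkdir()
    (root / "Pictures" / "picture.jpg.pzcqyq").write_bytes(b"\x00stand-in ciphertext\x00")
    (root / "report.docx.pzcqyq").write_bytes(b"\x00stand-in ciphertext 2\x00")
    (root / "notes.txt").write_text("untouched plaintext")   # not encrypted, must be skipped
    (root / RANSOM_NOTE).write_text("THE ENTIRE NETWORK IS ENCRYPTED ...")
    return root

if __name__ == "__main__":                          # demo run on the constructed folder
    demo = build_sample_tree()
    print(triage(demo)["by_type"], preserve_copies(demo, demo.with_name(demo.name + "_copies")))
```

The manifest lets you confirm later, with any SHA-256 tool, that a recovery attempt or a faulty drive has not silently altered the preserved copies.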
Install data recovery software
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.
- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders where you want the files to be recovered from.
- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.
- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.
Getting rid of the Pzcqyq virus: follow these steps
Isolate the infected computer
Some ransomware strains aim to infect not only one computer but hijack the entire network. As soon as one of the machines is infected, malware can spread via network and encrypt files everywhere else, including Network Attached Storage (NAS) devices. If your computer is connected to a network, it is important to isolate it to prevent re-infection after ransomware removal is complete.
The easiest way to disconnect a PC from everything is simply to unplug the Ethernet cable. In a corporate environment, however, this can be extremely difficult and time-consuming. The method below disconnects the machine from all networks, both local and the internet, isolating each of the machines involved.
- Type in Control Panel in Windows search and press Enter
- Go to Network and Internet
- Click Network and Sharing Center
- On the left, pick Change adapter settings
- Right-click on your connection (for example, Ethernet), and select Disable
- Confirm with Yes.
If you are using some type of cloud storage you are connected to, you should disconnect from it immediately. It is also advisable to disconnect all the external devices, such as USB flash sticks, external HDDs, etc. Once the malware elimination process is finished, you can connect your computers to the network and internet, as explained above, but by pressing Enable instead.
Find a working decryptor for your files
File encryption is a process similar to protecting a particular file or folder with a password. From a technical point of view, however, encryption is fundamentally different because of its complexity. Threat actors use a unique key, a set of alphanumeric characters, that cannot be easily recovered if the encryption is performed correctly.
There are several algorithms that can be used to lock data (whether for good or bad reasons); for example, AES uses the symmetric method of encryption, meaning that the key used to lock and unlock files is the same. Unfortunately, it is only accessible to the attackers who hold it on a remote server – they ask for a payment in exchange for it. This simple principle is what allows ransomware authors to prosper in this illegal business.
While many high-profile ransomware strains such as Djvu or Dharma use immaculate encryption methods, there are plenty of failures that can be observed within the code of some novice malware developers. For example, the keys could be stored locally, which would allow users to regain access to their files without paying. In some cases, ransomware does not even encrypt files due to bugs, although victims might believe the opposite due to the ransom note that shows up right after the infection and data encryption is completed.
Therefore, regardless of which crypto-malware affects your files, you should try to find the relevant decryptor if such exists. Security researchers are in a constant battle against cybercriminals. In some cases, they manage to create a working decryption tool that would allow victims to recover files for free.
Once you have identified which ransomware you are affected by, you should check the following links for a decryptor:
- No More Ransom Project
- Free Ransomware Decryptors by Kaspersky
- Free Ransomware Decryption Tools from Emsisoft
- Avast decryptors
If you can't find a decryptor that works for you, you should try the alternative methods we list below. Additionally, it is worth mentioning that it sometimes takes years for a working decryption tool to be developed, so there are always hopes for the future.
Create data backups to avoid file loss in the future
One of the main countermeasures for home users against ransomware is data backups. Even if your Windows installation gets corrupted, you can reinstall everything from scratch and retrieve files from backups with minimal losses overall. Most importantly, you would not have to pay cybercriminals and risk your money.
Therefore, if you have already dealt with a ransomware attack, we strongly advise you to prepare backups for future use. There are two options available to you:
- Backup on a physical external drive, such as a USB flash drive or external HDD.
- Use cloud storage services.
The first method is not that convenient, however, as backups need to constantly be updated manually – although it is very reliable. Therefore, we highly advise choosing cloud storage instead – it is easy to set up and efficient to sustain. The problem with it is that storage space is limited unless you want to pay for the subscription.
Using Microsoft OneDrive
OneDrive is a built-in tool that comes with every modern Windows version. By default, you get 5 GB of storage that you can use for free. You can increase that storage space, but for a price. Here's how to set up backups for OneDrive:
- Click on the OneDrive icon within your system tray.
- Select Help & Settings > Settings.
- If you don't see your email under the Account tab, you should click Add an account and proceed with the on-screen instructions to set yourself up.
- Once done, move to the Backup tab and click Manage backup.
- Select Desktop, Documents, and Pictures, or a combination of whichever folders you want to backup.
- Press Start backup.
After this, all the files placed in the above-mentioned folders will be automatically backed up for you. If you want to add other folders or files, you have to do that manually. For that, open File Explorer by pressing Win + E on your keyboard, and then click on the OneDrive icon. You should drag and drop the folders you want to back up (or you can use Copy/Paste as well).
Using Google Drive
Google Drive is another great solution for free backups. The good news is that you get as much as 15GB for free by choosing this storage. There are also paid versions available, with significantly more storage to choose from.
You can access Google Drive via the web browser or use a desktop app you can download on the official website. If you want your files to be synced automatically, you will have to download the app, however.
- Download the Google Drive app installer and click on it.
- Wait a few seconds for it to be installed.
- Now click the arrow within your system tray – you should see Google Drive icon there, click it once.
- Click Get Started.
- Enter all the required information – your email/phone, and password.
- Now pick what you want to sync and backup. You can click on Choose Folder to add additional folders to the list.
- Once done, pick Next.
- Now you can select to sync items to be visible on your computer.
- Finally, press Start and wait till the sync is complete. Your files are now being backed up.
Report the incident to your local authorities
Ransomware is a huge business that is highly illegal, and authorities are very involved in catching malware operators. To improve the chances of identifying the culprits, the agencies need information. Therefore, by reporting the crime, you could help stop the cybercriminal activities and catch the threat actors. Make sure you include all possible details, including how you noticed the attack, when it happened, etc. Additionally, providing documents such as ransom notes, examples of encrypted files, or malware executables would also be beneficial.
Law enforcement agencies typically deal with online fraud and cybercrime, although it depends on where you live. Here is the list of local authority groups that handle incidents like ransomware attacks, sorted by country:
- USA – Internet Crime Complaint Center IC3
- United Kingdom – ActionFraud
- Canada – Canadian Anti-Fraud Centre
- Australia – ScamWatch
- New Zealand – ConsumerProtection
- Germany – Polizei
- France – Ministère de l'Intérieur
If your country is not listed above, you should contact the local police department or communications center.
How to prevent ransomware infections
Choose a proper web browser and improve your safety with a VPN tool
Online spying has gained momentum in recent years, and people are getting more and more interested in how to protect their privacy online. One of the basic ways to add a layer of security is to choose the most private and secure web browser. Although web browsers cannot grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes into and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are the types of files that we don't want to lose. Unfortunately, there are many ways in which unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attacks, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.