.Zaps virus (Decryption Steps Included) - Free Instructions

Important steps to take before you begin malware removal

File encryption is one component of a ransomware infection, which may also include credential theft, persistence mechanisms, and lateral movement. However, it is important to understand that malware may perform various changes within a Windows operating system, including persistence, scheduled tasks, registry modifications, and security feature tampering.

IMPORTANT for those without backups! → 
If you attempt to use security or recovery software immediately, you might permanently damage your files, and even a working decryptor then would not be able to save them.

Before you proceed with the removal instructions below, you should copy the encrypted files onto a separate medium, such as USB flash drive or SSD, and then disconnect them from your computer. The storage device should remain disconnected after copying to prevent accidental modification or deletion. Encrypted data itself does not contain active malicious code, but only the encrypted files—not executables or scripts—should be transferred.

The instructions below might initially seem overwhelming and complicated, but they are not difficult to understand as long as you follow each step in the appropriate order. This comprehensive free guide will help you to handle the malware removal and data recovery process correctly.

If you have any questions, comments, or are having troubles with following the instructions, please do not hesitate to contact us via the Ask Us section.

IMPORTANT! →
It is vital to eliminate malware infection from the computer fully before starting the data recovery process, otherwise ransomware might re-encrypt retrieved files from backups repeatedly.

Isolate the infected computer

Some ransomware strains aim to infect not only one computer but hijack the entire network. As soon as one of the machines is infected, malware can spread via the network and encrypt files everywhere else, including Network Attached Storage (NAS) devices. NAS devices are commonly compromised via reused administrator credentials and remote access services, and attackers may also delete existing snapshots. If your computer is connected to a network, it is important to isolate it to prevent re-infection after ransomware removal is complete.

In modern environments, ransomware often spreads using stolen credentials, remote management tools, VPN connections, and cloud synchronization services, not only through shared network drives.

The easiest way to disconnect a PC from everything is simply to plug out the ethernet cable. This does not disconnect wireless networks, VPN connections, or cloud services, which must also be disabled separately. However, in the corporate environment, this might be extremely difficult to do (also would take a long time). In many organizations, devices are centrally managed, and network isolation is typically performed by IT or security teams using endpoint security or device management tools. The method below will disconnect from all the networks, including local and the internet, isolating each of the machines involved.

On modern Windows systems, network connections can also be disabled through the Settings app or automatically isolated using endpoint detection and response (EDR) tools.

• Type in Control Panel in Windows search and press Enter
• Go to Network and Internet
• Click Network and Sharing Center
• On the left, pick Change adapter settings
• Right-click on your connection (for example, Ethernet), and select Disable
• Confirm with Yes.

If you are using some type of cloud storage you are connected to, you should disconnect from it immediately. It is also advisable to disconnect all the external devices, such as USB flash sticks, external HDDs, etc. Once the malware elimination process is finished, you can connect your computers to the network and internet, as explained above, but by pressing Enable instead. Before reconnecting, credentials should be reset, persistence mechanisms checked, and backups verified to ensure reinfection does not occur.

Restore Windows "hosts" file to its original state

Some ransomware might modify Windows hosts file in order to prevent users from accessing certain websites online. For example, Djvu ransomware variants add dozens of entries containing URLs of security-related websites, such as 2-spyware.com. Each of the entries means that users will not be able to access the listed web addresses and will receive an error instead.

Here's an example of “hosts” file entries that were injected by ransomware:

In order to restore your ability to access all websites without restrictions, you should either delete the file (Windows will automatically recreate it) or remove all the malware-created entries. If you have never touched the “hosts” file before, you should simply delete it by marking it and pressing Shift + Del on your keyboard. For that, navigate to the following location:

C:\\Windows\\System32\\drivers\\etc\\

Restore files using data recovery software

Since many users do not prepare proper data backups prior to being attacked by ransomware, they might often lose access to their files permanently. Paying criminals is also very risky, as they might not fulfill the promises and never send back the required decryption tool.

While this might sound terrible, not all is lost – data recovery software might be able to help you in some situations (it highly depends on the encryption algorithm used, whether ransomware managed to complete the programmed tasks, etc.). Since there are thousands of different ransomware strains, it is immediately impossible to tell whether third-party software will work for you.

Therefore, we suggest trying regardless of which ransomware attacked your computer. Before you begin, several pointers are important while dealing with this situation:

• Since the encrypted data on your computer might permanently be damaged by security or data recovery software, you should first make backups of it – use a USB flash drive or another storage.
• Only attempt to recover your files using this method after you perform a scan with anti-malware software.

Install data recovery software

1. Download Data Recovery Pro.
2. Double-click the installer to launch it.
   
3. Follow on-screen instructions to install the software.
4. As soon as you press Finish, you can use the app.
5. Select Everything or pick individual folders where you want the files to be recovered from.
6. Press Next.
7. At the bottom, enable Deep scan and pick which Disks you want to be scanned.
8. Press Scan and wait till it is complete.
9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
10. Press Recover to retrieve your files.

Report the incident to your local authorities

Ransomware is a lucrative, highly illegal business, and authorities are actively targeting ransomware operators. The level of investigation and follow-up depends on the country, the scale of the incident, and whether the attack is linked to known ransomware groups. To increase the likelihood of identifying the culprits, the agencies need information. In many cases, reports are used primarily for intelligence gathering, trend analysis, and victim support rather than immediate identification of attackers.

Therefore, by reporting the crime, you could help stop the cybercriminal activities and catch the threat actors. Reporting does not guarantee investigation or recovery of data, but it contributes to broader efforts to track ransomware campaigns. Make sure you include all the possible details, including how did you notice the attack, when it happened, etc. Relevant details may also include affected systems, ransom demands, cryptocurrency wallet addresses, and any communication with the attackers. Additionally, providing documents such as ransom notes, encrypted files, or malware executables would be beneficial.

Law enforcement agencies typically deal with online fraud and cybercrime, although it depends on where you live. Here is the list of local authority groups that handle incidents like ransomware attacks, sorted by country:

• USA – Internet Crime Complaint Center IC3
• United Kingdom – ActionFraud
• Canada – Canadian Anti-Fraud Centre
• Australia – ScamWatch
• New Zealand – ConsumerProtection
• Germany – Polizei
• France – Ministère de l'Intérieur

If your country is not listed above, you should contact the local police department or communications center.

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on Start button and select Settings.
   
   
2. Scroll down to pick Update & Security.
   
3. On the left side of the window, pick Recovery.
4. Now scroll down to find Advanced Startup section.
5. Click Restart now.
   
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Press Restart.
10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
2. Click on More details.
   
3. Scroll down to Background processes section, and look for anything suspicious.
4. Right-click and select Open file location.
   
5. Go back to the process, right-click and pick End Task.
   
6. Delete the contents of the malicious folder.

Step 3. Check program Startup

1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
2. Go to Startup tab.
3. Right-click on the suspicious program and pick Disable.
   
   

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

1. Type in Disk Cleanup in Windows search and press Enter.
   
   
2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
3. Scroll through the Files to delete list and select the following:
   

   Temporary Internet Files
   Downloads
   Recycle Bin
   Temporary files

4. Pick Clean up system files.
   
   
5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
   

   %AppData%
   %LocalAppData%
   %ProgramData%
   %WinDir%

After you are finished, reboot the PC in normal mode.