Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Aug 2019

How to remove Zeropadypt NextGen ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Lucia Danes · Virus researcher

Zeropadypt NextGen ransomware is file locking malware that mostly infects users via the insecure 3389 RDP port

Zeropadypt NextGen ransomware

Zeropadypt NextGen is the second variant of the Zeropadypt ransomware and first started attacking users in early August 2019. Unlike its predecessor which used to replace all the data of the file to zeros, this version actually encrypts data using the RSA encryption algorithm and appends either .lazurus or .limbo extension. From that point in time, victims are not capable of using pictures, documents, videos, databases, and other personal files.

Zeropadypt NextGen ransomware usually infects users with the help of poorly protected RDP connections that use the default port (3389). Crooks often scan the internet in the hopes of finding such connections and then brute force[1] their way into the host computer, installing the malware manually.

Once inside, Zeropadypt NextGen ransomware performs various changes to the Windows OS and only then encrypts data. Additionally, it also drops a ransom note into each of the infected folders – Read-Me-Now.txt, which essentially explains the situation. Hackers claim that users need to pay for the decryption tool in order to recover data, and then contact them via the legion.developers72@gmail.com, BackFileHelp@protonmail.com, dcyptfils@protonmail.ch, letitbedecryptedzi@gmail.com, or RECOVERUNKNOWN@protonmail.com.

Name Zeropadypt NextGen
Type Ransomware
Distribution Spreads via the Remote Desktop, although the virus can also be propagated via spam emails, fake updates, software cracks, exploits, and other methods
Cipher RSA
Extension .lazurus or .limbo
Encrypted file example [original file name].[original file extension].[ID=xxxxxxxxxx].[Mail=Helpcrypt1@tutanota.com].lazurus
Ransom note  Read-Me-Now.txt
Contact  legion.developers72@gmail.com, BackFileHelp@protonmail.com, dcyptfils@protonmail.ch, letitbedecryptedzi@gmail.com, Helpcrypt1@tutanota.com or RECOVERUNKNOWN@protonmail.com
Decryption Only available via backups or third-party recovery software
Removal Use reputable anti-malware software such as FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes

As a general rule, ransomware uses several methods to prevent users from recovering data after the encryption process is complete on their computers. Zeropadypt NextGen virus is no different, as it deletes Shadow Volume copies via the PowerShell commands. Additionally, it loads several modules, opens/deletes/writes multiple files, connects to a remote server, and modifies Windows registry. All these alternations to the system ensure the malware is loaded at all times. In some cases, Zeropadypt NextGen ransomware removal might also be complicated, as security software might get disabled.

As soon as Zeropadypt NextGen ransomware completes the infection process and encrypts files, it drops the following ransom note:

Your All Files Encrypted With High level Cryptography Algorithm
If You Need Your Files You Should Pay For Decryption
You Can Send 1MB File For Decryption Test To Make Sure Your Files Can Be Decrypted
After 48 hour If You Dont contact us or use 3rd party applications or recovery tools Decryption fee will Be Double
After Test You Will Get Decryption Tool
Your ID For Decryption: XXXXXXX
Contact Us: RECOVERUNKNOWN@protonmail.com

Cybercriminals say that they offer free test decryption and also hurry to scare victims into paying sooner, as the required amount for the decryptor will be doubled within 48 hours of the Zeropadypt NextGen infection. However, you should be warned the there is no way to check if the criminals will actually send you a working tool. Besides, paying hackers will only encourage them to improve their ransomware and release new, more advanced versions.

Zeropadypt NextGen ransomware virus

Therefore, rather do not engage in any discussions with cybercriminals and instead perform a full Zeropadypt NextGen ransomware removal. While getting rid of the infection manually is possible, it is way too complicated of a procedure for regular users.

Thus, if you got infected with the .lazurus or .limbo file virus, you should download and install anti-malware software that would detect all the malicious components of the malware and eliminate them – we suggest using FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes, although other reputable tools might work just as well.

While it is true you need the private RSA key that hackers have to unlock your data, several other methods can be used for the purpose – they might be sometimes successful (such as Windows Previous Versions feature or third-party recovery software).

Ways to avoid ransomware virus infections

In most of the cases, ransomware authors are sophisticated hackers who know their business. They employ many different malware distribution methods, including exploits, spam emails, fake updates, software cracks, malicious or hacked sites, etc. Nevertheless, there is an indication that some bad actors prefer entering victims' machines manually with the help of insecure Remote Desktop Protocol connections.

They simply scan the internet for computers that are connected via the default 3389 port, and the launch an automated program which would apply most easily-guessed passwords to brute-force the way in. Once inside, hackers then implant the malicious payload manually.

Infections via the RDP connections became more prevalent by malicious actors,[2] as they can, escalate privileges, increase malware prevalence, upload additional payloads, etc. Therefore, it is extremely important to adequately protect your connection when using Remote Desktop, i.e.:

  • enable only internal network connections;
  • use firewall;
  • do not use the default port;
  • disable RDP when not using it;
  • use strong passwords;
  • use a VPN.

Additionally, be generally careful when dealing with online content like spam email attachments/hyperlinks or downloading free software (do not download pirated programs or cracks!). Finally, employ reputable security software, update your operating system regularly, and backup your files.

Zeropadypt NextGen ransomware encrypted files

Delete Zeropadypt NextGen ransomware from your machine using reputable security tools

As we already mentioned, manual Zeropadypt NextGen ransomware removal is possible but is not recommended to regular users, as the malware changes alter various parts of the operating system, and reverting these changes would be truly complicated.

Instead, employ reputable anti-malware software, such as FortectIntego, SpyHunterCombo Cleaner, or another tool, and perform a full system scan. Depending on the version of Zeropadypt NextGen ransomware virus you are infected, it can be recognized by AV vendors as follows:[3]

  • TR/AD.OuroborosRansom.olerf
  • Win32:Malware-gen
  • Trojan:Win32/Occamy.C
  • Ransom.Ouroboros
  • Win/malicious_confidence_100% (W)
  • Malware/Win32.Generic.C3372377, etc.

If the functionality of the malware prevents its termination by using anti-malware software, you can always access Safe Mode with Networking and remove Zeropadypt NextGen ransomware from there. For the file retrieval process, please refer to the recovery section below.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.