Danger level 8
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Connects to the internet without permission
  • Normal system programs crash immediately
  • System crashes
  • Slow Computer

Zeta Ransomware

Zeta Ransomware is an infection that is also known by the name “CryptoMix Ransomware.” This particular ransomware infection has several versions, each named after the contact e-mail address the attackers use. In our case it is zeta@dr.com (other versions use other addresses and e-mail providers), and you will see this address in the TXT and HTML files the infection creates. The point of these files is to convince you to pay a ransom, which is why we classify this threat as ransomware. We have researched JuicyLemon Ransomware, Green_ray Ransomware, and a ton of other infamous infections, and we can say that despite the obvious similarities, most infections are unique in one way or another. Although our main goal is to help you remove Zeta Ransomware from your operating system, we also want to discuss this threat in depth to help you understand it and its uniqueness better. This knowledge could help you in the future.

The creators of Zeta Ransomware rely on the successful execution of this threat, and they need you to let it in. Just like most ransomware threats, this one spreads via spam e-mail attachments, and users execute it by accident thinking they are opening photos, invoices, or documents. Of course, other distribution methods could be employed as well, so you should not focus only on protecting your inbox. Once executed, this threat creates files in the %AppData% directory, which include HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT, and an executable with a random name (e.g., AdobeFlashPlayer_b4500913ebcf2f2.exe). Additionally, this threat modifies the Windows Registry to ensure that it is launched at every Windows startup. This threat also establishes a connection to remote C&C servers (IP addresses: 93.170.169.180 and 46.8.45.174), and this connection could be used to send the attackers the private key that is generated when your personal files are encrypted. If you are able to, block these addresses at the firewall before you start the cleanup.

Zeta Ransomware encrypts personal files because they hold the most value to computer users. Would you pay a ransom for files that you could easily replace? Of course you would not, and this is why cyber criminals target DOC, JPEG, MP3, AVI, and all kinds of other personal files that are impossible to replace. Do you have them backed up? If you do, you can simply delete Zeta Ransomware from your operating system and replace the encrypted copies of your files with the healthy ones. Unfortunately, files encrypted with RSA-2048 cannot be decrypted without the matching private key, and third-party decryption tools might fail to help you. It is still worth checking these tools out, because the last thing you want to do is pay a ransom requested by cyber criminals; before you try any of them, copy the encrypted files to separate storage so that a failed attempt cannot damage them further. Note that the files you need to decrypt have the “id_[your ID]_email_zeta@dr.com_.code” extension attached to them. The ID portion is unique to your computer, and the last part, as well as the e-mail address, could differ according to the version of the ransomware.

The HELP_YOUR_FILES.HTML and HELP_YOUR_FILES.TXT files created by the ransomware are meant to push you into e-mailing the developer of this infection. Once you initiate communication, the cyber criminals respond with instructions on how to decrypt your files. The response might be misleading: you might be informed that the ransom you pay via a Bitcoin wallet will go to a charity supporting children. Furthermore, it might be suggested that your payment will also enable full-time protection for your operating system and provide you with free tech support for three years. All of this is a lie meant to push you into paying a large ransom of 5 BTC (roughly 2900 USD at the time of writing), which might be doubled after 24 hours. Considering that most ransomware threats simply demand payment without such stories, we consider Zeta Ransomware a unique threat.

Even if you have the money to pay the ransom requested by Zeta Ransomware, paying it is not advisable. There is a great chance that your files will remain encrypted after the payment is made, and the sum requested is too large to take any risks. As mentioned previously, you should look into third-party decryption tools before anything else, as you might be able to retrieve your files without paying any money. If you choose this option, make sure you use reliable tools, not ones created by cyber criminals to extort even more money out of you. Whether you lose your files or manage to restore them, do not forget to delete Zeta Ransomware, which you can do using automated removal software or the guide below.

Zeta Ransomware Removal

  1. Launch Explorer (tap Win+E keys).
  2. Type %AppData% into the address bar and tap Enter.
  3. Delete these files:
    • HELP_YOUR_FILES.HTML
    • HELP_YOUR_FILES.TXT
    • AdobeFlashPlayer_b4500913ebcf2f2.exe (this file might be named differently in your case)
  4. Launch RUN (tap Win+R keys).
  5. Type regedit.exe and click OK to access the Registry Editor.
  6. Move to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  7. Right-click and Delete these values:
    • Adobe Reader UpdateHardWare (value data example: "C:\Users\user\Desktop\aca8fe399b3c6cef4a36480ea323c097cba31a670b53e2b55343ed0261c9ff13.exe")
    • AdobeFlashPlayersHardWare (value data example: "C:\Users\user\AppData\Roaming\AdobeFlashPlayer_b4500913ebcf2f2.exe")
    • AdobeFlashPlayersSoftWare (value data example: "C:\Users\user\AppData\Roaming\AdobeFlashPlayer_b4500913ebcf2f2.exe").
  8. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
  9. Right-click and Delete these values:
    • Adobe Reader Update32 (value data example: "C:\Users\user\Desktop\aca8fe399b3c6cef4a36480ea323c097cba31a670b53e2b55343ed0261c9ff13.exe")
    • AdobeFlashPlayers32 (value data example: "C:\Users\user\AppData\Roaming\AdobeFlashPlayer_b4500913ebcf2f2.exe")
  10. Navigate to HKEY_CURRENT_USER\SOFTWARE\.
  11. Right-click and Delete the key called Adobe Reader LicensionSoftWare.
  12. Restart your computer and initiate a full system scan to check for leftovers.
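The following PowerShell script is an added example and is not part of the original guide. It performs the manual steps above in one pass: it stops the running payload, reports and removes the Run/RunOnce values and the HKCU\SOFTWARE key listed in steps 6 to 11, deletes the ransom notes and dropped executable from %AppData%, and finally inventories the encrypted files using the "id_[ID]_email_[address]_.code" naming pattern from the article so you know the scope of the damage and your victim ID before trying any decryptor. The wildcard AdobeFlashPlayer_*.exe for the randomly named executable and the search of the whole user profile for encrypted files are assumptions, not something the article states. Run it from a PowerShell prompt as the affected user, first with -ReportOnly to see what it would touch, then without the switch to clean up.

```powershell
# Added example, not the article's own code. Hunts for the Zeta/CryptoMix
# artifacts named in the removal guide and, unless -ReportOnly is given,
# removes them. Usage:  .\Remove-Zeta.ps1 -ReportOnly   (then without the switch)
param([switch]$ReportOnly)

$appData = $env:APPDATA

# Ransom notes from the guide, plus the dropped executable. Its name is random
# per sample, so a wildcard on the observed prefix is used (assumption).
$fileTargets = @(
    (Join-Path $appData 'HELP_YOUR_FILES.HTML'),
    (Join-Path $appData 'HELP_YOUR_FILES.TXT')
)
$fileTargets += @(Get-ChildItem -Path $appData -Filter 'AdobeFlashPlayer_*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object FullName)

# Autorun value names from steps 6 to 9, grouped by the key they live in.
$runValues = @{
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'     = @('Adobe Reader UpdateHardWare', 'AdobeFlashPlayersHardWare', 'AdobeFlashPlayersSoftWare')
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' = @('Adobe Reader Update32', 'AdobeFlashPlayers32')
}
# Key from step 11, spelled exactly as the malware writes it.
$licenseKey = 'HKCU:\SOFTWARE\Adobe Reader LicensionSoftWare'

# 1. Stop the payload first; a live process can re-create its autorun entries.
foreach ($exe in ($fileTargets | Where-Object { $_ -like '*.exe' })) {
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq $exe } | ForEach-Object {
        Write-Host "Running payload: PID $($_.Id) $($_.Path)"
        if (-not $ReportOnly) { Stop-Process -Id $_.Id -Force }
    }
}

# 2. Autorun values: show the command they launch, queue that binary for
#    deletion (the Desktop-dropped copy is only reachable this way), then delete.
foreach ($key in $runValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues[$key]) {
        $val = $props.PSObject.Properties[$name]
        if ($null -eq $val) { continue }
        Write-Host "Autorun: $key\$name = $($val.Value)"
        $fileTargets += ($val.Value -replace '"', '')
        if (-not $ReportOnly) { Remove-ItemProperty -Path $key -Name $name }
    }
}

if (Test-Path $licenseKey) {
    Write-Host "Registry key: $licenseKey"
    if (-not $ReportOnly) { Remove-Item -Path $licenseKey -Recurse }
}

# 3. Ransom notes and dropped executables.
foreach ($f in ($fileTargets | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "File: $f"
        if (-not $ReportOnly) { Remove-Item -LiteralPath $f -Force }
    }
}

# 4. Inventory encrypted files. The pattern follows the article's extension
#    id_[your ID]_email_zeta@dr.com_.code; the address part is left open so
#    other versions of the ransomware are matched too.
$pattern = 'id_(?<id>[^_]+)_email_(?<mail>[^_]+)_\.code$'
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern })
$ids = $encrypted | ForEach-Object { if ($_.Name -match $pattern) { $Matches['id'] } } | Sort-Object -Unique
Write-Host "$($encrypted.Count) encrypted file(s) found; victim ID(s): $($ids -join ', ')"
$encrypted | Select-Object -ExpandProperty FullName
```

The script deliberately does not touch the encrypted files themselves: they are what a decryptor or a backup restore will need, and the inventory it prints is what you should copy to separate storage before experimenting with any recovery tool. Restart and run a full system scan afterwards, as step 12 says, because the guide can only list the artifact names observed in this sample.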