Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

0000 Ransomware

We have proof that cyber criminals have not stopped developing new versions of CryptoMix Ransomware – 0000 Ransomware, a new version of this crypto-threat, has been released recently. Even though it is brand new, it acts exactly like older CryptoMix versions. There is only one feature that distinguishes it from previous versions. Research conducted by our malware researchers has shown that this infection stays active on users’ computers after encrypting their files. It keeps working even after the computer restarts because of the Value it creates in the Run registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run). Because of this, it will affect all new files you create in the future too. You cannot change the fact that the majority of your files have already been locked after the entrance of 0000 Ransomware, but you can protect your new data by deleting this ransomware infection from your system today. The removal of this malicious software might be quite complicated due to all the modifications it makes on victims’ computers, but you should still manage to delete it one way or another.

0000 Ransomware is considered one of the nastiest infections for good reason. It has been observed that this infection ruins users’ files the second it infiltrates their computers. This threat is the one responsible for locking data in your case too if your files have .0000 appended to them. Additionally, you should see the names of all these files changed. Specifically, their names will be changed to 32 random symbols (e.g. 0AE2C47210495B46345CAE8D130F3F8E.0000). This is not the only thing you will notice after the entrance of this ransomware infection. You will also find a new .txt file on the Desktop (_HELP_INSTRUCTION.txt) once 0000 Ransomware infiltrates your computer. The message inside this file does not tell users much. They are only told that their files have been encrypted and that they need to write an email to one of the provided email addresses “for specific information.” The following email addresses are used in this version:

  • y0000@tuta.io
  • y0000@protonmail.com
  • y0000z@yandex.com
  • y0000s@yandex.com

Even though the dropped file does not tell users anything about the ransom, we are sure that you will be told that you need to pay money for the decryption tool if you write an email. It is up to you whether to spend your money on it or not, but if you ask us, we cannot tell you that transferring money to malicious software developers is a good idea. You do not know whether they will give you what you need, i.e. decryption software. Also, the tool you get might be useless. You will not get your money back in any of these cases.

We know that you are reading this article because you have detected 0000 Ransomware on your system and want to find a way to delete it, but we still want to provide some information about the distribution of this ransomware infection before we tell you more about the removal procedure. We have to admit that 0000 Ransomware is not prevalent yet because it has been released only recently. As a consequence, it is not very easy to talk about its distribution either. According to our malware researchers who have analyzed this infection, it should not differ much from similar threats. That is, it should also be spread via spam email campaigns. In most cases, these malicious applications are distributed as attachments, but you might find malicious links in spam emails too. They do not look harmful at all, so it is not easy to recognize them. Because of this, we suggest ignoring all spam emails you receive completely. You can also install a security application on your computer so that other harmful infections cannot enter your system again without permission.

You need to remove 0000 Ransomware as soon as possible because its presence on your system might result in more encrypted files. To delete it from your computer, you need to erase its Values from the Run registry key. In addition, you need to remove two files that belong to it. 0000 Ransomware is serious malware, so we suggest that you use our manual removal guide to delete it. Alternatively, you can perform a system scan with an antimalware scanner. You must delete this threat fully so that it cannot restore itself and start working again.

How to remove 0000 Ransomware

  1. Launch Run (tap Win+R).
  2. Insert regedit.exe and click OK.
  3. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  4. Locate the Value with a random name belonging to the ransomware infection and delete it.
  5. Remove the BC0EBCF2F2 Value.
  6. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  7. Delete the *BC0EBCF2F2 Value.
  8. Close Registry Editor.
  9. Open Windows Explorer (press Win+E).
  10. Delete BC0EBCF2F2.exe from %ALLUSERSPROFILE% and %ALLUSERSPROFILE%\Application Data.
  11. Delete recently downloaded suspicious files.
  12. Empty Recycle bin.
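
Before deleting anything by hand, the locations in the steps above can be audited from PowerShell. The script below is an added example, not a tool from this site or the original article; it is read-only and reports what it finds. The "Suspect" flag and the assumption that the 32-symbol file names are hexadecimal (as in the example name above) are heuristics introduced for this example.

```powershell
# Added example: read-only triage for the artifacts named in the steps above.
# Nothing is deleted; review the output, then remove the items by hand.
$marker   = 'BC0EBCF2F2'    # value/file name given on this page
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
# On Vista and later "Application Data" is a junction back to %ALLUSERSPROFILE%,
# so the same executable can be reported twice.
$dropDirs = $env:ALLUSERSPROFILE, (Join-Path $env:ALLUSERSPROFILE 'Application Data')

$report = @(
    # Steps 3-7: list every autorun value; the page says one has a random name,
    # so all are shown and only marker matches are pre-flagged (assumed heuristic).
    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            [pscustomobject]@{
                Kind    = 'AutorunValue'
                Where   = $path
                Item    = "$name = $data"
                # TrimStart drops the '*' prefix used on the RunOnce copy.
                Suspect = ($name.TrimStart('*') -eq $marker) -or ($data -like "*$marker*")
            }
        }
    }
    # Step 10: the dropped executable.
    foreach ($dir in $dropDirs) {
        $exe = Join-Path $dir "$marker.exe"
        if (Test-Path -LiteralPath $exe) {
            [pscustomobject]@{ Kind = 'Executable'; Where = $dir; Item = "$marker.exe"; Suspect = $true }
        }
    }
    # Ransom note on the Desktop.
    $desktop = [Environment]::GetFolderPath('Desktop')
    if (Test-Path -LiteralPath (Join-Path $desktop '_HELP_INSTRUCTION.txt')) {
        [pscustomobject]@{ Kind = 'RansomNote'; Where = $desktop; Item = '_HELP_INSTRUCTION.txt'; Suspect = $true }
    }
    # Encrypted files: 32 characters + .0000 (hex is assumed from the page's example).
    $locked = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter '*.0000' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9A-Fa-f]{32}\.0000$' }
    [pscustomobject]@{ Kind = 'EncryptedFiles'; Where = $env:USERPROFILE; Item = "$(@($locked).Count) file(s)"; Suspect = (@($locked).Count -gt 0) }
)
$report | Format-Table -AutoSize -Wrap
```

Run it as the affected user, since the Run and RunOnce keys in the steps are under HKEY_CURRENT_USER.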