Click on screenshot to zoom
Danger level 7
Type: Trojans

Zemblax Ransomware

Zemblax Ransomware is a file-encryptor that attacks files found on unguarded Windows operating systems. Once the encryption of all personal files is complete, the infection then launches a window with an intimidating message inside. The background of the window shows an image of the Salvador Dali mask that the fans of a popular Netflix show called ‘Money Heist’ are likely to recognize immediately. The message claims that the corrupted files are being deleted and that the only thing that victims can do is pay a ransom in return for a private key that, allegedly, is the only thing that can be used for file recovery. We have good news. Apparently, this malware is decryptable. It is just a new variant of the Jigsaw Ransomware, and there is a free Jigsaw Decryptor. Of course, if you are going to employ it, please make sure that you download the real decryptor, not a fake lookalike. Whether or not you use this tool, you have to remove Zemblax Ransomware, and we hope that the information presented in this guide will help you delete the threat quickly.

Ransomware attacks area very common these days, and there are now thousands of file-encryptors lurking for careless Windows users. Malware distributors often set up fake emails to trick people into launching ransomware by opening corrupted attachments or links. Malicious software bundles and unpatched security vulnerabilities can be employed as well. The main incentive is to ensure that ransomware slithers in silently, so that it could encrypt files before victims realize what is going on. When Zemblax Ransomware encrypts files, it adds the “.zemblax” extension to mark them. Unfortunately, photos, important documents, and other personal files can be corrupted by this threat. Besides corrupting your files, this threat also drops a bunch of its own files. One of them is called “drpbx.exe,” and it is responsible for launching the window with an intimidating message. According to this message, Zemblax Ransomware deletes a collection of encrypted files after every hour that passes by. The message also claims that files would be removed if you closed the window or turned off the computer. 24 hours are given to pay the ransom, after which, it would double.

Considering that the original ransom is just $50 – which is very small if compared to some other infections that demand thousands of dollars – and because there is a huge sense of urgency, victims might give in. The message instructs to pay a ransom in Bitcoin to 1C1pAkwpvuxr4ZxzqHSeTLpFGQMDMJKS3U, and when we checked this address, the wallet was still empty. Hopefully, victims of Zemblax Ransomware are already familiar with ransomware and know better than to follow the attackers’ demands. The window launched by the infection also displays the “How To Decrypt Files” button at the bottom. If you click it, you are routed to the location of the “Decrypte-Files.pdf” file. The message inside this file informs that full decryption of all files is guaranteed and that the use of third-party decryption tools is strictly forbidden. Pay no attention to this message. Also, do not contact zemblax@protonmail.com, unless you want your inbox to be flooded with new scam messages. Even if you cannot use the free Jigsaw Decryptor to free the files corrupted by Zemblax Ransomware, you might still be able to replace them using your own backups. If you have not created copies of files by this point, make sure you start doing that in the future. Also, if you want your copies to be safe, store them on external drives or virtual clouds. Do not rely on the system restore point function.

According to our research team, a malicious process needs to be killed if you want to close the ransom note window launched by Zemblax Ransomware. Once you do that, you can check which files were encrypted and also remove the malicious components that belong to the threat. If you are experienced or if you are up for a challenge, you might be interested in deleting Zemblax Ransomware manually. This is why we have created the guide below. However, we recommend removing the threat automatically regardless of your level of expertise. This ransomware is quite complex, and there are quite a few components to find, identify, and delete. On top of that, you cannot resolve your system’s security issue by deleting the threat. Fortunately, a legitimate anti-malware tool can both erase threats and reinforce Windows security. After this is done, you can try restoring files using a free decryptor or replacing them with your own copies. Do not pay the ransom because the attackers will not give you anything in return.

Zemblax Ransomware Removal

  1. Tap Ctrl+Alt+Delete keys at the same time and click Task Manager.
  2. Go to the Details tab, select the process called drpbx.exe, and click End task.
  3. Next, launch Run by tapping Win+R keys.
  4. Enter regedit into the dialog box to launch Registry Editor.
  5. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  6. Delete the process called firefox.exe (make sure it is linked to the infection first).
  7. Close Registry Editor and then launch File Explorer by tapping Win+E keys.
  8. Enter %APPDATA% into the field at the top to access the directory.
  9. Delete the file named firefox.exe (make sure it is linked to the infection first).
  10. Delete the folder named System32Work if it contains Address.txt, dr, and EncryptedFileList.txt files.
  11. Enter %LOCALAPPDATA% (or %USERPROFILE%\Local Settings\Application Data\) into the field at the top.
  12. Delete the folder named Drpbx with the malicious file named drpbx.exe inside.
  13. Close File Explorer and then Empty Recycle Bin.
  14. Install a trusted malware scanner to inspect your system for leftovers (do NOT skip this step because ransomware can be updated, and new components could be introduced).
Download Spyware Removal Tool to Remove* Zemblax Ransomware
  • Quick & tested solution for Zemblax Ransomware removal.
  • 100% Free Scan for Windows
disclaimer
Disclaimer

Post comment — WE NEED YOUR OPINION!

Comment:
Name:
Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.