'0000 File Extension' Ransomware

Posted by Max Lehmann on November 29, 2017

What is '0000 File Extension' Ransomware?

'0000 File Extension' Ransomware has surfaced on the web lately and started to spread quickly. Our malware experts have found that this new ransomware infection is indeed a new variant in the CryptoMix Ransomware family that includes other variants like X1881 RansomwareError RansomwareMole03 Ransomware, and Zayka Ransomware to name a few. This dangerous infection can infiltrate your system without your knowledge and take all your important files hostage in a short time, which is definitely not enough for you to realize what is going on and stop it. But there seems to be a silver lining even in this nightmarish sounding story. It seems that there is a free decryption tool developed by professional malware hunters that can recover files that have been encoded by the variants of this family. We cannot confirm for sure that your files encrypted by this new variant will be completely recovered but, at least, you have a chance to get your files back. We do not advise you though to download and apply this free tool yourself if you are not an advanced user. Obviously, these attackers want your money in exchange for the decryption key, which may not even be sent to you even if you pay. Therefore, we recommend that you remove '0000 File Extension' Ransomware right now because keeping it operating in the background can result in the encryption of your newly created files as well.

Where does '0000 File Extension' Ransomware come from?

There are a couple of ways for this vicious program to appear silently on your computer. One of the most widely used methods is spamming campaigns. It is possible that the malicious executable file is camouflaged to be an image or a document allegedly containing important and urgent information for you to see. This whole spam is about tricking you into opening this file because once you do so, you cannot delete '0000 File Extension' Ransomware without having your files encrypted. If you find an e-mail in your spam folder that claims that you have an overdue invoice or you have given the wrong credit card details while booking online, you should have your guards up and make sure that you know the sender or you are really related to this supposed matter because you can easily end up with your files taken hostage and most of the time there is no chance for free decryption.

It is also possible that you land on a malicious page created with RIG Exploit Kit after you click on a corrupt third-party advertisement or compromised link on a suspicious website or offered by malware hiding on your system. In this case, you simply need to load this malicious page in your browser and the malicious scripts get triggered right away to drop this infection and you will not see a thing. The only thing that can save you from such a cyber attack is to keep your browsers and Java and Flash drivers always up-to-date; well, apart from having a decent anti-malware program install, of course. Please note that there is no way for you to stop encryption once this ransomware is activated on your system. Removing '0000 File Extension' Ransomware does not mean you will get your files back decrypted.

How does '0000 File Extension' Ransomware work?

This malicious program autostarts with Windows, which means that it has a Point of Execution (PoE), and it will haunt you and encrypt your new files again and again until you finally eliminate it from your system. It mainly targets the usual personal files: photos, documents, videos, databases, and archives. The encrypted files get a ".0000" extension; however, this time, the original file name is replaced with a 32-character long string consisting of random symbols like "0AE2C47210495B46345CAE8D130F3F8E.0000." This malware infection also runs a number of shady commands in the background, including deleting the shadow volume copies of your files to make it impossible to restore your encrypted files using system functions.

This infection does not replace your desktop background and does not lock your screen either. It simply drops its ransom note text file called "_HELP_INSTRUCTION.TXT" most likely on your desktop. This note does not contain too much useful information. It simply states that your files have been encrypted and you have to send an e-mail to four different addresses, y0000@tuta.io, y0000@protonmail.com, y0000z@yandex.com, and y0000s@yandex.com with your personal ID you can find in this ransom note. Then, you will get a reply with further instructions. We do not know this time how much the ransom fee could be but judging from the previous variants, this amount could reach thousands of dollars' worth of Bitcoins. We do not recommend that you pay this fee because it is always risky. We suggest that you remove '0000 File Extension' Ransomware from your computer immediately.

How can I delete '0000 File Extension' Ransomware?

Finally, here we are with the solution. Before you do anything, it may be best to kill the malicious process via Task Manager. Then, you can go on with the removal process. If you would like to eliminate this dangerous threat manually, you can follow our instructions below. Please remember that even if you plan to use the free decryption tool, before doing so you need to delete '0000 File Extension' Ransomware from your system. Since it is possible that this infection is not the only one on your computer, we suggest that you go on hunting down threats until you are certain that your PC is clean. You can always use a reliable anti-malware program like SpyHunter to do this for you automatically and protect your PC from future attacks as well.

Remove '0000 File Extension' Ransomware from Windows

  1. Press Win+R and type regedit in the box. Click OK.
  2. Locate and delete these registry entries (PoEs):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | *BC0EBCF2F2 | "C:\ProgramData\*BC0EBCF2F2.exe" (* random name)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | *BC0EBCF2F2 | "C:\ProgramData\*BC0EBCF2F2.exe" (* random name)
  3. Close the editor.
  4. Press Win+E.
  5. Locate and delete these malicious .exe files:
    %ALLUSERSPROFILE%\*BC0EBCF2F2.exe (* random name)
    %ALLUSERSPROFILE%\Application Data\*BC0EBCF2F2.exe (* random name)
  6. Delete all suspicious files you can find in your download directories.
  7. Bin the ransom note file.
  8. Empty your Recycle Bin.
  9. Restart your computer. 100% FREE spyware scan and
    tested removal of '0000 File Extension' Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *