What is Kill Zorro Ransomware?
If your computer becomes infected with a ransomware-type application called Kill Zorro Ransomware, it will encrypt your personal files and then offer to sell you a decryptor for them. In short, it is a money extortion scheme, and its developers are nothing more than cyber criminals. This particular ransomware is part of the Hidden-Tear ransomware family, so it comes from people that are dedicated to creating highly malicious applications aimed at extorting money from you. In this short description, we will discuss what this ransomware does, how it is distributed, and how you can remove it. So, if your computer has been affected by this ransomware, then we invite you to continue reading.
What does Kill Zorro Ransomware do?
There are generally two types of ransomware: the kind that locks the screen and the kind that encrypts files. Kill Zorro Ransomware falls into the latter category. Our malware analysts have concluded that it was designed to use the AES-256 encryption algorithm, which features a 256-bit key length and a 128-bit block size, to encrypt your personal files. Researchers say that it was set to target the %LOCALAPPDATA%, %APPDATA%, %USERPROFILE%\Contacts, %USERPROFILE%\Desktop, %USERPROFILE%\Documents, and %USERPROFILE%\Downloads folders. It targets hundreds of file extensions, so most of the files found in these folders will be encrypted. While encrypting, this ransomware is set to append the ".zorro" file extension to each file and create a batch file named "shwdFtY8245PqWQWf.bat" in the Documents folder.
After the encryption is complete, this ransomware will run the command "vssadmin.exe Delete Shadows /All /Quiet" in Command Prompt to delete all shadow copies of your files. Furthermore, it will create a file named "passcode.txt" in a hidden folder at %USERPROFILE%\Desktop\I that stores information such as your computer’s name, your user name, user account password, and the OS type and platform. Then, it will upload this file to the server via FTP using the STOR command. After uploading, the %USERPROFILE%\Desktop\I directory will be deleted. It is also worth mentioning that this ransomware will disable Task Manager, Windows Update, Registry Editor, and System Restore. Once all of this is in place, it will drop a ransom note named “Take_Seriously (saving your grace).txt”. The note features a Bitcoin wallet address where you have to send 1 BTC in order to get the decryptor. However, there is no guarantee that you will receive the promised key.
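The file artifacts described above can be checked for with a short triage script. This is an added example, not part of the original write-up: the function names and the sample profile are constructed for illustration, and it assumes the default Windows profile layout, where %APPDATA% and %LOCALAPPDATA% sit under the user profile as AppData\Roaming and AppData\Local.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the description above.
ENCRYPTED_EXT = ".zorro"
BATCH_NAME = "shwdFtY8245PqWQWf.bat"
NOTE_NAME = "Take_Seriously (saving your grace).txt"
STAGING_DIR = Path("Desktop") / "I"  # holds passcode.txt until it is uploaded
# Assumption: default profile layout for %LOCALAPPDATA% and %APPDATA%.
TARGET_DIRS = ["AppData/Local", "AppData/Roaming", "Contacts",
               "Desktop", "Documents", "Downloads"]

def sweep_profile(profile):
    """Return the Kill Zorro file artifacts found under one user profile."""
    profile = Path(profile)
    report = {"encrypted": [], "ransom_notes": [], "batch_file": None,
              "staging_dir_present": (profile / STAGING_DIR).is_dir()}
    batch = profile / "Documents" / BATCH_NAME
    if batch.is_file():
        report["batch_file"] = str(batch)
    for rel in TARGET_DIRS:
        # os.walk skips missing or unreadable directories instead of raising.
        for dirpath, _dirs, files in os.walk(profile / rel):
            for name in files:
                full = str(Path(dirpath) / name)
                if name.lower().endswith(ENCRYPTED_EXT):
                    report["encrypted"].append(full)
                elif name == NOTE_NAME:
                    report["ransom_notes"].append(full)
    report["encrypted"].sort()
    return report

def build_sample_profile(root):
    """Constructed sample data: a fake profile with planted indicators."""
    root = Path(root)
    for rel in TARGET_DIRS:
        (root / rel).mkdir(parents=True)
    (root / "Documents" / "budget.xlsx.zorro").write_text("x")
    (root / "Documents" / "notes.txt").write_text("clean")
    (root / "Documents" / BATCH_NAME).write_text("rem")
    (root / "Desktop" / NOTE_NAME).write_text("note")
    (root / "Downloads" / "photo.JPG.ZORRO").write_text("x")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in sweep_profile(build_sample_profile(tmp)).items():
            print(f"{key}: {value}")
```

On a real system, call `sweep_profile` with the affected user's profile directory. A leftover Desktop\I folder suggests the collection step was interrupted before the upload and cleanup finished.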
Where does Kill Zorro Ransomware come from?
As mentioned in the introduction, Kill Zorro Ransomware is part of the Hidden-Tear ransomware family. This family also includes ransomware such as Angleware Ransomware, Redants Ransomware, and CryptoKill Ransomware. All of them come from the same developers, who code these programs using the .NET Framework. Our malware researchers say that Kill Zorro Ransomware is distributed through malicious email spam. They say that the developers probably have set up an email server that sends this ransomware to a preselected list of email addresses. The emails are probably disguised as legitimate and may look like business-related correspondence, receipts, and so on. Researchers say that the emails should feature an attached file that drops this ransomware’s executable when opened.
How do I remove Kill Zorro Ransomware?
If you want to remove Kill Zorro Ransomware from your computer safely, then you ought to get an anti-malware program. However, you can also delete all of its files manually. The problem is, however, that its main executable can be placed in a hidden location. We suggest checking the Temp and Downloads folders first, but the ransomware could be located anywhere. If you have trouble finding the malware, then you can make use of SpyHunter’s free scanner and then go to the location to remove the malware manually.
Removal Guide
- Visit http://www.anti-spyware-101.com/download-sph
- Download SpyHunter-Installer.exe and run it.
- Launch the program and click Scan Computer Now!
- Copy the file path of the malware from the scan results.
- Simultaneously press Win+E keys.
- Enter the file path of the malware in File Explorer’s address box.
- Press Enter.
- Find and right-click the malicious file and then click Delete.
- Empty the Recycle Bin.