Zixer2 Ransomware

What is Zixer2 Ransomware?

Zixer2 Ransomware is a ransomware-type computer infection that is similar to Globe Ransomware. It was designed to encrypt your personal files using an advanced encryption algorithm and then demand that you pay money for a decryption key. However, we urge you not to pay the ransom and remove this program instead because you cannot trust its developers to keep their word and send you the key. The sum you are supposed to pay is not specified, and you have to contact the developers via email to get instructions on how to pay the ransom.

Where does Zixer2 Ransomware come from?

While there is no definitive information about how Zixer2 Ransomware is distributed, but our malware analysts believe that the developers should distribute it like they did Globe Ransomware. Furthermore, Globe Ransomware belongs to the same ransomware family as Purge ransomware, so it becomes clear that this newest malware was created by an established group of malware developers. Researchers think that, because these programs are so similar, it is possible that they were created by the same people. Hence, they should be distributed in the same way as well.

Our malware analysts say that the developers should distribute Zixer2 Ransomware through phishing emails. The creators might have set up a dedicated email server that sends this ransomware to random users. The emails should contain an attached zipped file that contains this ransomware’s main executable file. The executable can be named randomly, and if you extract and run it, then it should make a copy of itself and drop it in %LOCALAPPDATA% and then delete itself. If the infection is successful, then this ransomware should begin encrypting your files almost immediately. Indeed, it does not hibernate, so if you do not have an anti-malware program to fend off malicious software, then your files can be encrypted.

What does Zixer2 Ransomware do?

Malware analysts have concluded that this particular ransomware uses the Blowfish encryption algorithm to encrypt your files. This algorithm is seldom used as the AES and RSA algorithms are the encryption algorithms of choice for most ransomware developers. Still, the Blowfish encryption is quite effective at rendering your files useless and in this particular ransomware, this algorithm is set to encrypt hundreds of file formats that include file formats of images, videos, audios, documents, file archives, and so on. Blowfish uses a 128-bit key and 64-bit data block. While encrypting your files, this program appends all encrypted files with its custom extension. Due to this ransomware having several iterations the file extensions can be .raid20, .zixer2, or .zixer1.

After finishing the encryption, Zixer2 Ransomware drops a ransom note in each folder where files were encrypted. The note can either be named README.hta or Important Information.hta which is subject to the particular iteration of the ransomware. The note is launched on startup using mshta.exe which executes the "C:\Users\{UserName}\Important Information.hta" command. Furthermore, this ransomware creates a Point of Execution registry key at

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run set to open the ransom note — not the ransomware. The subkey should be named Important Information and have the value data "C:\Users\{UserName}\\Important Information.hta." You should delete this ransomware along with its registry key to ensure your computer is safe to use.

How do I remove Zixer2 Ransomware?

While Zixer2 Ransomware is a highly malicious application that can encrypt many of your files, all is not lost because there should be a decryption tool for it soon. We suggest you search for it before jumping to the conclusion that you must pay the ransom. Therefore, we recommend that you remove this program using an anti-malware program such as SpyHunter — or recommended application or our manual removal guide provided below.

How to delete this ransomware

  1. Press Windows+E keys.
  2. In the File Explorer’s address box, enter %LOCALAPPDATA%
  3. Press Enter.
  4. Locate the randomly named malicious executable.
  5. Right-click it and click Delete.
  6. Close File Explorer.
  7. Delete all copies of README.hta/ Important Information.hta
  8. Press Windows+R keys.
  9. Enter regedit in the dialog box and press Enter.
  10. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  11. Find a key named Important Information with value data “C:\Users\{UserName}\\Important Information.hta”
  12. Right-click it and click Delete.
100% FREE spyware scan and
tested removal of Zixer2 Ransomware*
  1. Dear Madame,
    Do you have an idea whether there is a tool to encrypt Zixer1 files? I was infected during Easter. The database SQL files are the biggest problem.
    Last thing I\'m gonna do is to pay criminals. Please can you help?

    Rafal Cislo
    Tomaszow Lubelski / Poland

    • Hello Rafal, in case you still need it, you can find the decryptor at https://decrypter.emsisoft.com/download/globe

Reply to Rafał Cisło ¬
Cancel reply

Enter the numbers in the box to the right *