0day Ransomware - How to remove

0day is a Dharma/CrySiS ransomware and quite a dangerous virus. It usually infects computers through an exposed remote desktop connection and can potentially cost you all of your files and, possibly, a lot of money.

0day, discovered by @JakubKroustek, is a virus incredibly similar to Harma, NWA, and other ransomware. It behaves the same way they do, running the encryption process on every file it finds (except the ones that are important to the operating system), scrambling their contents and making them unusable. Documents, movies, and text files are all in danger of being broken by 0day.

What the infection looks like

When 0day encrypts the files, it also renames them by appending a special extension, like this:

picture.jpg.id-[ID].[[email protected]].0day

The ID is the unique identification code given to each victim of 0day.

A pop-up window with the ransom message from the extortionists tells you that you only have 7 days to contact [email protected] or [email protected] and pay a ransom of, probably, a few thousand dollars — that’s how much these extortionists often ask for. In Bitcoin, of course, because then your money cannot be recalled if or, more likely, when the criminals fail to fix your files.

A RETURN FILES.txt file is also created with a short message:

All your data is encrypted!
for return write to mail:
[email protected] or [email protected]

The files are corrupted very quickly. You might think that large files would take a few minutes to encrypt, but 0day only does the bare minimum to make the files useless, then moves on to the next file. Public-key encryption is used, which means that the decryption keys are only known to the people behind 0day. There is no practical way to calculate the decryption keys, and they’re unique to each victim, so paying for them wouldn’t help anyone else. For now, the files may as well be lost.
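The renaming scheme above (original name, then `.id-<ID>`, then the contact e-mail in square brackets, then `.0day`) and the `RETURN FILES.txt` note are the two things an administrator can look for when triaging a machine. The script below is an added example, not code from the page's author: it parses that naming scheme, counts how many files were touched, and records which victim ID and contact e-mail appear, so that the original file names are known when a backup is restored. The exact regular expression, the sample paths, the ID `0000AAAA` and the e-mail `attacker@example.com` are constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Layout of a renamed file as described on the page:
#   <original name>.id-<victim ID>.[<attacker e-mail>].0day
# The character classes below are an assumption made for this example
# (IDs and e-mails are attacker-assigned), not taken from a malware sample.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[^.\[\]]+)\.\[(?P<email>[^\[\]]+)\]\.0day$",
    re.IGNORECASE,
)
# Ransom note dropped next to the encrypted files (name taken from the page).
RANSOM_NOTE = "RETURN FILES.txt"


def parse_encrypted_name(name):
    """Split a renamed file into (original name, victim ID, e-mail), or None."""
    match = ENCRYPTED_NAME.match(name)
    if match is None:
        return None
    return match.group("original"), match.group("victim_id"), match.group("email")


def triage(paths):
    """Summarise which files were renamed, and with which victim ID / e-mail."""
    victim_ids = Counter()
    emails = Counter()
    encrypted = []  # (path, original name) so the name can be put back on restore
    notes = []
    for path in paths:
        # PureWindowsPath splits on backslashes on any platform.
        name = PureWindowsPath(path).name
        if name.lower() == RANSOM_NOTE.lower():
            notes.append(path)
            continue
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue
        original, victim_id, email = parsed
        encrypted.append((path, original))
        victim_ids[victim_id] += 1
        emails[email] += 1
    return {
        "encrypted": encrypted,
        "notes": notes,
        "victim_ids": dict(victim_ids),
        "emails": dict(emails),
    }


# Constructed sample listing: paths, ID and e-mail are made up for the example.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\picture.jpg.id-0000AAAA.[attacker@example.com].0day",
    r"C:\Users\alice\Documents\budget.xlsx.id-0000AAAA.[attacker@example.com].0day",
    r"C:\Users\alice\Documents\RETURN FILES.txt",
    r"C:\Users\alice\Documents\untouched.docx",
    r"C:\Windows\System32\ntoskrnl.exe",
]

if __name__ == "__main__":
    report = triage(SAMPLE_PATHS)
    print(f"{len(report['encrypted'])} encrypted files, {len(report['notes'])} ransom notes")
    print("victim IDs:", report["victim_ids"])
    print("contact e-mails:", report["emails"])
```

On a real machine, feed `triage()` the paths from `os.walk()` over the user profile instead of `SAMPLE_PATHS`; seeing more than one victim ID or e-mail in the result usually means more than one infection or more than one affected machine shares the drive.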

How 0day spreads

0day affects Windows computers, and the main way it’s known to be distributed is through the Remote Desktop Protocol (RDP). If you have RDP enabled (you might not even know it!) and reachable from the internet, criminals can find it, brute-force your credentials, and infect your device with all sorts of malware. Make sure to change your password and secure the connection, and install the newest updates for your operating system to benefit from all the security patches. Remember that criminals will abuse security flaws even after they’ve been patched, because they know how many people fail to update their software.
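The brute-forcing described above leaves a trail in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (event ID 4624) from the same address. The script below is an added example, not code from the page's author: it runs that detection over a handful of constructed log lines. The comma-separated line layout, the timestamps and the addresses (TEST-NET ranges) are made up for the example; the event IDs and the logon type are the real Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log events, one per line as
# "timestamp,event id,logon type,account,source IP". The line layout is an
# assumption for this example, not a real export format.
SAMPLE_LOG = """\
2024-01-01T10:00:00,4625,10,Administrator,203.0.113.5
2024-01-01T10:00:20,4625,10,Administrator,203.0.113.5
2024-01-01T10:00:40,4625,10,admin,203.0.113.5
2024-01-01T10:01:00,4625,10,admin,203.0.113.5
2024-01-01T10:01:20,4625,10,user,203.0.113.5
2024-01-01T10:01:40,4625,10,user,203.0.113.5
2024-01-01T10:02:00,4624,10,user,203.0.113.5
2024-01-01T10:05:00,4625,10,alice,198.51.100.7
2024-01-01T10:30:00,4625,10,alice,198.51.100.7
2024-01-01T11:00:00,4624,10,alice,198.51.100.7
2024-01-01T11:10:00,4625,2,bob,127.0.0.1
"""

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
SUCCESSFUL_LOGON = 4624  # Windows Security event: an account was logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive: Terminal Services / RDP


def parse_log(text):
    """Parse the sample format into (time, event id, logon type, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), account, ip))
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak failure count} for sources that produced at least
    `threshold` failed RDP logons inside any span of length `window`."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, _account, ip in events:
        if event_id == FAILED_LOGON and logon_type == RDP_LOGON_TYPE:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def successes_after_bruteforce(events, flagged):
    """Successful RDP logons from a source already flagged for brute-forcing:
    these need an incident response, not just a firewall rule."""
    return [
        (ts.isoformat(), account, ip)
        for ts, event_id, logon_type, account, ip in sorted(events)
        if event_id == SUCCESSFUL_LOGON and logon_type == RDP_LOGON_TYPE and ip in flagged
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_rdp_bruteforce(events)
    print("brute-force sources:", flagged)
    for ts, account, ip in successes_after_bruteforce(events, flagged):
        print(f"{ts}: {ip} logged in as {account} after repeated failures")
```

The sample deliberately includes a user who mistyped a password twice half an hour apart and a local (logon type 2) failure, neither of which should trip the detector; tune `threshold` and `window` to the size of the environment rather than copying the defaults.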

The other ways that ransomware viruses are distributed include preinstalled trojans, pirated files and software cracks, fake installers, freeware bundles, and malicious e-mail spam. Most of these require you, the victim, to do something to enable the virus: run the file, open a link, etc. Be careful online, don’t trust anything, and make sure that your backups are safe and complete.

Storing a copy of your files offline, disconnected from your computer (or in the cloud), should keep them safe from viruses. You can then restore your lost files from that copy. A backup would protect you from 0day or any other ransomware, from having your computer stolen, from your computer breaking, and from accidentally deleting important files. Backups are invaluable when it comes to being safe from viruses.

0day ransomware screenshot of the note

How to remove 0day ransomware

The first thing to do is to make sure that no malware is left on your computer. Some ransomware is distributed together with spyware and trojans, so it might not be safe to use your computer for anything banking-related. First, scan your device with an antivirus application: Spyhunter should work, so should the majority of reputable antivirus programs, since 0day is widely recognized as a threat.

There is no known way to decrypt the 0day-encrypted files. It’s possible, though very unlikely, that a decryptor will be developed in the future, so it’s worth keeping your most important files backed up somewhere and checking the nomoreransom.org site periodically.

Automatic Malware removal tools

Download Spyhunter for Malware detection

Note: the Spyhunter trial provides detection of parasites and assists in their removal for free. A limited trial is available.

Download Combo Cleaner for Malware detection

Note: the Combo Cleaner trial provides detection of parasites and assists in their removal for free. A limited trial is available.

How to recover 0day Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before 0day Ransomware infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.

Step 2. Complete removal of 0day Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to 0day Ransomware. You can check other tools here.

Step 3. Restore 0day Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually 0day Ransomware tries to delete all available Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
  • Right-click on an encrypted file and select Properties → Previous Versions tab. You will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy.
  • Choose the version of the file you want to retrieve and click Copy to save it to a directory of your own, or Restore to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
  • It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer.
  • Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive.
  • To retrieve a whole folder, right-click on it and select “Export”, then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover 0day Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.