Ygkz is a malicious program that corrupts files and changes their names to end with “.ygkz”. It may also install other malware.
It’s important to remove Ygkz and the other malware. However, getting your data back is a little more complicated.
About Ygkz in short:
| Question | Answer |
|---|---|
| How Ygkz affects PCs | It spreads with infected installers, installs other malware, and corrupts files, changing their names by adding “ygkz” as a second extension. |
| Can you get your files back | Restore your files from a backup, use file recovery programs, or check them with the free decryptor. |
| How to remove Ygkz ransomware | Repair your hosts file, use antivirus programs (Spyhunter, others) to remove all malware, and reset your passwords. |
How Ygkz ransomware works
It infects Windows PCs
Ygkz is a very new malware that was only noticed a few days ago. Although it is very new, it is part of the Djvu family of ransomware which has existed for years. So, we can say a lot about Ygkz based on the previous versions of this malware – Pola, Wbxd, and others. It targets Windows, infects computers, and corrupts files.
Most likely, Ygkz was embedded in free software installers and uploaded on the internet. It might have been part of a pirated program, or a legitimate program uploaded on a malicious website. This way of spreading is not very common for ransomware, but it’s how Djvu ransomware has usually done it.
It’s very possible that Ygkz is installed with more malware:
- With advertising software that causes redirects and excessive pop-ups in your browsers.
- With spyware that steals credentials, such as the passwords that are saved in browsers to help you log in quickly.
- With other trojans that download and install malware on your computer.
It encrypts files
Ygkz corrupts files. Pictures, documents, music, movies, etc. – these files get broken completely or partially by Ygkz. If you try to open them, you might find that some portions are missing or that files completely refuse to open. If you force them to open, you might find their contents replaced with random symbols.
The files that Ygkz encrypts also get marked with a second file type extension, “ygkz”. So, your files might be named “picture.jpg.ygkz” and represented with the icon of a blank page.
Ygkz offers to fix the files that it broke for a fee of a few hundred dollars. It says this in its ransom notes called “_readme.txt” which it creates in various folders of the infected computer. The people behind this malware extort their victims and make money this way.
How to restore your files
You can remove Ygkz and other malware, but this won’t fix the files that were corrupted. Luckily, there are a few ways that you might be able to recover your data without having to deal with the extortionists behind this malware.
One is to recover your files from your backups. If you had backups of your data before Ygkz attacked, then you can recover your files. However, some backups, such as Windows automatic backups and earlier file versions, do get deleted. Improperly configured cloud backups can also get affected.
It’s also possible that Ygkz failed to encrypt some of your files – look through all of your folders to make sure.
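To check which files carry the “.ygkz” extension, which ones were missed, and where the “_readme.txt” notes were dropped, here is an added Python script (not from the original guide) that walks a folder tree and sorts files into those three groups; the sample directory it builds is constructed for the dry run.

```python
import tempfile
from pathlib import Path

RANSOM_EXT = ".ygkz"       # second extension Ygkz appends (from the guide)
NOTE_NAME = "_readme.txt"  # ransom note file name (from the guide)

def inventory(root):
    """Walk root and sort files into encrypted, untouched and ransom notes."""
    root = Path(root)
    result = {"encrypted": [], "untouched": [], "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == NOTE_NAME:
            result["notes"].append(rel)
        elif path.suffix.lower() == RANSOM_EXT:
            result["encrypted"].append(rel)
        else:
            result["untouched"].append(rel)
    for key in result:
        result[key].sort()
    return result

def original_name(encrypted_name):
    """'picture.jpg.ygkz' -> 'picture.jpg': only the appended extension is removed."""
    if encrypted_name.lower().endswith(RANSOM_EXT):
        return encrypted_name[:-len(RANSOM_EXT)]
    return encrypted_name

def build_sample_tree():
    """Constructed sample directory (not real victim data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="ygkz_demo_"))
    (root / "Pictures").mkdir()
    (root / "Pictures" / "picture.jpg.ygkz").write_bytes(b"\x00" * 16)
    (root / "Pictures" / "_readme.txt").write_text("ransom note placeholder")
    (root / "Docs").mkdir()
    (root / "Docs" / "report.docx.ygkz").write_bytes(b"\x00" * 16)
    (root / "Docs" / "notes.txt").write_text("still readable")
    (root / "_readme.txt").write_text("ransom note placeholder")
    return root

if __name__ == "__main__":
    report = inventory(build_sample_tree())
    for f in report["encrypted"]:
        print(f"encrypted: {f}  (was {original_name(Path(f).name)})")
    print("untouched:", report["untouched"])
    print("ransom notes:", report["notes"])
```

Run it against a copy of your data drive rather than the live one, and keep the “untouched” list as the starting point for what does not need recovery.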
Other data recovery options
Even though Ygkz deletes backups, file recovery programs can help you bring some of that data back. They do this by scanning your drives for deleted files. The sooner you do this, the better the results can be.
Some encrypted files may be partially repaired. Make backups of these files for now.
If you’re very lucky, it might be possible for you to use a decryption key that some other victim of Ygkz ransomware paid for. To check if that’s an option, use the decryptor released by the antivirus company Emsisoft.
How to remove Ygkz ransomware
It’s unlikely that Ygkz ransomware is the only threat on your PC. Therefore, it’s good to use antivirus programs to find and delete all malware from your computer. Spyhunter and other reputable apps can help you find the malicious programs and remove them.
You might also need to fix your hosts file to unblock all the sites that Ygkz blocked. The instructions for how to do this are below.
After you’ve deleted all malware, reset your passwords. This is in case there was any spyware installed alongside Ygkz ransomware. If the spyware stole your credentials, changing your passwords protects your accounts from being hacked. Using 2-factor authentication is also important.
Important -- edit the hosts file to unblock security websites
TL;DR: The hosts file is edited to block security sites.
Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). That is the reason the majority of security websites are inaccessible when infected with this particular parasite. This infection edits this file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.
Find and edit the hosts file
The hosts file can be found at C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.
- In the Start Menu, search for Control Panel.
- In the Control Panel, find Appearance and Personalization.
- Select Folder Options.
- Open the View tab.
- Open Advanced settings.
- Select "Show hidden files...".
- Select OK.
- Open the Start Menu and enter "notepad".
- When Notepad shows up in the result, right-click on it.
- In the menu, choose "Run as administrator".
- File->Open and browse for the hosts file.
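Before editing by hand, it helps to see exactly which lines are doing the blocking. This added Python script (not part of the original guide) parses text in the hosts file format and lists every entry that points a real website at an unreachable address, which is how the malware makes security sites fail to load; the sample hosts content is constructed and the domain names are placeholders.

```python
import ipaddress

# Names a stock Windows hosts file legitimately maps to loopback addresses.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every non-comment hosts line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            yield no, parts[0], parts[1:]

def is_sinkhole(ip):
    """True for addresses that make a name unreachable: loopback, 0.0.0.0, ::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_blocked_sites(text):
    """Return [(line_no, hostname)] for real sites pointed at a sinkhole address."""
    blocked = []
    for no, ip, names in parse_hosts(text):
        if is_sinkhole(ip):
            blocked.extend((no, n) for n in names if n.lower() not in LOOPBACK_NAMES)
    return blocked

def clean_hosts(text):
    """Return (cleaned_text, removed_lines); removed_lines is kept for review."""
    bad = {no for no, _ in find_blocked_sites(text)}
    kept, removed = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        (removed if no in bad else kept).append(raw)
    return "\n".join(kept) + "\n", removed

# Constructed sample: stock header, one legitimate LAN entry, two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
192.168.1.10   fileserver.local
0.0.0.0        security-vendor.example
127.0.0.1      antivirus-download.example   # injected by the malware
"""

if __name__ == "__main__":
    for no, name in find_blocked_sites(SAMPLE_HOSTS):
        print(f"line {no}: {name} is blocked")
```

Custom ad-blocking host lists also map sites to 0.0.0.0, so review the removed lines before saving the cleaned text back to the hosts file from an administrator Notepad.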
Download and run the antivirus program
After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware, for example Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/).
How to recover Ygkz Ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore system files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the restore points that were created before Ygkz Ransomware infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Ygkz Ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Ygkz Ransomware. You can check other tools here.
Step 3. Restore Ygkz Ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Ygkz Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Ygkz Ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.