Zelta Free ransomware - How to remove

A new Zelta Free ransomware virus, or simply Zelta, which makes alterations to Windows operating systems, has been found. This variant claims to play a game of Russian Roulette: for every 6 hours that the victim refuses to pay the ransom, a random file is chosen and permanently deleted. The variant also installs a screen-locker that displays these instructions in a grey table. After 4 days without a response from the victim, all of his or her digital data is said to be permanently lost, because the private decryption key is destroyed. To tell victims apart and avoid confusion, the hackers assign a specific ID to each compromised operating system. This code is supposed to be sent to [email protected]. After that, the crooks provide further instructions, including a specific bitcoin wallet and the exact sum to be paid for decryption.

Features of this crypto-virus

Zelta ransomware appears to be a new variant of an older infection named Stampado. While the latter was sold on the dark web for 39 US dollars, the creators of the new sample promote it as free of charge. A peculiar element of the newly produced virus is that its author created a separate YouTube channel to promote it. The account is named “Zelta Ransomware” and features a bitcoin emblem as its avatar. Soon after being created, the account published a post inviting users to try out this crypto-virus and included a link to Sendspace.com, a file-distribution service. Presumably, this is the source of this variant.


If digital files are encrypted with an algorithm (this aspect had not been clearly identified at the time of writing), they receive a .locked extension. Since a lock-screen prevents users from fully accessing their desktop and the rest of their folders, the victim is offered a view of the encoded files after clicking on “See the files I’ll get back if I’m a good boy”. However, before a ransomware can carry out malicious processes like encryption, it has to gain some persistence. First, the Zelta – Free.exe file modifies Windows Registry keys so that its malicious process is launched automatically. It is unknown whether it appears under other names in Windows Task Manager.
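A defender-side triage of the autorun registry values that this kind of persistence relies on, added here as an example; it is not code from the original post or from the malware author. It assumes the Run/RunOnce keys are the ones modified (the write-up only says “Windows Registry keys”), parses the text that `reg query` prints so it can run on an offline analysis machine, and the registry output embedded below is constructed sample data.

```python
# Added example: triage the autorun (Run/RunOnce) values that a dropper such as the
# "Zelta - Free.exe" described above would register to start automatically. Assumption:
# persistence lives in the Run keys; input is the text `reg query <key>` prints.
import re

# User-writable directories; a legitimate autorun rarely points into these.
SUSPICIOUS_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public",
                   r"\programdata", r"\downloads")
# Names taken from the write-up; extend with your own indicators.
SUSPICIOUS_NAMES = ("zelta", "stampado")

# reg query prints values as "    <name>    <REG_TYPE>    <data>" under a flush-left key.
VALUE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # key paths are printed flush left
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")

def is_suspicious(name, data):
    """Flag a value whose target sits in a user-writable directory or matches a known name."""
    path = data.lower().strip('"')
    return (any(d in path for d in SUSPICIOUS_DIRS)
            or any(n in (name + data).lower() for n in SUSPICIOUS_NAMES))

def triage(text):
    """Return the (key, name, data) triples worth a closer look."""
    return [(k, n, d) for k, n, d in parse_reg_query(text) if is_suspicious(n, d)]

# Constructed sample: what `reg query` might print on an infected host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Zelta - Free    REG_SZ    C:\Users\alice\AppData\Local\Temp\Zelta - Free.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

if __name__ == "__main__":
    for key, name, data in triage(SAMPLE):
        print(f"[suspicious autorun] {key}\\{name} -> {data}")
```

On a live host, feed it the output of `reg query` for both the HKCU and HKLM Run and RunOnce keys; the OneDrive entry in the sample shows that a path under AppData alone is not enough to raise a flag.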


Since this variant is offered online, it can be classed as ransomware-as-a-service (RaaS), a model that is gradually gaining popularity among hackers. This specific sample is odd in that it is provided completely free of charge. However, you should not become a nasty crook: don’t invest your time in attempting to corrupt users’ files.

If you notice the screen-locker depicted in one of the pictures above, you are infected. Nevertheless, this does not mean you should pay the ransom the hackers dare to demand. Since this variant of Stampado offers to decrypt one file for free, you should take advantage of this feature. Contact [email protected] and insist that they recover one of the encoded files. After that, send both versions of the file, encrypted and decrypted, to security researchers for analysis.

Decryption process of files: is it possible?

For the time being, we have found no information that a decryptor will be produced. However, it is possible that security researchers won’t take long to produce one. Stay calm, and under no circumstances pay the ransom the infection demands from you. There are no guarantees that any of your files will be recovered even if you do pay. Before thinking about decryption, you should get rid of the infection itself. Use anti-malware tools like Spyhunter or Malwarebytes to remove this Zelta Free virus without any obstacles. Read more about the decryption process and removal in the sections after the paragraph about distribution.

Distribution techniques this ransomware can use

This crypto-virus could be using (and probably is) the most popular methods of ransomware transmission. One of them is flows of malicious spam letters delivered to random email accounts. If you ever notice messages from sources you do not know, never download the attachments they provide or follow the links they recommend. Additionally, ransomware samples can slither into devices through vulnerable operating systems. Windows OSs are very frequently targeted: make sure you keep yours up to date.

How to recover Zelta Free ransomware encrypted files and remove the virus

Step 1. Restore the system to the last known good state using System Restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before Zelta Free ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Zelta Free virus

After restoring your system, it is recommended to scan your computer with an anti-malware program like Spyhunter and remove all malicious files related to the Zelta ransomware virus. You can check other tools here.

Step 3. Restore Zelta Free ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Zelta Free ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copies: the native Windows Previous Versions feature or Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use data recovery programs to recover Zelta Free virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.