Threat Database Ransomware MR.Z3B1 Ransomware

MR.Z3B1 Ransomware

By GoldSparrow in Ransomware

The MR.Z3B1 Ransomware is a variant of the Jigsaw Ransomware that was spotted by cybersecurity companies on April 2nd, 2019. The MR.Z3B1 Ransomware appears to be developed by a single programmer that goes under the nickname 'MR.Z3B1' and who takes pleasure in encrypting your data judging by the ransom note. The MR.Z3B1 Ransomware is spread via spam emails and fake cracks for premium software packages. The threat author may use file distribution platforms and low-cost advertising to lure users into downloading a harmful program, which installs the MR.Z3B1 Ransomware on the user's machine.

The MR.Z3B1 Ransomware emerged after the '.FuckedByGhost File Extension' Ransomware and the Jeff Ransomware that belong to the Jigsaw family as well. The new variant is said to create a process with a random name and the description 'Windows Explorer' in the Task Manager. Also, the MR.Z3B1 Ransomware overwrites targeted data and deletes the System Restore Points you may have saved recently. The MR.Z3B1 Ransomware Trojan is designed to counteract the default data recovery features on Windows, and you better keep a reliable backup suite running on your PC at all times. The Trojan at hand is observed to write a rather long file marker — '.Contact Hacked by Z3b1 your ID [MI0985547KE] .locked' and produce a blue window on the user's screen. For example, 'Maranduba Beach.jpeg' is renamed to 'Maranduba Beach.jpeg.Contact Hacked by Z3b1 your ID [bp16667535].locked.' The MR.Z3B1 Ransomware uses a single program window that lacks a name to show the following text:

'Well, unfortunately you've been HACKED
Your personal Data has been encrypted. Your photos, videos, documents, etc...
and it will be deleted if i don't hear from you, don't worry! It will only happen if you don't comply. You cannot access to your files again.
Every hour then ransom will increase and some files will be deleted permanently,
During the first 24 hour you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.
If you turn off your computer or try to close me, when I start next time
you will get a few files deleted as a punishment.
I think the only way to decrypt your data is to keep me...
cause im the only one who's able to decrypt your personal data for you.
MR.Z3B1 Salutes you and wants to let you know that Time had began

Please, send $ 500 worth of Bitcoin here: [random characters]
After payment is done contact me with your code [random characters]
[60 min countdown timer]'

The window includes a button called 'How To Pay' that shows a small dialog box with the following information inside:

'STEP 1: Register an account for free on
STEP 2: Signing into the Localbitcoins, by default it takes you to the receive homepage.
STEP 3: Click on the 'Quick buy' icon, enter details of the amount of Bitcoin you want to buy in your local currency
STEP 4: Once you Receive your Bitcoin, Transfer it to the addreess mentioned before

Pictures Guide : Pictures Tutorial
Video Guide : Youtube Tutorial
USD to Bitcoin Converter : USD TO BTC
Instructions E-mail :'

You can close the 'How To Pay' box and explore another button called 'I have the Passcode Decrypt my files,' which produces a small "decryptor" window, which says:

'If you have paid the request amount
then Congratulations !
enter the code i've sent you
to restore your DATA
~Mr.Z3B1 enjoyed having time with you
[text box]
[Decrypt Now|BUTTON] [Cancel|BUTTON]'

We recommend users terminate all processes associated with the MR.Z3B1 Ransomware and seek help from a certified computer expert. Alternatively, you can clean the infected device using a respected anti-malware solution and boot data backups yourself. You should consider your options carefully, and not pay money to the extortionists. Following the payment instructions provided by the MR.Z3B1 Ransomware is not guaranteed to return your files. On the other hand, avoiding spam emails and using legitimate applications will decrease the chances of having to deal with the MR.Z3B1 Ransomware. Keep your data backed up at least on two memory drives and scan your PC regularly.

Alert names for the MR.Z3B1 Ransomware:

DFI - Suspicious PE
Trojan ( 004e21521 )
malware (ai score=81)
win/malicious_confidence_90% (W)


Most Viewed