
'.zzz File Extension' Ransomware

By GoldSparrow in Ransomware

Ransomware variants have exploded in the last couple of years. In the first weeks of 2016, PC security researchers had already observed dozens of new variants of TeslaCrypt, an infamous encryption ransomware infection first released in early 2015. The '.zzz File Extension' Ransomware is one of these variants. It and its many siblings coincide with the newest version of TeslaCrypt, named TeslaCrypt 3.0. This version closes a weakness that had previously allowed malware researchers to recover the decryption key from the infection and help computer users decrypt their files. The '.zzz File Extension' Ransomware and the other new variants are very likely related to the recent offering of TeslaCrypt as RaaS (Ransomware as a Service).

The Infection Process Used by the '.zzz File Extension' Ransomware

It's not difficult to understand how the '.zzz File Extension' Ransomware infects a computer, since it uses an approach similar to most other encryption ransomware:

  1. The '.zzz File Extension' Ransomware may be delivered using typical threat delivery methods, such as corrupted email attachments.
  2. Once the '.zzz File Extension' Ransomware enters a computer, it scans the victim's hard drives. The '.zzz File Extension' Ransomware and its variants are unusual in that they target video game files (saves, mods and game assets) as well as the documents, images, archives and certificate files that ransomware commonly targets. They look for files with the following file extensions:

     .7z; .rar; .m4a; .wma; .avi; .wmv; .csv; .d3dbsp; .sc2save; .sie; .sum; .ibank; .t13; .t12; .qdf; .gdb; .tax; .pkpass; .bc6; .bc7; .bkp; .qic; .bkf; .sidn; .sidd; .mddata; .itl; .itdb; .icxs; .hvpl; .hplg; .hkdb; .mdbackup; .syncdb; .gho; .cas; .svg; .map; .wmo; .itm; .sb; .fos; .mcgame; .vdf; .ztmp; .sis; .sid; .ncf; .menu; .layout; .dmp; .blob; .esm; .001; .vtf; .dazip; .fpk; .mlx; .kf; .iwd; .vpk; .tor; .psk; .rim; .w3x; .fsh; .ntl; .arch00; .lvl; .snx; .cfr; .ff; .vpp_pc; .lrf; .m2; .mcmeta; .vfs0; .mpqge; .kdb; .db0; .DayZProfile; .rofl; .hkx; .bar; .upk; .das; .iwi; .litemod; .asset; .forge; .ltx; .bsa; .apk; .re4; .sav; .lbf; .slm; .bik; .epk; .rgss3a; .pak; .big; .unity3d; .wotreplay; .xxx; .desc; .py; .m3u; .flv; .js; .css; .rb; .png; .jpeg; .txt; .p7c; .p7b; .p12; .pfx; .pem; .crt; .cer; .der; .x3f; .srw; .pef; .ptx; .r3d; .rw2; .rwl; .raw; .raf; .orf; .nrw; .mrwref; .mef; .erf; .kdc; .dcr; .cr2; .crw; .bay; .sr2; .srf; .arw; .3fr; .dng; .jpg; .cdr; .indd; .ai; .eps; .pdf; .pdd; .psd; .dbfv; .mdf; .wb2; .rtf; .wpd; .dxg; .xf; .dwg; .pst; .accdb; .mdb; .pptm; .pptx; .ppt; .xlk; .xlsb; .xlsm; .xlsx; .xls; .wps; .docm; .docx; .doc; .odb; .odc; .odm; .odp; .ods; .odt.

  3. The '.zzz File Extension' Ransomware uses AES encryption to encrypt every file that matches its extension list; the file contents are encrypted with AES whatever the ransom note says about RSA-2048. During encryption, it changes the affected file's extension to .zzz. The key needed to decrypt the files is not stored on the infected computer, so PC security researchers cannot recover it from the affected machine as they could with earlier TeslaCrypt versions.
  4. The '.zzz File Extension' Ransomware also may delete the Volume Shadow Copies of the files it encrypts, as well as System Restore points, to prevent recovery through other methods.
  5. The '.zzz File Extension' Ransomware leaves its ransom note in various places on the victim's computer. These messages may take the form of text or HTML files. The '.zzz File Extension' Ransomware also may change the affected computer's Desktop background. The following is an example of a typical ransom note used by the '.zzz File Extension' Ransomware and other TeslaCrypt variants:

Your personal files are encrypted!
Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click "Show Encrypted Files" button to view a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
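As an added triage example (not the article's own tooling, and not the malware's code), the following Python script walks a directory tree copied from an affected machine and inventories what the infection process described above left behind: files carrying the .zzz extension, the original extension recovered from each file name, whether the file body actually looks like ciphertext (Shannon entropy close to 8 bits per byte, as AES output is), files with targeted extensions that the malware did not reach, and ransom-note files recognised by the first line of the note quoted above. It assumes the malware appends .zzz to the original name (report.docx becomes report.docx.zzz); a bare report.zzz is still counted, with the original extension reported as unknown. The ransom note's file name and the whole sample tree are constructed for the demonstration and are not taken from a real incident.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Subset of the extension list given in the article; extend with the rest.
TARGET_EXTENSIONS = {
    ".7z", ".rar", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".jpeg", ".png",
    ".txt", ".sav", ".unity3d", ".pem", ".pfx", ".p12", ".crt",
}
RANSOM_EXTENSION = ".zzz"
# First line of the ransom note quoted in the article.
NOTE_SIGNATURE = b"Your personal files are encrypted!"
ENTROPY_THRESHOLD = 7.0   # bits per byte; AES ciphertext sits close to 8.0
SAMPLE_BYTES = 65536      # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def original_extension(path) -> str:
    """'report.docx.zzz' -> '.docx'; 'report.zzz' -> '' (original unknown)."""
    inner = Path(path).name[: -len(RANSOM_EXTENSION)]
    return Path(inner).suffix.lower()


def triage(root: Path) -> dict:
    """Walk root and sort every regular file into one of four buckets."""
    report = {
        "encrypted": [],          # .zzz files whose head looks like ciphertext
        "renamed_only": [],       # .zzz files whose head is low-entropy (not ciphertext)
        "ransom_notes": [],       # files that start with the note's first line
        "untouched_targets": [],  # targeted extensions the malware did not reach
        "by_original_ext": Counter(),
    }
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        with p.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if p.name.lower().endswith(RANSOM_EXTENSION):
            report["by_original_ext"][original_extension(p) or "<unknown>"] += 1
            looks_encrypted = shannon_entropy(head) >= ENTROPY_THRESHOLD
            report["encrypted" if looks_encrypted else "renamed_only"].append(rel)
        elif head.lstrip().startswith(NOTE_SIGNATURE):
            report["ransom_notes"].append(rel)
        elif p.suffix.lower() in TARGET_EXTENSIONS:
            report["untouched_targets"].append(rel)
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not files from a real victim machine."""
    rng = random.Random(2016)
    cipher_like = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for AES output
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.zzz").write_bytes(cipher_like)           # encrypted document
    (docs / "save01.sav.zzz").write_bytes(cipher_like[::-1])      # encrypted game save
    (docs / "notes.txt.zzz").write_bytes(b"plain text " * 300)   # renamed but still plaintext
    (docs / "untouched.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)  # never reached
    (root / "ransom_note.txt").write_bytes(                        # assumed note file name
        NOTE_SIGNATURE + b"\r\nYour files have been safely encrypted on this PC.\r\n")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    summary = run_demo()
    for key in ("encrypted", "renamed_only", "ransom_notes", "untouched_targets"):
        print(f"{key}: {summary[key]}")
    print("original extensions:", dict(summary["by_original_ext"]))
```

The entropy check matters because a renamed file is not necessarily an encrypted one: a file the malware was interrupted on, or one restored from backup but left with the wrong name, reads as plaintext and should not be counted as lost. Pointing `triage()` at a mounted image of the victim's disk gives an inventory by original extension that scopes the damage before any decision about restoring from backups or Shadow Copies is made.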
