ZIN ransomware is malware that encrypts files. It’s part of the Dharma ransomware family, which is responsible for releasing many other ransomware versions. This particular version can be differentiated by the .[email@example.com].ZIN extension added to encrypted files.
ZIN ransomware is file-encrypting malicious software from the Dharma ransomware family. The Dharma gang is known for releasing many ransomware versions, including World, SWP, Dex, MUST, RXD, Elvis, and Kut. Users can identify which version they are dealing with by the extension added to encrypted files. This ransomware adds .[firstname.lastname@example.org].ZIN. Files with that extension will not be openable unless they are first decrypted. However, decrypting them requires a special decryptor which, at the time of writing, only the cyber crooks behind this ransomware have. They will try to sell it to the victims, though the price is not mentioned in the ransom note that pops up once files have been encrypted. In addition to the pop-up ransom note, the ransomware also drops FILES ENCRYPTED.txt. Both notes show email@example.com as the contact email address, to which users should send an email if they want to purchase the decryptor. However, we don’t recommend paying the ransom because it does not guarantee that files will be decrypted. The cyber crooks can simply take the money and not send the decryptor, since there is nothing stopping them from doing so. Furthermore, the money users pay would go towards future criminal activity. The truth is that as long as users continue to pay, ransomware will continue to be a problem.
Malware researchers sometimes release free decryptors to help users recover files for free but it’s not always possible to do for all ransomware. There is a decryptor for Dharma on NoMoreRansom but it will not work on ZIN or other newer Dharma versions. Nonetheless, users should back up their encrypted files and occasionally check NoMoreRansom or other reliable sources for decryptors.
If users have backup, they can start file recovery as soon as they remove ZIN ransomware from their computers. However, they should make sure that the ransomware has been fully removed first, because otherwise the backed-up files may be encrypted as well.
How does ransomware infect a computer?
Ransomware often infects computers of users who have bad browsing habits, which include opening unsolicited email attachments, downloading pirated content via torrents, not installing critical system updates, and clicking on suspicious links and ads.
Opening malicious email attachments is a common reason users end up infecting their computers with ransomware. Malicious actors launch entire malspam campaigns using email addresses purchased from hacker forums. They attach malware to emails that are made to seem like some kind of official correspondence from banks, known companies, government agencies, etc. Fortunately for users, the emails are usually pretty obvious. They contain loads of grammar and spelling mistakes, are sent from random/unofficial-looking email addresses, and the sender pressures the potential victim to open the attachment by claiming it’s an important file. While in most cases the malicious emails are pretty obvious, some malspam may be more sophisticated. Thus, we strongly recommend scanning all unsolicited email attachments with anti-virus software or VirusTotal before opening them.
Torrenting can also lead to a malware infection. Users are discouraged from pirating partly because of this and partly because it’s essentially stealing content. Torrent sites are not regulated properly, which allows malicious actors to easily upload malware disguised as a torrent for some kind of popular movie, TV series, game, etc.
Installing security updates is also very important because ransomware can use system vulnerabilities to infect a computer.
Why is ransomware so dangerous?
When ransomware is initiated, it will start encrypting files. It primarily targets documents, photos, videos, etc., essentially files that are the most important to users. Once the files are encrypted, they will have .[firstname.lastname@example.org].ZIN added to them. The extension will also contain users’ unique IDs. For example, image.jpg would become image.jpg.unique ID.[email@example.com].ZIN. Files with that extension will not be openable until they are decrypted.
When the ransomware is done encrypting files, a ransom note will pop up and a text note named FILES ENCRYPTED.txt will be dropped. Both notes contain firstname.lastname@example.org as the contact email address for users who wish to purchase the decryptor. Neither note states the price of the decryptor, though it will likely be a couple of thousand dollars. But as we said above, whatever the ransom may be, paying is risky. There are no guarantees that a decryptor will be sent, as the cyber crooks are not obligated to help users. Unfortunately, only users who have backup can recover files for free.
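Because the encrypted files follow the fixed naming pattern described above, the damage can be inventoried from file names alone, without opening anything. The Python script below is an added example, not code from this article, from any removal tool, or from the malware. It walks a mounted copy of the affected drive, picks out files carrying the .<victim ID>.[<contact e-mail>].ZIN suffix and copies of FILES ENCRYPTED.txt, and summarises the contact e-mail and victim ID it finds. The directory layout, file names and e-mail address in the sample listing are constructed, and the assumption that the victim ID is the last dot-separated segment before the bracketed e-mail is ours, based on the article's image.jpg.unique ID.[email].ZIN example.

```python
"""Name-based triage for a Dharma/ZIN-style encryption incident.

Added example (not part of the original article). Classifies file paths
into encrypted files, ransom-note copies and untouched files using only
their names, so a responder can inventory the damage before wiping the
host and restoring from backup. Nothing is renamed, opened or modified.
"""
import os
import re
from collections import Counter

# Assumed name layout, following the article's example:
#   <original name>.<victim id>.[<contact e-mail>].ZIN
# The id segment is everything between the last dot before "[" and that
# "[", so original names that contain dots (report.final.docx) still parse.
ZIN_NAME_RE = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.ZIN$",
    re.IGNORECASE,
)
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"  # dropped by the ransomware (see article)


def parse_zin_name(name: str):
    """Return the parts of a ZIN-encrypted file name as a dict, or None."""
    match = ZIN_NAME_RE.match(name)
    return match.groupdict() if match else None


def triage_names(paths):
    """Classify file paths into encrypted files, ransom notes and clean files.

    Returns a dict with:
      encrypted  - list of dicts (path, original, victim_id, email)
      notes      - list of ransom-note paths
      clean      - list of paths matching neither pattern
      emails     - Counter of contact e-mails seen in encrypted names
      victim_ids - set of victim ids seen (normally exactly one per host)
    """
    result = {"encrypted": [], "notes": [], "clean": [],
              "emails": Counter(), "victim_ids": set()}
    for path in paths:
        name = os.path.basename(path)
        if name.lower() == RANSOM_NOTE_NAME.lower():
            result["notes"].append(path)
            continue
        parsed = parse_zin_name(name)
        if parsed is None:
            result["clean"].append(path)
            continue
        parsed["path"] = path
        result["encrypted"].append(parsed)
        result["emails"][parsed["email"].lower()] += 1
        result["victim_ids"].add(parsed["victim_id"])
    return result


def scan_tree(root):
    """Walk a directory tree (e.g. a mounted evidence image) and triage it."""
    paths = [os.path.join(dirpath, fn)
             for dirpath, _, filenames in os.walk(root) for fn in filenames]
    return triage_names(paths)


def summary_lines(result):
    """Human-readable summary suitable for an incident log."""
    lines = [f"{len(result['encrypted'])} encrypted file(s), "
             f"{len(result['notes'])} ransom note(s), "
             f"{len(result['clean'])} untouched file(s)"]
    for email, count in result["emails"].most_common():
        lines.append(f"contact e-mail {email}: {count} file(s)")
    for vid in sorted(result["victim_ids"]):
        lines.append(f"victim id: {vid}")
    return lines


# Constructed sample listing of a victim's Documents folder on a mounted image.
SAMPLE_PATHS = [
    "/mnt/evidence/Users/victim/Documents/image.jpg.id-AB12CD34.[email@example.com].ZIN",
    "/mnt/evidence/Users/victim/Documents/Q3 report.final.docx.id-AB12CD34.[email@example.com].ZIN",
    "/mnt/evidence/Users/victim/Documents/FILES ENCRYPTED.txt",
    "/mnt/evidence/Users/victim/Documents/notes.txt",
    "/mnt/evidence/Users/victim/Documents/archive.zin",  # unrelated .zin file, not encrypted
]

if __name__ == "__main__":
    for line in summary_lines(triage_names(SAMPLE_PATHS)):
        print(line)
```

Running scan_tree against the restored machine after removal, and again a day later, is a cheap way to confirm that no newly encrypted files are appearing before backups are reconnected. The script deliberately reads names only: the ransom note warns against renaming encrypted files, and an inventory should not change the evidence in any case.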
Here is the text from the pop-up ransom note:
YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email email@example.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:firstname.lastname@example.org
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
ZIN ransomware removal
Because ransomware isn’t a simple infection, we recommend using anti-malware software to delete ZIN ransomware. Only when ransomware is no longer present should users connect to backup to start recovering files.
ZIN ransomware is detected as:
- Win32:RansomX-gen [Ransom] by Avast/AVG
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom.Win32.CRYSIS.SM by TrendMicro
- Ransom.Crysis by Symantec and Malwarebytes
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- Trojan.Ransom.Crysis.E by BitDefender