Remove ZES ransomware

ZES ransomware is file-encrypting malware that adds the .[].zes file extension to locked files.


ZES ransomware note

ZES ransomware comes from the Makop ransomware family and is a dangerous piece of malware. It encrypts files, adds the .[].zes extension (e.g. image.jpg.[].zes), drops a readme-warning.txt ransom note, and demands that users pay money in order to decrypt files. This is fairly typical ransomware with nothing really unique about it. However, that does not mean it’s not dangerous.

Discovered in early August, ZES ransomware infects via the usual methods, such as software vulnerabilities, fake update notifications, spam email attachments, torrents, etc. It’s possible to prevent the majority of malware from entering a computer, as long as users know how, and this will be explained further on. Essentially, users need to develop good browsing habits.

Users whose files have been encrypted by this ransomware will get a ransom note, which explains what has happened. Users are offered the chance to buy the decryptor from the operators of this ransomware, though the price is not specified. Paying the ransom is usually not recommended because there are no guarantees that a working decryptor will be sent to victims. The only sure way to recover files is via backup. Situations like this are why regularly backing up files is so important. However, if users do have a backup, they should only access it after they have fully removed ZES ransomware from their computers. Otherwise, backed up files may become encrypted as well.

How does ZES ransomware infect a computer

Most ransomware uses the same distribution methods. Those methods include torrents, spam emails, software cracks, system vulnerabilities, etc.

Spam email is the method that perhaps requires the least effort. Cyber criminals buy hundreds if not thousands of email addresses leaked in data breaches, and launch a spam email campaign that targets the owners of those addresses. The emails carry an attachment which, if opened, would initiate the ransomware. The attached file is introduced as some kind of important file that users need to open immediately. The senders of these emails often claim to be from known companies, banks, government organizations, etc. However, such emails are often full of grammar and spelling errors, which are a major sign that users are dealing with spam. Spam senders’ email addresses are also often made up of random letters and numbers, and that is another indication that the email is spam. In general, it’s best to treat every unsolicited email with an attachment as potentially malicious until proven otherwise. A good way to know whether an attachment is malicious is to scan it with anti-virus software or VirusTotal before opening it.

Ransomware and other types of malware may also enter a computer via system vulnerabilities. Software has weak spots that, if detected, are patched with an update. Because updates fix vulnerabilities, installing them is very important. It’s recommended that users turn on automatic updates whenever possible.

Downloading pirated content and software cracks via torrents can also lead to a ransomware infection. Because torrent sites are not regulated properly, it’s not difficult for malware operators to disguise malware as movies, games, software cracks, and other popular content. Users should always consider the danger before pirating via torrents.

Is it possible to recover ZES ransomware encrypted files

As soon as the ransomware is initiated, it will start encrypting files. Because they are usually the most valuable, the ransomware targets photos, videos and documents. Encrypted files can be recognized by the .[].zes file extension. For example, the file image.jpg would become image.jpg.[].zes. A ransom note is also dropped, named readme-warning.txt. The note explains that files have been encrypted and paying the ransom is the only way to recover them. The note does not specify the ransom sum, and instead demands that users contact cyber criminals via They also offer to decrypt two files for free, as a guarantee that they can actually decrypt files.

The full ransom note is displayed below:

::: Greetings :::

Little FAQ:
Q: Whats Happen?
A: Your files have been encrypted and now have the “zes” extension. The file structure was not damaged, we did everything possible so that this could not happen.

Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.

Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc… not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

Q: How to contact with you?
A: You can write us to our mailbox:

Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice – time is much more valuable than money.

DON’T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions – please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

While paying may seem like the best option, users should be careful. There have been plenty of cases in the past where either no decryptor was sent or it did not work properly. Unfortunately, there is currently no way to recover files other than from a backup. It should be mentioned, though, that malware researchers often develop free decryptors to help victims recover files without paying the ransom. NoMoreRansom is a good source for decryptors.

ZES ransomware removal

Users should not try to delete ZES ransomware manually as that could cause even more damage. Instead, they should use anti-malware software as ransomware is a complex infection. Only when the ransomware is gone should users start file recovery via backup. If backup is accessed when ransomware is still present, it could lead to those files becoming encrypted as well.
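Before restoring from backup, it helps to know which files were locked and what they were originally called. The following Python script is an added example, not part of the original article or any vendor tool: it walks a folder, matches the .[].zes naming and the readme-warning.txt note described above, and pairs each locked file with the name to look for in the backup. The bracketed part of the extension is shown empty on this page, so the script treats its contents as opaque (an assumption), and the sample tree consists of constructed empty files.

```python
import os
import re
import tempfile

# Names as given on the page. Assumption: one or more bracket groups, any contents.
ENCRYPTED_RE = re.compile(r"^(?P<original>.+?)(?:\.\[[^\]]*\])+\.zes$", re.IGNORECASE)
NOTE_NAME = "readme-warning.txt"


def inventory(root):
    """Walk root and report encrypted files, ransom notes and untouched files."""
    report = {"encrypted": [], "notes": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            match = ENCRYPTED_RE.match(name)
            if match:
                # Pair the locked file with the name to look for in the backup.
                original = os.path.join(os.path.dirname(rel), match.group("original"))
                report["encrypted"].append((rel, original))
            elif name.lower() == NOTE_NAME:
                report["notes"].append(rel)
            else:
                report["clean"].append(rel)
    return {key: sorted(items) for key, items in report.items()}


def build_sample_tree(root):
    """Constructed sample data: empty files that only imitate the naming."""
    names = [
        "readme-warning.txt",
        "image.jpg.[].zes",
        os.path.join("docs", "report.docx.[SAMPLE-ID].[placeholder].zes"),
        os.path.join("docs", "readme-warning.txt"),
        os.path.join("docs", "notes.zes.txt"),  # not encrypted: wrong suffix
        os.path.join("docs", "archive.zes"),    # no bracket group: left as clean
    ]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for locked, original in inventory(tmp)["encrypted"]:
            print(f"{locked} -> restore as {original}")
```

The script only reads file names; it does not modify, rename or delete anything, so it is safe to run against a copy of the affected folder.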