Zatrov Ransomware Removal Guide

Pictures, Word documents, text files, archives, videos, and music files can all be corrupted by the malicious Zatrov Ransomware, a devious infection that derives from the STOP Ransomware family. It is unknown who the creator of this malware is, but it is believed that this attacker is also responsible for Vesrato Ransomware, Cetori Ransomware, Mogranos Ransomware, and a bunch of other infections that our research team has reported on in the past. Although most infections from the STOP family are almost identical, not all of them share the same contact email addresses that are directly linked to the attackers. These email addresses are gorentos@bitmessage.ch and gorentos2@firemail.cc, and if you have received a message asking to contact either of them – you are dealing with cybercriminals. So, do you need to delete Zatrov Ransomware from your operating system? If you do, we are here to help.

Opening spam emails and their attachments, downloading files, and interacting with online links are actions most of us perform on a daily basis. Unfortunately, cybercriminals know this, and they are using this against Windows users. The vulnerabilities that are linked to spam emails, downloaders, and online content can all be used to spread Zatrov Ransomware and other malicious threats, and so you need to be vigilant at all times. Once the infection is executed, personal files are corrupted immediately. Before you know it, the data is changed, and the “.zatrov” extension is appended to the original filenames. Next to the corrupted files, a new file named “_readme.txt” is created, and since it is a normal text file, opening it is not dangerous. That being said, we have to warn you that the message inside contains demands we do not recommend following, and if you do not even want to know what the attackers want from you, you might as well remove Zatrov Ransomware ransom note files.

The ransom note calls for “ATTENTION!” and informs that the files corrupted by Zatrov Ransomware can be salvaged. It states that a decryption tool and a unique decryption key are available and can be used to restore all corrupted files. Of course, the tool and the key are not free, and victims are asked to pay $980 – or $490 if the ransom is paid within 72 hours – in Bitcoin. The address of the attackers’ Bitcoin wallet is not disclosed, and that means that paying the ransom is not possible. This is when the email addresses (gorentos@bitmessage.ch and gorentos2@firemail.cc) come into play. Obviously, if you send a message to either of these addresses, the attackers will respond immediately with further instructions, but since we do not recommend following them, we do not recommend sending the message either. In fact, you could put your virtual security at risk by doing so because the attackers could send new scam emails in the future. In the past, a tool named “STOPDecrypter” could restore files corrupted by threats from the STOP Ransomware family for free, but it has not been working with some of the newer threats. If you decide to try it out, make sure you are not tricked into installing malware instead.

We cannot tell you whether or not you will be able to decrypt the files corrupted by Zatrov Ransomware. Most likely, you will not, and that is why it is important to create backups. Most of us create backups so that we could access files on any device from any location, but the true purpose of backups is security. Whether you are afraid of losing important files due to theft or the activity of cybercriminals, backups can save the day. Of course, as long as they are stored externally or online because internal backups can too be destroyed. Hopefully, you can access your personal data via backups, but you should worry about this only after you remove Zatrov Ransomware. This is a dangerous threat, and the sooner you remove it, the better. If you cannot delete the infection manually using the steps shown below, do not hesitate to use the help of an automated anti-malware program that will also ensure full-time protection in the future.

How to delete Zatrov Ransomware

1. Delete the file that executed the threat (e.g., spam email attachment or newly downloaded file).
2. Simultaneously tap keys Win+E on the keyboard to access Windows Explorer.
3. Type %WINDIR%\System32\Tasks\ into the field at the top.
4. Delete the task named Time Trigger Task.
5. Type %LOCALAPPDATA% (alternatively, %USERPROFILE%\Local Settings\Application Data\) at the top.
6. Delete the malicious [unknown name].exe file inside the [unknown name] folder.
7. Simultaneously tap keys Win+R on the keyboard to access Run.
8. Enter regedit and click OK to launch Registry Editor.
9. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
10. Delete the malicious SysHelper value linked to the %LOCALAPPDATA%\ [unknown name]\[unknown name].exe file (check the value data to see the location).
11. Exit all windows and then Empty Recycle Bin.
12. Perform a full system scan using a legitimate malware scanner to check if your system is safe.