The ZekwaCrypt Ransomware is a threat that malware researchers first spotted in June 2016, although no victims were found at the time. In the last couple of days, however, infections with the ZekwaCrypt Ransomware appear to have soared, which suggests that the authors of this threat have decided to start distributing their harmful product. The bad news is that the ZekwaCrypt Ransomware appears to rely on a rather effective distribution campaign, and many users have already had their files locked by this crypto-threat. One notable trait of the ZekwaCrypt Ransomware is that it does not require an Internet connection to run: the encryption key is generated on the victim’s machine and stored there, so the ransomware does not need the Internet to transfer the key to a remote server.
When the ZekwaCrypt Ransomware begins its attack, it takes a long list of precautions to ensure that no system files are damaged in the process. To do this, its authors have programmed the ZekwaCrypt Ransomware to skip files in the following folders: Microsoft, Windows, Borland, Content.IE5, Mozilla, Framework, Temp, I386, Torrents and Torrent. In addition, the ZekwaCrypt Ransomware searches for files that contain either ‘backup’ or ‘backups’ in their names and deletes them, since these names are commonly used for file backups that could be used to reverse the damage done by the ZekwaCrypt Ransomware.
The encryption technique that the ZekwaCrypt Ransomware uses is not yet known, but users can recognize this threat by the ‘.zekwakc’ extension it appends to the names of all locked files (e.g. ‘spreadsheet.xlsx’ becomes ‘spreadsheet.xlsx.zekwakc’). The ZekwaCrypt Ransomware’s attacks are guaranteed to cause a lot of damage, because this threat looks for files with over 600 different extensions and encrypts the contents of any file that matches its search criteria. When the encryption process is complete, the ZekwaCrypt Ransomware drops an image variant of the ransom note in the %DOCUMENTS% folder under the name ‘psawfcsnbd_encrypted_readme.txt.bmp’. In addition, it drops the files ‘encrypted_readme.txt’ and ‘encrypted_list.txt’ in every directory that contains encrypted files.
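The file indicators listed above are enough for a read-only triage pass over a disk or a mounted image. The following is an added example, not code from the original article or from any anti-malware product; the function names, the constructed sample tree and the case-insensitive matching are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the description above.
LOCKED_EXT = ".zekwakc"
NOTE_FILES = {"encrypted_readme.txt", "encrypted_list.txt"}
IMAGE_NOTE = "psawfcsnbd_encrypted_readme.txt.bmp"

def triage(root):
    """Walk root without modifying anything; map each affected directory to
    the original names of its locked files and the ransom-note files found."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        locked, notes = [], []
        for name in files:
            lower = name.lower()  # assumption: match case-insensitively, as Windows does
            if lower.endswith(LOCKED_EXT) and len(name) > len(LOCKED_EXT):
                locked.append(name[:-len(LOCKED_EXT)])  # recover the original name
            elif lower in NOTE_FILES or lower == IMAGE_NOTE:
                notes.append(name)
        if locked or notes:
            report[dirpath] = {"locked": sorted(locked), "notes": sorted(notes)}
    return report

def summarize(report):
    """Totals, plus directories that hold locked files but lack both text notes.
    Those deviate from the described behaviour and deserve a manual look."""
    missing = sorted(d for d, v in report.items()
                     if v["locked"] and not NOTE_FILES <= {n.lower() for n in v["notes"]})
    return {"affected_dirs": len(report),
            "locked_files": sum(len(v["locked"]) for v in report.values()),
            "dirs_missing_notes": missing}

def build_sample_tree(base):
    """Constructed sample: empty files that only mimic the naming pattern."""
    docs, music = Path(base, "Documents"), Path(base, "Music")
    work = docs / "work"
    work.mkdir(parents=True)
    music.mkdir()
    for p in (docs / IMAGE_NOTE, work / "spreadsheet.xlsx.zekwakc",
              work / "encrypted_readme.txt", work / "encrypted_list.txt",
              music / "song.mp3", music / "notes.docx.ZEKWAKC"):
        p.write_bytes(b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = triage(tmp)
        for directory, hits in found.items():
            print(directory, hits)
        print(summarize(found))
```

The scan only reads directory listings, so it leaves the locked files in place for a possible future decrypter.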
The ransom sum that the ZekwaCrypt Ransomware demands is unknown, but regardless of the amount, we advise users to look for an alternative way out of this unpleasant situation. Sending money to cyber crooks is not a viable solution; instead, users affected by the ZekwaCrypt Ransomware should get rid of the crypto-threat with the help of a trusted anti-malware tool. The locked files should not be deleted, because their recovery might become possible if a free decrypter for the ZekwaCrypt Ransomware is released.