Zwer is file-encrypting ransomware. It gets downloaded with infected torrents. Then Zwer installs a trojan, breaks a bunch of files with the use of cryptography, and leaves a note demanding money ($490 or $980). For most victims, there is no easy, free way to restore the encrypted data. But there are ways to repair and recover some of it. After Zwer and the other malware is deleted, of course.
About Zwer:
Classification | Ransomware
---|---
How Zwer works | Spreads online, disguised as free installers; installs a trojan, encrypts and renames many files, asks for money in exchange for reversing the encryption.
How to restore the encrypted data | Restore from a backup, recover deleted data, repair corrupted files, use the free Emsisoft decryptor.
Remove Zwer ransomware | Fix your hosts file to unblock websites, use antivirus programs (like Spyhunter) to find and remove malware.
What is Zwer ransomware
Zwer is a new version of Djvu ransomware, coming after Zipe, Pezi, and others. It’s meant to infect the computers of regular people, so installers infected with Zwer simply get uploaded online and made available for download: fake installers on spoofed sites, infected cracks and torrents, and downloads on disreputable websites.
Zwer bundles a spyware trojan (likely Azorult) which steals information (passwords, payment information, contacts) and installs adware.
Antivirus programs do detect the Zwer installer (VirusTotal page). However, people often expect pirated installers, activators, and cracks to trigger detections anyway, so they might ignore the warning.
Zwer then goes through files and scrambles their contents with a cryptographic algorithm. It also appends “.zwer” to the names of those files. Keep in mind that it’s just a label and files are broken with or without this second extension.
Once Zwer is done, it creates ransom notes called _readme and puts them in multiple folders. These notes have the same contents: asking for money (as ransomware does).
How to restore Zwer-encrypted files
Those who were attacked by Zwer but don’t have a backup might wonder if it’s possible to get their data back.
First of all, ignore anyone who claims to be able to decrypt your files, whether they’re asking for money or offering free “services”. A fake Djvu decryptor was discovered that was itself ransomware: it would encrypt files (adding a “ZRB” extension) and then ask for money. Scammers take advantage of desperate victims. Just ignore anyone who claims to be able to decrypt your files; it’s impossible anyway. Zwer has had the attention of professionals and experts. If they haven’t found a way to break Zwer, then neither will random people online.
What experts have come up with is the Djvu decryptor by Emsisoft. This was developed by a ransomware expert who spends a lot of time helping ransomware victims. The catch is, only in very limited circumstances is it possible to decrypt the files encrypted by Zwer. It depends on how Zwer attacked your computer: whether it managed to connect to its Command and Control server and download a unique encryption ID, or whether it ran offline and used a hardcoded ID. If yours is the latter case, then there’s a chance that someone else pays the ransom, shares the decryption key with the public, and you can take advantage of that. Scan your files with the decryptor to find out which ID was used.
Even if you can’t reverse the Zwer encryption, you have other options:
- Check your computer, look in every folder, especially in nested folders. It’s possible that Zwer didn’t encrypt some folders.
- Check if you can restore your computer to an earlier date. Zwer deletes backups but hey, malicious programs have bugs.
- Use data recovery programs to undelete files. You may be able to use shadow volume copies to restore data.
- Learn how to repair corrupted files. When it comes to media and other big files, Zwer only encrypts portions of them (to save time). By carefully editing the internal data, you can repair some of them. This is different from decryption because the encrypted content is thrown out. You do lose some content this way.
Make a backup of the encrypted files. All the files with the Zwer extension that you care about – put them in the cloud, on an external drive, or another secure space. If you care about it, always have a backup of the encrypted data.
How to remove Zwer
Delete the ransomware with an antivirus program, such as Spyhunter. You might need to fix your hosts file first, though. Zwer adds a bunch of entries to the hosts file referring to cybersecurity blogs, basically blocking their URLs on your computer. You may also need to restore the use of Task Manager after Zwer disables it.
Likely, the antivirus scan will find more than just Zwer ransomware. A spyware trojan gets installed together with Zwer and it needs to be removed, too. The trojan can download more malware and that can inflate the number of detected infections. The file that brought Zwer onto your computer also needs to be deleted.
You can report the Zwer infection to your country’s cybersecurity agency, as well as to the administrators of the site where you got the infected file.
Important -- edit the hosts file to unblock security websites
TL;DR: The hosts file is edited to block security sites.
Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which hostnames resolve to which IPs). That is the reason the majority of security websites are inaccessible when a computer is infected with this particular parasite. This infection edits the file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.
Find and edit the hosts file
The hosts file can be found at C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.
- In the Start Menu, search for Control Panel.
- In the Control Panel, find Appearance and Personalization.
- Select Folder Options.
- Open the View tab.
- Open Advanced settings.
- Select "Show hidden files...".
- Select OK.
- Open the Start Menu and enter "notepad".
- When Notepad shows up in the result, right-click on it.
- In the menu, choose "Run as administrator".
- File->Open and browse for the hosts file.
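Before editing by hand, it helps to see exactly which entries are doing the blocking. The following is an added PowerShell example, not code from the article: it parses the hosts file, lists active entries that point a non-local name at a loopback or null address (the pattern used to make sites unreachable), and removes them after taking a backup. The variable and function names are assumptions; run it from the elevated prompt described above.

```powershell
# Added example, not code from the article. Assumed names: $HostsPath,
# Get-SuspiciousHostsEntries, Repair-HostsFile. Run from an elevated PowerShell.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-SuspiciousHostsEntries {
    # Lists active entries that point a non-local name at a "sinkhole" address.
    param([string]$Path = $HostsPath)
    $sinkholes     = @('127.0.0.1', '0.0.0.0', '::1')
    $expectedNames = @('localhost', 'localhost.localdomain', 'broadcasthost')
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()    # strip trailing comments
        if (-not $text) { continue }                # skip blank/comment-only lines
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }       # malformed line, nothing to flag
        $ip = $fields[0]
        if ($sinkholes -notcontains $ip) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($expectedNames -notcontains $name.ToLower()) {
                [pscustomobject]@{ Line = $lineNo; Address = $ip; HostName = $name }
            }
        }
    }
}

function Repair-HostsFile {
    # Backs up the hosts file, then rewrites it without the flagged lines.
    param([string]$Path = $HostsPath)
    $bad = @(Get-SuspiciousHostsEntries -Path $Path)
    if ($bad.Count -eq 0) { Write-Output 'No sinkhole entries found.'; return }
    $bad | Format-Table -AutoSize | Out-String | Write-Output
    $backup = '{0}.bak-{1}' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -Path $Path -Destination $backup
    $badLines = @($bad | ForEach-Object { $_.Line } | Select-Object -Unique)
    $lines = @(Get-Content -Path $Path)
    $kept = for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($badLines -notcontains ($i + 1)) { $lines[$i] }
    }
    # -Force lets Set-Content overwrite the file even if it was marked read-only.
    Set-Content -Path $Path -Value $kept -Encoding ASCII -Force
    Write-Output "Removed $($badLines.Count) line(s); backup saved to $backup"
}

# Review first; call Repair-HostsFile once you are satisfied with the list.
Get-SuspiciousHostsEntries | Format-Table -AutoSize
```

Review the listed entries before running the repair, since a legitimate entry you added yourself for testing would be flagged by the same rule.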
Download and run the antivirus program
After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware. Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/).