ZekwaCrypt Ransomware

How to Remove Zekwacrypt Ransomware and Restore Files? 

Threat Name:

ZekwaCrypt Ransomware




Encrypts Files

Threat Level





Zekwacrypt Ransomware encrypts user's personal files and corporate databases. It demands money in the exchange of decryption key. It attacks personal computer as well as the corporate computer system, databases, and server.


A computer infected with Zekwacrypt trojan doesn't let you open files. The file extension is changed to .zekwakc. It leaves note in each directory named "encrypted_readme.txt", it also leaves a log file named "Clog.txt".


To detect and remove the Zekwacrypt ransomware infection from your computer download MalwareFox antimalware. To get your encrypted files back download a good recovery software or try restoring your windows to the previous date.

Zekwacrypt ransomware attacks on the personal computer as well as corporate systems, databases, and server. It targets around 600 types of files on a computer and encrypts them. File encrypted with Zekwacrypt ransomware can’t be opened. It uses a complex encryption method that requires private decryption key to access the file. The makers of the ransomware demand ransom for this key. The ransom amount differs users to users, usually, they demand from $300 to $800. It leaves a time limit if you won’t pay during this time the decryption key will be destroyed. In this guide, we will tell you how to remove Zekwacrypt ransomware from your computer and how to get your files back?

How to Remove ZekwaCrypt Ransomware

What is ZekwaCrypt Ransomware?

Zekwacrypt ransomware is Trojan that affects many personal computers and corporate systems. It was first seen on 24 May 2016, since then it has made many victims. ZekwaCrypt ransomware is also known as Win32/ZekwaCrypt.A. Besides targeting personal computers of normal users it attacks high profile computers like corporate databases, servers etc. It uses complex encryption method to encrypt personal files and databases. This leaves no option for people without backup other than paying the ransom.

A computer infected with Zekwacrypt ransomware can easily be diagnosed. The files encrypted with this ransomware have “.zekwakc” extension. If you seeing ‘.zekwakc’ at the end of your files and you can’t access them then it means that you are infected with ZekwaCrypt ransomware. It also leaves notes in every directory. Two text files are created in each folder. One named “Clog.txt” contains some log about the infection. The other one named “encrypted_readme.txt” contains information about infection and instruction to follow in order to get the files back. This file usually tells you that all your files are encrypted and you need to follow the instruction to get them back. When you follow the instruction it tells you that you need to pay the ransom in Bitcoin.

How ZekwaCrypt Ransomware gets into your System?

Like other ransomware ZekwaCrypt ransomware also uses spam email to spread and infect user’s computer. The spam email contains the Trojan as an attachment. Once you open this attachment you get infected with the ZekwaCrypt Ransomware. These fake emails are sent using the name of popular organizations like Bank, Delivery Companies, Shopping Sites, etc. They write some alarming information that make user’s curious and they open that attachment just to check what is the matter. If you want to stay away from such ransomware then stay cautious before opening these fake emails.

The main focus of attachment is to place the actual Trojan in the system memory. Once Zekwacrypt Trojan is placed in the system memory it starts scanning for files in the drive. It goes folder by folder and encrypts all files. ZekwaCrypt targets around 600 file types. However, it has also been seen that does not encrypts files in some folder. The system files and some other folder are not encrypted with ZekwaCrypt Ransomware.

Folder Skipped by ZekwaCrypt Ransomware

  • Microsoft
  • Windows
  • Content.IE5
  • Temp
  • I386
  • Borland
  • Framework
  • Mozilla
  • Torrents
  • Torrent

File Types Targeted by ZekwaCrypt Ransomware

.BOX, .APR, .dot, .mb, .GML, .PAS, .VC6, .rt, .jas, .dotm, .bpw, .GO, .PDB, .MCD, .rtf, .ari, .VCD, .BRD, .GRB, .dotx, .md2, .RVM, .pdd, .VCPROJ, .BREP, .arw, .dotXSI, .pdf, .GTABLE, .RVT, .md3, .vdi, .BSDL, .dpm, .srf, .GTC, .PDI, .MDA, .rw2, .1CD, .VDPROJ, .bzip, .GXK, .DPR, .MDB, .rwl, .PDX, .vfd, .C, .3dm, .dproj, .mdc, .gz, .pef, .vhd, .rwx, .3dmf, .drf, .C2D, .gzip, .pem, .MDE, .rwz, .3dmlw, .VHDL, .c4d, .H, .DRW, .MDF, .S, .pfx, .vimproj, .CAD, .3ds, .dsa, .MDS, .ha, .php, .VIP, .S12, .3DV, .dsk, .cal3d, .hdd, .php2, .mdx, .S19, .3dxml, .VLM, .cap, .hdmov, .dsm, .mef, .sav, .php3, .vmc, .CATDrawing, .3fr, .DSPF, .mesh, .HPP, .php4, .vmdk, .SCAD, .3g2, .dss, .CATPart, .HS, .php5, .mht, .SCALA, .3ga, .vmem, .CATProcess, .htm, .dsv, .mhtml, .SCDOC, .php6, .vmsd, .CATProduct, .3gp, .dtd, .mid, .html, .php7, .vmsn, .SCE, .3gp2, .dts, .CBL, .HXX, .phps, .midi, .SCI, .3gpp, .vmss, .CBP, .IAM, .DWB, .mka, .SCM, .phtml, .vmtm, .CC, .3mf, .DWF, .mkv, .ICD, .PIPE, .vmx, .SD7, .4DB, .DWG, .CCC, .IDW, .pl, .ML, .SDB, .4DD, .vmxf, .CCD, .IFC, .DXF, .mlp, .SDC, .PLN, .VND, .CCM, .4DIndx, .E, .mm3d, .ifo, .ply, .vob, .SDF, .4DIndy, .E2D, .CCP4, .IGES, .CCP4, .model, .SDI, .PM, .VS, .CCS, .4DR, .EAP, .mos, .ihtml, .png, .vsv, .shtml, .7z, .EASM, .cda, .iiq, .pot, .mov, .sia, .aac, .vud, .CDI, .IMG, .EDIF, .mp2, .sib, .potm, .vue, .CDL, .ABC, .EDRW, .mp2v, .imp, .potx, .vwx, .skp, .ac, .EFS, .CDR, .INC, .pov, .mp3, .sldasm, .ac3, .w3d, .cer, .indd, .EGG, .mp4, .SLDDRW, .PP, .waData, .cfg, .ACCDB, .EGT, .mp4v, .info, .ppam, .waIndx, .sldm, .ACCDE, .eip, .cfl, .IPN, .ppk, .mpa, .sldprt, .ACCDR, .waJournal, .cfm, .IPT, .EL, .mpc, .sldx, .pps, .waModel, .cgi, .ACCDT, .EMB, .mpe, .ISO, .ppsm, .wav, .SLN, .ace, .EMF, .CGM, .ivf, .ppsx, .mpeg, .wb2, .smd, .ACP, .eml, .cgr, .j2c, .ppt, .mpg, .smk, .ADA, .WDB, .CHML, .j2k, .EPRT, .mpls, .snd, .pptm, .webm, .CIF, .ADB, .eps, .MPO, .jar, .pptx, .WGL, .SPEF, .ADF, .epub, .CIR, .JAVA, .PRC, .mpv2, .SPI, .adp, .wings, .CLJ, .jp2, .erf, .mpv4, .SQL, .PRG, .wm, .CLS, .ADS, .ESS, .MRC, .jpc, .PRO, .wma, .SQLITE, .ADT, . .ESW, CMX, .jpe, .PRT, .mrw, .sr2, .ADZ, .WMDB, .CO, .jpeg, .evo, .MS12, SREC, .ps, .WMF, .COB, .AEC, .EXCELLON, .mts, .jpf, .srw, .psb, .wmp, .core3d, .AI, .EXP, .MYD, .jpg, .psd, .wmv, .ssh, .aif, .F, .CPF, .jpx, .PSM, .MYI, .std, .aifc, .wpd, .CPP, .jsp, .f4v, .NCF, .STEP, .PSMODEL, .wps, .cr2, .aiff, .F77, .NDF, .JT, .pst, .wrl, .STIL, .ain, .F90, .crt, .k25, .ptx, .nef, .STK, .alac, .wv, .crw, .kdb, .fac, .nif, .STL, .pub, .x, .CS, .AMF, .fb2, .NRG, .kdbx, .pva, .X_B, .stm, .amr, .fbx, .CSPROJ, .kdc, .pvs, .nrw, .SUB, .amv, .X_T, .csv, .KEXI, .FDB, .NSF, .SV, .PWI, .X3D, .ctm, .an8, .fff, .NTF, .KEXIC, .pxn, .x3f, .SVG, .aob, .flac, .CUE, .KEXIS, .PY, .NV2, .swf, .aoi, .XAR, .CXX, .L, .flc, .nvram, .SWG, .PYT, .XE, .D, .ape, .fli, .OASIS, .las, .R, .xhtml, .SXD, .apl, .flic, .D64, .lasso, .R3D, .obj, .tak, .AR, .xla, .DAA, .lassoapp, .flv, .OCD, .tar, .ra, .xlam, .dae, .arc, .FM, .ODB, .LDB, .raf, .xll, .TCL, .arj, .FMZ, .DAF, .LEF, .ram, .ODG, .TCT, .ART, .xlm, .DB, .LISP, .FOR, .odm, .TCW, .rar, .xls, .DBA, .ASC, .FP, .odp, .log, .raw, .xlsb, .tex, .asf, .FP3, .DBF, .lwo, .RB, .odt, .TIB, .ASM, .xlsm, .DBPro123, .lws, .FP5, .off, .tif, .RC, .xlsx, .dcr, .asp, .FP7, .ofr, .lxo, .RC2, .xlt, .tiff, .aspx, .FRM, .dcs, .lzh, .rec, .ofs, .tp, .au, .xltm, .DEF, .M, .FRX, .oga, .trp, .RED, .xltx, .der, .avi, .FS, .ogex, .m1a, .REDS, .xlw, .ts, .AWG, .FSDB, .DFF, .m1v, .REL, .ogg, .tta, .b3d, .xml, .dfm, .m2a, .FTH, .ogm, .txt, .RESX, .XPL, .DFT, .B6T, .FTN, .ogv, .m2p, .RFA, .XQ, .u3d, .BAS, .g, .DGK, .m2t, .RIN, .OpenAccess, .uc2, .bay, .XSI, .DGN, .m2ts, .GBR, .opus, .UDL, .rk, .XSL, .divx, .bdmv, .GDB, .ORA, .m2v, .RKT, .Y, .UNV, .DMG, .bik, .gdoc, .orf, .M4, .RKTL, .z3d, .UPF, .BIM, .GDSII, .DMS, .m4a, .RLF, .ott, .V, .BIN, .zip, .DMT, .m4b, .GED, .P, .V2D, .rm, .bkf, .gif, .dng, .m4r, .rmi, .p12, .VAP, .doc, .blend, .glm, .p7b, .m4v, .rmm, .block, .VB, .docb, .ma, .GM6, .p7c, .VBG, .rmvb, .bml, .GMD, .docm, .maff, .rp, .pages, .VBP, .docx, .bmp, .GMK, .rss, .PAR, .max.

ZekwaCrypt Ransomware Removal Guide

Restore Windows to Previous Date to Remove ZekwaCrypt Ransomware

  • WINDOWS 10
  • wINDOWS 8 / 8.1

Search for ‘System Restore’ in Windows Search box and choose ‘Create a Restore Point’ from the Results.

Restore Windows 10 - 1

Under the System Protection Tab choose ‘System Restore’

Restore Windows 10 - 2

Click on Next

Restore Windows 10 - 3

You will find the list of restore points. If you can’t find good restore point then check the box of ‘Show more restore points’. Select an appropriate restore point, click next and follow the instruction to restore your windows.

Restore Windows 10 - 4

Automatically Remove ZekwaCrypt Ransomware from your Computer

Ransomware like Zekwacrypt uses stealth technique so that security software can't catch them. Antivirus software isn't effective in dealing with such advanced threats, to detect Zekwacrypt you need a powerful antimalware. I suggest to download and install MalwareFox. It will scan your computer and remove all the traces of Zekwacrypt virus. To begin this step download MalwareFox.

Step 1- Install MalwareFox on your PC

Open the Installer by Clicking on the Downloaded file.

Install MalwareFox Instruction 1

Now choose your desired language and follow the instructions to install the MalwareFox on your computer.

Install MalwareFox Instruction 2

After completing the installation, the MalwareFox will update the application to its latest version. Let it update.

Install MalwareFox Instruction 3

Now it will sync the Malware database with server. It is important step as it needs to know latest types of malwares.

Install MalwareFox Instruction 4

Step 2 - Scan and Clean your Computer for Malware

When the update process completes it will show Real Time Protection: On. Now you can scan your computer. Press Scan button and leave everything on MalwareFox, it knows how to deal with Zekwacrypt Ransomware and other malware.

Install MalwareFox Instruction 5

After the scan complete click on Next button to clean your computer completely.

Recover your Files using Recovery Software

Shadow copy of your document is created in the drive so that you can recover your files even when they are deleted. Ransomware like Zekwacrypt tries to delete them too. Sometimes, they won't successfully delete them all. So, there are chances that recovery software can restore those files. Recovery software look for the shadow copy traces through the drive and create the actual file by joining those traces. Software like Shadow Explorer and Recuva works well in this case. You can also search for other recovery software and can take help from that.

Recovering files encrypted with Zekwacrypt ransomware isn't easy. Some users successfully restored their files by restoring the windows to previous date. If your computer doesn't have a restoration point or you couldn't get your files back then you should seek help of recovery software. Many people get their important files if not all then few will be good. 

How to Stay Away from ZekwaCrypt Ransomware?

Ransomware like Zekwacrypt uses spam email to infects the computer. You should be little cautious If you want to stay away from such trouble. These fake emails contain the pest that will infect your computer. Such emails contain foggy information that alarm users and in curiosity they open it. Once you download any attachment you get infected with the virus.

Another good practice to stay away from trouble is to take a regular backup of your important files. Take a backup on a separate drive and do not attach it to another computer. In case you lost your files then you can easily retrieve them from here. You should also install a good antimalware on your computer. MalwareFox is expert when it comes to safety from malware attacks. Install it on your computer and keep the real-time protection on to stay protected all the time.

You have successfully removed the Zekwacrypt Ransomware infection from your computer system. Keep the Real time protection enabled in order to prevent any further attacks.

Leave a Comment