WERZ Virus (.WERZ File) 🔐 Decrypt & Removal Guide

The Werz virus belongs to the STOP/DJVU family of ransomware. It encrypts your files (videos, photos, documents) and appends the “.werz” extension to each of them. The encryption is correctly implemented, so the key cannot be recovered from the encrypted files themselves; without it, the data stays locked.

Werz uses a unique key for each victim, with one exception:

  • If Werz fails to reach its command-and-control server (C&C server) before it starts encrypting, it falls back to an offline key that is built into the sample. This key is the same for every victim of that variant, so once it becomes known, every file encrypted with it can be decrypted. Check PersonalID.txt: personal IDs produced with the offline key end in “t1”; any other ID means an online key that only the attackers hold.

I have put together a collection of all the solutions, tips, and best practices for removing the Werz virus and decrypting files. In some cases file recovery is simple; in others it is far harder, or not possible at all.

Below I describe several methods that apply to any .werz-encrypted files. Read every instruction carefully and make sure you understand it before acting, then follow each step in order: every step matters.

The Werz Virus

☝️ Identifying Werz as a STOP/DJVU Ransomware Infection


🤔 The Werz virus is ransomware belonging to the DJVU/STOP family. Its primary objective is to encrypt vital files and then demand a ransom payment in Bitcoin from its victims.

The Werz virus is a variant of malware that encrypts your files and coerces you into paying for their release. The Djvu/STOP ransomware family was first identified and analyzed by malware analyst Michael Gillespie.

The Werz virus closely resembles other DJVU strains such as Vatq, Vapo, and Vaze. It encrypts common file types and appends the “.werz” extension to every affected file. For instance, a file named “1.jpg” becomes “1.jpg.werz”. Once encryption has finished, the virus drops a text file named “_readme.txt” into every folder that contains encrypted files.

The image below provides a visual representation of files encrypted with the “.werz” extension:

_readme.txt (Werz Ransomware)

_readme.txt (STOP/DJVU Ransomware) – the ransom note demanding that users pay to decrypt the encoded data; it contains the warnings quoted below.

The Werz ransomware runs several processes on the victim’s computer. One of the first is winupdate.exe, which displays a fake Windows Update prompt during the attack so that the victim attributes the sudden slowdown to an update. At the same time, the ransomware launches another process (usually with a four-character random name) that scans the system and encrypts the targeted files. It also runs the following command to delete the Volume Shadow Copies:

vssadmin.exe Delete Shadows /All /Quiet

With the shadow copies gone, System Restore points and the “Previous Versions” feature can no longer bring files back, which removes the free Windows-native recovery path. The attackers also modify the Windows HOSTS file, appending a list of domains mapped to the localhost IP. Any attempt to open one of these sites then fails (the browser reports an error such as DNS_PROBE_FINISHED_NXDOMAIN).
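To turn the behaviour described above into detection logic, here is an added example (my own, not code from the original page or from any vendor): a small Python rule set run over constructed Sysmon-style process-creation events. It flags the vssadmin shadow-copy deletion quoted above and, going beyond the page, the equivalent wmic shadowcopy delete, plus a winupdate.exe running from outside the Windows directory. The events, paths and the random folder name are constructed samples, not captured logs; the field names (Image, CommandLine) follow Sysmon’s naming.

```python
"""Flag STOP/DJVU-style process behaviour in process-creation events.

Added example for this guide, not code from the original page. The events
below are constructed Sysmon Event ID 1-style records, not captured logs.
"""
import ntpath
import re

# Rule 1: shadow-copy deletion. Matches the vssadmin form quoted in the guide
# and, going beyond the page, the equivalent `wmic shadowcopy delete`.
SHADOW_DELETE = re.compile(
    r"(?:\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b)"
    r"|(?:\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b)",
    re.IGNORECASE,
)

# Rule 2: a binary named winupdate.exe running from outside the Windows
# directory. A genuine Windows component lives under %SystemRoot%.
WINDOWS_DIR = "c:\\windows\\"


def looks_like_fake_winupdate(image: str) -> bool:
    """True when the image is winupdate.exe and is not under C:\\Windows."""
    name = ntpath.basename(image).lower()
    return name == "winupdate.exe" and not image.lower().startswith(WINDOWS_DIR)


def detect(events):
    """Return a list of (rule_name, image, command_line) findings."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            findings.append(("shadow_copy_deletion", image, cmd))
        if looks_like_fake_winupdate(image):
            findings.append(("fake_windows_update_process", image, cmd))
    return findings


# Constructed sample events; the folder name 9f2c1a is a made-up stand-in
# for the random directory the dropped files run from.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\9f2c1a\\winupdate.exe",
     "CommandLine": "winupdate.exe"},
    # Benign: listing shadows is routine admin work and must not fire.
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for rule, image, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image} :: {cmd}")
```

Feed it real Sysmon or Security 4688 events (converted to dicts with the same keys) and the two rules become alert conditions; the benign `list shadows` event shows why the rule keys on the delete verb rather than on vssadmin.exe alone.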

The blocked domains are sites that publish how-to guides for computer users. By cutting off these domains, the criminals try to stop victims from reaching useful information about ransomware attacks. The virus also writes two text files on the victim’s computer that record details of the attack, the victim’s public encryption key and personal ID: bowsakkdestx.txt and PersonalID.txt.

Werz ransomware saves the public encryption key and the victim’s ID in the bowsakkdestx.txt file
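The artifacts described in the last two paragraphs (the personal ID in _readme.txt and PersonalID.txt, and the modified HOSTS file) are what a responder triages first. The following added Python example (my own, not code from the page or from any decryptor vendor) performs that triage on constructed strings: it extracts the personal ID from a ransom note, applies the offline-key check (IDs ending in “t1”), confirms the ID in PersonalID.txt matches, lists the domains the HOSTS file redirects to the local machine, and produces a cleaned HOSTS text. The ID and domain names are constructed samples; nothing on disk is read or written.

```python
"""Triage STOP/DJVU artifacts: personal ID (online vs offline key) and HOSTS
tampering. Added example for this guide, not code from the original page.
All inputs are constructed strings; nothing on disk is read or changed.
"""
import re
from typing import Optional

# Personal IDs produced with the offline key end in "t1"; any other ID means
# an online key held on the attackers' server.
OFFLINE_SUFFIX = "t1"

# Addresses the malware uses to sink a domain, and names that legitimately
# point at the local machine in a stock HOSTS file.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def personal_id_from_readme(text: str) -> Optional[str]:
    """Pull the ID that follows 'Your personal ID:' in _readme.txt."""
    m = re.search(r"Your personal ID:\s*(\S+)", text)
    return m.group(1) if m else None


def key_mode(personal_id: str) -> str:
    """'offline' when the ID carries the offline-key marker, else 'online'."""
    return "offline" if personal_id.endswith(OFFLINE_SUFFIX) else "online"


def _sunk_names(line: str) -> list:
    """Non-localhost names a HOSTS line maps to a loopback/null address."""
    parts = line.split("#", 1)[0].split()
    if len(parts) < 2 or parts[0] not in LOOPBACK:
        return []
    return [n for n in parts[1:] if n.lower() not in LOCAL_NAMES]


def hosts_blocklist(hosts_text: str) -> list:
    """Domains the HOSTS file silently redirects to the local machine."""
    blocked = []
    for line in hosts_text.splitlines():
        blocked.extend(_sunk_names(line))
    return blocked


def clean_hosts(hosts_text: str) -> str:
    """Return hosts_text with the injected entries dropped; comments are kept."""
    kept = [ln for ln in hosts_text.splitlines() if not _sunk_names(ln)]
    return "\n".join(kept) + "\n"


def triage(readme: str, personal_id_txt: str, hosts_text: str) -> dict:
    """Summarise the artifacts a responder checks before attempting recovery."""
    note_id = personal_id_from_readme(readme)
    file_id = personal_id_txt.strip().splitlines()[0] if personal_id_txt.strip() else None
    chosen = note_id or file_id
    return {
        "personal_id": chosen,
        "key_mode": key_mode(chosen) if chosen else "unknown",
        "ids_consistent": note_id == file_id,
        "blocked_hosts": hosts_blocklist(hosts_text),
    }


# Constructed samples: the ID is made up, the domains use the reserved .test TLD.
SAMPLE_README = """ATTENTION!

Don't worry, you can return all your files!

Your personal ID:
0713Kq8ZbR4pLx2wN9aT6vC1mH5sJ0dF7eG3yU8oP2iWt1
"""
SAMPLE_PERSONAL_ID_TXT = "0713Kq8ZbR4pLx2wN9aT6vC1mH5sJ0dF7eG3yU8oP2iWt1\n"
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 www.example-guides.test
127.0.0.1 forum.example-howto.test
"""

if __name__ == "__main__":
    print(triage(SAMPLE_README, SAMPLE_PERSONAL_ID_TXT, SAMPLE_HOSTS))
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts and the two text files into the three variables; an “offline” result is the case where a decrypter tool can help, an “online” result means the key lives only on the attackers’ server.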

Once these modifications are in place, the malware continues its work. STOP/DJVU variants frequently drop password-stealing trojans such as Vidar Stealer or RedLine Stealer alongside the ransomware. These threats can:

  • Stealing login credentials for platforms like Steam, Telegram, Skype, and others.
  • Stealing cryptocurrency wallets.
  • Downloading and executing malware on the infected computer.
  • Extracting browser cookies, saved passwords, browsing history, and other sensitive information.
  • Accessing and manipulating files on the victim’s computer.
  • Enabling remote control of the victim’s computer, allowing hackers to perform various tasks.

The DJVU/STOP family’s file encryption (this page identifies it as AES-256; public analyses of recent STOP/DJVU builds describe Salsa20 with the per-victim key protected by RSA-2048) is not the weak point: if your files were encrypted with a unique online key, they cannot be decrypted without that key.

When Werz operates in online mode, the key is generated and held on a remote server controlled by the operators, so there is no way for you to obtain it.

The attackers demand $980 for the decryption key and instruct victims to contact them by email ([email protected]) to receive payment details.

The ransom note contains the following text:

ATTENTION!

Don't worry, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

https://we.tl/t-WJa63R98Ku

Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

[email protected]

Reserve e-mail address to contact us:

[email protected]

Your personal ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Do not pay for Werz!

Please try to use the available backups or a decrypter tool instead.

The _readme.txt file also says that victims must contact the Werz operators within 72 hours of encryption to receive a 50% discount, which reduces the ransom to $490. I strongly advise against contacting these fraudsters or paying anything. The most reliable way to recover data is to restore from backups, or to use a decrypter tool where one applies.

Note that this family follows the same pattern throughout: a unique key per victim. Unless the ransomware is still under development or contains a flaw that can be exploited, manual recovery of encrypted data is not feasible. Regular backups of your important files remain the best defence against data loss.

Even with regular backups, store them in a separate location that is not connected to your main workstation: a USB flash drive or external hard drive that you unplug once the backup is done, or an online/cloud storage service. Backups that stay on the main device, or on a drive that stays attached to it, can be encrypted just like the rest of your data.

How Was I Infected?

Ransomware has various ways of getting into your system, and it does not really matter which one was used in your case.


Werz virus attack following a successful phishing attempt.

However, there are common ways through which the Werz ransomware can infiltrate your PC:

  • It can be hidden in the installation bundle of other applications, especially utilities offered as freeware or shareware.
  • Deceptive links in spam emails can lead to the installation of the virus.
  • Free file-hosting sites can be used to distribute the ransomware disguised as a legitimate download.
  • Downloading pirated software from illegal peer-to-peer (P2P) sources can also expose you to the virus.

There have been cases where the Werz virus masquerades as a legitimate tool, for example as a message demanding that you install software or a browser update. This tactic manipulates you into installing the Werz ransomware yourself.

Of course, the fake update alert will not say that you are installing ransomware. It will pose as a notice that Adobe Flash Player or some other program needs updating.

Cracked apps are a serious risk as well. Downloading from illegal peer-to-peer (P2P) sources not only violates copyright law but also exposes you to serious malware, including the Werz ransomware.

So what can you do to keep the Werz ransomware off your device? There is no foolproof method, but the following tips reduce the risk. Be cautious when installing free software.

Always check what an installer offers in addition to the main program. Do not open suspicious email attachments or files from unknown senders, and keep your security software updated.

The malware does not reveal itself: it is not listed among your installed programs. Instead it runs as a background process from the moment the computer starts.

How To Remove Werz Virus?

Besides encrypting the victim’s files, the Werz virus has also been seen installing the Azorult spyware to steal account credentials, cryptocurrency wallets, desktop files, and more. Keep in mind that removing the ransomware stops further encryption but does not decrypt the files it has already affected.

To remove it with GridinSoft Anti-Malware:

  1. Run the setup file (Setup.exe).
  2. Press the “Install” button.
  3. Once installed, Anti-Malware runs automatically.
  4. Wait for the scan to complete.
  5. Click “Clean Now” to remove the detected Werz ransomware files.

About the author

Brendan Smith

Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.
