My laptop got attacked by a virus and the extensions of nearly every file, including photos, videos and documents, were changed to YYZA, meaning .jpg was changed to .YYZA. How do I recover or remove that extension? Kindly help.
- (+1) Is your laptop running Windows? Unless you have a backup or are using volume shadow copy you may be out of luck. – squillman, commented Aug 10, 2023 at 15:50
- (+2) YYZA is Ransomware - your files are encrypted with a key known only to the hackers. Recovery chances are very slim. Hopefully you have an uninfected backup. Here's a very long writeup of what you can do to satisfy yourself that the files are in fact gone. malwaretips.com/blogs/remove-yyza-ransomware-virus – Tetsujin, commented Aug 10, 2023 at 15:52
- (+1) @squillman, Volume Shadow Copy is a mere snapshot. And MS Backup, to a live drive, is also likely encrypted by the malware. A true drive image, on separate media, i.e., not connected at the time of the disaster, is the only sure means of recovery. – DrMoishe Pippik, commented Aug 10, 2023 at 16:03
3 Answers
It's a STOP / DJVU variant.
Some variations can be decrypted using the Emsisoft decryptor.
If your variant isn't supported yet, all you can do is wait and try every now and then to see if an updated version can. The tool is silently updated (updates aren't announced).
I happen to have made a simple free tool to repair certain file types, but I no longer support or actively maintain it. The biggest flaws are limited file size support and that only the atom order ftyp-mdat-moov is supported for QuickTime container based videos. Some commercial tools can now do the same, WonderShare Video Repair for example.
See https://youtu.be/3AKJ27sZ9_E. Download URL is in video description.
Since STOP / DJVU encrypts only the first 153605 bytes of a file, there are more file types that are potentially repairable, for example: https://youtu.be/ouSTB6Rg10g.
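Added example (not part of the answer above or of the tool it mentions): using the 153605-byte figure and the ftyp-mdat-moov layout described there, this Python code checks whether a file's `moov` atom lies wholly beyond the encrypted prefix. The helper names, the child-atom plausibility check and the sample files are assumptions constructed for illustration.

```python
import struct

ENCRYPTED_PREFIX = 153605  # bytes STOP/DJVU encrypts, as stated in the answer above
# Standard child atoms of 'moov', used only as a plausibility check (assumption of this example).
MOOV_CHILDREN = {b"mvhd", b"trak", b"udta", b"meta", b"iods", b"mvex", b"cmov"}

def find_intact_moov(data: bytes, start: int = ENCRYPTED_PREFIX):
    """Return (offset, size) of a plausible 'moov' atom lying wholly past `start`, else None."""
    pos = data.find(b"moov", start + 4)  # +4: the 4-byte size field must be unencrypted too
    while pos != -1:
        begin = pos - 4
        (size,) = struct.unpack(">I", data[begin:pos])
        # Plausible if the atom fits in the file and its first child has a known type.
        if 16 <= size <= len(data) - begin and data[begin + 12:begin + 16] in MOOV_CHILDREN:
            return begin, size
        pos = data.find(b"moov", pos + 1)
    return None

def triage(data: bytes) -> dict:
    """Summarise how much of a file lies past the encrypted prefix."""
    untouched = max(0, len(data) - ENCRYPTED_PREFIX)
    moov = find_intact_moov(data)
    return {"size": len(data), "untouched_bytes": untouched,
            "moov": moov, "repair_candidate": moov is not None}

def atom(kind: bytes, payload: bytes) -> bytes:
    """Build one atom: 4-byte big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload

def make_sample(mdat_len: int) -> bytes:
    """Constructed ftyp-mdat-moov file with its first ENCRYPTED_PREFIX bytes overwritten."""
    clear = (atom(b"ftyp", b"isom" + bytes(12)) + atom(b"mdat", bytes(mdat_len))
             + atom(b"moov", atom(b"mvhd", bytes(100))))
    n = min(ENCRYPTED_PREFIX, len(clear))
    junk = bytes((i * 73 + 41) % 256 for i in range(n))  # stand-in for ciphertext
    return junk + clear[n:]

if __name__ == "__main__":
    for label, mdat_len in (("large video", 200_000), ("small clip", 1_000)):
        print(label, triage(make_sample(mdat_len)))
```

Work on copies of the affected files only; a file smaller than the prefix has no untouched bytes, so it is never reported as a candidate.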
The damage you outline is quite serious. Ransomware.
The only thing you can do now is a fresh reinstall of Windows.
Then recover documents from your previous backup.
If no backup, you have just learned the importance of having backups.
Do not pay the ransom!
The first step is to remove the YYZA virus. Try to scan using your anti-virus, but if it fails you could try Gridinsoft Anti-Malware, which is said to detect this virus well.
For decrypting the files, you could use the Emsisoft Decryptor.
Lastly, I hope you have good backups, as the last resort is to format the disk and reinstall Windows from scratch.
The above advice is based on the article YYZA Virus (.YYZA File) Decrypt & Removal Guide. I suggest reading this article carefully (although it's rather long).
- BTW, some who do pay the ransom find they cannot recover the files, anyway. Restore from your last disk image. – Commented Aug 10, 2023 at 16:05
- I agree, I have indeed seen several times people actually having paid without receiving a working decryptor. – Commented Aug 10, 2023 at 18:07