The Watz ransomware is one of the most commonly encountered interactions of the STOP/Djvu ransomware family, similar to .Waqa and .Qual. If this malware has attacked you and your files now have the .watz extension, then this guide is for you.
We’ll attempt to help you delete the virus and save as much of your data as possible. A fair warning: Newer versions of the STOP/Djvu ransomware strain are particularly difficult to counteract, so we can’t promise you anything, especially with regard to the recovery of your files.
The solutions suggested here might work in full or partially, or they might not work at all. Still, the next guide is your best chance at dealing with this malware and mitigating the fallout of its attack, so we strongly advise you to follow it.
SUMMARY:
Name | .Watz |
Type | Ransomware |
Detection Tool |
.Watz Removal and Decryption Guide
Dealing with this malware is done in two phases – removing the threat and attempting to restore the locked files. It is absolutely critical that you don’t skip that virus-removal phase, because any files you manage to restore will probably get locked again.
But before you do anything else, we strongly recommend you turn off your PC and access this page from another device. It’s possible that the .Watz ransomware hasn’t encrypted all targeted files yet, so shutting down your system might give you more time to decide what to do while preventing the virus from finishing the job.
How to Remove the .Watz Ransomware
To be perfectly honest, attempting to manually remove recent STOP/Djvu ransomware variants is a difficult task with a lot of variables and moving parts, so we can’t give you a surefire guide of how to do it. Therefore, we instead recommend using an automated anti-malware tool to locate and delete all malware files. Spy Hunter 5, the program featured on this page, can help you with that, but you can also use another program if you want, as long as it has good ransomware-removal capabilities.
And if you are adamant about hunting down and deleting the virus yourself, we can give you some general directions, but most of the leg work will have to be done by you. Needless to say, for the next steps, you will have to turn your PC back on.:
- Visit this VirusTotal link to familiarize yourself with the actions and behavior of the .Watz ransomware once it enters the system. This will give you an idea of where its files are stored and help you hunt them down and delete them.
- Another way to look for and delete malware files is to open your Task Manager (press Ctrl + Shift + Esc). Click More Details if not all processes are shown and then look for something that uses up lots of memory and CPU but doesn’t seem linked to any familiar program.
- If you find a suspicious process, right-click it, click Open File Location, and delete the folder you are sent to. If you get an error telling you the folder can’t be removed, use the Lock Hunter tool to delete it. Then return to the Task Manager, right-click the suspicious process, and select End Task.
- Lastly, search for Task Scheduler in the Start Menu, open the first item, and click Task Scheduler Library (top-left).
- Check the tasks, one by one, for any suspicious ones. You can do that by right-clicking them, going to Properties > Actions, and checking what programs are executed by each task. If you see a task executing a software that’s located in the Local, Downloads, Temp, or Roaming folders, delete it immediately.
These are the suggested methods to delete the virus, but we still recommend combining them with a reliable malware removal tool because even if you think you’ve removed everything, the chance of something being left behind is high.
How to Decrypt .Watz Files
Now we’ll finally talk about the decryption phase of dealing with the Watz ransomware. As we mentioned, we can’t give any guarantees that any of the next suggestions will work, but you won’t lose anything from trying them. In any case, the next methods are a much better alternative to paying the demanded ransom (something we strongly advise against).
Also, to have the highest chance at restoring your data, you must be certain about what is the specific ransomware variant you are dealing with. If you are sure it is .Watz, then you can directly move to the next steps.
If you aren’t fully certain, go to ID Ransomware and upload the respective files for each section (a ransom note and an encrypted file). If you don’t have a note, you can also use the Addresses section to provide other information that could help.
After the upload completes, the tool will hopefully tell you the exact type of Ransomware that you are faced with. If it is . Watz. proceed with this guide. If it’s another ransomware, the steps below might still work, but we recommend first searching our site for a guide tailored to that specific ransomware. You can also search for the virus on the No More Ransom website, which is the biggest resource for fighting ransomware threats.
IMPORTANT!: Only proceed with the next steps if the ransomware has already been removed from your PC or your files might become encrypted again.
Decrypt .Watz Files With the Emisoft STOP Djvu Decryptor
Emisoft’s free decryptor is one of the most popular tools for restoring STOP Djvu-encrypted files. The Watz ransomware is a relatively new threat, so there’s no guarantee this tool will work, but it’s worth the try:
- Download the decryptor from here, run it as administrator, and accept the terms and conditions.
- Click Remove all objects, then click Add Folder, navigate to the directory where the encrypted files are stored, and add it.
- If you don’t have lots of free storage, go to Options and remove the tick from the “Keep encrypted files” option. This will delete the originals during the decryption process. We do not recommend this unless you truly don’t have enough space on your PC.
- Then simply click on Decrypt and wait for the process to finish.
Note that this tool only works if the ransomware has used an offline key that’s available on Emisoft’s servers. For this reason, you must be connected to the web while the decryption is taking place.
If your files were encrypted by an online key, this tool won’t work. In this case, we recommend the next two methods.
Restore .Watz Files Using PhotoRec
Many ransomware threats will copy your files and encrypt the copies, while deleting the originals. PhotoRec works by trying to restore the deleted and unencrypted original versions of your files, so it’s not a decryptor. In cases where the ransomware uses an online key, this method might actually work better:
- Download PhotoRec from this page.
- Right-click it, click Extract Here then open the folder that appears, and run qphotorec_win as administrator.
- Click on the selection button below “Please select a media drive” and choose your main drive.
- Then click the NTFS partition where the encrypted files are stored.
- Click File Formats and leave checked only the types of files you are looking to decrypt.
- Then click on Browse, navigate to the directory where you wish to save the restored files, and select it. It’s recommended to use an external storage device as a location where the files will be saved as an extra safety measure.
- Once all preparations are completed, click on Search and wait for PhotoRec to attempt to restore your files.
Once the process finishes, click Quit and go to the specified destination directory to see if and how much of your data was recovered.
Use Media_Repair to Recover .Watz Files
Media_Repair allows you to restore several commonly-used types of media files. Those file types are MP3, WAV, MP4, MOV, 3GP, and M4V. It’s not a decryptor but a tool that tries to rebuild partially decrypted files with the help of a reference file captured by the same device or created with the same software. Since STOP/Djvu ransomware variants like .Watz are known for only using partial decryption, this method could work here:
- First, designate a reference file. The file should ideally be an identical unencrypted version/copy of a file that’s already been locked by the ransomware. Once you find a reference file, paste in the folder where the encrypted files are stored.
- If you can’t find such a file, Media_Repair might also be able to use a totally different media file that’s recorded/captured by the same device (e.g. camera, microphone, etc.) or made by the same program. Note that it’s essential that the file is recorded/created using the exact same settings, including frame rate, resolution, aspect ratio, etc.
- Now download Media_Repair, extract it, and run the Media_Repair tool.
- Use the left panel in the program to navigate to the folder with the encrypted files and select it.
- In the right panel, select any of the encrypted files and click the monitor icon from the right. This will tell you if the file can potentially be restored.
- Now select the reference file and select the second (lower) icon to the right to “tell” the program it should use that file as a reference.
- Now press and hold the Ctrl key and select each encrypted file that has the same format and was made under the same circumstances as the reference file.
- Once all relevant files are selected, click the Play button and wait for the process to finish. Note this could take a while, so be sure not to interrupt the data recovery.
Once the process finishes, a new folder named “FIXED” will be created in the directory where the encrypted files are. Go to that folder to check how many and how successfully the files have been restored.
Leave a Comment