Watz (.watz) ransomware virus – removal and decryption options

7-day Free Trial w/Credit card, no charge upfront or if you cancel up to 2 days before expiration; Subscription price varies per region w/ auto renewal unless you timely cancel; notification before you are billed; 30-day money-back guarantee; Read full terms and more information about free remover.

*Watz is a variant of Stop/DJVU. Source of claim SH can remove it.

An Watz File is on my PC – what does this mean?

The existence of Watz files on your computer indicates the presence of a malware named Watz, which is part of the STOP/DJVU ransomware family. Be aware that such files indicate a completed attack aimed at locking your data away, and demanding money from you as a ransom. The malware that has generated them encrypts most stored personal file types on the computer, including work sheets, documents, photos and videos, and other media. It functions similarly to a digital locker, and you cannot access anything that has been encrypted, unless you have a unique decryption key. Regretfully, the attackers possess that key and will ask for a ransom to give it to you.

Files encrypted by Watz virus ransomware (.watz extension)
Watz virus ransomware encrypted files

How to decrypt Watz ransomware files?

Before thinking about paying the Watz ransom, it is advisable to try every other possible step. There is no assurance that the attackers will actually give you the key when you send money, and not just ask for more money. Using the free recovery program recommended in the article is a wise first step. It has the potential to restore most, if not all, of the important data impacted by the infection.


How to remove the Watz ransomware virus and restore the files?

To free your system from the grips of the Watz ransomware and restore your data, you need to do a thorough system scan with an antivirus software. Or, you can use the manual instructions in the removal guide below. This will help you to locate and remove any suspicious components, associated with the virus. After cleaning the ransomware infection, the next step is to use the recommended free data recovery tool. It will give you a chance to recover some of your encrypted data without paying a ransom to anonymous cyber crooks.

What can the Watz Virus do?

The Watz virus specializes is the most harmful type you can encounter. Unlike other threats, such as Trojans, which primarily sneak into the system to steal some information and remain hidden for some time until triggered, the Watz virus aggressively encrypts files straight away. In this way, it wreaks havoc in all the areas of life – both personal and professional. It prays on the surprise and the fear brought on by the unexpected loss of important data to demand large sums as a ransom from its victims (hence the name of the type – Ransomware). 

Watz virus ransomware text file (_readme.txt)
Watz virus ransomware ransom note

The Watz distribution tactics

The distribution methods that the Watz ransomware employs are the same which are commonly used by Trojans. Phishing emails can effectively resemble reputable sources and trick you into opening they attachments. Furthermore, the virus frequently makes use of malvertisements and the vulnerabilities in out-of-date software. The latter, however, can easily be avoided by regularly updating every part of the system. Installing cutting-edge, behavior-based antivirus software can also serve as a formidable first line of defense. Such software offers a complex layer of preventive security by spotting abnormalities in system activity before the Watz ransomware has an opportunity to encrypt the data.

What does the .Watz extension indicate?

Spotting the .Watz extension indicates that the targeted file has been encrypted by the Watz ransomware, and is no longer accessible. That is not a dead end, though. There are decryption programs that might provide a ray of hope for recovering data to their original format without giving in to ransom demands. We have included such a decryption tool in our manual removal guide below, and we highly encourage you to use it. Paying the ransom not only supports this entire illegal activity, but also gives you no assurance that the files will be accessible again, or that the Watz extension will be removed. Therefore, your focus should be on using a recovery strategy that looks into every option that avoids engaging with the cybercriminals.

Can the Watz Extension corrupt your files?

All files that are encrypted with the Watz extension effectively suffer from being inaccessible. However, they continue to exist on the hard drive and are not corrupted. What the hackers want from you in this situation is to ask them for the decryption key, which is said to remove the Watz extension, and give them the money they want for it. Nevertheless, it’s a gamble with no guarantee of getting back what was lost and is more like dancing with the devil, than an actual fair trade. 

Are there early symptoms of the Watz Ransomware attack?

One of the early signs of infection with the Watz ransomware is the presence of files that have an “.Watz” extension. Most likely, these are the renamed copies of the documents, pictures, or other data that you have saved on your disk. If your files do not open, and you see an error message instead, that could be another sign. Other symptoms of infection with Watz can be that your computer, in general, opens everything very slowly, or does not react. Furthermore, you can see a file named “README.txt” on the desktop, or in the directories in which the encrypted files are stored. This is a ransom document, provided by the attackers, that gives you exact instructions for the ransom payment.

What is an Watz file?

An Watz file, by itself, isn’t inherently dangerous. It’s just a file format, like .jpg for pictures. The trouble comes when it is linked to ransomware. As we explained above, this file format, in particular, is used by the Watz ransomware to lock all your important documents, pictures, and just about all your data. So, if you start noticing Watz, Waqa or Veza files, see it as a flag signaling that your system is under a massive malware attack. In that case, the best course of action would be to act immediately, and use the instructions below to have the virus removed before more files become encrypted.

SUMMARY:

NameWatz
TypeRansomware
Detection Tool

*Watz is a variant of Stop/DJVU. Source of claim SH can remove it.

Remove Watz Ransomware


Step1

As Watz might be running multiple malicious processes simultaneously in the background, it is advisable to run only the most basic system functions and authorized applications rather than permitting the harmful ones to run. Therefore, we recommend rebooting your virus-infected device into “Safe Mode”. After you do that, continue with the next steps from the guide.

Step2

WARNING! READ CAREFULLY BEFORE PROCEEDING!

*Watz is a variant of Stop/DJVU. Source of claim SH can remove it.

Once you have the infected computer started in Safe Mode, click the Start menu button and type msconfig. Select the result and a System Configuration window like this one will appear:

msconfig_opt

If you notice anything that you do not trust, google it, and depending on the information you find, decide if you have to disable it. In order to disable a suspicious startup entry, uncheck the checkbox next to it, and press OK.

Then, you have to go to the Windows task manager, which you can call by pressing CTRL + SHIFT + ESC, and select the Processes Tab. Just like you did in the Startup tab, scan through the list of processes for anything you find suspicious. Remember, Watz may bring its own processes under the name of other existing processes – their names may look exactly like the ones you trust. If you detect something that looks questionable, like a process that uses the computer CPU and Memory with no particular reason, or has an odd name, the next thing you have to do is:

  • right-click on the process in question
  • select Open File Location
malware-start-taskbar
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Loading
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    • end the processes in question if one or more of its files get flagged as dangerous.  
    Step3

    Sometimes, a ransomware such as Watz, may also make unauthorized changes in your Hosts file. To investigate that, type the following line in the Start menu search bar and press Enter:   

    notepad %windir%/system32/Drivers/etc/hosts

    The Hosts file will open in Notepad.

    Search for “Localhost” in the text. If there is that word, check if there are any IP addresses of virus creators added there. They should look like in the picture below: 

    hosts_opt (1)

    If there’s nothing problematic in your Hosts, close the file. If you spot something unusual though, don’t be quick to remove it. Rather, describe it in the comments below with a copy of the troubling text and we will reply to you with advice on what you should do.

    Step4

    *Watz is a variant of Stop/DJVU. Source of claim SH can remove it.

    If you have become infected by the Watz ransomware, then most probably, the Registry is contaminated with fake or corrupt entries. To clean it, you need to type Regedit in the Start menu search bar and press Enter.

    This will open the Registry Editor. Once you are there, press together CTRL and F and type the name of the virus that has infected you. Then, start a search. If there are any records with the virus name, they are likely connected to your virus and must be removed from the registry.

    NB!!! Be aware that the deletion of records that are not related to the malware is a mistake that may cause serious damage to your system. To prevent the risk, clean the registry with a professional OS cleaning and antivirus software.

    The registry editor can be closed after you’re certain that it does not have infected entries. Next, click the Start menu button. Enter each of these lines in the search field one by one and open on the result:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    If you notice any entries with strange names containing random letters, or entries that were added around the time when you were infected with Watz, remove these also.

    Another thing you can do is remove all.tmp files from your Temp folder. These could be files that could be related to the infection.

    Step5

    How to Decrypt Watz files

    STOP Djvu is the most recent version of the Djvu ransomware strain that is now actively targeting users. The .Watz suffix helps victims in detecting the encrypted files, so they should look for it at the end of each file.

    • 1. Download Stop/DJVU Decryptor
    • 2. Run the decryptor as an Administrator
    • 3. Decrypting files encrypted by Online ID

    If you need assistance decrypting your data, we recommend you use the decryptor tool available at this link: https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    To download the decrypt_STOPDjvu.exe file from the URL, click the Download button on the page:

    Stop/DJVU Decryptor

    Run the decryptor as an Administrator, click Yes, and follow the instructions of the decryptor:

    Run Stop/DJVU Decryptor as an Administrator

    Consider that the tool may not be able to decode data encrypted using unknown offline keys or online ID encryption.

    Online ID decryption is impossible
    [facebook_like]

    About the author

    blank

    Lidia Howler

    Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

    Leave a Comment

    We are here to help! Use SpyHunter to remove malware in under 15 minutes.

    Not Your OS? Download for Windows® and Mac®.

    * See Free Trial offer details and alternative Free offer here.

    ** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

    Spyware Helpdesk 1