• Files encrypted by a virus: what should I do? File-encrypting ransomware: what it is and why it is dangerous

    A file-encrypting virus (ransomware) is a malicious program that, once launched, encrypts the user's personal files: documents, photos, and so on. The number of such programs is very large and grows every day. In recent months alone we have encountered dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, .da_vinci_code, toste, fff, etc. Their goal is to force the user to buy, often for a large sum, the program and key needed to decrypt their own files.

    In principle you can restore the files by following the instructions the authors leave on the infected computer. But the price is usually substantial, some families (through bugs or by design) encrypt files in a way that makes them impossible to decrypt afterwards, so paying buys nothing, and paying to get your own files back is galling in any case.

    Below we look in more detail at how these programs reach the victim's computer, how to remove them, and how to try to restore the files they encrypted.

    How does ransomware get onto a computer?

    Ransomware of this kind usually arrives by email. The message carries an infected document and is sent to enormous lists of addresses. The authors use misleading subjects and bodies to trick the recipient into opening the attachment: one message says a bill is due, another offers the latest price list, another promises a funny photo, and so on. Whatever the pretext, opening the attachment infects the computer.

    What is a ransomware virus?

    Ransomware of this kind targets current versions of the Windows family: Windows XP, Vista, 7, 8 and 10. These programs use the strongest encryption they can, typically RSA with a 2048-bit key protecting the symmetric key that actually encrypts the files (a hybrid scheme), which rules out recovering the key by guessing it.

    On infection the malware stores its own files under %APPDATA%. To start automatically with Windows it adds an entry to the registry, in the Run and RunOnce keys under HKCU\Software\Microsoft\Windows\CurrentVersion and, when it has the rights, in the same Run and RunOnce keys under HKLM\Software\Microsoft\Windows\CurrentVersion.

    Immediately after launch the malware enumerates all accessible drives, including mapped network shares and synchronized cloud-storage folders, to decide which files to encrypt. Files are selected by extension; almost every common type is hit, including:

    .0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

    Each encrypted file is given a new extension, which often identifies the family or type of ransomware; some families also rename the files themselves. The malware then drops a text file with a name such as HELP_YOUR_FILES or README containing instructions for decrypting the files.

    While running, the malware also tries to block recovery through Volume Shadow Copies (VSS): it invokes the shadow-copy administration utility (vssadmin.exe) from the command line with the option that deletes all existing shadow copies. As a result, restoring files from their shadow copies is almost never possible afterwards; the exception is when the malware ran without administrator rights and the deletion failed.
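    The shadow-copy deletion described above leaves a distinctive process-creation trail, which makes it one of the most reliable early detections for ransomware. The following is an added example for this page, not code from the article or from any SIEM product: it scans process-creation records for the vssadmin "Delete Shadows" command the article alludes to and, as a generalization, two related recovery-killing commands (wmic shadowcopy delete, bcdedit ... recoveryenabled no), and it marks alerts whose parent process runs out of %APPDATA%, the drop location the article names. The log lines are constructed samples in an assumed "time|user|parent|image|commandline" layout; in production, map the fields from Security event 4688 or Sysmon event 1.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command lines that destroy or disable Windows recovery artefacts.
# The vssadmin "Delete Shadows" call is what the article describes; the other
# two are well-known companions and are my addition, not the article's.
RECOVERY_KILL_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

# The article says the malware keeps its files under %APPDATA%; a recovery-
# killing command whose parent binary lives there deserves top priority.
USER_WRITABLE_DIRS = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)


@dataclass
class Alert:
    time: str
    user: str
    rule: str
    parent: str
    commandline: str
    parent_in_appdata: bool


def parse_line(line: str) -> Optional[dict]:
    """Split one 'time|user|parent|image|commandline' record (assumed layout)."""
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5:
        return None                      # malformed record: skip, do not crash
    time, user, parent, image, cmd = parts
    return {"time": time, "user": user, "parent": parent,
            "image": image, "commandline": cmd}


def scan(lines) -> List[Alert]:
    """Return one Alert for every record whose command line matches a rule."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, rx in RECOVERY_KILL_RULES:
            if rx.search(rec["commandline"]):
                alerts.append(Alert(
                    time=rec["time"], user=rec["user"], rule=rule,
                    parent=rec["parent"], commandline=rec["commandline"],
                    parent_in_appdata=bool(USER_WRITABLE_DIRS.search(rec["parent"])),
                ))
                break                    # one alert per record is enough
    return alerts


# Constructed sample telemetry (not real logs). Records 2-4 are the sequence a
# dropper under %APPDATA% typically runs just before encrypting; the last
# record is an administrator merely listing shadow copies and must not alert.
SAMPLE_LOG = r"""
2016-03-01T10:02:11|CORP\ivanov|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\ivanov\Desktop\notes.txt
2016-03-01T10:03:45|CORP\ivanov|C:\Users\ivanov\AppData\Roaming\svchost32.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-03-01T10:03:46|CORP\ivanov|C:\Users\ivanov\AppData\Roaming\svchost32.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2016-03-01T10:03:47|CORP\ivanov|C:\Users\ivanov\AppData\Roaming\svchost32.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2016-03-01T11:00:00|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2016-03-02T09:00:00|CORP\admin|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        flag = "PARENT IN %APPDATA%" if a.parent_in_appdata else ""
        print(f"{a.time} {a.user:22s} {a.rule:28s} {flag}\n    {a.commandline}")
```

    Matching on the command line rather than on the image name is deliberate: the same vssadmin.exe is used legitimately to list or create shadow copies, and only the delete form is worth an alert. Tuning is then a matter of suppressing known backup agents by parent image.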

    The malware also leans on intimidation: it links to a description of the encryption algorithm and displays a threatening message on the desktop. The aim is to get the user to send the computer's ID to the authors' email address without thinking, in the hope of getting the files back. The reply is usually the ransom amount and an e-wallet address.

    Is my computer infected with a ransomware virus?

    It is easy to tell whether a computer is infected. Look at the extensions of your personal files (documents, photos, music). If the extensions have changed, or the files have vanished and been replaced by files with unfamiliar names, the computer is infected. Another sign is a file named HELP_YOUR_FILES or README in your folders; it contains the decryption instructions.

    If you suspect you have opened an infected email but see no symptoms yet, do not shut down or restart the computer. Instead, disconnect it from the network and follow the removal steps below. Once more: it is very important not to power the machine off, because some ransomware families only begin encrypting on the first boot after infection.
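    The checks above can be automated. The script below is an added example written for this page, not part of the original article or of any vendor's tool: it walks a directory tree and reports the three indicators described above, namely files renamed to an extension mentioned on this page (.xtbl, .vault, .breaking_bad, .heisenberg, .perfect, .nonchance), ransom notes named HELP_YOUR_FILES or README, and, for files that are normally plain text, a byte entropy close to 8 bits per byte, which catches families that encrypt in place without renaming (discussed later on this page). The sample tree it builds is constructed; the extension and note lists are the page's, while the entropy threshold and the plain-text extension set are my assumptions.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Extensions this page attributes to specific ransomware families.
RANSOM_EXTENSIONS = {".xtbl", ".vault", ".breaking_bad", ".heisenberg",
                     ".perfect", ".nonchance"}
# Ransom-note file names mentioned on this page (compared without extension).
RANSOM_NOTE_STEMS = {"help_your_files", "readme"}
# Types that should be low-entropy text; near-8-bit entropy here means the
# content was replaced by ciphertext even though the name is unchanged.
# Assumed set: compressed formats (.jpg, .zip, .docx) are left out because
# they are high-entropy by nature and would produce false alarms.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".rtf", ".xml", ".html", ".htm",
                        ".ini", ".log", ".sql", ".py", ".js", ".css"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; real text lands around 4-6 (assumed cutoff)
MIN_SAMPLE = 512          # entropy of tiny files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for uniform content, 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_tree(root) -> dict:
    """Scan `root` recursively and classify what was found."""
    root = Path(root)
    hits = {"renamed": [], "encrypted_in_place": [], "notes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in RANSOM_EXTENSIONS:
            hits["renamed"].append(rel)
        elif path.stem.lower() in RANSOM_NOTE_STEMS:
            hits["notes"].append(rel)
        elif suffix in PLAINTEXT_EXTENSIONS and path.stat().st_size >= MIN_SAMPLE:
            with path.open("rb") as fh:
                head = fh.read(64 * 1024)      # a prefix is enough to judge
            if shannon_entropy(head) > ENTROPY_THRESHOLD:
                hits["encrypted_in_place"].append(rel)
    damaged = bool(hits["renamed"] or hits["encrypted_in_place"])
    # A README on its own proves nothing; a note next to damaged files does.
    if damaged and hits["notes"]:
        hits["verdict"] = "likely infected"
    elif damaged:
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits


def build_sample_tree(root) -> None:
    """Write a constructed victim profile: one intact file, one renamed file,
    one encrypted in place (deterministic stand-in for ciphertext), one note."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "photos").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"Quarterly report, Q1 figures. " * 100)
    (root / "photos" / "photo.jpg.xtbl").write_bytes(bytes(range(256)) * 8)
    (root / "docs" / "notes.txt").write_bytes(bytes(range(256)) * 16)
    (root / "docs" / "HELP_YOUR_FILES.txt").write_text(
        "Your files have been encrypted. Send your ID to the address below.\n")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return assess_tree(tmp)


if __name__ == "__main__":
    result = run_demo()
    print("verdict:", result["verdict"])
    for kind in ("renamed", "encrypted_in_place", "notes"):
        for rel in result[kind]:
            print(f"  {kind:20s} {rel}")
```

    Run assess_tree against a user's Documents folder from a clean machine (read-only media or a mounted image), not from the suspect system itself. Entropy is deliberately applied only to plain-text types: a JPEG or ZIP scores near 8 bits per byte when perfectly healthy.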

    How to decrypt files encrypted with a ransomware virus?

    If this happens, do not panic, but be realistic: in most cases there is no free decryptor. The encryption is strong, so without the private key the files cannot be decrypted, and guessing the key is out of the question given its length. For such families the only way to obtain the key is to pay the authors the full amount they ask; free decryptors exist only for families whose keys have been recovered or whose implementation was flawed.

    Of course, there is no guarantee that after payment the authors will contact you and hand over the key. And by paying you finance the development of the next wave of such programs.

    How to remove a ransomware virus?

    Before you begin, be aware that removing the malware and attempting recovery on your own can rule out later paid decryption: the authors' decryptor often needs the ransom note, the victim ID or key files the malware left on the disk. If you might still pay, copy the ransom note and a few encrypted files to external media first.

    Kaspersky Virus Removal Tool and Malwarebytes Anti-Malware detect most active ransomware families and remove them easily, BUT they cannot restore encrypted files.

    5.1. Remove ransomware using Kaspersky Virus Removal Tool

    By default the program is set to recover every file type it knows; to speed things up, leave only the types you actually need. When you have made your selection, click OK.

    At the bottom of the QPhotoRec window, click Browse and choose the folder where recovered files will be saved. Use a disk that does not contain the encrypted files you are recovering (a USB stick or external drive is ideal), otherwise the recovered data may overwrite the very sectors you are trying to carve.

    To start searching for and restoring original copies of the encrypted files, click Search. The process takes a long time, so be patient.

    When the search finishes, click Quit and open the folder you chose for the recovered files.

    It will contain directories named recup_dir.1, recup_dir.2, recup_dir.3 and so on; the more files were found, the more directories there are. Go through them one by one to find what you need. Windows search (including search by file contents) and sorting by modification date help with large numbers of recovered files, since QPhotoRec tries to restore that property when it can.

    How to prevent a ransomware virus from infecting your computer?

    Most modern antivirus products already include protection against ransomware being delivered and launched, so if you have no antivirus installed, install one.

    There are also dedicated protective programs, such as CryptoPrevent.

    A few final words

    After following these instructions your computer should be free of the ransomware. If you have questions or need help, please contact us.

    Computer and laptop users are increasingly running into malware that replaces their files with encrypted copies. The XTBL ransomware is considered one of the most dangerous of this kind. What is it, how does it get onto a computer, and can the damaged data be restored?

    What is XTBL ransomware and how does it get into the computer?

    If you find files on your computer with long names and the .xtbl extension, you can be sure the system has been hit by the XTBL ransomware. It affects all versions of Windows. Decrypting the files on your own is practically impossible: the program uses a hybrid scheme (a symmetric cipher for the file contents, with the symmetric key itself protected by a public key), so guessing the key is not an option.

    The malware copies its files into system directories and adds registry entries that launch it every time Windows starts.

    Almost all types of files are encrypted: graphics, text, archives, email, video, music and so on. Windows itself still boots, because system files are not touched, but working with your own data becomes impossible.

    How does it work? Once running, the XTBL ransomware first enumerates all logical drives, including network and cloud storage mapped on the computer. Files are grouped by extension and then encrypted, so all the valuable data in the user's folders becomes inaccessible.


    Image: what the user sees instead of the familiar file icons and names

    Under XTBL the file extension changes: instead of a picture or a Word document the user sees a blank-sheet icon with a long name ending in .xtbl. A message also appears on the desktop, a kind of instruction for restoring the encrypted data that demands payment for unlocking it. This is plain blackmail.


    Image: the ransom message shown on the desktop

    XTBL is usually distributed by email. The message carries attached files or documents infected with the malware. The scammer baits the user with a catchy subject line; everything is done to get a message saying, for example, that you have won a million opened. Do not open such messages or their attachments, otherwise there is a high risk of the malware landing in your system.

    Is it possible to recover information?

    You can try to decrypt the data with special utilities, but there is no guarantee that you will manage to remove the malware and restore the damaged files.

    XTBL is currently an undeniable threat to every Windows computer; even the recognized leaders in the field, Dr.Web and Kaspersky Lab, have no complete solution for it.

    Removing a virus and restoring encrypted files

    Various tools and techniques exist for dealing with XTBL. Some remove the malware itself; others try to decrypt locked files or restore earlier copies of them.

    Stopping a computer infection

    If you are lucky enough to notice .xtbl files beginning to appear, it is quite possible to interrupt the process: disconnect the computer from the network and remove the malware as described below before it finishes.

    Kaspersky Virus Removal Tool to remove XTBL ransomware

    All such tools should be run in Safe Mode with Networking, which loads only the minimum of processes needed to start Windows; the malware is then much easier to remove.

    To enter Safe Mode on Windows XP or 7, press F8 repeatedly during startup and choose the corresponding item from the menu that appears. On Windows 8 and 10, hold Shift while clicking Restart; during startup a window will open in which you can choose the required safe-boot option.


    Image: choosing Safe Mode with Networking

    Kaspersky Virus Removal Tool recognizes XTBL well and removes it. After downloading the utility, start a scan with the corresponding button and, when it finishes, delete the malicious files it found.


    Image: scanning for XTBL with Kaspersky Virus Removal Tool and removing it

    Dr.Web CureIt!

    The check-and-remove procedure is practically the same as above. Use the utility to scan all logical drives, following its prompts after launch. When it finishes, get rid of the infected files with the “Decontaminate” button.


    Image: neutralizing the malicious files found by the scan

    Malwarebytes Anti-malware

    The program checks the computer for malicious code step by step and destroys what it finds.

    1. Install and run Malwarebytes Anti-Malware.
    2. Click “Run scan” at the bottom of the window that opens.
    3. Wait for the scan to finish and tick the infected files.
    4. Delete the selection.


    Image: removing the XTBL files detected by the scan

    Online decryptor script from Dr.Web

    The support section of the official Dr.Web website has a page with an online file-decryption service. Note that it is available only to users who have a Dr.Web antivirus installed.


    Image: the request form; read the instructions, fill in the required fields and click “Submit”

    RectorDecryptor decryption utility from Kaspersky Lab

    Kaspersky Lab also offers decryption. On its official website you can download RectorDecryptor.exe for Windows Vista, 7 and 8 by following “Support - File disinfection and decryption - RectorDecryptor - How to decrypt files”. Run the program and perform a scan; it offers to delete the encrypted originals after decryption, but do not enable that until you have checked that the decrypted copies actually open.


    Image: scanning and decrypting XTBL-encrypted files

    Restoring encrypted files from a backup

    On Windows 7 and later you can try to restore files from previous versions (shadow copies), provided the malware did not manage to delete them.


    ShadowExplorer to recover encrypted files

    ShadowExplorer is a portable program: it needs no installation and can be run from any media. It browses the shadow copies on a drive and lets you export earlier versions of files, so it only helps if the copies survived.


    QPhotoRec

    The program is designed to recover damaged and deleted files. It carves files by their signatures from free disk space, so it can bring back originals that the ransomware deleted after encrypting them, but only if their sectors have not yet been overwritten; file names and folder structure are not restored.

    QPhotoRec is free.

    Only an English version exists, but the settings are easy to understand; the interface is intuitive.

    1. Launch the program.
    2. Mark the logical drives containing the encrypted data.
    3. Click the File Formats button and confirm with OK.
    4. Use the Browse button at the bottom of the window to choose where the files should be saved (not the drive being scanned) and start recovery by clicking Search.


    Image: QPhotoRec recovering originals that XTBL deleted and replaced with encrypted copies


    What not to do

    1. Never take actions you are not completely sure of. It is better to call a specialist from a service center or take the computer there yourself.
    2. Do not open email messages from unknown senders.
    3. Under no circumstances give in to the blackmailers by transferring money to them. This will most likely achieve nothing.
    4. Do not manually rename the extensions of encrypted files and do not rush to reinstall Windows. A solution that fixes the situation may still be found, and both actions can destroy what a decryptor needs.

    Prevention

    Try to install reliable protection against XTBL and similar ransomware. Such programs include:

    • Malwarebytes Anti-Ransomware;
    • BitDefender Anti-Ransomware;
    • WinAntiRansom;
    • CryptoPrevent.

    Although they are all English-language, working with these utilities is simple: launch the program and choose the protection level in the settings.


    Image: launching the program and choosing the protection level

    If you run into ransomware that encrypts files on your computer, do not despair right away. Try the recovery methods suggested above; they often give a positive result. Do not use untested programs from unknown developers to remove XTBL, as that can only make things worse. If possible, install one of the programs that prevent the malware from running, and scan Windows regularly for malicious processes.

    Viruses as such hardly surprise anyone today. Where earlier malware attacked the whole system, today there are many different types, and one of them is ransomware. Its target is the user's data rather than the system, yet it can do more harm than destructive executables or spyware. What is a ransomware virus? Its code encrypts the user's information with cryptographic algorithms while leaving the operating system's own files untouched, so the machine keeps running.

    The purpose of this behaviour became clear when the criminals behind these programs began demanding money to restore the original files. The malware that did the encrypting does not allow the files to be decrypted; that requires a separate decryptor, that is, the matching key and routine with which the contents can be restored.

    Encryptor: the principle of penetration into systems and the operation of the virus

    Catching such an infection simply by browsing is fairly unusual. This type of malware is mostly delivered by email, and the infection happens when the attachment is opened, whether in a desktop client such as The Bat!, Outlook or Thunderbird or after downloading it from webmail. Server-side scanning by mail providers reduces the risk but does not eliminate it: the server does not open the attachment, the user's computer does.

    The scope for developing such malware is hard to overstate, but one caveat is needed. Most often the targets are large organizations and companies that can pay a significant sum to decrypt their data, since their workstations and servers hold confidential files, sometimes in a single copy that must not be lost. Decrypting files after an attack there is very problematic. Ordinary users are attacked too, though the risk is much lower for anyone who follows the simplest rules for handling attachments of unknown type.

    Even if the mail client shows an attachment as, say, a .jpg or another image file, check it with the antivirus installed on the system before opening it. Otherwise a double-click on the attachment can launch the malicious code and start encryption. Removing the malware afterwards is usually possible; restoring the files after the threat is eliminated often is not.

    General consequences of exposure to a ransomware virus

    As noted, most of this malware enters the system through email. Suppose a large organization receives a message reading “The contract has been amended, a scan is attached” or “Your invoice for the shipment is attached”. An unsuspecting employee opens the attachment and shortly afterwards every user file is encrypted: office documents, archives, multimedia, everything important. If the workstation is on a local network, the malware can spread further and encrypt data on other machines as well.

    The process can be noticed by programs slowing down or freezing while it runs. When encryption finishes, the malware reports back to its operators, and the organization receives a message stating that the system has been compromised and that the files can be decrypted only by contacting the author. As a rule this applies to the [email protected] family. A demand to pay for decryption follows, and the victim is asked to send several encrypted files to an email address that is most likely disposable.

    Damage from the virus

    If the scale of the problem is not yet clear, note that decrypting files after an attack is laborious. If the user refuses the attackers' demands and instead brings in the authorities that deal with computer crime, this rarely gets the files back, although it does matter for investigations. Wiping the computer, restoring the system and copying the original data back from removable media also helps nothing while the malware is still present: the data will simply be encrypted again. Worse, when a flash drive is inserted, the user will not even notice the malware encrypting everything on it too, adding to the problems.

    The first ransomware virus

    Let's look at what the first ransomware was. When it appeared, nobody thought about how to disinfect a machine or decrypt files after running the executable code from an email attachment; the full scale of the disaster was understood only later. The first program to encrypt data and demand payment is generally considered to be the AIDS Trojan of 1989, which encrypted file names on the disk and demanded a licence fee. The better-known “I Love You” worm of 2000, which some sources cite here, was not ransomware: it overwrote media files (video, graphics and audio) with copies of itself, leaving them unusable, but nobody demanded money for restoring them.

    Latest modifications

    Extortion has become a profitable business, especially since many managers of large companies hurry to pay the demanded sum without considering that they may end up with neither the money nor the information. Posts on the Internet along the lines of “I paid, they sent the decryptor and everything was restored” deserve little trust; many of them may well be written by the criminals themselves to attract new victims. By ordinary users' standards the demanded sums are serious, reaching several thousand dollars or euros. The latest variants of this malware are much alike and belong not only to the file-encrypting category but to extortion (ransomware) in general. Some behave almost politely, sending messages claiming that someone wants to look after the safety of the organization's or user's data; such messages are simply meant to mislead, and there is no guarantee that paying brings anything back.

    XTBL virus

    The XTBL virus, which appeared fairly recently, is a classic file-encrypting ransomware. It usually enters the system through email messages with attachments carrying the .scr extension, the standard extension for Windows screensavers. The user assumes all is well and opens or saves the attachment, with dire consequences: file names are converted into a meaningless string of characters and .xtbl is appended to the original extension. A message is then sent to the attacker's address, and the victim is told that decryption is possible after paying a certain sum.

    Another family of the same classic type appears after an email attachment is opened. It also renames the user's files, appending .perfect or .nonchance to the extension. Unfortunately, files encrypted by this family cannot be decrypted: after finishing its work the malware deletes itself, and even a universal tool like RectorDecryptor does not help. The user receives a letter demanding payment and is given two days to pay.

    Breaking_Bad virus

    This threat follows the familiar pattern: it renames the user's files by appending .breaking_bad to the extension. It does not stop there: unlike other ransomware it can also use a second extension, .Heisenberg, which makes it harder to find all the affected files. Breaking_Bad is a serious threat; there are cases where even a licensed copy of Kaspersky Endpoint Security missed it.

    Virus [email protected]

    The [email protected] virus is another serious threat aimed mostly at large commercial organizations. Typically some department of the company receives an email containing a .jpg or .js file. Can files encrypted by it be decrypted? Since it uses RSA-1024, no. The name means a 1024-bit RSA key; this is an asymmetric key and cannot be compared directly with the 256-bit keys of symmetric ciphers such as AES-256. Although RSA-1024 is no longer considered adequate by modern standards, factoring it is still far beyond any individual's means, so brute force is not an option.
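    The attachment checks these passages call for (do not trust a file just because it claims to be a .jpg; beware .scr "screensaver" attachments; treat .js attachments as code) can be expressed as a small triage routine. This is an added example, not code from the article or from any mail gateway: it flags executable and script extensions, the double-extension trick (invoice.pdf.scr), and a mismatch between the declared extension and the file's leading magic bytes, such as a Windows PE header inside a file named .jpg. The extension sets beyond .scr and .js, the magic-byte table and the sample attachments (header bytes only, no real documents or malware) are my own assumptions.

```python
from typing import List, Tuple

# Extensions Windows runs directly. .scr and .js are the ones this page names;
# the rest are standard Windows executable/script types (assumed, not the page's).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Document-looking extensions used as the inner half of a double-extension disguise.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg",
                       ".jpeg", ".png", ".txt", ".rtf"}
# Macro-enabled Office formats are not executables but carry code (assumed).
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

# Leading bytes of common container formats (order matters: first match wins).
MAGIC = [
    (b"MZ", "pe"),                      # Windows executable, DLL or screensaver
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),             # also .docx/.xlsx/.pptx
    (b"\xd0\xcf\x11\xe0", "ole"),       # legacy .doc/.xls/.ppt
]
# What a file with this declared extension should look like inside.
EXPECTED_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
                 ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
                 ".docm": "zip", ".xlsm": "zip", ".pptm": "zip",
                 ".doc": "ole", ".xls": "ole", ".ppt": "ole",
                 ".exe": "pe", ".scr": "pe"}


def sniff(data: bytes) -> str:
    """Identify the container from its first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def split_extensions(filename: str) -> List[str]:
    """'invoice.pdf.scr' -> ['.pdf', '.scr']; names without a dot give []."""
    parts = filename.lower().strip().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str, data: bytes) -> Tuple[str, List[str]]:
    """Return ('block' | 'review' | 'allow', reasons) for one attachment."""
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""
    kind = sniff(data)
    block, review = [], []

    if final in EXECUTABLE_EXTENSIONS:
        block.append(f"executable/script extension {final}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            block.append(f"double extension: {exts[-2]}{final} poses as a document")
    if kind == "pe" and final not in EXECUTABLE_EXTENSIONS:
        block.append(f"content is a Windows executable but the name claims {final or 'no extension'}")

    expected = EXPECTED_KIND.get(final)
    if expected and kind not in ("unknown", "pe") and kind != expected:
        review.append(f"content looks like {kind}, not {expected}")
    if final in MACRO_EXTENSIONS:
        review.append("macro-enabled Office document")

    if block:
        return "block", block + review
    if review:
        return "review", review
    return "allow", []


def triage(attachments) -> dict:
    """Map each (name, bytes) pair to its verdict."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments}


# Constructed samples: header bytes only.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf.scr", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("scan.jpg",        b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("contract.js",     b"// script body omitted"),
    ("price_list.xlsm", b"PK\x03\x04\x14\x00\x06\x00"),
    ("holiday.png",     b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("photo.jpg",       b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.docx",     b"PK\x03\x04\x14\x00\x06\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        verdict, reasons = classify_attachment(name, data)
        print(f"{verdict:7s} {name:18s} {'; '.join(reasons)}")
```

    The content check matters more than the name check: Explorer hides known extensions by default, so invoice.pdf.scr is displayed as invoice.pdf, and a file named scan.jpg that starts with an MZ header will still run if the user is tricked into launching it. Archives are deliberately not unpacked here; a gateway would recurse into them and apply the same rules to each member.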

    Ransomware: Can you decrypt files using antivirus software?

    No way of decrypting files after such attacks has yet been found, and even recognized masters of antivirus protection such as Dr.Web, Kaspersky and ESET cannot find the key. How can the files be disinfected in this case? As a rule the user is asked to submit a formal request on the antivirus developer's website, attaching several encrypted files and their originals if available. Few users keep copies of their data on removable media, and the absence of such copies only aggravates an already unpleasant situation.

    Removing the threat manually: possible methods

    In some cases a scan with ordinary antivirus software identifies and even eliminates such malware. But what about the encrypted data? Some users try decryption programs, and it should be said right away that running a decryptor for the wrong family against your only copy of the files can damage them beyond repair, so always work on copies. In the case of Breaking_Bad it is claimed to be worse still: the authors of such malware try to protect themselves, and the virus may react to a decryption attempt by crashing the operating system and destroying everything stored on the logical partitions and hard drives. The only real hope is the official antivirus laboratories.

    Radical ways

    If things are really bad, you can format the hard drive, including virtual partitions, reinstall the operating system and then restore the data from an offline backup if you have one. Unfortunately there is no other way out yet. Rolling the system back to a restore point does not fix the situation: the malware may disappear, but the files remain encrypted.

    If a text message appears on your computer saying your files are encrypted, do not rush to panic. What are the symptoms of file encryption? The usual extension changes to *.vault, *.xtbl, *.[email protected]_XO101 and the like. The files cannot be opened: a key is needed, which can be bought by writing to the address given in the message.

    Where did the encrypted files come from?

    The computer picked up malware that blocked access to the data. Antivirus programs often miss it, because it is frequently built on a harmless free encryption utility. Removing the malware itself is quick; decrypting the data is where the serious problems begin.

    In response to requests to decrypt data, the technical support teams of Kaspersky Lab, Dr.Web and other well-known antivirus vendors reply that it cannot be done in an acceptable time. Several programs can recover the key, but only for previously analysed families; with a new variant the chances of regaining access to the data are very low.

    How does a ransomware virus get onto a computer?

    In the great majority of cases users activate the malware themselves by opening an unknown message. The message arrives with a provocative subject, “Subpoena”, “Loan debt”, “Notification from the tax office” and the like, and contains an attachment; once it is downloaded and opened, the ransomware lands on the computer and gradually starts locking access to the files.

    Encryption does not happen instantly, so there is time to remove the malware before everything is encrypted. The malicious script can be destroyed with Dr.Web CureIt!, Kaspersky (Virus Removal Tool or Internet Security) or Malwarebytes Anti-Malware.

    File recovery methods

    If System Protection was enabled on your computer, then even after a ransomware attack there is a chance to restore files from their shadow copies. Ransomware usually tries to delete the shadow copies, but sometimes it fails because it lacks administrator rights.

    Restoring a previous version:

    In order for previous versions to be saved, you need to enable system protection.

    Important: system protection must be enabled before the ransomware appears, after which it will no longer help.

    1. Open the Computer properties.
    2. From the menu on the left, select System Protection.
    3. Select drive C and click "Configure".
    4. Choose to restore system settings and previous versions of files, then apply the changes by clicking "OK".

    If you took these steps before the file-encrypting virus appeared, then after cleaning the malicious code from your computer you have a good chance of recovering your data.
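    Before reaching for a decryptor it is worth knowing whether any shadow copies actually survived, and whether they predate the infection (copies taken afterwards already hold the encrypted versions). The following is an added example, not part of the article or of any vendor tool: it parses the record layout printed by `vssadmin list shadows` (run from an elevated prompt) and lists, per drive letter, the shadow-copy device paths created before an assumed infection time. The sample output is constructed; host name, GUIDs and timestamps are made up.

```python
import re
from datetime import datetime

# Constructed sample laid out like the records printed by `vssadmin list
# shadows`; the second record is a newer copy on another volume.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 1/10/2016 9:15:02 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{bbbbbbbb-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 1/14/2016 8:02:41 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (D:)\\?\Volume{bbbbbbbb-0000-0000-0000-000000000002}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

VOLUME_RE = re.compile(r"\((\w:)\)")   # picks "C:" out of "(C:)\\?\Volume{...}\"


def parse_shadow_list(text: str) -> list:
    """Turn vssadmin's record layout into dicts: id, created, volume, device."""
    copies, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contained") and "creation time:" in line:
            stamp = line.split("creation time:", 1)[1].strip()
            created = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        elif line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "created": created}
            copies.append(current)
        elif line.startswith("Original Volume:") and current is not None:
            m = VOLUME_RE.search(line)
            current["volume"] = m.group(1) if m else None
        elif line.startswith("Shadow Copy Volume:") and current is not None:
            current["device"] = line.split(":", 1)[1].strip()
    return copies


def copies_predating(copies: list, infection_time) -> dict:
    """Shadow copies created before the ransomware ran, keyed by drive letter.
    *infection_time* is a datetime or an ISO string such as '2016-01-12'."""
    if isinstance(infection_time, str):
        infection_time = datetime.fromisoformat(infection_time)
    usable = {}
    for c in copies:
        if c["created"] is not None and c["created"] < infection_time:
            usable.setdefault(c["volume"], []).append(c["device"])
    return usable


if __name__ == "__main__":
    # Assumed infection time, e.g. read from the ransom note's timestamp.
    found = copies_predating(parse_shadow_list(SAMPLE_OUTPUT), "2016-01-12")
    for drive, devices in found.items():
        print(drive, "->", devices)
```

    A device path the script reports can be browsed with ShadowExplorer (mentioned later in the article) or exposed as a folder with `mklink /d`, after which the pre-infection versions of the files are simply copied out.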

    Using special utilities

    Kaspersky Lab has prepared several utilities to help open encrypted files after removing the virus. The first decryptor you should try is Kaspersky RectorDecryptor.

    1. Download the program from the official Kaspersky Lab website.
    2. Then run the utility and click “Start scan”. Specify the path to any encrypted file.

    If the malicious program has not changed the file extensions, then to decrypt the files you first need to collect them in a separate folder. If RectorDecryptor does not help, download two more programs from the official Kaspersky website: XoristDecryptor and RakhniDecryptor.

    The newest utility from Kaspersky Lab is called Ransomware Decryptor. It helps decrypt files after the CoinVault virus, which is not yet very widespread on the RuNet but may soon displace other Trojans.

    That the Internet is full of viruses surprises no one today. Many users, to put it mildly, turn a blind eye to the effect such programs have on their systems or personal data, until a ransomware virus takes hold of their own machine. Most ordinary users do not know how to disinfect the system and decrypt the data on their hard drive, so they give in to the attackers' demands. Let's look at what can be done when such a threat is detected, and how to prevent it from entering the system in the first place.

    What is a ransomware virus?

    This type of threat uses standard and non-standard file encryption algorithms that completely change the files' contents and block access to them. For example, after the virus has run, an encrypted text file cannot be opened for reading or editing, and multimedia content (graphics, video or audio) cannot be played. Even ordinary actions such as copying or moving the objects are unavailable.

    The virus itself is the tool that encrypts the data, and restoring the data to its original state is not always possible even after the threat has been removed from the system. Typically, such malware creates copies of itself and settles deep in the system, so the file-encrypting virus may be impossible to remove completely. By uninstalling the main program or deleting the main body of the virus, the user does not get rid of the threat, let alone recover the encrypted information.

    How does the threat enter the system?

    As a rule, threats of this type are mainly aimed at large commercial organisations and enter computers through e-mail clients when an employee opens a supposedly attached document, say an addendum to a cooperation agreement or a product delivery plan (commercial offers with attachments from dubious sources are the primary route for the virus).

    The trouble is that a ransomware virus on a machine with access to a local network is able to spread across it, creating copies of itself not only on network shares but also on the administrator's workstation, if the necessary protection in the form of antivirus software and a firewall is not in place.

    Sometimes such threats also reach the computers of ordinary users, who by and large are of no interest to the attackers. This happens when installing programs downloaded from dubious Internet resources. Many users ignore the antivirus warnings shown when the download starts, pay no attention during installation to offers to install additional software, toolbars or browser plug-ins, and then, as they say, bite their elbows.

    Types of viruses and a little history

    Basically, threats of this type, in particular the most dangerous of them, the No_more_ransom virus, are classified not only as tools for encrypting data or blocking access to it. In fact, all such malware belongs to the category of ransomware: the attackers demand a ransom for decrypting the data, counting on the fact that without the original program this will be impossible. This is partly true.

    But if you dig into history, you will notice that one of the very first viruses of this type, although it made no demands for money, was the infamous I Love You applet, which completely encrypted media files (mostly music tracks) on user systems. Decrypting files after that ransomware virus was impossible at the time. Today this particular threat can be dealt with in an elementary way.

    But the development of the viruses themselves and of the encryption algorithms they use does not stand still. Among the viruses there are XTBL, CBF, Breaking_Bad, [email protected] and a heap of other rubbish.

    Method of influencing user files

    Whereas until recently most attacks used RSA-1024-based algorithms combined with AES encryption of the same bit length, the same No_more_ransom virus now exists in several variants using keys based on RSA-2048 and even RSA-3072.

    Problems of deciphering the algorithms used

    The trouble is that modern decryption tools have proved powerless against such a danger. Decrypting files after an AES-256-based ransomware virus is still supported to some extent, but given a key of higher bit length almost all developers simply shrug their shoulders. This, incidentally, has been officially confirmed by specialists from Kaspersky Lab and ESET.

    In the most primitive version, a user contacting the support service is asked to send an encrypted file together with its original for comparison and further work to determine the encryption algorithm and a recovery method. But as a rule this gives no result. It is believed that the encrypting virus can decrypt the files itself, provided the victim agrees to the attackers' conditions and pays a certain sum of money. However, this raises legitimate doubts, and here is why.

    Encryptor virus: how to disinfect and decrypt files and can it be done?

    Allegedly, after payment the hackers activate decryption by remotely accessing their virus, which is sitting in the system, or through an additional applet if the virus body has been deleted. This looks more than doubtful.

    I would also note that the Internet is full of fake posts claiming that the required sum was paid and the data successfully restored. It is all a lie! And really, where is the guarantee that after payment the encryption virus will not be activated in the system again? The psychology of extortionists is easy to understand: pay once, pay again. And where particularly important information is concerned, such as specific commercial, scientific or military developments, its owners are ready to pay whatever is asked to keep the files safe and sound.

    The first remedy to eliminate the threat

    Such is the nature of an encryption virus. How to disinfect and decrypt files after exposure to the threat? No way, if there are no suitable tools available, and even those do not always help. But you can try.

    Let's assume a ransomware virus has appeared in the system. How to cure the infected files? First, perform an in-depth scan of the system without relying on S.M.A.R.T. technology, which detects threats only when boot sectors and system files are damaged.

    It is advisable not to use the installed standard scanner, which has already missed the threat, but portable utilities. The best option is to boot from Kaspersky Rescue Disk, which can start before the operating system loads.

    But this is only half the battle, since in this way you only get rid of the virus itself. Decryption will be harder; more on that a little later.

    There is another category into which ransomware viruses fall. How to decrypt the information will be discussed separately; for now, note that they can exist completely openly in the system as officially installed programs and applications (the impudence of the attackers knows no bounds, since the threat does not even try to disguise itself).

    In this case, use the Programs and Features section, where the standard uninstallation is performed. Bear in mind, however, that the standard Windows uninstaller does not delete all of a program's files. In particular, the ransomware is capable of creating its own folders in the system's root directories (usually these are Csrss directories containing an executable of the same name, csrss.exe). The Windows, System32 or user directories (Users on the system drive) are chosen as the main location.

    In addition, the No_more_ransom ransomware writes its own keys to the registry in the form of what looks like a link to the official Client Server Runtime Subsystem service, which misleads many, since that service is responsible for interaction between client and server software. The key itself sits in the Run folder, reached through the HKLM branch. Clearly, such keys will have to be deleted manually.

    To make this easier, you can use utilities like IObit Uninstaller, which automatically search for residual files and registry keys (but only if the virus is visible on the system as an installed application). But this is the simplest thing you can do.

    Solutions offered by antivirus software developers

    Decryption after a ransomware virus, it is believed, can be done using special utilities, although where a 2048- or 3072-bit key is involved you should not really count on them (besides, many of them delete the files after decryption, and the recovered files then vanish again because of a virus body that was not removed beforehand).

    Nevertheless, you can try. Of all the programs, RectorDecryptor and ShadowExplorer stand out; it is believed that nothing better has yet been created. The problem, though, is that when you try a decryptor there is no guarantee the files being cured will not be deleted. That is, if you do not get rid of the virus first, any decryption attempt is doomed to fail.

    Besides the deletion of the encrypted information, there can be a fatal outcome: the whole system becomes inoperable. Moreover, a modern encryption virus can affect not only data stored on the computer's hard drive but also files in cloud storage, and for those there are no recovery solutions at all. As it turns out, many services take insufficiently effective protection measures (the same OneDrive built into Windows 10, which is exposed directly from the operating system).

    A radical solution to the problem

    As is already clear, most modern methods give no positive result for infections with such viruses. Of course, if you have the original of a damaged file, it can be sent to an antivirus laboratory for analysis. True, there are serious doubts that the average user makes backups at all, and backups stored on the hard drive can also be exposed to the malicious code. As for users copying their information to removable media to avoid trouble, that does not happen at all.

    Thus, for a radical solution to the problem the conclusion suggests itself: full formatting of the hard drive and all logical partitions, with the information on them lost. What is to be done? You will have to make this sacrifice if you do not want the virus, or a copy it has saved of itself, to be activated in the system again.

    To do this, do not use the tools of the Windows system itself (this applies to formatting logical partitions, since an attempt to access the system disk will be refused). It is better to boot from optical media such as a LiveCD or an installation distribution, for example one created with the Media Creation Tool for Windows 10.

    Before formatting, provided the virus has been removed from the system, you can try to restore the integrity of system components from the command line (sfc /scannow), but this has no effect on decrypting or unlocking the data. Therefore format c: is the only correct solution, whether you like it or not. It is the only way to get rid of threats of this type completely. Alas, there is no other way! Even the standard treatment offered by most antivirus packages proves powerless.

    Instead of an afterword

    By way of obvious conclusions, all that can be said is that there is currently no single universal way to eliminate the consequences of this type of threat (sad but true, and confirmed by the majority of antivirus developers and cryptography experts).

    It remains unclear why the emergence of algorithms based on 1024-, 2048- and 3072-bit encryption escaped those directly involved in developing and implementing such technologies. After all, the AES-256 algorithm is today considered the most promising and most secure. Note: 256! Against modern viruses, as it turns out, this system does not hold a candle. What then can be said of attempts to decrypt their keys?

    Be that as it may, preventing a threat from getting into the system is fairly simple. At the very least, scan every incoming message with attachments in Outlook, Thunderbird and other mail clients with an antivirus immediately on receipt, and under no circumstances open attachments until the scan has completed. You should also read carefully the offers to install additional software that appear when installing some programs (usually in very small print or disguised as standard add-ons such as a Flash Player update). Multimedia components are better updated from official websites. This is the only way to at least somewhat prevent such threats from penetrating your own system. The consequences can be completely unpredictable, given that viruses of this type spread instantly over a local network, and for a company such a turn of events can mean the total collapse of its operations.

    Finally, the system administrator should not sit idle either. In such a situation it is better to rule out purely software-based protection: the firewall should be a hardware one (naturally, with its accompanying software on board) rather than a software product. And it goes without saying that you should not skimp on antivirus packages: better to buy a licensed package than to install primitive programs that provide real-time protection only according to their developer.

    And if a threat has already penetrated the system, the sequence of actions should be: remove the virus body first, and only then attempt to decrypt the damaged data. Ideally, do a full format (note: a full one, not a quick format that merely clears the file table, preferably with restoration or replacement of the existing file system, boot sectors and records).