Encryptor removal utility. Encryption virus: what is it, why is it dangerous?

    Let us remind you: Trojans of the Trojan.Encoder family are malicious programs that encrypt files on a computer’s hard drive and demand money for decrypting them. Files such as *.mp3, *.doc, *.docx, *.pdf, *.jpg, *.rar and so on may be encrypted.
    I have not personally encountered every member of this family, but, as practice shows, the method of infection, treatment and decryption is roughly the same for all of them:
    1. the victim is infected through a spam e-mail with an attachment (less often by other infection routes),
    2. the virus is recognized and removed (by now) by almost any antivirus with fresh databases,
    3. files are decrypted by recovering (brute-forcing) the keys for the types of encryption used.
    For example, Trojan.Encoder.225 uses RC4 (modified) + DES encryption, and Trojan.Encoder.263 uses BlowFish in CTR mode. At the moment these viruses are decrypted in 99% of cases, based on my own practice.

    But not everything is so smooth. Some encryption viruses require months of continuous decryption (Trojan.Encoder.102), while others (Trojan.Encoder.283) cannot be decrypted correctly even by specialists from Doctor Web, which, in fact, plays a key role in this article.

    Now, in order.

    At the beginning of August 2013, clients contacted me with the problem of files encrypted by the Trojan.Encoder.225 virus. The virus was new at that time, no one knew anything, and there were 2-3 relevant Google links on the Internet. After a lengthy search on the Internet, it turned out that the only organization (that I found) dealing with the problem of decrypting files after this virus is the Doctor Web company. Namely, it gives recommendations, helps when you contact technical support, develops its own decryptors, etc.

    A negative digression.

    And, taking this opportunity, I would like to point out two big fat minuses for Kaspersky Lab. When you contact their technical support, they brush you off with “we are working on this issue, we will notify you of the results by mail.” And the downside is that I never received a response to the request. After 4 months. Damn the reaction time. And here I am striving for the standard “no more than one hour from submitting the application.”
    Shame on you, Comrade Evgeniy Kaspersky, general manager of Kaspersky Lab. And a good half of all my companies “sit” on it. Well, okay, the licenses expire in January-March 2014. Is it worth talking about whether I will renew them? ;)

    I can picture the faces of the “specialists” from the “simpler” companies, so to speak, NOT the giants of the antivirus industry. They probably just “huddled in a corner” and “cried quietly.”
    Although, what’s more, absolutely everyone was completely screwed. The antivirus, in principle, should not have allowed this virus onto the computer. Especially considering modern technologies. And “they”, the GIANTS of the anti-VIRUS industry, supposedly have everything covered: “heuristic analysis”, “preemptive system”, “proactive defense”...

    WHERE WERE ALL THESE SUPER-SYSTEMS WHEN THE HR DEPARTMENT WORKER OPENED A “HARMLESS” LETTER WITH THE SUBJECT “RESUME”???
    What was the employee supposed to think?
    If YOU cannot protect us, then why do we need YOU at all?

    And everything would be fine with Doctor Web, but to get help you must, of course, have a license for one of their software products. When contacting technical support (hereinafter referred to as TS), you must provide the Dr.Web serial number and don’t forget to select “request for treatment” in the “Request category:” line, or simply send an encrypted file to the laboratory. Let me make a reservation right away that the so-called “magazine keys” of Dr.Web, which are posted in batches on the Internet, are not suitable, since they do not confirm the purchase of any software product and are weeded out in no time by TS specialists. It’s easier to buy the “cheapest” license. Because if you take on decryption, this license will pay you back a million times over. Especially if the folder with the photos “Egypt 2012” existed in a single copy...

    Attempt No. 1

    So, having bought a “license for 2 PCs for a year” for a certain sum, contacted TS and provided some files, I received a link to the decryption utility te225decrypt.exe version 1.3.0.0. Anticipating success, I launch the utility (you need to point it at one of the encrypted *.doc files). The utility begins brute-forcing, mercilessly loading the old processor E5300 DualCore, 2600 MHz (overclocked to 3.46 GHz) / 8192 MB DDR2-800, HDD 160 GB Western Digital to 90-100%.
    In parallel with me, a colleague runs it on a PC with a Core i5 2500K (overclocked to 4.5 GHz) / 16 GB RAM 1600 / Intel SSD (this is for the comparison of time spent at the end of the article).
    After 6 days, the utility reported that 7277 files had been decrypted. But the happiness did not last long. All files were decrypted “crookedly”. That is, for example, Microsoft Office documents open, but with various errors: “Word: there was content in the *.docx document that could not be read” or “The *.docx file cannot be opened due to errors in its content.” *.jpg files also open either with an error, or 95% of the image turns out to be a faded black or light green background. For *.rar files: “Unexpected end of archive”.
    Overall, a complete failure.

    Attempt No. 2

    We write to TS about the results. They ask us to provide a couple of files. A day later they again provide a link to the te225decrypt.exe utility, but this time version 1.3.2.0. Well, let’s launch it; there was no alternative then anyway. About 6 days pass and the utility ends with the error “Unable to select encryption parameters.” Total: 13 days “down the drain.”
    But we don’t give up; we have important documents from our *stupid* client, who has no basic backups.

    Attempt No. 3

    We write to TS about the results. They ask us to provide a couple of files. And, as you may have guessed, a day later they provide a link to the same te225decrypt.exe utility, but version 1.4.2.0. Well, let’s launch it; there was no alternative, and none ever appeared, either from Kaspersky Lab, or from ESET NOD32, or from other antivirus vendors. And now, after 5 days 3 hours 14 minutes (123.5 hours), the utility reports that the files have been decrypted (for the colleague on the Core i5, decryption took only 21 hours 10 minutes).
    Well, I think, here goes nothing. And lo and behold: complete success! All files are decrypted correctly. Everything opens, closes, displays, edits and saves properly.

    Everyone is happy, THE END.

    “Where is the story about the Trojan.Encoder.263 virus?”, you ask. On the next PC, under the table... there it was. Everything was simpler there: we write to the Doctor Web TS, get the te263decrypt.exe utility, launch it, wait 6.5 days, voila! Everything is ready. To summarize, I can offer some advice from the Doctor Web forum in my own edition:

    What to do if you are infected with a ransomware virus:
    - send an encrypted doc file to the Dr.Web virus laboratory or via the “Submit suspicious file” form.
    - Wait for a response from a Dr.Web employee and then follow their instructions.

    What NOT to do:
    - change the extension of encrypted files; otherwise, even with a successfully recovered key, the utility simply will not “see” the files that need to be decrypted.
    - use, on your own and without consulting specialists, any programs for decrypting/recovering data.

    Attention: having a server free from other tasks, I offer my free services for decrypting YOUR data. Server: Core i7-3770K overclocked to *certain frequencies*, 16 GB of RAM and a Vertex 4 SSD.
    For all active users of Habr, the use of my resources will be FREE!!!

    Write to me in a personal message or through other contacts. I already know this inside out. Therefore, I’m not too lazy to put the server on decryption overnight.
    This virus is the “scourge” of our time, and taking “loot” from comrades-in-arms is not humane. Although, if someone “throws” a couple of bucks into my Yandex.Money account 410011278501419, I won’t mind. But this is not at all necessary. Contact me. I process applications in my free time.

    New information!

    Starting from December 8, 2013, a new virus from the same Trojan.Encoder series, Trojan.Encoder.263 under the Doctor Web classification, but with RSA encryption, began to spread. As of today (12/20/2013), this type cannot be decrypted, as it uses a very strong encryption method.

    I recommend to everyone who has suffered from this virus:
    1. Using the built-in Windows search, find all files with the .perfect extension and copy them to external media.
    2. Copy the CONTACT.txt file as well.
    3. Put this external media “on the shelf”.
    4. Wait for the decryptor utility to appear.
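The preservation steps above, as an added example that is not part of the original post: it collects every file carrying the ransomware extension plus the ransom note, copies them with names and relative paths unchanged (a renamed file is invisible to a later decryptor, as the post warns), and writes a SHA-256 manifest so the copies on the media can be checked for damage before a decryptor is run. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Values quoted on the page: the extension this family appends and the
# ransom note it drops. Both are parameters, so other families fit too.
ENCRYPTED_EXT = ".perfect"
NOTE_NAME = "CONTACT.txt"
MANIFEST_NAME = "manifest.json"


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def wanted(filename: str, ext: str = ENCRYPTED_EXT, note: str = NOTE_NAME) -> bool:
    """Select encrypted files by extension plus the ransom note (needed later to
    identify the family and, with some decryptors, to recover the key)."""
    return filename.lower().endswith(ext.lower()) or filename == note


def preserve(source_root: str, dest_root: str) -> list:
    """Copy every selected file from source_root to dest_root, keeping relative
    paths and names unchanged (renaming or changing the extension would stop a
    future decryptor from recognising the files), and write a manifest with
    size and SHA-256 so the copies can be checked before they are decrypted."""
    manifest = []
    for dirpath, _, files in os.walk(source_root):
        for fn in files:
            if not wanted(fn):
                continue
            src = os.path.join(dirpath, fn)
            rel = os.path.relpath(src, source_root).replace(os.sep, "/")
            dst = os.path.join(dest_root, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps timestamps; the original is never moved
            manifest.append({"path": rel, "size": os.path.getsize(dst), "sha256": sha256_of(dst)})
    manifest.sort(key=lambda e: e["path"])
    with open(os.path.join(dest_root, MANIFEST_NAME), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(dest_root: str) -> list:
    """Re-hash the preserved copies against the manifest; returns the relative
    paths that are missing or changed (an empty list means the set is intact)."""
    with open(os.path.join(dest_root, MANIFEST_NAME), encoding="utf-8") as f:
        manifest = json.load(f)
    bad = []
    for entry in manifest:
        path = os.path.join(dest_root, *entry["path"].split("/"))
        if not os.path.isfile(path) or sha256_of(path) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def build_sample_tree() -> str:
    """Constructed stand-in for an infected user profile (no real malware output)."""
    root = tempfile.mkdtemp(prefix="perfect-src-")
    files = {
        "Documents/report.docx.perfect": b"constructed ciphertext 1",
        "Pictures/2012/egypt.jpg.perfect": b"constructed ciphertext 2",
        "Documents/CONTACT.txt": b"constructed ransom note",
        "Documents/notes.txt": b"an untouched file that must not be copied",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def demo() -> tuple:
    """Preserve the sample tree into a fresh 'external media' directory, verify
    it, then damage one copy to show that verification flags exactly that file.
    Returns (manifest, problems before damage, problems after damage)."""
    src = build_sample_tree()
    dst = tempfile.mkdtemp(prefix="perfect-evidence-")
    manifest = preserve(src, dst)
    intact = verify(dst)
    with open(os.path.join(dst, "Documents", "report.docx.perfect"), "ab") as f:
        f.write(b"!")  # simulated bit rot / partial copy on the media
    return manifest, intact, verify(dst)


if __name__ == "__main__":
    m, before, after = demo()
    for e in m:
        print(f"{e['sha256'][:16]}  {e['size']:>6}  {e['path']}")
    print("before damage:", before or "intact")
    print("after damage: ", after)
```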

    What NOT to do:
    There is no need to deal with criminals. This is stupid. In more than 50% of cases, after “paying” approximately 5000 rubles, you will receive NOTHING. No money, no decryptor.
    To be fair, it is worth noting that there are “lucky” people on the Internet who got their files back after paying “loot” for decryption. But you shouldn’t trust these people. If I were a virus writer, the first thing I would do would be to spread information like “I paid and they sent me a decryptor!!!”
    Behind these “lucky ones” there may be the same attackers.

    Well... let's wish good luck to other antivirus companies in creating a utility for decrypting files after the Trojan.Encoder group of viruses.

    Special thanks to comrade v.martyanov from the Doctor Web forum for the work done on creating decryption utilities.

    One of the things that can make it difficult to recover encrypted data after a ransomware infection is identifying the encryptor. If the user can identify the ransomware, they can check whether there is a free way to decrypt the data.

    More on the topic: The work of an encryptor using the example of ransomware

    Find out which ransomware encrypted the files

    There are several ways to identify a ransomware. By using:

    • the ransomware virus itself
    • encrypted file extension
    • ID Ransomware online service
    • Bitdefender Ransomware utilities

    With the first method everything is clear. Many ransomware viruses, such as The Dark Encryptor, do not hide themselves, and identifying the malware will not be difficult.

    The Dark Encryptor

    You can also try to identify the ransomware using the extension of the encrypted file. Just type it into the search and see the results.

    But there are situations when it is not so easy to find out which ransomware encrypted files. In these cases, the following two methods will help us.

    Identify ransomware using ID Ransomware

    A method for identifying a ransomware using the ID Ransomware online service.

    Identify ransomware using Bitdefender Ransomware

    Bitdefender Ransomware Recognition Tool is a new program for Windows from Bitdefender that helps identify the ransomware in case of a ransomware infection.

    This is a small free program that does not need to be installed. All that is required is to run the program, accept the license and use it to identify the ransomware. You can download the Bitdefender Ransomware Recognition Tool from the official website via a direct link.

    Bitdefender does not write about compatibility. In my case the program worked on a Windows 10 Pro device. Please note that Bitdefender Ransomware Recognition Tool requires an Internet connection.

    The principle of operation is the same as in the previous method. In the first field we specify the file with the text of the ransom message, and in the second the path to the encrypted files.


    As far as I understand, the Bitdefender Ransomware Recognition Tool does not send the file itself to the server, but only analyzes the names and extensions.

    Another interesting feature of the Bitdefender Ransomware Recognition Tool is that it can be launched from the command line.

    I have not tested the Bitdefender Ransomware Recognition Tool, so I would welcome any comments from people who have tried it in action.

    That’s all. I hope you won’t need these instructions, but if you do encounter ransomware, you will know how to identify it.

    Read how to protect yourself from ransomware infection and remove XTBL from a computer, whether it is worth paying the ransom, and how to recover files encrypted by ransomware. Ransomware viruses are one of the worst cyber infections you can encounter. It is not for nothing that they enjoy such a reputation on the Internet, since they are a truly scary tool.

    All ransomware is designed according to the same principle. Slipping into your system undetected, they begin to encrypt your files in order to later demand a ransom from you for access to them.


    Ransomware virus

    If you suddenly find one or all of your files renamed with an XTBL or other unknown file extension, you’re out of luck: you’ve encountered a ransomware virus. You will soon receive a message asking you to pay to unlock your files. Sometimes it is a window with text, sometimes a Readme text document on your desktop or even in every folder. The message to the user may be duplicated in several languages other than English and contains all the demands of the attackers who created the virus.

    It would seem easier to pay to get rid of such a virus, but this is not so. Whatever the virus demands, do not agree: it will deal you a double blow. Your locked files will most likely not be recoverable; accept this and do not send money to unlock them. Otherwise, in addition to the files, you will also lose money.

    You may receive a message with the following content:

    “All files on your computer including videos, photos and documents have been encrypted. Encryption was performed using a unique public key generated for this computer. To decrypt files you must use a private key.
    The only copy of this key is stored on a secret server on the Internet. The key will be automatically destroyed after 7 days and no one will be able to access the files.”

    How a computer could become infected with a ransomware virus

    A ransomware virus cannot appear on your computer by magic. It consists of several elements whose installation must be approved by you personally. Of course, the virus did not ask for this openly; it was done with the help of tricks and deception.

    For example, one of the most popular penetration methods is the use of free programs, compromised sites or links. The infection can also be disguised as a Java or Flash Player update. You will be confident that you are installing an update for a program you know and will give the green light to install a dangerous infection.

    To avoid getting into an unpleasant situation, be careful and attentive. Do not rush to take any action if you are not sure about it. The main reason for getting a virus is user negligence.

    Removing the XTBL extension or changing file names

    Why is the XTBL file extension so dangerous? The ransomware will find all your files, including images, videos, music and documents, and encrypt them. Files of any format will be encrypted: .doc, .docx, .docm, .wps, .xls, .xlsx, .ppt, .pptx, .pptm, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .mp3, .lnk, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif, .txt. Nothing will protect them. Once encryption is complete, the extensions of all files will be changed to XTBL and they will no longer open.

    Changing the file name or removing the XTBL extension will not restore access to the files. To do this, they need to be decrypted using a private key. To obtain this key, you must fulfil all the conditions of the ransomware. But ask yourself: can you trust the attackers who infected your computer? Of course not; keep in mind that the rules of the game are not in your favor from the start.

    Is it worth paying for a decryption key?

    What is the best scenario you can count on? You pay the ransom and, let’s say, you get a key to decrypt your files; let’s say it works and your files are unlocked. But what next? What will protect your data from being re-encrypted the next day? Nothing.

    By paying for access to the files, you will not only lose money but also give the scammers who developed the virus access to your personal and financial information. Don’t let anyone interfere with your personal life. The amount asked for a decryption key often exceeds $500. Answer yourself this question: are you ready to open up your personal data and banking information to scammers, and lose an additional $500 in exchange for a ghostly promise to decrypt your files? Set your priorities right!

    Instructions for removing ransomware virus

    1. Remove the malicious process using the Task Manager;
    2. Show hidden files.

    Remove the malicious process using the Task Manager


    Show hidden files

    • Go to any folder.
    • Select File > Change folder and search options.
    • Go to the “View” tab.
    • Enable the option “Show hidden files and folders”.
    • Turn off the option “Hide protected system files”.
    • Click “Apply to Folders”, then Apply and OK.

    Determine the location of the virus

    1. Immediately after the operating system boots, press the key combination Windows+R.
    2. In the dialog box, enter regedit. Be careful when editing the Windows registry; this may make the system inoperable.
      Depending on your OS (x86 or x64) go to branch
      or
      or
      and delete the parameter with the automatically generated name.

    Alternatively, you can run msconfig and additionally double-check the virus launch point. Note that the process, folder and executable file names are generated automatically for your computer and will differ from the examples shown. Therefore it is worth using a professional antivirus program to identify and remove the virus if you are not confident in your abilities.

    Recover files encrypted by XTBL virus

    If you still have a backup copy of your important files, you are lucky: you will restore the files from the copy after treating the virus. The backup could have been made either by a program you configured or, without your intervention, by one of the Windows tools: File History, restore points, or a system image backup.


    If you are working on a computer connected to an enterprise network, contact the network administrator. Most likely the backup was set up by them. If your search for a backup is unsuccessful, try a data recovery program.

    During encryption, the virus creates a new file and writes the encrypted contents of the original file into it. After that the original file is deleted, so you can try to restore it. Download and install

    The fact that the Internet is full of viruses surprises no one today. Many users, to put it mildly, turn a blind eye to their impact on systems or personal data, but only until a ransomware virus takes hold in the system. Most ordinary users do not know how to disinfect and decrypt the data stored on their hard drive. Therefore this contingent is “led” to the demands put forward by the attackers. But let’s see what can be done if such a threat is detected, or to prevent it from entering the system.

    What is a ransomware virus?

    This type of threat uses standard and non-standard file encryption algorithms that completely change the files’ contents and block access. For example, after exposure to the virus it will be absolutely impossible to open an encrypted text file for reading or editing, or to play multimedia content (graphics, video or audio). Even standard actions like copying or moving objects are unavailable.

    The virus software itself is the tool that encrypts data in such a way that restoring it to its initial state is not always possible, even after removing the threat from the system. Typically, such malicious programs create copies of themselves and settle very deep in the system, so the file-encrypting virus may be completely impossible to remove. By uninstalling the main program or deleting the main body of the virus, the user does not get rid of the threat, let alone restore the encrypted information.

    How does the threat enter the system?

    As a rule, threats of this type are mostly aimed at large commercial organizations and can penetrate computers through e-mail, when an employee opens a supposedly attached document which is, say, an addendum to some cooperation agreement or a product supply plan (commercial offers with attachments from dubious sources are the first path for a virus).

    The trouble is that an encryption virus on a machine with access to a local network is able to adapt to it, creating copies of itself not only in the network environment but also on the administrator’s terminal, if it lacks the necessary means of protection in the form of antivirus software or a firewall.

    Sometimes such threats can penetrate the computers of ordinary users who, by and large, are of no interest to attackers. This happens during the installation of programs downloaded from dubious Internet resources. Many users ignore the antivirus warnings when starting a download, and during installation they pay no attention to offers to install additional software, toolbars or browser plugins, and then, as they say, bite their elbows.

    Types of viruses and a little history

    Mostly threats of this type, in particular the most dangerous ransomware virus No_more_ransom, are classified not only as tools for encrypting data or blocking access to it. In fact, all such malicious applications belong to the category of ransomware. In other words, attackers demand a certain bribe for decrypting the information, believing that without the original program this process will be impossible. This is partly true.

    But, if you dig into history, you will notice that one of the very first viruses of this type, although it did not demand money, was the infamous I Love You applet, which completely encrypted users’ media files (mostly music tracks). Decrypting files after that ransomware virus turned out to be impossible at the time. Now this particular threat can be fought in an elementary way.

    But the development of the viruses themselves and of the encryption algorithms used does not stand still. What is there among viruses: here you have XTBL, and CBF, and Breaking_Bad, and [email protected], and a bunch of other crap.

    Method of influencing user files

    And if until recently most attacks were carried out using RSA-1024 algorithms based on AES encryption of the same bit depth, today the same No_more_ransom encryption virus is presented in several variants using encryption keys based on RSA-2048 and even RSA-3072 technologies.

    Problems of deciphering the algorithms used

    The trouble is that modern decryption systems have turned out to be powerless in the face of such a danger. Decryption of files after an AES256-based ransomware virus is still somewhat supported, but given a higher key bit depth, almost all developers simply shrug their shoulders. This, by the way, has been officially confirmed by specialists from Kaspersky Lab and Eset.

    In the most primitive version, a user contacting the support service is asked to send an encrypted file and its original for comparison and further work to determine the encryption algorithm and recovery methods. But, as a rule, in most cases this gives no results. It is believed that the encrypting virus can decrypt the files itself, provided that the victim agrees to the attackers’ conditions and pays a certain amount of money. However, this formulation of the question raises legitimate doubts. And here’s why.

    Encryptor virus: how to disinfect and decrypt files and can it be done?

    Allegedly, after payment, the hackers activate decryption via remote access to the virus sitting on your system, or through an additional applet if the virus body has been deleted. This looks more than doubtful.

    I would also like to note that the Internet is full of fake posts claiming that the required amount was paid and the data was successfully restored. It’s all a lie! And really, where is the guarantee that after payment the encryption virus will not be activated again in the system? It is not difficult to understand the psychology of the burglars: pay once, pay again. And if we are talking about especially important information, such as specific commercial, scientific or military developments, the owners of such information are willing to pay whatever it takes to ensure that the files remain safe and sound.

    The first remedy to eliminate the threat

    This is the nature of an encryption virus. How to disinfect and decrypt files after exposure to a threat? No way, if there are no available tools, which also do not always help. But you can try.

    Let’s assume that a ransomware virus has appeared in the system. How to cure the infected files? First, you should perform an in-depth scan of the system without using S.M.A.R.T. technology, which detects threats only when boot sectors and system files are damaged.

    It is advisable not to use the existing standard scanner, which has already missed the threat, but to use portable utilities. The best option would be to boot from Kaspersky Rescue Disk, which can start even before the operating system runs.

    But this is only half the battle, since in this way you can only get rid of the virus itself. But with a decoder it will be more difficult. But more on that a little later.

    There is another category into which ransomware viruses fall. How to decrypt the information will be discussed separately, but for now let us dwell on the fact that they can exist completely openly in the system in the form of officially installed programs and applications (the impudence of attackers knows no bounds, since the threat does not even try to disguise itself).

    In this case, you should use the Programs and Features section, where you perform a standard removal. However, note that the standard uninstaller for Windows systems does not completely delete all program files. In particular, the ransom encryption virus is capable of creating its own folders in the root directories of the system (usually these are Csrss directories, where an executable file with the same name, csrss.exe, is present). The main locations chosen are the Windows or System32 folders or the user directories (Users on the system disk).

    In addition, the No_more_ransom ransom virus writes its own keys into the registry in the form of a link, seemingly to the official Client Server Runtime Subsystem system service, which misleads many, since this service is responsible for the interaction of client and server software. The key itself is located in the Run folder, which can be reached through the HKLM branch. Clearly, such keys will need to be deleted manually.

    To make it easier, you can use utilities like iObit Uninstaller, which search for residual files and registry keys automatically (but only if the virus is visible on the system as an installed application). But this is the simplest thing you can do.

    Solutions offered by antivirus software developers

    It is believed that decryption after a ransomware virus can be done using special utilities, although if you are dealing with 2048- or 3072-bit keys, you shouldn’t really count on them (in addition, many of them delete files after decryption, and then the recovered files disappear due to the presence of the virus body, which was not deleted beforehand).

    Nevertheless, you can try. Of all the programs, it is worth highlighting RectorDecryptor and ShadowExplorer. It is believed that nothing better has been created yet. But the problem may also be that when you try to use a decryptor, there is no guarantee that the files being cured will not be deleted. That is, if you do not get rid of the virus first, any attempt at decryption will be doomed to failure.

    In addition to the deletion of encrypted information, there can also be a fatal outcome: the entire system becomes inoperable. Moreover, a modern encryption virus can affect not only data stored on the computer’s hard drive, but also files in cloud storage. And there are no solutions for recovering that data. In addition, as it turned out, many services do not take sufficiently effective protective measures (the same OneDrive built into Windows 10, which is exposed directly from the operating system).

    A radical solution to the problem

    As is already clear, most modern methods do not give a positive result when infected with such viruses. Of course, if you have the original of a damaged file, it can be sent for examination to an antivirus laboratory. True, there are very serious doubts that the average user will create backup copies of data, which, when stored on the hard drive, can also be exposed to malicious code. And there is no question at all of users copying information to removable media to avoid trouble.

    Thus, for a radical solution to the problem, the conclusion suggests itself: full formatting of the hard drive and all logical partitions, with the loss of the information. What to do? You will have to make the sacrifice if you do not want the virus or its saved copy to be activated in the system again.

    To do this, you should not use the tools of Windows itself (this means formatting virtual partitions, since if you try to access the system disk, access will be denied). It is better to boot from optical media such as a LiveCD or an installation distribution, for example one created using the Media Creation Tool for Windows 10.

    Before formatting, if the virus has been removed from the system, you can try to restore the integrity of system components through the command line (sfc /scannow), but in terms of decrypting and unlocking data this will have no effect. Therefore format c: is the only possible correct solution, whether you like it or not. This is the only way to completely get rid of threats of this type. Alas, there is no other way! Even treatment with the standard tools offered by most antivirus packages turns out to be powerless.

    Instead of an afterword

    In terms of the obvious conclusions, we can only say that there is a single and universal solution There is currently no way to eliminate the consequences of this type of threat (sad, but true - this has been confirmed by the majority of anti-virus software developers and cryptography experts).

    It remains unclear why the emergence of algorithms based on 1024-, 2048- and 3072-bit encryption passed by those directly involved in the development and implementation of such technologies? Indeed, today the AES256 algorithm is considered the most promising and most secure. Notice! 256! This system modern viruses, as it turns out, doesn’t hold a candle. What can we say then about attempts to decrypt their keys?

    Be that as it may, avoiding the introduction of a threat into the system is quite simple. In the very simple version You should check all incoming messages with attachments in Outlook programs, Thunderbird and others mail clients antivirus immediately after receiving it and under no circumstances open attachments until the scan is completed. You should also carefully read the suggestions for installing additional software when installing some programs (usually they are written very small print or disguised as standard add-ons like Flash updates Player or something else). It is better to update multimedia components through official websites. This is the only way to at least somehow prevent the penetration of such threats into own system. The consequences can be completely unpredictable, given that viruses of this type instantly spread on the local network. And for the company, such a turn of events can result in a real collapse of all endeavors.

    Finally, the system administrator should not sit idle either. In such a situation it is better to rule out purely software protection tools. The same firewall should be "hardware", not software (naturally, with its accompanying software on board). And it goes without saying that you should not skimp on buying antivirus packages either. It is better to buy a licensed package than to install primitive programs that provide real-time protection only according to their developer.

    And if a threat has already penetrated the system, the sequence of actions should be to remove the virus body itself first, and only then attempt to decrypt the damaged data. Ideally, a complete format follows (note: not a quick format that merely clears the file table, but a full one, preferably with restoration or replacement of the existing file system, boot sectors and boot records).

    If the system is infected with malware of the families Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, then all files on the computer will be encrypted as follows:

    • When infected with Trojan-Ransom.Win32.Rannoh, file names and extensions change according to the template locked-<original_name>.<4 random letters>.
    • When infected with Trojan-Ransom.Win32.Cryakl, a label (CRYPTENDBLACKDC) is appended to the end of the file contents.
    • When infected with Trojan-Ransom.Win32.AutoIt, the extension changes according to the template <original_name>@<mail_domain>_.<character_set>.
      For example, [email protected] _.RZWDTDIC.
    • When infected with Trojan-Ransom.Win32.CryptXXX, the extension changes according to the templates <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.
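    The naming templates and the Cryakl trailer label listed above are enough to inventory which files on a disk were touched by which family before anything is wiped. The following script is an added example written for this article; it is not part of the article or of Kaspersky's RannohDecryptor. It is read-only: it matches file names against the Rannoh, AutoIt and CryptXXX templates, checks the last bytes of each remaining file for the CRYPTENDBLACKDC label, and groups the hits by family. The regular expressions are my own rendering of the templates, and the sample file names in the comments are constructed.

```python
"""Inventory files by the Trojan-Ransom.Win32.* marks described above.

Added example, not the article's or Kaspersky's code. It only reads
files and never modifies them, so it can be run before a restore or
before deciding whether a decryptor applies.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Optional

# Rannoh: locked-<original_name>.<4 random letters>
# e.g. (constructed) locked-report.docx.qwer
RANNOH_RE = re.compile(r"^locked-(?P<orig>.+)\.(?P<tag>[A-Za-z]{4})$")

# AutoIt: <original_name>@<mail_domain>_.<character_set>
# e.g. (constructed) photo.jpg@example.com_.RZWDTDIC
AUTOIT_RE = re.compile(r"^(?P<orig>.+?)@(?P<domain>[^_]+)_\.(?P<tag>[A-Za-z0-9]+)$")

# CryptXXX: <original_name>.crypt / .crypz / .cryp1
CRYPTXXX_RE = re.compile(r"^(?P<orig>.+)\.(crypt|crypz|cryp1)$", re.IGNORECASE)

# Cryakl: label appended to the end of the encrypted file contents
CRYAKL_TRAILER = b"CRYPTENDBLACKDC"


def classify_name(name: str) -> Optional[tuple[str, str]]:
    """Return (family, original_name) if the file name matches a template.

    Rannoh and CryptXXX are tested before AutoIt because their patterns are
    more specific; a name like "locked-a.docx.qwer" must not be read as a
    generic "<orig>@<domain>_.<tag>" candidate.
    """
    m = RANNOH_RE.match(name)
    if m:
        return ("Rannoh", m.group("orig"))
    m = CRYPTXXX_RE.match(name)
    if m:
        return ("CryptXXX", m.group("orig"))
    m = AUTOIT_RE.match(name)
    if m:
        return ("AutoIt", m.group("orig"))
    return None


def has_cryakl_trailer(data: bytes) -> bool:
    """True if the bytes end with the label Cryakl appends to each file."""
    return data.endswith(CRYAKL_TRAILER)


def classify_file(path: Path) -> Optional[str]:
    """Family name for one file, by name first and by trailer second."""
    hit = classify_name(path.name)
    if hit:
        return hit[0]
    # Only the tail is read, so large files cost nothing extra.
    with path.open("rb") as fh:
        fh.seek(0, 2)
        size = fh.tell()
        fh.seek(max(0, size - len(CRYAKL_TRAILER)))
        tail = fh.read()
    return "Cryakl" if has_cryakl_trailer(tail) else None


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root and group suspected encrypted files by family."""
    found: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if p.is_file():
            fam = classify_file(p)
            if fam:
                found.setdefault(fam, []).append(str(p))
    return found


if __name__ == "__main__":
    import sys

    for family, files in scan_tree(Path(sys.argv[1])).items():
        print(f"{family}: {len(files)} file(s)")
        for f in files:
            print("  ", f)
```

    Run it against a mounted copy of the affected disk (for example `python inventory.py D:\`). The output tells you which decryptor, if any, is worth trying, and the list of hits is what you keep before a full format, since decryption tools need the encrypted files themselves.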

    The RannohDecryptor utility is designed to decrypt files after infection with Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

    How to cure the system

    To cure an infected system:

    1. Download the RannohDecryptor.zip file.
    2. Run RannohDecryptor.exe on the infected machine.
    3. In the main window, click Start checking.
    4. Specify the path to one encrypted file and to its unencrypted original.
      If the file was encrypted by Trojan-Ransom.Win32.CryptXXX, choose the largest files you have. Decryption will only be available for files of equal or smaller size.
    5. Wait until the search and decryption of encrypted files finishes.
    6. Restart the computer if required.
    7. To delete the copies of encrypted files of the form locked-<original_name>.<4 random letters> after successful decryption, select Delete encrypted files after successful decryption.

    If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the file in its old location with the extension .decryptedKLR.original_extension. If you selected Delete encrypted files after successful decryption, the utility saves the decrypted file under its original name.

    By default, the utility writes its work report to the root of the system disk (the disk on which the OS is installed).

      The report name is as follows: UtilityName.Version_Date_Time_log.txt

      For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

    On a system infected with Trojan-Ransom.Win32.CryptXXX, the utility scans a limited number of file formats. If the user selects a file affected by CryptXXX v2, recovering the key may take a long time. In that case the utility displays a warning.