The virus has encrypted all files (Dr.Web). General consequences of infection by viruses of this type. A radical solution to the problem

    The fact that the Internet is full of viruses surprises no one today. Many users react to their effect on systems or personal data by, to put it mildly, turning a blind eye, but only until a ransomware virus takes hold in their own system. Most ordinary users do not know how to disinfect the system and decrypt the data stored on the hard drive, so this group tends to give in to the demands put forward by the attackers. Let's look at what can be done if such a threat is detected, and how to keep it from entering the system in the first place.

    What is a ransomware virus?

    This type of threat uses standard and non-standard file encryption algorithms that completely change their contents and block access. For example, it will be absolutely impossible to open an encrypted text file for reading or editing, as well as play multimedia content (graphics, video or audio) after exposure to the virus. Even standard actions to copy or move objects are unavailable.

    The virus itself is the tool that encrypts the data, and restoring it to its original state is not always possible even after the threat has been removed from the system. Typically such malicious programs create copies of themselves and settle very deep in the system, so the file-encrypting virus may be completely impossible to remove. By uninstalling the main program or deleting the main body of the virus, the user neither gets rid of the threat nor, still less, restores the encrypted information.

    How does the threat enter the system?

    As a rule, threats of this type are mostly aimed at large commercial organizations and get onto computers through mail programs, when an employee opens what looks like a document attached to an email, say, an addendum to some cooperation agreement or a product supply plan (commercial proposals with attachments from dubious sources are the primary path for the virus).

    The trouble is that once an encryption virus lands on a machine with access to the local network, it is able to adapt to it, creating copies of itself not only in the network environment but also on the administrator's terminal, if that terminal lacks the necessary protection in the form of anti-virus software or a firewall.

    Sometimes such threats get into the computer systems of ordinary users who, by and large, are of no interest to attackers. This happens when installing programs downloaded from dubious Internet resources. Many users ignore the antivirus warnings shown when a download starts, and during installation pay no attention to offers to install additional software, toolbars or browser plugins, and then, as they say, kick themselves.

    Types of viruses and a little history

    Threats of this type, in particular the most dangerous ransomware virus No_more_ransom, are classified as more than just tools for encrypting data or blocking access to it. In fact, all such malicious applications fall under the category of ransomware: the attackers demand a certain payment for decrypting the information, believing that without their original program the process will be impossible. This is partly true.

    But if you dig into history, you will notice that one of the very first viruses of this type, although it made no demands for money, was the infamous I Love You applet, which completely encrypted media files (mostly music tracks) on user systems. Decrypting files after that ransomware virus turned out to be impossible at the time. Today this particular threat can be fought in an elementary way.

    But neither the viruses themselves nor the encryption algorithms they use stand still. Just look at what is out there: XTBL, CBF, Breaking_Bad, [email protected], and a heap of other rubbish.

    Method of influencing user files

    And if until recently most attacks were carried out with AES encryption based on the RSA-1024 algorithm with the same key length, the same No_more_ransom encryption virus today exists in several variants using encryption keys based on RSA-2048 and even RSA-3072 technologies.

    Problems of deciphering the algorithms used

    The trouble is that modern decryption tools have turned out to be powerless in the face of such a danger. Decrypting files after an AES256-based ransomware virus is still somewhat supported, but given a longer key, almost all developers simply shrug their shoulders. This, by the way, has been officially confirmed by specialists from Kaspersky Lab and Eset.

    In the most primitive version, a user contacting the support service is asked to send an encrypted file and its original for comparison, so that the encryption algorithm and recovery methods can be determined. But as a rule this gives no result in most cases. The encrypting virus, it is believed, can decrypt the files itself, provided the victim agrees to the attackers' conditions and pays a certain sum. However, this way of putting the question raises legitimate doubts. And here's why.

    Encryptor virus: how to disinfect and decrypt files and can it be done?

    Allegedly, after payment, hackers activate decryption through remote access to their virus, which is sitting on the system, or through an additional applet if the virus body is deleted. This looks more than doubtful.

    I would also like to note that the Internet is full of fake posts claiming that the required amount was paid and the data was successfully restored. It's all a lie! And really, where is the guarantee that after payment the encryption virus will not be activated again in the system? The psychology of the hackers is not hard to understand: pay once, pay again. And if we are talking about particularly important information, such as specific commercial, scientific or military developments, the owners of such information are willing to pay whatever is asked to ensure that the files remain safe and sound.

    The first remedy to eliminate the threat

    This is the nature of an encryption virus. How to disinfect and decrypt files after exposure to the threat? If no suitable tools are available, there is no way, and even the available tools do not always help. But you can try.

    Let's assume that a ransomware virus has appeared in the system. How to cure the infected files? First, perform an in-depth scan of the system without using S.M.A.R.T. technology, which detects threats only when boot sectors and system files are damaged.

    It is advisable not to use the existing standard scanner, which has already missed the threat, but portable utilities. The best option is to boot from the Kaspersky Rescue Disk, which starts even before the operating system does.

    But this is only half the battle, since in this way you only get rid of the virus itself. Decrypting the data is harder. But more on that a little later.

    There is another category that ransomware viruses fall into. How to decrypt the information will be discussed separately; for now let's dwell on the fact that they can exist in the system completely openly, as officially installed programs and applications (the impudence of the attackers knows no bounds, since the threat does not even try to disguise itself).

    In this case use the Programs and Features section, where the standard uninstallation is performed. Note, however, that the standard Windows uninstaller does not delete all of a program's files. In particular, the ransom encryption virus is capable of creating its own folders in the root directories of the system (usually these are Csrss directories containing an executable file of the same name, csrss.exe). The main locations chosen are the Windows folder, System32, or the user directories (Users on the system disk).

    In addition, the No_more_ransom virus writes its own keys in the registry as a link to what appears to be the official Client Server Runtime Subsystem system service, which misleads many, since that service is responsible for the interaction of client and server software. The key itself sits in the Run folder, reached through the HKLM branch. Obviously such keys will have to be deleted manually.

    To make this easier, you can use utilities like iObit Uninstaller, which search for residual files and registry keys automatically (but only if the virus is visible in the system as an installed application). But this is the simplest thing you can do.
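    As an added example (not code from the article), here is a PowerShell script a defender can run to look for the two persistence traces described above: Run-key entries under HKLM and HKCU whose executable lives outside the usual program directories, and any csrss.exe that is not the genuine one in System32 or SysWOW64. The list of "expected" directories and the folders searched are my own assumptions; the script only reports and deletes nothing.

```powershell
# Added example (not from the article). Look for the persistence traces the
# text describes: Run-key entries pointing outside the expected program
# directories, and csrss.exe copies that are not the real one in System32.
# Assumptions: the "expected" roots and the search roots below are my choice;
# run elevated so every user's profile can be read. The script only reports.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories where a legitimate autostart executable normally lives.
$expectedRoots = @(
    "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles, ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-CommandPath {
    # Extract the executable from a Run value such as
    #   "C:\Users\x\AppData\Roaming\Csrss\csrss.exe" -silent
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Find-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $p.Value))
            $trusted = $expectedRoots | Where-Object { $exe -like "$_\*" }
            if (-not $trusted) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Find-RogueCsrss {
    # The genuine csrss.exe lives only in System32 (and SysWOW64 on 64-bit).
    $legit = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    Get-ChildItem -Path $env:SystemRoot, "$env:SystemDrive\Users" -Filter 'csrss.exe' `
                  -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $legit -notcontains $_.DirectoryName } |
        Select-Object FullName, Length, LastWriteTime
}

"== Run-key entries outside expected directories =="
Find-SuspiciousRunEntries | Format-Table -AutoSize
"== csrss.exe files outside System32/SysWOW64 =="
Find-RogueCsrss | Format-Table -AutoSize
```

    Two things to keep in mind when reading the output: copies of csrss.exe under the WinSxS servicing folder are Windows' own staging copies and will show up in the second list, so judge hits by location (a Csrss folder under a user profile is the pattern the article describes), and HKCU only covers the account the script runs under, so check other users' Run keys separately.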

    Solutions offered by antivirus software developers

    Decryption after a ransomware virus, it is believed, can be done with special utilities, although if you are dealing with a 2048- or 3072-bit key you should not really count on them (besides, many of them delete files after decryption, and then the recovered files disappear again because the virus body was not removed beforehand).

    Nevertheless, you can try. Of all the programs, RectorDecryptor and ShadowExplorer stand out. It is believed that nothing better has been created yet. But the problem is that when you try to use a decryptor, there is no guarantee that the files being cured will not be deleted. That is, if you do not get rid of the virus first, any attempt at decryption is doomed to failure.

    Besides the deletion of encrypted information, there can also be a fatal outcome: the entire system becomes inoperable. Moreover, a modern encryption virus can affect not only data stored on the computer's hard drive but also files in cloud storage, and there are no solutions for recovering that data. As it turned out, many services do not take sufficiently effective protective measures (take the OneDrive built into Windows 10, which is exposed directly from the operating system).

    A radical solution to the problem

    As is already clear, most modern methods give no positive result in the case of infection by such viruses. Of course, if you have the original of a damaged file, it can be sent for examination to an antivirus laboratory. However, there are serious doubts that the average user will make backup copies of data, which, when stored on the hard drive, can also be exposed to the malicious code. And copying information to removable media to avoid trouble is not even discussed.

    Thus, the radical solution to the problem suggests itself: completely format the hard drive and all logical partitions, losing the information. What else can you do? You will have to make the sacrifice if you do not want the virus, or a copy it saved of itself, to be activated in the system again.

    For this you should not use the tools of Windows itself (they only format virtual partitions, and an attempt to access the system disk will be refused). It is better to boot from optical media such as a LiveCD or an installation distribution, for example one created with the Media Creation Tool for Windows 10.

    Before formatting, once the virus has been removed from the system, you can try to restore the integrity of the system components from the command line (sfc /scannow), but this will have no effect on decrypting or unlocking the data. So format c: is the only correct solution possible, whether you like it or not. It is the only way to get rid of threats of this type completely. Alas, there is no other way! Even disinfection with the standard tools offered by most antivirus packages turns out to be powerless.

    Instead of an afterword

    As for the obvious conclusions, we can only say that there is currently no single, universal way to eliminate the consequences of this type of threat (sad, but true; this has been confirmed by most antivirus software developers and cryptography experts).

    It remains unclear how the emergence of algorithms based on 1024-, 2048- and 3072-bit encryption passed by those directly involved in developing and implementing such technologies. After all, today the AES256 algorithm is considered the most promising and most secure. Note: 256! And as it turns out, it doesn't hold a candle to the systems of modern viruses. What can we say, then, about attempts to decrypt their keys?

    Be that as it may, keeping the threat out of the system is quite simple. In the simplest version, check every incoming message with attachments in Outlook, Thunderbird and other mail clients with an antivirus immediately on receipt, and under no circumstances open attachments until the scan is complete. You should also carefully read the offers to install additional software that appear when installing some programs (usually they are in very small print or disguised as standard add-ons such as Flash Player updates or similar). It is better to update multimedia components through official websites. This is the only way to at least somewhat prevent such threats from penetrating your own system. The consequences can be completely unpredictable, given that viruses of this type spread instantly across a local network, and for a company such a turn of events can mean the collapse of everything it has built.

    Finally, the system administrator should not sit idle either. In such a situation it is better to do without purely software protection tools. The firewall should not be software but hardware (naturally, with accompanying software on board). And it goes without saying that you should not skimp on buying antivirus packages: better a licensed package than primitive programs that provide real-time protection only according to their developer.

    And if a threat has already penetrated the system, the sequence of actions should be: first remove the virus body itself, and only then attempt to decrypt the damaged data. Ideally, do a full format (note: not the quick one that only clears the file table, but a complete one, preferably with restoration or replacement of the existing file system, boot sectors and records).

    Good day to everyone, my dear friends and readers of my blog. Today's topic will be quite sad, because it concerns viruses. I'll tell you about an incident that happened at my work not so long ago. An employee called my department in an excited voice: "Dima, the virus has encrypted the files on the computer: what do I do now?" I realized right away that something smelled fishy, but in the end I went over to her to have a look.

    Yes. Everything turned out to be sad. Most of the files on the computer were infected, or rather encrypted: Office documents, PDF files, 1C databases and many others. In short, a complete mess. Probably only archives, applications and text documents (and a bunch of other things) were not affected. All this data changed its extension and also changed its names to something like sjd7gy2HjdlVnsjds. Several identical README.txt documents also appeared on the desktop and in folders. They honestly say that your computer is infected and that you should not take any action, delete anything or scan with antiviruses, otherwise the files will not be returned.
    The file also says that these nice people will be able to restore everything as it was. To do this, you need to send the key from the document to their email, after which you will receive the necessary instructions. They don't write the price, but in fact it turns out that the cost of getting the files back is something like 20,000 rubles.

    Is your data worth that money? Are you ready to pay to get rid of the ransomware? I doubt it. What to do then? We'll talk about that later. For now, let's start from the beginning.

    Where does this nasty encryption virus come from? Everything is very simple here. People pick it up via email. As a rule, this virus gets into the corporate mailboxes of organizations, although not only those. At first glance you would not suspect anything, since it does not come as spam but from a real, serious organization; for example, we received a letter from the Rostelecom provider, from their official mail.

    The letter was completely ordinary, something like "New tariff plans for legal entities". A PDF file is included. And when you open that file, you open Pandora's box. All important files are encrypted and turned, in simple words, into a "brick". Moreover, antiviruses don't catch this crap right away.

    What I did and what didn't work

    Naturally, no one wanted to pay 20 thousand for this, since the information was not worth that much, and besides, dealing with scammers was not an option at all. And besides, it's not certain that everything would be unlocked for that amount.

    I ran the drweb cureit utility and it found the virus, but that was of little use, since even after removing the virus the files remained encrypted. Removing the virus turned out to be easy, but dealing with the consequences is much more difficult. I went to the Doctor Web and Kaspersky forums, found the topic I needed there, and also learned that neither of them could help with decryption yet. Everything was very heavily encrypted.

    But search engines began to show results that some companies decrypt files for a fee. Well, that interested me, especially since the company turned out to be real and actually existing. On their website they offered to decrypt five files for free to show what they could do. Well, I sent them the 5 files I considered most important.
    After some time I received an answer that they had managed to decrypt everything and that for complete decryption they would charge me 22 thousand. Moreover, they did not want to give me the files. I immediately assumed that they were most likely working in tandem with the scammers. Well, naturally, they were sent to hell.

    • using the programs "Recuva" and "RStudio"
    • running through various utilities
    • well, to calm myself down, I couldn't help trying (although I knew perfectly well it wouldn't help) just to get what I needed. Nonsense, of course)

    None of this helped me. But I still found a way out.

    Of course, if you suddenly find yourself in such a situation, look at what extension the files are encrypted with. After that go to http://support.kaspersky.ru/viruses/disinfection/10556 and see which extensions are listed. If your extension is on the list, then use that utility.
    But in all 3 cases where I saw this ransomware, none of these utilities helped. Specifically, I encountered the "da vinci code" and "VAULT" viruses. In the first case both the name and the extension changed, and in the second only the extension. In general, there is a whole bunch of such encryptors. I hear of such bastards as xtbl, no more ransom, better call saul and many others.

    What helped

    Have you ever heard of shadow copies? Well, when a restore point is created, shadow copies of your files are created automatically. And if something happens to your files, you can always return them to the moment when the restore point was created. One wonderful program for recovering files from shadow copies will help us with this.

    To begin with, download and install the program "Shadow Explorer". If the latest version fails (this happens), install the previous one.

    Open Shadow Explorer. As we can see, the main part of the program looks like Explorer, i.e. files and folders. Now pay attention to the upper left corner. There we see the letter of the local disk and a date. This date means that all the files shown on drive C are current as of that time. I have November 30th. This means that the last restore point was created on November 30th.
    If we click on the date drop-down list, we will see for which other dates we still have shadow copies. And if we click on the drop-down list of local drives and select, for example, drive D, we will see the date at which we have current files. But for drive D points are not created automatically, so this needs to be specified in the settings. It is very easy to do.
    As you can see, while for drive C I have a fairly recent date, for drive D the last point was created almost a year ago. Well, then we do it step by step:

    That's it. Now all that remains is to wait for the export to complete. Then go to the folder you selected and check that all the files open and work. Everything is cool).
    I know that the Internet offers various other methods, utilities, etc., but I won't write about them, because this is the third time I've encountered this problem, and nothing but shadow copies has ever helped me out. Although maybe I was just unlucky).

    But unfortunately, the last time it was only possible to restore the files that were on drive C, since by default points were created only for drive C. Accordingly, there were no shadow copies for drive D. Of course, you also need to remember that there are restore points, which can lead to, so keep an eye on that too.

    And in order for shadow copies to be created for other hard drives, you need them too.
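    The post stops short of showing how shadow copies get created for drives other than C. As an added example that is not from the post or from Shadow Explorer, the following PowerShell (run elevated, in Windows PowerShell 5.1 on Windows 8 or later) lists the shadow copies and restore points that exist, turns on System Protection for a data drive, takes a restore point, and creates a shadow copy directly. The drive letter D: and the 10% storage reservation are my assumptions.

```powershell
# Added example (not from the post or Shadow Explorer). Run in an elevated
# Windows PowerShell 5.1 session (Checkpoint-Computer and
# Get-ComputerRestorePoint are not available in PowerShell 7).
# Assumptions: D: is the data drive that had no restore points; 10% is my
# choice of shadow-storage reservation.

# 1. What shadow copies exist right now, per volume, and when were they taken?
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object VolumeName, @{ n = 'Created'; e = { $_.InstallDate } }, ID |
    Sort-Object VolumeName, Created

# 2. Restore points so far (these are what Shadow Explorer's date list shows).
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime

# 3. Turn on System Protection for the data drive as well as C:, then take a
#    restore point so D: gets its first shadow copy.
Enable-ComputerRestore -Drive 'C:\', 'D:\'
Checkpoint-Computer -Description 'Baseline before ransomware cleanup' `
                    -RestorePointType MODIFY_SETTINGS

# 4. Or create a shadow copy of D: directly, independent of restore points.
#    'ClientAccessible' is the context the Previous Versions tab reads.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
              -Arguments @{ Volume = 'D:\'; Context = 'ClientAccessible' }
if ($result.ReturnValue -eq 0) {
    Write-Host "Created shadow copy $($result.ShadowID) of D:\"
} else {
    Write-Warning "Shadow copy creation failed, return code $($result.ReturnValue)"
}

# 5. Give the copies room so older ones are not evicted as soon as data changes.
vssadmin resize shadowstorage /for=D: /on=D: /maxsize=10%
```

    Two caveats: Windows 8 and later refuse to create a second restore point within 24 hours of the previous one (step 4 is the way around that), and, as the page notes elsewhere, ransomware may delete shadow copies before encrypting, so this protects the "last good state" only when the copies survive; an offline copy on media that is not permanently attached remains the backstop.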

    Prevention

    In order to avoid problems with recovery, you need to do prevention. To do this, you need to adhere to the following rules.

    By the way, one day this virus encrypted files on a flash drive where our key certificates for digital signatures were located. So be very careful with flash drives too.

    Best regards, Dmitry Kostin.

    Modern technologies allow hackers to constantly improve their methods of defrauding ordinary users. As a rule, virus software that penetrates the computer is used for this purpose. Encryption viruses are considered especially dangerous. The threat is that the virus spreads very quickly, encrypting files (the user simply cannot open a single document). And while infecting is quite simple, decrypting the data is much more difficult.

    What to do if a virus has encrypted files on your computer

    Anyone can be attacked by ransomware; even users with powerful antivirus software are not immune. File-encrypting Trojans come with a variety of code that may be beyond an antivirus's capabilities. Hackers even manage to attack large companies this way, those that did not take care to protect their information properly. So, having picked up a ransomware program online, you need to take a number of measures.

    The main signs of infection are a slow computer and changed document names (visible on the desktop).

    1. Restart your computer to stop the encryption. When it starts, do not confirm the launch of unknown programs.
    2. Run your antivirus if it has not itself been attacked by the ransomware.
    3. In some cases, shadow copies will help restore the information. To find them, open the "Properties" of the encrypted document. This method works with data encrypted by the Vault extension, about which there is information on the portal.
    4. Download the latest version of a utility for combating ransomware viruses. The most effective ones are offered by Kaspersky Lab.

    Ransomware viruses in 2016: examples

    When fighting any virus attack it is important to understand that the code changes very often, gaining new protection against antiviruses. Of course, security programs need some time until the developer updates the database. We have selected the most dangerous encryption viruses of recent times.

    Ishtar Ransomware

    Ishtar is a ransomware program that extorts money from the user. The virus was noticed in the fall of 2016, infecting a huge number of users' computers in Russia and a number of other countries. It is distributed via email mailings that contain attached documents (installers, documents, etc.). Data infected by the Ishtar encryptor gets the prefix "ISHTAR" in its name. The process creates a text document indicating where to go to obtain the password. The attackers demand from 3,000 to 15,000 rubles for it.

    The danger of the Ishtar virus is that today there is no decryptor that would help users. Antivirus companies need time to work through all of its code. For now you can only set aside the important information (if it is of particular importance) on a separate medium and wait for the release of a utility capable of decrypting the documents. Reinstalling the operating system is recommended.

    Neitrino

    The Neitrino encryptor appeared on the Internet in 2015. Its attack principle is similar to other viruses of this category. It changes the names of folders and files by adding "Neitrino" or "Neutrino". The virus is difficult to decrypt; not all antivirus companies undertake it, citing very complex code. Some users may benefit from restoring a shadow copy: right-click on the encrypted document, go to "Properties", the "Previous Versions" tab, and click "Restore". It would not hurt to use the free utility from Kaspersky Lab either.

    Wallet or .wallet.

    The Wallet encryption virus appeared at the end of 2016. During infection it changes the names of the data to "Name..wallet" or something similar. Like most ransomware viruses, it enters the system through attachments in emails sent by attackers. Since the threat appeared very recently, antivirus programs do not notice it. After encryption it creates a document in which the fraudster indicates an email for communication. Currently antivirus developers are working to decipher the code of the ransomware virus [email protected]. Users who have been attacked can only wait. If the data is important, it is recommended to save it to external storage and clean the system.

    Enigma

    The Enigma ransomware virus began infecting the computers of Russian users at the end of April 2016. It uses the AES-RSA encryption model found in most ransomware viruses today. The virus gets onto the computer through a script that the user runs by opening files from a suspicious email. There is still no universal means of combating the Enigma ransomware. Users with an antivirus license can ask for help on the developer's official website. A small "loophole" was also found: Windows UAC. If the user clicks "No" in the window that appears during the infection process, they will subsequently be able to restore the information from shadow copies.

    Granit

    A new ransomware virus, Granit, appeared on the Internet in the fall of 2016. Infection follows this scenario: the user launches an installer, which infects and encrypts all data on the PC as well as on connected drives. Fighting the virus is difficult. To remove it you can use special utilities from Kaspersky, but the code has not yet been decrypted. Restoring previous versions of the data may help. In addition, a specialist with extensive experience can decrypt it, but the service is expensive.

    Tyson

    Tyson was spotted recently. It is an extension of the already known no_more_ransom ransomware, which you can read about on our website. It reaches personal computers by email. Many corporate PCs were attacked. The virus creates a text document with instructions for unlocking, offering to pay a "ransom". Tyson appeared recently, so there is no unlocking key yet. The only way to recover the information is to go back to previous versions, if the virus has not deleted them. You can, of course, take the risk of transferring money to the account specified by the attackers, but there is no guarantee that you will receive the password.

    Spora

    At the beginning of 2017, a number of users fell victim to the new Spora ransomware. In its operating principle it is not very different from its counterparts, but it boasts a more professional design: the instructions for obtaining a password are better written, and the website looks more attractive. The Spora ransomware virus was written in C and uses a combination of RSA and AES to encrypt the victim's data. As a rule, computers on which the 1C accounting program was actively used were attacked. The virus, disguised as a simple invoice in .pdf format, gets company employees to launch it. No cure has been found yet.

    1C.Drop.1

    This 1C encryption virus appeared in the summer of 2016, disrupting the work of many accounting departments. It was designed specifically for computers running 1C software. Once on the PC via a file from an email, it prompts the owner to update the program. Whichever button the user presses, the virus begins encrypting files. Dr.Web specialists are working on decryption tools, but no solution has been found yet. This is due to the complex code, which may have several modifications. The only protection against 1C.Drop.1 is user vigilance and regular archiving of important documents.

    da_vinci_code

    A new ransomware with an unusual name. The virus appeared in the spring of 2016. It differs from its predecessors in its improved code and strong encryption mode. da_vinci_code infects the computer through an executable (usually attached to an email) that the user launches himself. The da Vinci code copies its body to the system directory and the registry, ensuring automatic start when Windows boots. Each victim's computer is assigned a unique ID (which helps obtain the password). It is almost impossible to decrypt the data. You can pay the attackers, but no one guarantees that you will receive the password.

    [email protected] / [email protected]

    Two email addresses that often accompanied ransomware viruses in 2016. They serve to connect the victim with the attacker. The addresses accompanied the most varied types of viruses: da_vinci_code, no_more_ransom and so on. It is strongly recommended not to contact the scammers or transfer money to them. In most cases users are left without passwords, which shows that the attackers' ransomware works and generates income.

    Breaking Bad

    It appeared at the beginning of 2015 but spread actively only a year later. The infection principle is identical to other encryptors: installing a file from an email, then encrypting the data. Conventional antivirus programs, as a rule, do not notice the Breaking Bad virus. Some of its code cannot bypass Windows UAC, leaving the user the option to restore previous versions of documents. No antivirus software company has yet presented a decryptor.
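    Both the Enigma and the Breaking Bad entries turn on whether the UAC consent prompt appears and whether the user declines it. As an added example (not from the article), this PowerShell compares the three registry values that control that prompt against the strictest setting, "Always notify" on the secure desktop, and then applies it. The target values are my choice; run it elevated, and note that a change to EnableLUA takes effect only after a reboot.

```powershell
# Added example (not from the article). Compare the UAC prompt settings with
# the strictest ones and apply them. Assumption: elevated PowerShell; the
# target values below are my choice ("Always notify", secure desktop on).

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$want = [ordered]@{
    EnableLUA                  = 1   # UAC enabled at all (0 = off; change needs a reboot)
    ConsentPromptBehaviorAdmin = 2   # 2 = always prompt; 5 = default (non-Windows binaries only); 0 = never
    PromptOnSecureDesktop      = 1   # prompt on the secure desktop so a program cannot fake or click it
}

function Test-UacSettings {
    # One row per value: current, wanted, and whether it matches.
    $current = Get-ItemProperty -Path $key
    foreach ($name in $want.Keys) {
        $ok = ($current.$name -eq $want[$name])
        [pscustomobject]@{
            Setting = $name
            Current = $current.$name
            Wanted  = $want[$name]
            Status  = $(if ($ok) { 'ok' } else { 'WEAK' })
        }
    }
}

"== Before =="
Test-UacSettings | Format-Table -AutoSize

# Apply the strict values. EnableLUA only takes effect after a reboot; the
# other two apply at the next elevation request.
foreach ($name in $want.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $want[$name] -Type DWord
}

"== After =="
Test-UacSettings | Format-Table -AutoSize
```

    The default ConsentPromptBehaviorAdmin value of 5 only prompts for non-Windows binaries, which is the gap the loophole in the text relies on being closed by a prompt at all; setting it to 2 with the secure desktop on means every elevation request, including one a dropper makes through a Windows component, shows the prompt the user can decline.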

    XTBL

    A very common ransomware that has caused trouble for many users. Once on the PC, the virus changes file extensions to .xtbl in a matter of minutes. A document is created in which the attacker extorts money. Some variants of the XTBL virus cannot destroy the system recovery files, which lets you get important documents back. The virus itself can be removed by many programs, but decrypting the documents is very difficult. If you own a licensed antivirus, contact technical support, attaching samples of the infected data.

    Kukaracha

    The Kukaracha ransomware was discovered in December 2016. The virus with the curious name hides user files using the RSA-2048 algorithm, which is highly resistant. Kaspersky Antivirus labels it Trojan-Ransom.Win32.Scatter.lb. Kukaracha can be removed from the computer so that other documents are not infected. However, the files already infected are almost impossible to decrypt today (a very powerful algorithm).

    How does a ransomware virus work?

    There are a huge number of ransomware, but they all work on a similar principle.

    1. Getting onto the personal computer. Typically through a file attached to an email. Installation is initiated by the user himself by opening the document.
    2. Infecting files. Almost all file types are encrypted (depending on the virus). A text document is created containing contacts for communicating with the attackers.
    3. That's it. The user cannot access a single document.

    Tools from popular laboratories

    The widespread use of ransomware, recognised as the most dangerous threat to user data, has prompted many antivirus laboratories to act. Every popular vendor provides its users with programs that help fight ransomware, and many of them also help with document decryption and system protection.

    Kaspersky and ransomware viruses

    One of the most famous antivirus laboratories in Russia and the world today offers effective tools for combating ransomware. The first barrier is Kaspersky Endpoint Security 10 with the latest updates: the antivirus simply will not let the threat onto the computer (although it may not stop new versions). For decryption, the developer provides several free utilities: XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They identify the strain and recover the key where that is possible.

    Dr. Web and ransomware

    This laboratory recommends its antivirus, whose main feature against this threat is file backup; the storage holding the copies is also protected from tampering by intruders. Owners of a licensed Dr.Web product can ask technical support for help. That said, even experienced specialists cannot always defeat this type of threat.

    ESET Nod 32 and ransomware

    This company did not stand aside either, providing its users with good protection against viruses getting onto the computer. In addition, the laboratory recently released a free utility with up-to-date databases, ESET Crysis Decryptor. The developers say it will help even against the newest ransomware.

    Viruses in the usual sense are becoming less and less common, thanks to free antiviruses that work well and protect users' computers. At the same time, not everyone cares about the security of their data, and such users risk infection not only by classic viruses but also by other malware, among which Trojans remain the most common. A Trojan can manifest itself in many ways, but one of the most dangerous is file encryption. If a virus has encrypted the files on your computer, there is no guarantee that you will get the data back, but some effective methods exist, and they are discussed below.

    Encryption virus: what it is and how it works

    Hundreds of varieties of file-encrypting viruses can be found on the Internet. Their actions lead to the same consequence: the user's data on the computer is converted into an unknown format that cannot be opened by standard programs. Here are just some of the extensions that data on a computer can receive as a result of such viruses: .locked, .xtbl, .kraken, .cbf, .oshit and many others. In some cases, the e-mail address of the virus creators is written directly into the file extension.

    Among the most common file-encrypting viruses are Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni. They come in many forms, and a virus may not even carry "Trojan" in its name (for example, CryptoLocker), but their actions are practically the same. New versions of encryption viruses are released regularly to make it harder for antivirus developers to deal with the new formats.

    If an encrypting virus has penetrated a computer, it will certainly make itself known not only by blocking files but also by offering to unlock them for a fee. A banner may appear on the screen telling you where to transfer money to unlock the files. If no such banner appears, look for a "letter" from the virus developers on your desktop; in most cases the file is called ReadMe.txt.
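
    The signs described above (a known appended extension, an e-mail address in the file name, a ReadMe.txt note) can be checked mechanically when triaging a machine. The following Go program is an added example, not code from the article or from any antivirus vendor: it walks a directory, flags files whose names match those patterns, and measures the byte entropy of each hit, so that a file that was merely renamed (low entropy) can be told apart from one that was really encrypted (entropy close to 8 bits per byte). The sample directory it builds, the entropy thresholds and the file names are constructed for illustration; only ReadMe.txt and the extension list come from the text.

```go
package main

import (
	"fmt"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Extensions the article lists as appended by file-encrypting malware.
var knownExts = map[string]bool{".locked": true, ".xtbl": true, ".kraken": true, ".cbf": true, ".oshit": true}

// Some strains write the attacker's contact e-mail into the new file name.
var emailInName = regexp.MustCompile(`[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}`)

// Entropy is Shannon entropy in bits per byte: text scores roughly 4 to 5, ciphertext close to 8.
func Entropy(data []byte) float64 {
	var counts [256]float64
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			h -= (c / n) * math.Log2(c/n)
		}
	}
	return h
}

// SuspiciousName reports why a file name looks like ransomware output, if it does.
func SuspiciousName(name string) (string, bool) {
	lower := strings.ToLower(name)
	if lower == "readme.txt" { // the ransom-note name the article mentions
		return "ransom note", true
	}
	if emailInName.MatchString(lower) {
		return "e-mail address in file name", true
	}
	if ext := filepath.Ext(lower); knownExts[ext] {
		return "known ransomware extension " + ext, true
	}
	return "", false
}

// Finding is one flagged file; Entropy is 0 for an empty or unreadable file.
type Finding struct{ Path, Reason string; Entropy float64 }

// Scan walks root, flags suspicious names and measures the entropy of each hit.
func Scan(root string) ([]Finding, error) {
	var found []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		if reason, ok := SuspiciousName(d.Name()); ok {
			data, _ := os.ReadFile(path) // unreadable file: empty data, entropy 0
			found = append(found, Finding{path, reason, Entropy(data)})
		}
		return nil
	})
	return found, err
}

// BuildSample writes a constructed victim directory (not real malware output).
func BuildSample(dir string) error {
	junk := make([]byte, 4096) // every byte value 16 times: entropy exactly 8, as for ciphertext
	for i := range junk {
		junk[i] = byte(i)
	}
	files := map[string][]byte{
		"budget.csv":                       []byte(strings.Repeat("region,revenue,cost\nnorth,1200,800\n", 40)),
		"contract.docx.xtbl":               junk,
		"photo.jpg.victim@example.com.cbf": junk,
		"ReadMe.txt":                       []byte("Your files are encrypted. Write to victim@example.com"),
	}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "triage")
	defer os.RemoveAll(dir)
	if err := BuildSample(dir); err != nil {
		panic(err)
	}
	findings, _ := Scan(dir)
	for _, f := range findings {
		fmt.Printf("%-36s %-34s entropy %.2f\n", filepath.Base(f.Path), f.Reason, f.Entropy)
	}
}
```

    The entropy check matters because some strains only rename files or corrupt headers; a flagged file with entropy around 4 or 5 is probably intact and may open again once renamed, whereas one near 8 is genuinely encrypted and only a decryptor for that strain (or a backup) will bring it back.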

    Prices for file decryption vary depending on the virus developers. At the same time, it is far from certain that if you send money to the creators of the virus they will send back an unlocking method. In most cases the money goes "nowhere" and the user receives no decryption method.

    If a virus has appeared on your computer and you see a code on the screen that must be sent to a specific address to obtain a decryptor, do not do this. First, copy the code onto a piece of paper, since a newly created file may also be encrypted. After that, you can ignore the virus developers' demands and try to find on the Internet a way to get rid of the file encryptor in your specific case. Below are the main programs that allow you to remove a virus and decrypt files; they cannot be called universal, and antivirus vendors regularly expand the list of solutions.

    Getting rid of the file-encrypting virus itself is quite simple using free versions of antivirus programs. Three free programs cope well with file-encrypting viruses:

    • Malwarebytes Antimalware;
    • Dr.Web CureIt!;
    • Kaspersky Internet Security.

    The apps mentioned above are completely free or have trial versions. We recommend using a solution from Dr.Web or Kaspersky after you have checked the system with Malwarebytes Antimalware. Remember that installing two or more antiviruses on your computer at the same time is not recommended, so before installing each new solution you must remove the previous one.

    As noted above, the ideal solution in this situation is to find instructions that deal specifically with your problem. Such instructions are most often posted on the websites of antivirus developers. Below are several current antivirus utilities that deal with various types of Trojans and other ransomware.

    The above is only a small part of the antivirus utilities that allow you to decrypt infected files. Note that trying to get the data back by improvised means may, on the contrary, lose it for good; do not do this.

    Encryptors (cryptolockers) are a family of malware that uses various encryption algorithms to block user access to files on the computer (known examples include cbf, chipdale, just, foxmail inbox com, watnik91 aol com, etc.).

    Typically the virus encrypts popular types of user files: documents, spreadsheets, 1C databases, any data sets, photographs, etc. Decryption is offered for money: the creators demand the transfer of a certain amount, usually in bitcoins. And if the organisation has not taken proper measures to safeguard important information, transferring the demanded amount to the attackers may be the only way to restore the company's operations.

    In most cases the virus spreads via e-mail, masquerading as quite ordinary letters: notices from the tax office, acts and contracts, information about purchases, etc. By downloading and opening such a file, the user unwittingly runs the malicious code. The virus sequentially encrypts the target files and deletes the originals using guaranteed destruction methods (so that the user cannot recover recently deleted files with special tools).

    Modern ransomware

    Encryptors and other viruses that block user access to data are not a new problem in information security. The first versions appeared back in the 1990s, but they mostly used either weak algorithms (small key sizes), or symmetric encryption with a single key shared by a large number of victims (the key could also be recovered by studying the virus code), or even home-made algorithms. Modern samples are free of these shortcomings: attackers use hybrid encryption. File contents are encrypted with a symmetric algorithm at very high speed, and the symmetric key is then encrypted with an asymmetric algorithm. This means that decrypting the files requires a private key that only the attacker possesses and that cannot be found in the program's code. For example, CryptoLocker uses RSA with a 2048-bit key in combination with AES with a 256-bit key. Both algorithms are currently considered cryptographically strong.
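
    To make the hybrid construction concrete, the following Go program is an added example, not code from the article and not a real malware sample: each file gets a fresh random AES-256 key, the contents are sealed with AES-GCM, and that key is wrapped with a 2048-bit RSA public key using OAEP, the CryptoLocker-style combination named above. The key pair, the sample document and the function names are constructed. The point it shows is that the program running on the victim's machine contains only the public key, so analysing that program yields nothing that unwraps the file key; a second, unrelated private key fails, and only the holder of the matching private key can decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Encrypted is what a hybrid scheme leaves on the victim's disk: the per-file AES key
// wrapped with the attacker's RSA public key, the GCM nonce and the ciphertext.
// Nothing here yields the AES key without the matching RSA private key.
type Encrypted struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// EncryptFile follows the construction described in the text: a fresh random AES-256
// key per file, AES-GCM for the contents, RSA-2048 OAEP to wrap the key.
// Only the public key is needed here, which is all a malware sample carries.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*Encrypted, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // zero this copy; only the RSA-wrapped copy is returned
		fileKey[i] = 0
	}
	return &Encrypted{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile needs the RSA private key, which in a real attack never leaves the attacker.
func DecryptFile(priv *rsa.PrivateKey, enc *Encrypted) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, enc.Nonce, enc.Ciphertext, nil)
}

func main() {
	// The attacker's key pair; in practice only PublicKey is embedded in the malware.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc := []byte("Constructed sample document: Q3 figures. Not a real file.")
	enc, err := EncryptFile(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, wrapped key %d bytes\n", len(enc.Ciphertext), len(enc.WrappedKey))

	// A defender who only has the malware sample holds no private key; any other key fails.
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := DecryptFile(stranger, enc); err != nil {
		fmt.Println("without the attacker's private key:", err)
	}
	plain, err := DecryptFile(attacker, enc)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the attacker's private key:", string(plain))
}
```

    This is also why the decryptors mentioned later on the page can only help when the strain's implementation is flawed (a reused or predictable key, a key left in memory or on disk, a broken random number generator); when the construction above is implemented correctly, the only copies of the file key are the wrapped one and the attacker's private key.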

    The computer is infected with a virus. What to do?

    Bear in mind that although ransomware uses modern encryption algorithms, it cannot encrypt all files on a computer instantly. Encryption proceeds sequentially, and its speed depends on the size of the files. Therefore, if you notice while working that your usual files and programs no longer open correctly, stop working immediately, disconnect the computer from the network so the malware cannot reach shared folders, and turn it off. This way you can save some files from encryption.

    Having encountered the problem, the first thing to do is get rid of the virus itself. We will not dwell on this in detail; it is enough to try to clean the computer with antivirus programs or to remove the virus manually. Note only that the virus often deletes itself after encryption is complete, which makes it harder to decrypt the files without turning to the attackers; in that case the antivirus may find nothing at all.

    The main question is how to recover the encrypted data. Unfortunately, recovering files after a ransomware attack is nearly impossible; at least, nobody can guarantee full recovery after a successful infection. Many antivirus vendors offer help with decryption: you send an encrypted file and additional information (the file with the attackers' contacts, the public key) through special forms on their websites. There is a small chance that a way to fight the particular strain has already been found and your files will be decrypted.

    Try utilities for recovering deleted files. The virus may not have used guaranteed destruction methods, and some files may be recoverable (this works particularly well with large files, for example ones of several tens of gigabytes). There is also a chance to recover files from shadow copies: when System Restore is enabled, Windows creates snapshots that may contain file data as of the time the restore point was created. Many strains try to delete these copies, but, as the Breaking Bad and XTBL notes above show, some variants fail, so it is worth checking whether any survive.

    If your data was encrypted in cloud services, contact technical support or explore the capabilities of the service you use: in most cases services provide a rollback to previous versions of files, so they can be restored.

    What we strongly advise against is following the ransomware's lead and paying for decryption. There have been cases where people paid and did not receive the keys. Nobody guarantees that the attackers, having received the money, will actually send the decryption key and that you will be able to restore the files.

    How to protect yourself from a ransomware virus. Preventive measures

    It is easier to prevent dangerous consequences than to correct them:

    • Use reliable antivirus software and update its databases regularly. It sounds trivial, but it significantly reduces the likelihood of a virus successfully getting onto your computer.
    • Keep backup copies of your data.

    This is best done using specialised backup tools. Most cryptolockers can encrypt backup copies too, so it makes sense to store backups on other computers (for example, on servers) or on removable media that is disconnected after the backup.

    Restrict permissions on folders with backup copies so that only appending new data is allowed, not modifying or deleting existing files. Besides the consequences of ransomware, backup systems neutralise many other threats of data loss. The spread of the virus once again demonstrates the relevance and importance of such systems. Recovering data is much easier than decrypting it!

    Another effective measure is to restrict the launch of potentially dangerous file types, for example those with the extensions .js, .cmd, .bat, .vbs, .ps1, etc. This can be done with AppLocker (in Enterprise editions) or with Software Restriction Policies (SRP), applied centrally through domain Group Policy. There are plenty of detailed guides online. In most cases the user has no need to run the script files listed above, and the ransomware will have less chance of a successful infection.

    • Be careful.

    Attentiveness is one of the most effective means of prevention. Treat every letter from an unknown sender with suspicion. Do not rush to open attachments; if in doubt, ask the administrator first.

    Alexander Vlasov, senior engineer of the information security systems implementation department at SKB Kontur