Recover files encrypted by ransomware. What is a ransomware virus? Remove ransomware using Malwarebytes Anti-Malware

    Hello everyone. Today I will explain how to decrypt files after a ransomware infection on Windows. One of the most damaging kinds of malware today is a Trojan that encrypts the files on a user's drive. For some families the files can be decrypted; for others no decryptor exists yet. This article describes what to do in both situations.

    There are several variants of this virus, but they all work the same way: once installed on your computer, the malware encrypts your documents, images and other potentially valuable files, changes their extension, and then displays a message saying that all your files have been encrypted and that you must pay the attacker a certain sum to get them back.

    Files on the computer are encrypted with the .xtbl extension

    One of the more recent ransomware variants encrypts files and replaces each one with a file whose name is a random string of characters and whose extension is .xtbl.

    It also drops a text file named readme.txt on the computer with roughly the following content: “Your files have been encrypted. To decrypt them, send the code to the email address [email protected], [email protected] or [email protected]. You will then receive all the necessary instructions. Attempting to decrypt the files yourself will lead to irretrievable loss of information.” (The addresses and wording may differ.)

    Unfortunately, there is no way to decrypt .xtbl files at the moment (as soon as one becomes available, these instructions will be updated). Some users who really did have important data report on antivirus forums that they sent the authors 5,000 rubles (or whatever sum was demanded) and received a decryptor, but this is very risky: you may get nothing at all.

    What should you do if your files were encrypted to .xtbl? My recommendations are as follows (they differ from those on many other sites on the subject, which, for example, recommend immediately cutting the computer's power or not removing the virus; in my opinion this is unnecessary, and in some circumstances may even be harmful, but the decision is yours):

    1. If you know how, interrupt the encryption by ending the corresponding processes in Task Manager and disconnecting the computer from the Internet (some variants need a connection in order to encrypt).
    2. Remember or write down the code that the attackers ask you to send to their email address (not in a text file on the same computer, in case it gets encrypted too).
    3. Use Malwarebytes Anti-Malware, a trial version of Kaspersky Internet Security, or Dr.Web CureIt! to remove the ransomware itself (all three handle this well). I advise running the first and second products from the list one after the other (however, if you already have an antivirus installed, installing a second one on top of it is undesirable, since that can cause problems on the computer).
    4. Wait for a decryptor to be released by one of the antivirus companies. Kaspersky Lab is at the forefront here.
    5. You can also send a sample encrypted file and the code they demand to [email protected]; if you have an unencrypted copy of the same file, send that too. In theory this could speed up the appearance of a decryptor.

    What not to do:

    • Rename encrypted files, change their extension, or delete them if they matter to you.

    That is all I can say about files with the .xtbl extension at the moment.

    Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni

    These Trojans encrypt files and give them one of the following extensions:

    • .locked
    • .crypto
    • .kraken
    • .AES256 (not necessarily this Trojan; other families use the same extension)
    • .codercsu@gmail_com
    • .oshit
    • And others.

    To decrypt files after these viruses have run, Kaspersky provides the free RakhniDecryptor utility on its official page: http://support.kaspersky.ru/viruses/disinfection/10556.

    The same page has detailed instructions on using the utility to recover encrypted files; just in case, I would untick the option “Delete encrypted files after successful decryption” (although I expect it to work fine with the option enabled).

    If you have a Dr.Web antivirus license, you can use that company's free decryption service at http://support.drweb.com/new/free_unlocker/

    Other ransomware variants

    Less common, but also encountered, are the following Trojans that encrypt files and demand money for decryption. The links below contain not only the utilities for getting your files back, but also descriptions of the signs that help determine which particular virus you have. In general, though, the best approach is to scan the system with Kaspersky antivirus, find out the Trojan's name according to that company's classification, and then search for a utility by that name.

    • Trojan-Ransom.Win32.Rector: the free RectorDecryptor utility and instructions for its use are available here: http://support.kaspersky.ru/viruses/disinfection/4264
    • Trojan-Ransom.Win32.Xorist: a similar Trojan that displays a window asking you to send a paid SMS or write to an email address to receive decryption instructions. Instructions for restoring encrypted files and the XoristDecryptor utility are available at http://support.kaspersky.ru/viruses/disinfection/2911
    • Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Fury: the RannohDecryptor utility, http://support.kaspersky.ru/viruses/disinfection/8547
    • Trojan.Encoder.858 (xtbl), Trojan.Encoder.741 and others with the same name and a different number (as reported by Dr.Web antivirus or the CureIt! utility): try searching the Internet for the Trojan's name. Dr.Web has decryption utilities for some of them; if you cannot find a utility but have a Dr.Web license, you can use the official page http://support.drweb.com/new/free_unlocker/
    • CryptoLocker: to decrypt files after CryptoLocker, you can use the site http://decryptcryptolocker.com; after you upload a sample file, you receive a key and a utility to recover your files.

    And some recent news: Kaspersky Lab, together with Dutch law enforcement, has released Ransomware Decryptor (http://noransom.kaspersky.com) to decrypt files after CoinVault, although this ransomware has not yet been seen in our part of the world.

    By the way, if it turns out that you have something to add (I may not have time to keep track of what is happening with decryption methods), let me know in the comments; this information will be useful to other users facing the problem.

    A ransomware virus is malware that, when activated, encrypts all personal files, such as documents and photographs. The number of such programs is very large and growing every day. In the recent past alone we have encountered dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, .da_vinci_code, toste, fff, etc. The goal of these encryption viruses is to force users to buy, often for a large sum of money, the program and key needed to decrypt their own files.

    Of course, you can restore the encrypted files simply by following the instructions that the creators of the virus leave on the infected computer. But the price of decryption is usually very high, and you should also know that some ransomware encrypts files in such a way that they can never be decrypted afterwards. And, of course, it is simply galling to pay to get your own files back.

    Below we discuss in more detail what encryption viruses are, how they get onto a victim's computer, how to remove one, and how to restore the files it has encrypted.

    How does a ransomware virus penetrate a computer?

    Ransomware is usually spread by email. The message carries an infected document, and such messages are sent to enormous lists of email addresses. The authors use misleading subject lines and message bodies to trick the user into opening the attached document: some messages say a bill needs to be paid, others offer the latest price list, others invite you to look at a funny photo, and so on. In every case, opening the attachment infects your computer with the ransomware.

    What is a ransomware virus?

    A ransomware virus is a malicious program that infects modern versions of the Windows family of operating systems, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. These viruses try to use the strongest available encryption, for example RSA with a 2048-bit key, which practically rules out recovering the key by brute force and decrypting the files yourself.

    When it infects a computer, the ransomware stores its own files in the %APPDATA% directory. To start automatically when the computer is turned on, it creates an entry in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
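The persistence pattern just described (a binary under %APPDATA% registered in the HKCU Run or RunOnce key) is simple to check for. The following is an added example, not code from the original page: it extracts the program path from each autorun command line and flags those that run from user-writable profile locations. The registry value names and command lines in SAMPLE_ENTRIES are constructed for the demonstration; the live-registry reader only works on Windows and is optional.

```python
"""Flag Run/RunOnce autostart entries whose executable lives in a user-writable
profile directory such as %APPDATA%.  Added example, not code from the original
page; SAMPLE_ENTRIES are constructed."""
import sys

# Locations a dropper can write to without administrator rights.  Matched
# case-insensitively against the program path.  This is a heuristic: a few
# legitimate updaters also start from AppData, so review hits by hand.
SUSPICIOUS_LOCATIONS = (
    "%appdata%", "%localappdata%", "%temp%", "%tmp%",
    "\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
    "\\users\\public\\", "\\windows\\temp\\",
)


def executable_path(command: str) -> str:
    """Program path from an autorun command line, for both the quoted form
    ("C:\\path with spaces\\x.exe" /arg) and the unquoted form (C:\\x.exe /arg)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious_autorun(command: str) -> bool:
    path = executable_path(command).lower().replace("/", "\\")
    return any(marker in path for marker in SUSPICIOUS_LOCATIONS)


def find_suspicious_autoruns(entries):
    """entries: iterable of (registry_key, value_name, command).
    Returns the entries whose program runs from a suspicious location."""
    return [(key, name, cmd) for key, name, cmd in entries if is_suspicious_autorun(cmd)]


def read_run_keys_windows():
    """Read the live HKCU Run and RunOnce values (Windows only)."""
    import winreg  # standard library, available only on Windows
    entries = []
    for subkey in (r"Software\Microsoft\Windows\CurrentVersion\Run",
                   r"Software\Microsoft\Windows\CurrentVersion\RunOnce"):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
                name, data, _type = winreg.EnumValue(key, i)
                entries.append(("HKCU\\" + subkey, name, str(data)))
    return entries


RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE_ENTRIES = [  # constructed: two benign entries, two that imitate system binaries from AppData
    (RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (RUN, "Client Server Runtime Subsystem", r'"C:\Users\alice\AppData\Roaming\csrss.exe"'),
    (RUNONCE, "svchost", r"%APPDATA%\Microsoft\svchost.exe"),
    (RUN, "Adobe Reader Speed Launcher", r'"C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Reader_sl.exe"'),
]

if __name__ == "__main__":
    entries = read_run_keys_windows() if sys.platform == "win32" else SAMPLE_ENTRIES
    for key, name, cmd in find_suspicious_autoruns(entries):
        print(f"SUSPICIOUS  {key}\\{name}: {cmd}")
```

On a live machine the same check should be repeated for the HKLM Run keys and for the user's Startup folder, which the script does not cover.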

    Immediately after launch, the virus scans all accessible drives, including network shares and cloud storage folders, to determine which files to encrypt. It uses the filename extension to select the group of files that will be encrypted. Almost all file types are targeted, including common ones such as:

    .0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

    As soon as a file is encrypted it receives a new extension, which can often be used to identify the name or type of the ransomware. Some of these programs also change the names of the encrypted files. The virus then creates a text document with a name such as HELP_YOUR_FILES or README containing instructions for decrypting the files.

    While it runs, the ransomware tries to block file recovery via VSS (Volume Shadow Copy Service). To do this it runs the shadow-copy administration utility (vssadmin) from the command line with the switch that deletes all existing shadow copies. As a result, restoring files from shadow copies is almost always impossible; the exception is when the malware runs without administrator rights and the deletion fails.
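The shadow-copy deletion step is one of the most reliable things to alert on, because almost no legitimate software does it. The following is an added example, not code from the original page: detection logic that runs a handful of command-line patterns (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, the Win32_ShadowCopy WMI class called from PowerShell, wbadmin delete catalog, bcdedit recoveryenabled no) over process-creation log lines. The key=value log format, host names and sample lines are constructed for the demonstration; on a real estate the source would be Sysmon event 1 or Security event 4688 with command-line logging enabled.

```python
"""Detection rules for shadow-copy and recovery tampering, run over
process-creation log lines.  Added example, not code from the original page;
the log format and SAMPLE_LOG are constructed."""
import re

# Each rule: (name, pattern matched against the process command line).
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",        # shrinking the store also purges snapshots
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# key=value and key="quoted value" pairs, as many log shippers emit them.
FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD.finditer(line)}


def detect_shadow_copy_tampering(lines):
    """Return one finding per matching line: rule name, host, parent process
    and the command line.  The parent is what an analyst triages first: a
    backup agent or an admin shell is plausible, a binary under AppData is not."""
    findings = []
    for line in lines:
        event = parse_line(line)
        cmd = event.get("cmd", "")
        for rule, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"rule": rule, "host": event.get("host"),
                                 "parent": event.get("parent"), "cmd": cmd})
                break
    return findings


# Constructed sample: lines 1, 2 and 4 are the tampering, 3 and 5 are benign.
SAMPLE_LOG = r'''
2016-03-14T10:22:31Z host=PC01 pid=4120 ppid=3988 parent="C:\Users\alice\AppData\Roaming\k3j4h2.exe" image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe Delete Shadows /All /Quiet"
2016-03-14T10:22:32Z host=PC01 pid=4133 ppid=3988 parent="C:\Users\alice\AppData\Roaming\k3j4h2.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c bcdedit /set {default} recoveryenabled No"
2016-03-14T10:25:10Z host=PC01 pid=4201 ppid=612 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe List Shadows"
2016-03-14T11:02:44Z host=SRV02 pid=2288 ppid=2244 parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2016-03-14T11:30:00Z host=SRV02 pid=2310 ppid=1000 parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\wbadmin.exe" cmd="wbadmin start backup -backupTarget:E: -include:C: -quiet"
'''.strip().splitlines()

if __name__ == "__main__":
    for f in detect_shadow_copy_tampering(SAMPLE_LOG):
        print(f"{f['host']}  {f['rule']:36s} parent={f['parent']}\n    {f['cmd']}")
```

Matching on the command line rather than the image path matters: the PowerShell variant never runs vssadmin.exe at all, and the bcdedit call hides behind cmd.exe.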

    The ransomware actively uses intimidation: it gives the victim a link to a description of the encryption algorithm and displays a threatening message on the desktop. In this way it tries to make the user of the infected computer send the computer ID to the author's email address without thinking, in the hope of getting the files back. The reply to such a message is usually the ransom amount and an e-wallet address.

    Is my computer infected with a ransomware virus?

    It is quite easy to tell whether a computer is infected with an encryption virus. Look at the extensions of your personal files (documents, photos, music and so on). If the extensions have changed, or your files have disappeared and been replaced by many files with unknown names, the computer is infected. Another sign of infection is a file named HELP_YOUR_FILES or README in your directories; it contains the instructions for decrypting the files.

    If you suspect you have opened an email infected with ransomware but there are no symptoms yet, do not turn off or restart the computer. Follow the steps in the section of this guide on removing the ransomware. I repeat: it is very important not to turn the computer off, because with some ransomware the encryption is triggered the first time the computer is turned on after infection!
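The two signs named above, renamed or unreadable files and a ransom note, can be checked mechanically, which is useful when the question is which of many machines or shares is affected. The following is an added example, not code from the original page: it walks a directory, reports files whose contents have the near-maximum byte entropy of encrypted data and no recognisable file header, and reports note files named like the ones on this page whose text talks about encryption. The sample directory it builds is constructed, with seeded pseudo-random bytes standing in for encrypted data; the entropy threshold, the note-name stems and the header list are assumptions, not taken from the page.

```python
"""Triage scan for the two infection signs described above: ransom notes and
files whose contents look encrypted.  Added example, not code from the original
page; the directory tree it builds is constructed."""
import math
import os
import random
import tempfile
from collections import Counter

# Note names from the page (readme, HELP_YOUR_FILES, CONTACT), matched on the
# name without extension; the note must also talk about encryption so that an
# ordinary README is not reported.
NOTE_STEMS = ("readme", "help_your_files", "contact")

# Healthy files of these types are also high-entropy (compressed containers and
# media), so entropy alone would misfire on them; encrypted files have no header.
KNOWN_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"%PDF", b"Rar!",
               b"7z\xbc\xaf", b"GIF8", b"\x1f\x8b", b"ID3")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_known_header(data: bytes) -> bool:
    return data.startswith(KNOWN_MAGIC) or data[4:8] == b"ftyp"   # ftyp: MP4/MOV


def looks_encrypted(path, threshold=7.5, sample_size=65536, min_size=512) -> bool:
    with open(path, "rb") as f:
        data = f.read(sample_size)
    if len(data) < min_size or has_known_header(data):
        return False
    return shannon_entropy(data) >= threshold


def is_ransom_note(path) -> bool:
    stem = os.path.basename(path).lower().rsplit(".", 1)[0]
    if not stem.startswith(NOTE_STEMS):
        return False
    with open(path, "rb") as f:
        return b"crypt" in f.read(65536).lower()   # "encrypted", "decrypt", ...


def triage(root):
    """Walk root; return sorted paths of suspected encrypted files and ransom
    notes, plus a histogram of the extensions the encrypted files carry."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_ransom_note(path):
                notes.append(path)
            elif looks_encrypted(path):
                encrypted.append(path)
    ext_hist = Counter(os.path.splitext(p)[1].lower() for p in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "extensions": ext_hist}


def build_sample_tree() -> str:
    """Constructed victim profile: a text file, a PNG, two encrypted files, one note."""
    root = tempfile.mkdtemp(prefix="triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    rnd = random.Random(20160314)
    randbytes = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    samples = {
        "notes.txt": ("Meeting notes: discuss backups and the quarterly report.\n" * 40).encode(),
        "logo.png": b"\x89PNG\r\n\x1a\n" + randbytes(4096),   # high entropy but healthy
        "report.docx.xtbl": randbytes(8192),                    # encrypted, original name kept
        "k3j4h2.xtbl": randbytes(8192),                         # encrypted and renamed
        "readme.txt": b"Your files have been encrypted. To decrypt them, send the code to the address below.\n",
    }
    for name, data in samples.items():
        with open(os.path.join(docs, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for key in ("encrypted", "notes"):
        print(key, [os.path.basename(p) for p in result[key]])
    print("extensions", dict(result["extensions"]))
```

The extension histogram is the quickest route to the family name: a pile of .xtbl or .vault files points straight at the sections of this page that deal with them.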

    How to decrypt files encrypted with a ransomware virus?

    If this disaster has happened, there is no need to panic! But you should know that in most cases there is no free decryptor. This is because of the strong encryption algorithms these programs use: without the private key it is practically impossible to decrypt the files, and brute-forcing the key is out of the question because of its length. In such cases, unfortunately, paying the authors the full amount they demand is the only way to try to obtain the decryption key.

    Of course, there is absolutely no guarantee that after payment the authors will contact you and provide the key needed to decrypt your files. And you need to understand that by paying the virus developers you are encouraging them to create new viruses.

    How to remove a ransomware virus?

    Before you begin, be aware that by removing the virus and attempting to restore the files yourself you may lose the option of decrypting them by paying the authors the amount they demand: the ransom note and the computer ID they use to identify you can disappear along with the malware, so record them first.

    Kaspersky Virus Removal Tool and Malwarebytes Anti-Malware can detect the various active ransomware families and will easily remove them from your computer, BUT they cannot restore the encrypted files.

    5.1. Remove ransomware using Kaspersky Virus Removal Tool

    By default, QPhotoRec is configured to recover all file types, but to speed up the job it is better to leave only the types you actually need to recover. When you have made your selection, click OK.

    At the bottom of the QPhotoRec window, find the Browse button and click it. You need to select the directory where the recovered files will be saved. Use a disk that does not contain the encrypted files you are recovering (a flash drive or external drive will do).

    To start searching for and restoring the original copies of the encrypted files, click the Search button. This takes quite a long time, so be patient.

    When the search is complete, click the Quit button, then open the folder you chose for the recovered files.

    The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3 and so on; the more files the program finds, the more such directories there will be. To find the files you need, go through the directories one by one. To make it easier to find a particular file among the large number recovered, use the built-in Windows search (it can search by file contents), and remember that the files in a directory can be sorted: sorting by modification date is useful, since QPhotoRec tries to restore that attribute when it recovers a file.
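Going through recup_dir.N folders by hand is tedious, and PhotoRec regularly carves the same file more than once. The following is an added example, not code from the original page or part of PhotoRec: it walks the recup_dir.N directories in numeric order, drops exact duplicates by SHA-256, copies each unique file into a folder named after its extension and preserves the modification time the paragraph above says QPhotoRec restores. The sample output tree it builds is constructed; the file names imitate PhotoRec's fNNNNNNN.ext convention.

```python
"""Sort QPhotoRec's recup_dir.N output: de-duplicate by SHA-256, group by
extension, keep the restored mtime.  Added example, not part of the original
page or of PhotoRec; the sample tree is constructed."""
import hashlib
import os
import shutil
import tempfile
from collections import Counter


def sha256_of(path, chunk=1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def recup_dirs(src_root):
    """The recup_dir.1, recup_dir.2, ... directories, in numeric (not string) order."""
    names = [d for d in os.listdir(src_root)
             if d.startswith("recup_dir.") and d.split(".")[-1].isdigit()]
    return [os.path.join(src_root, d) for d in sorted(names, key=lambda d: int(d.split(".")[-1]))]


def organize_recovered(src_root, dst_root):
    """Copy unique files into dst_root/<extension>/; carvings with identical
    contents are copied once.  Returns a summary dict."""
    seen = {}                 # sha256 -> destination path
    by_type = Counter()
    duplicates = 0
    for d in recup_dirs(src_root):
        for name in sorted(os.listdir(d)):
            src = os.path.join(d, name)
            if not os.path.isfile(src):
                continue
            digest = sha256_of(src)
            if digest in seen:
                duplicates += 1
                continue
            ext = os.path.splitext(name)[1].lstrip(".").lower() or "noext"
            target_dir = os.path.join(dst_root, ext)
            os.makedirs(target_dir, exist_ok=True)
            # keep the recup_dir number in the name so two carvings never overwrite each other
            dst = os.path.join(target_dir, f"{os.path.basename(d)}_{name}")
            shutil.copy2(src, dst)            # copy2 preserves the mtime PhotoRec restored
            seen[digest] = dst
            by_type[ext] += 1
    return {"kept": len(seen), "duplicates": duplicates, "by_type": dict(by_type)}


def build_sample_output():
    """Constructed PhotoRec output: five carvings, two of them identical."""
    src = tempfile.mkdtemp(prefix="photorec_")
    dst = tempfile.mkdtemp(prefix="sorted_")
    files = {
        "recup_dir.1/f0000120.docx": b"PK\x03\x04 quarterly report (constructed)",
        "recup_dir.1/f0000456": b"unknown blob without extension (constructed)",
        "recup_dir.2/f0001012.docx": b"PK\x03\x04 quarterly report (constructed)",   # same as f0000120
        "recup_dir.2/f0001030.jpg": b"\xff\xd8\xff holiday photo (constructed)",
        "recup_dir.10/f0002001.pdf": b"%PDF-1.4 invoice (constructed)",
    }
    for rel, data in files.items():
        path = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return src, dst


if __name__ == "__main__":
    src, dst = build_sample_output()
    print(organize_recovered(src, dst))
```

Hashing by content rather than comparing names is what makes this safe: PhotoRec names carry no information about the original file, so two identical carvings never share a name.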

    How to prevent a ransomware virus from infecting your computer?

    Most modern antivirus programs already include protection against the penetration and activation of encryption viruses, so if your computer has no antivirus, be sure to install one. How to choose one is covered in a separate article.

    There are also specialized protective programs, for example CryptoPrevent.

    A few final words

    If you follow these instructions, your computer will be cleaned of the ransomware. If you have any questions or need help, please contact us.

    If the system is infected with malware from the families Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, the files on the computer are changed as follows:

    • With Trojan-Ransom.Win32.Rannoh, names and extensions change according to the template locked-<original_name>.<4 random letters>.
    • With Trojan-Ransom.Win32.Cryakl, the label CRYPTENDBLACKDC is appended to the end of the file contents.
    • With Trojan-Ransom.Win32.AutoIt, the name changes according to the template <original_name>@<mail_domain>_.<character_set>,
      for example [email protected]_.RZWDTDIC.
    • With Trojan-Ransom.Win32.CryptXXX, the extension changes according to the templates <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.
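The templates above are regular enough to classify a file from its name alone, with the Cryakl trailer needing a look at the last bytes. The following is an added example, not code from the original page or from Kaspersky's utility: it recognises the four templates and recovers the original file name where the template keeps it. It assumes that <original_name> includes the original extension (so locked-report.docx.abcd came from report.docx) and that the AutoIt template's <original_name> is everything before the @; the sample names are constructed.

```python
"""Classify an encrypted file by the naming templates and trailer label listed
above.  Added example, not from the original page or from RannohDecryptor;
the names in the tests are constructed."""
import os
import re

RANNOH = re.compile(r"^locked-(?P<orig>.+)\.(?P<tag>[A-Za-z]{4})$")
AUTOIT = re.compile(r"^(?P<orig>.+)@(?P<domain>[A-Za-z0-9.-]+)_\.(?P<tag>[A-Za-z0-9]+)$")
CRYPTXXX_EXTS = (".crypt", ".crypz", ".cryp1")
CRYAKL_TRAILER = b"CRYPTENDBLACKDC"


def classify(filename: str, tail: bytes = b""):
    """Return (family, original_name) or (None, None).  `tail` is the last few
    bytes of the file; only Cryakl needs it, since it keeps the name and marks
    the contents instead."""
    m = RANNOH.match(filename)
    if m:   # caveat: an untouched name like locked-photo.jpeg also matches; confirm with contents
        return "Trojan-Ransom.Win32.Rannoh", m.group("orig")
    m = AUTOIT.match(filename)
    if m:   # assumption: the part before '@' is the full original name with its extension
        return "Trojan-Ransom.Win32.AutoIt", m.group("orig")
    lower = filename.lower()
    for ext in CRYPTXXX_EXTS:
        if lower.endswith(ext):
            return "Trojan-Ransom.Win32.CryptXXX", filename[:-len(ext)]
    if tail.endswith(CRYAKL_TRAILER):
        return "Trojan-Ransom.Win32.Cryakl", filename
    return None, None


def read_tail(path: str, n: int = 64) -> bytes:
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - n))
        return f.read()


def classify_path(path: str):
    return classify(os.path.basename(path), read_tail(path))


if __name__ == "__main__":
    for name in ("locked-report.docx.abcd", "photo.jpg@example.com_.RZWDTDIC",
                 "budget.xlsx.crypz", "notes.txt"):
        print(name, "->", classify(name))
```

The family name is exactly what RannohDecryptor and the other utilities are indexed by, so the output of classify() tells you which download page on this site to go to; the recovered original name is what you need when the utility asks for an unencrypted copy of the same file.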

    The RannohDecryptor utility is designed to decrypt files after infection by Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

    How to cure the system

    To cure an infected system:

    1. Download the RannohDecryptor.zip file.
    2. Run RannohDecryptor.exe on the infected machine.
    3. In the main window, click Start checking.
    4. Specify the path to an encrypted file and to its unencrypted original.
      If the file was encrypted by Trojan-Ransom.Win32.CryptXXX, specify the largest files you have: decryption will only be available for files of equal or smaller size.
    5. Wait for the search and decryption of encrypted files to finish.
    6. Restart the computer if required.
    7. To delete the copies of encrypted files such as locked-<original_name>.<4 random letters> after successful decryption, select Delete encrypted files after successful decryption.

    If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the decrypted file in the original location with the extension .decryptedKLR.original_extension. If you chose Delete encrypted files after successful decryption, the utility saves the decrypted file under the original name.

    By default, the utility writes its log to the root of the system drive (the drive on which the OS is installed). The log name has the form UtilityName.Version_Date_Time_log.txt, for example C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt.

    On a system infected by Trojan-Ransom.Win32.CryptXXX, the utility scans a limited number of file formats. If the user selects a file affected by CryptXXX v2, recovering the key may take a long time; in that case the utility displays a warning.

    A reminder: Trojans of the Trojan.Encoder family are malicious programs that encrypt files on the computer's hard drive and demand money to decrypt them. Files such as *.mp3, *.doc, *.docx, *.pdf, *.jpg, *.rar and so on may be encrypted.
    I have not had the chance to meet the whole family of this virus personally, but, as practice shows, the method of infection, treatment and decryption is roughly the same for all of them:
    1. the victim is infected through a spam email with an attachment (less often by other means of infection),
    2. the virus is (by now) recognized and removed by almost any antivirus with fresh databases,
    3. the files are decrypted by brute-forcing the password keys for the types of encryption used.
    For example, Trojan.Encoder.225 uses RC4 (modified) + DES encryption, and Trojan.Encoder.263 uses Blowfish in CTR mode. In my personal experience, these viruses are currently 99% decryptable.

    But not everything is so smooth. Some encryption viruses require months of continuous key search (Trojan.Encoder.102), while others (Trojan.Encoder.283) cannot be decrypted correctly even by the specialists at Doctor Web, who, in fact, play the key role in this article.
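The "key selection" that the decryptors above grind away at for days is a known-plaintext search: every .doc, .docx, .pdf or .jpg starts with a fixed header, so a candidate key can be rejected after decrypting a few bytes. The following is an added example, not the author's te225decrypt tool and not the Trojan's real scheme: plain RC4 stands in for the "modified RC4 + DES" named above, the key space is deliberately tiny (three lowercase letters, about 14 bits) so it finishes in a second, and the sample "document" and its key are constructed. The same loop is why a large key space is hopeless: the search time scales with the number of candidates, and the author's six-day runs are the realistic end of that scale, not a 2048-bit RSA key.

```python
"""Known-plaintext key search against RC4 with a toy key space.  Added example;
not the author's tool and not the Trojan's real cipher.  The document bytes and
SECRET_KEY are constructed."""
import itertools
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


# Bytes every file of a type must start with: the known plaintext.
KNOWN_HEADERS = {
    ".docx": b"PK\x03\x04\x14\x00\x06\x00",   # Office-generated OOXML (zip local file header)
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
}


def recover_key(ciphertext: bytes, known_prefix: bytes, alphabet: bytes, key_len: int):
    """Try every key_len-symbol key over alphabet; return (key, keys_tried) for the
    first one whose keystream turns the ciphertext prefix back into known_prefix.
    Expected false positives: keys_tried / 2**(8*len(known_prefix)), negligible here."""
    n = len(known_prefix)
    target = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix))   # keystream we need
    tried = 0
    for combo in itertools.product(alphabet, repeat=key_len):
        tried += 1
        key = bytes(combo)
        if rc4_keystream(key, n) == target:
            return key, tried
    return None, tried


def keyspace_bits(alphabet_size: int, key_len: int) -> float:
    """Effective key length in bits: 3 lowercase letters are ~14.1 bits."""
    return key_len * math.log2(alphabet_size)


SAMPLE_DOCX = KNOWN_HEADERS[".docx"] + b"[Content_Types].xml ... constructed document body ..."
SECRET_KEY = b"key"     # what the 'malware' used; recover_key never reads it


def demo():
    ciphertext = rc4(SECRET_KEY, SAMPLE_DOCX)
    key, tried = recover_key(ciphertext, KNOWN_HEADERS[".docx"],
                             b"abcdefghijklmnopqrstuvwxyz", 3)
    assert key is not None and rc4(key, ciphertext) == SAMPLE_DOCX
    return key, tried


if __name__ == "__main__":
    key, tried = demo()
    print(f"recovered key {key!r} after {tried} of {26 ** 3} candidates "
          f"({keyspace_bits(26, 3):.1f}-bit key space)")
```

Two practical points carry over to the real decryptors: the header check must use enough known bytes that a wrong key cannot pass by chance, and an unencrypted copy of the same file (which the utilities above ask for) is the strongest known plaintext you can give them.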

    Now, in order.

    At the beginning of August 2013, clients came to me with files encrypted by the Trojan.Encoder.225 virus. The virus was new at the time, nobody knew anything, and there were two or three relevant Google hits on the Internet. After a long search it turned out that the only organization (that I could find) dealing with decrypting files after this virus was Doctor Web: they give recommendations, help when you contact their technical support, develop their own decryptors, and so on.

    A digression in the negative.

    And, taking this opportunity, I would like to point out two big minuses of Kaspersky Lab. When you contact their technical support, they brush you off with “we are working on this issue, we will notify you of the results by mail.” And the second minus is that I never received a response to the request. After 4 months. Damn that reaction time. And here I am striving for the standard “no more than one hour from the filing of the request.”
    Shame on you, Comrade Evgeny Kaspersky, General Director of Kaspersky Lab. And yet a good half of all my companies “sit” on it. Well, okay, the licenses expire in January to March 2014. Is it worth asking whether I will renew them? ;)

    I can picture the faces of the “specialists” from the “simpler” companies, so to speak, the NON-giants of the antivirus industry. They probably just “huddled in a corner” and “cried quietly.”
    Although, to be honest, absolutely everyone screwed up completely. The antivirus, in principle, should not have let this virus onto the computer at all. Especially considering modern technologies. And “they”, the GIANTS of the anti-VIRUS industry, supposedly have everything covered: “heuristic analysis”, “pre-emptive system”, “proactive defense”...

    WHERE WERE ALL THESE SUPER-SYSTEMS WHEN THE HR DEPARTMENT EMPLOYEE OPENED A “HARMLESS” LETTER WITH THE SUBJECT “RESUME”???
    What was the employee supposed to think?
    If YOU cannot protect us, then why do we need YOU at all?

    And everything would be fine with Doctor Web, but to get help you must, of course, have a license for one of their software products. When contacting technical support (hereinafter TS), you must provide a Dr.Web serial number and remember to select “request for treatment” in the “Request category:” field, or simply submit an encrypted file to the laboratory. I should say right away that the so-called “magazine keys” for Dr.Web that are posted in batches on the Internet are not suitable, since they do not confirm the purchase of any software product and are weeded out by the TS specialists in no time. It is easier to buy the cheapest license, because if you are taking on decryption, this license will pay for itself a million times over. Especially if the folder of “Egypt 2012” photos existed in a single copy...

    Attempt No. 1

    So, having bought a “license for 2 PCs for a year” for a certain sum of money, contacted TS and provided some files, I received a link to the decryption utility te225decrypt.exe version 1.3.0.0. Anticipating success, I launch the utility (you need to point it at one of the encrypted *.doc files). The utility begins the key search, mercilessly loading the old processor (E5300 DualCore, 2600 MHz, overclocked to 3.46 GHz / 8192 MB DDR2-800 / 160 GB Western Digital HDD) to 90 to 100%.
    Here, in parallel with me, a colleague joins in on a PC with a Core i5 2500K (overclocked to 4.5 GHz) / 16 GB RAM 1600 / Intel SSD (this is for the comparison of time spent at the end of the article).
    After 6 days the utility reported that 7277 files had been decrypted. But the happiness did not last long: all the files were decrypted “crookedly.” That is, for example, Microsoft Office documents open, but with various errors: “Word found content in the *.docx document that could not be read” or “The *.docx file cannot be opened because there are problems with its contents.” *.jpg files also open either with an error, or 95% of the image turns out to be a washed-out black or light green background. For *.rar files: “Unexpected end of archive.”
    Overall, a complete failure.

    Attempt No. 2

    We write to TS about the results. They ask us to provide a couple of files. A day later they again provide a link to the te225decrypt.exe utility, but this time version 1.3.2.0. Well, let's launch it; there was no alternative anyway. About 6 days pass and the utility ends with the error “Unable to select encryption parameters.” In total, 13 days “down the drain.”
    But we don't give up; we have important documents from our *stupid* client, who had no basic backups.

    Attempt No. 3

    We write to TS about the results. They ask us to provide a couple of files. And, as you may have guessed, a day later they provide a link to the same te225decrypt.exe utility, but version 1.4.2.0. Well, let's launch it; there was no alternative, and none had appeared from Kaspersky Lab, ESET NOD32 or the other makers of antivirus solutions either. And now, after 5 days 3 hours 14 minutes (123.5 hours), the utility reports that the files have been decrypted (for my colleague on the Core i5, decryption took only 21 hours 10 minutes).
    Well, I think, was it or wasn't it? And lo and behold: complete success! All files are decrypted correctly. Everything opens, closes, displays, edits and saves properly.

    Everyone is happy, THE END.

    “Where is the story about the Trojan.Encoder.263 virus?”, you ask. It was on the next PC, under the desk. Everything was simpler there: we write to the Doctor Web TS, get the te263decrypt.exe utility, launch it, wait 6.5 days, voilà! and everything is ready. To summarize, I can pass on some advice from the Doctor Web forum, in my own wording:

    What to do if you are infected with a ransomware virus:
    - send an encrypted .doc file to the Dr.Web virus laboratory, or via the “Submit a suspicious file” form.
    - Wait for a reply from a Dr.Web employee and then follow his instructions.

    What NOT to do:
    - change the extension of the encrypted files; otherwise, even with a successfully found key, the utility simply will not “see” the files that need to be decrypted.
    - use any data decryption or recovery programs on your own, without consulting specialists.

    Attention: having a server free from other tasks, I offer my services for decrypting YOUR data free of charge. The server is a Core i7-3770K overclocked to *certain frequencies*, with 16 GB of RAM and an SSD Vertex 4.
    For all active users of Habr, the use of my resources will be FREE!!!

    Write to me in a private message or through other contacts. I already have plenty of experience with this, so I'm not too lazy to put the server on decryption overnight.
    This virus is the “scourge” of our time, and taking “loot” from fellow sufferers is not humane. Although, if someone “throws” a couple of bucks into my Yandex.Money account 410011278501419, I won't mind. But this is not at all necessary. Get in touch. I process requests in my free time.

    New information!

    Starting from December 8, 2013, a new virus from the same Trojan.Encoder series, classified by Doctor Web as Trojan.Encoder.263 but with RSA encryption, began to spread. As of today (12/20/2013) this type cannot be decrypted, as it uses a very strong encryption method.

    I recommend to everyone who has suffered from this virus:
    1. Using the built-in Windows search, find all files with the .perfect extension and copy them to external media.
    2. Copy the CONTACT.txt file as well.
    3. Put this external media “on the shelf”.
    4. Wait for a decryptor utility to appear.

    What NOT to do:
    There is no need to deal with criminals. It is stupid. In more than 50% of cases, after “paying” approximately 5000 rubles, you will receive NOTHING: no money, no decryptor.
    To be fair, it is worth noting that there are “lucky” people on the Internet who got their files back by paying for decryption. But you shouldn't trust these people. If I were a virus writer, the first thing I would do would be to spread stories like “I paid and they sent me a decryptor!!!”
    Behind these “lucky ones” there may be the very same attackers.

    Well... let's wish the other antivirus companies luck in creating a utility for decrypting files after the Trojan.Encoder group of viruses.

    Special thanks to comrade v.martyanov from the Doctor Web forum for his work on creating the decryption utilities.

    If a text message appears on your computer saying that your files have been encrypted, do not rush to panic. What are the symptoms of file encryption? The usual extension changes to *.vault, *.xtbl, *[email protected]_XO101 and so on. The files cannot be opened: a key is required, which can be bought by writing to the address given in the message.

    Where did you get the encrypted files from?

    The computer has caught a virus that blocked access to the information. Antivirus programs often miss these because the program is usually built on some harmless free encryption utility. You will remove the virus itself quickly enough, but serious problems may arise with decrypting the information.

    The technical support of Kaspersky Lab, Dr.Web and other well-known antivirus companies, in response to user requests to decrypt data, reports that it cannot be done in an acceptable time. There are several programs that can find the key, but they only work with previously studied viruses. If you have met a new modification, the chances of restoring access to the information are extremely low.

    How does a ransomware virus get onto a computer?

    In 90% of cases, users activate the virus on their computer themselves by opening unknown emails. A message arrives with a provocative subject: “Subpoena”, “Loan debt”, “Notification from the tax office” and so on. Inside the fake message is an attachment; once it is downloaded, the ransomware gets onto the computer and gradually begins to block access to the files.

    Encryption does not happen instantly, so users have time to remove the virus before all the information is encrypted. You can destroy the malicious script using the cleaning utilities Dr.Web CureIt!, Kaspersky Internet Security and Malwarebytes Anti-Malware.

    File recovery methods

    If system protection was enabled on your computer, then even after a ransomware attack there is a chance to return files to their normal state using shadow copies. Ransomware usually tries to delete them, but sometimes fails to do so for lack of administrator rights.

    Restoring a previous version:

    For previous versions to be saved, system protection must be enabled.

    Important: system protection must be enabled before the ransomware appears; afterwards it will no longer help.

    1. Open Computer properties.
    2. In the menu on the left, select System Protection.
    3. Select drive C and click Configure.
    4. Select “Restore system settings and previous versions of files” and apply the changes by clicking OK.

    If you took these steps before the file-encrypting virus appeared, then after cleaning the malicious code from the computer you have a good chance of recovering your information.

    Using special utilities

    Kaspersky Lab has prepared several utilities that help open encrypted files after the virus has been removed. The first decryptor to try is Kaspersky RectorDecryptor.

    1. Download the program from the official Kaspersky Lab website.
    2. Then run the utility and click “Start scan”. Specify the path to any encrypted file.

    If the malware did not change the files' extensions, collect them in a separate folder before decrypting. If RectorDecryptor does not help, download two more programs from the official Kaspersky website: XoristDecryptor and RakhniDecryptor.

    The latest utility from Kaspersky Lab is called Ransomware Decryptor. It helps decrypt files after the CoinVault virus, which is not yet very widespread on the RuNet but may soon replace other Trojans.