A program for recovering files encrypted by a virus. Recovering data encrypted by the WannaCry ransomware: possibility and solution. Recovering damaged files with preview

If a text message appears on your computer saying that your files are encrypted, then do not rush to panic. What are the symptoms of file encryption? The usual extension changes to *.vault, *.xtbl, * [email protected] _XO101, etc. The files cannot be opened - a key is required, which can be purchased by sending a letter to the address specified in the message.

Where did you get the encrypted files from?

The computer caught a virus that blocked access to information. Antivirus programs often miss them because the program is usually based on some harmless free encryption utility. You will remove the virus itself quickly enough, but serious problems may arise with decrypting the information.

Technical support from Kaspersky Lab, Dr.Web and other well-known companies developing anti-virus software, in response to user requests to decrypt data, reports that it is impossible to do this in an acceptable time. There are several programs that can pick up the code, but they can only work with previously studied viruses. If you encounter a new modification, then the chances of restoring access to information are extremely low.

How does a ransomware virus get onto a computer?

In 90% of cases, users themselves activate the virus on their computer by opening unknown letters. Typically a message with a provocative subject arrives by e-mail: "Subpoena", "Loan debt", "Notification from the tax office", etc. Inside the fake letter there is an attachment; once it is downloaded and opened, the ransomware gets onto the computer and begins to gradually block access to the files.

Encryption does not happen instantly, so users have time to remove the virus before all information is encrypted. You can destroy a malicious script using the cleaning utilities Dr.Web CureIt, Kaspersky Internet Security and Malwarebytes Antimalware.

File recovery methods

If system protection has been enabled on your computer, then even after a ransomware virus has run there is a chance to return files to their normal state using shadow copies. Ransomware usually tries to remove them, but sometimes it fails to do so due to a lack of administrator rights.

Restoring a previous version:

In order for previous versions to be saved, you need to enable system protection.

Important: system protection must be enabled before the ransomware appears, after which it will no longer help.

  1. Open Computer properties.
  2. From the menu on the left, select System Protection.
  3. Select drive C and click "Configure".
  4. Select "Restore system settings and previous versions of files". Apply the changes by clicking "OK".

If you took these steps before the file-encrypting virus appeared, then after cleaning your computer from malicious code, you will have a good chance of recovering your information.

Using special utilities

Kaspersky Lab has prepared several utilities to help open encrypted files after removing the virus. The first decryptor you should try is Kaspersky RectorDecryptor.

  1. Download the program from the official Kaspersky Lab website.
  2. Then run the utility and click “Start scan”. Specify the path to any encrypted file.

If the malicious program has not changed the extension of the files, then to decrypt them you need to collect them in a separate folder. If RectorDecryptor does not help, download two more programs from the official Kaspersky website: XoristDecryptor and RakhniDecryptor.

The latest utility from Kaspersky Lab is called Ransomware Decryptor. It helps decrypt files after the CoinVault virus, which is not yet very widespread on the RuNet, but may soon replace other Trojans.

French company Quarkslab specialist Adrien Guinet reports that he has found a way to decrypt data damaged by a ransomware attack. Unfortunately, this method only works for the Windows XP operating system and not in all cases, but it is better than nothing.

About a week or two ago, another creation of modern virus makers appeared on the Internet, one that encrypts all the user's files. Once again I will consider the question of how to clean a computer after the CRYPTED000007 ransomware virus and recover encrypted files. In this case, nothing new or unique has appeared, just a modification of the previous version.

Guaranteed decryption of files after a ransomware virus - dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is not fundamentally different from its predecessors. It works almost exactly the same way. But there are still several nuances that distinguish it. I'll tell you about everything in order.

It arrives, like its analogues, by mail. Social engineering techniques are used to ensure that the user becomes interested in the letter and opens it. In my case, the letter talked about some kind of court and important information about the case in the attachment. After launching the attachment, the user opens a Word document with an extract from the Moscow Arbitration Court.

In parallel with opening the document, file encryption starts. An information message from the Windows User Account Control system begins to constantly pop up.

If you agree to the proposal, then the backup copies of files in shadow copies of Windows will be deleted and restoring information will be very difficult. It is obvious that you cannot agree with the proposal under any circumstances. In this encryptor, these requests pop up constantly, one after another and do not stop, forcing the user to agree and delete the backup copies. This is the main difference from previous modifications of encryptors. I have never encountered requests to delete shadow copies without stopping. Usually, after 5-10 offers they stopped.

I will immediately give a recommendation for the future. It is very common for people to disable User Account Control warnings. There is no need to do this. This mechanism can really help in resisting viruses. The second obvious piece of advice is not to constantly work under the computer administrator account unless there is an objective need for it. In this case, the virus will not have the opportunity to do much harm. You will have a better chance of resisting it.

But even if you have always answered negatively to the ransomware’s requests, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files with the same content on your desktop.

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decipher on your own will not lead to anything other than an irrevocable loss of information. If you still want to try, then make backup copies of the files first, otherwise, if they are changed, decryption will become impossible under any circumstances. If you have not received a reply from the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways: 1) Download and install Tor Browser using the link: https://www.torproject.org/download/download-easy.html.en In the Tor Browser address bar, enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Mailing address may change. I also came across the following addresses:

Addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are encrypted, immediately turn off your computer. This must be done to interrupt the encryption process both on the local computer and on network drives. An encryption virus can encrypt all information it can reach, including on network drives. But if there is a large amount of information there, then it will take it considerable time. Sometimes, even in a couple of hours, the ransomware did not have time to encrypt everything on a network drive with a capacity of approximately 100 gigabytes.

Next you need to think carefully about how to act. If you need information on your computer at any cost and you do not have backup copies, then it is better at this moment to turn to specialists. Not necessarily for money to some companies. You just need a person who is well versed in information systems. It is necessary to assess the scale of the disaster, remove the virus, and collect all available information on the situation in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate the process of decrypting or restoring files. In the worst case, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and has finished its activity, all useful files will be encrypted and renamed with the extension .crypted000007. Moreover, not only the file extension is replaced, but also the file name, so you won't know exactly what kind of files you had if you don't remember. It will look something like this.

In such a situation, it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in different folders. This was done specifically to confuse people and encourage them to pay for file decryption.

And if your network folders were encrypted and there are no full backups, then this can completely stop the work of the entire organization. It will take you a while to figure out what was ultimately lost in order to begin restoration.
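To assess the scale of the damage described above, here is an added example (not the author's script) that inventories every file carrying the .crypted000007 extension across all filesystem drives, including mapped network shares, writes the list to a CSV and summarizes per directory. The drive list, report path and extension are assumptions taken from the article's description.

```powershell
param(
    # Assumption: scan every filesystem drive PowerShell knows about, which
    # includes mapped network drives (the article notes shares get hit too).
    [string[]]$Roots = ((Get-PSDrive -PSProvider FileSystem).Root),
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\crypted_inventory.csv')
)

# Extension the article reports CRYPTED000007 appending (file names are replaced as well).
$extension = '.crypted000007'

$found = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden folders; access errors on system folders are ignored.
    Get-ChildItem -LiteralPath $root -Filter "*$extension" -File -Recurse -Force -ErrorAction SilentlyContinue
}

if (-not $found) {
    "No *$extension files found under: $($Roots -join ', ')"
    return
}

# Encryption window: the earliest and latest write times bound how long the
# ransomware ran and, compared per drive, show which shares it reached.
$sorted = @($found | Sort-Object LastWriteTime)
$first  = $sorted[0].LastWriteTime
$last   = $sorted[-1].LastWriteTime

# Full list for the incident record and for matching against backups later.
$found | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8

# Per-directory summary shows which folders and shares were hit hardest.
$found | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object @{n='Directory'; e={$_.Name}}, Count,
                  @{n='SizeMB'; e={[math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1)}} |
    Format-Table -AutoSize

"Encrypted files: {0}; window: {1:s} .. {2:s}; report: {3}" -f $sorted.Count, $first, $last, $Report
```

Run it from a clean machine against the affected shares, or on the victim only after the virus has been removed, since the article warns that any activity on the infected computer lowers the chances of recovery.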

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect a computer and how to remove a virus from it in order to prevent further encryption if it has not yet been completed. I would like to immediately draw your attention to the fact that after you yourself begin to perform some actions with your computer, the chances of decrypting the data decrease. If you need to recover files at any cost, do not touch your computer, but immediately contact professionals. Below I will talk about them and provide a link to the site and describe how they work.

In the meantime, we will continue to treat the computer and remove the virus ourselves. Traditionally, ransomware is easily removed from a computer, since the virus does not have the task of remaining on the computer at any cost. After completely encrypting the files, it is even more profitable for it to delete itself and disappear, so that it is harder to investigate the incident and decrypt the files.

It is difficult to describe how to manually remove a virus, although I have tried to do this before, but I see that most often it is pointless. File names and virus placement paths are constantly changing. What I saw is no longer relevant in a week or two. Typically, viruses are sent by mail in waves, and each time there is a new modification that is not yet detected by antiviruses. Universal tools that check startup and detect suspicious activity in system folders help.

To remove the CRYPTED000007 virus, you can use the following programs:

  1. Kaspersky Virus Removal Tool - a utility from Kaspersky http://www.kaspersky.ru/antivirus-removal-tool.
  2. Dr.Web CureIt! - a similar product from Dr.Web http://free.drweb.ru/cureit.
  3. If the first two utilities do not help, try MALWAREBYTES 3.0 - https://ru.malwarebytes.com.

Most likely, one of these products will clear your computer of the CRYPTED000007 ransomware. If it suddenly happens that they do not help, try removing the virus manually. I gave an example of the removal method and you can see it there. Briefly, step by step, you need to act like this:

  1. Look at the list of processes after adding several additional columns to Task Manager.
  2. Find the virus process, open the folder in which it sits and delete it.
  3. Clear the mentions of the virus process (by file name) in the registry.
  4. Reboot and make sure that the CRYPTED000007 virus is not in the list of running processes.

Where to download the decryptor CRYPTED000007

The question of a simple and reliable decryptor comes up first when it comes to a ransomware virus. The first thing I recommend is to use the service https://www.nomoreransom.org. Perhaps you will be lucky and they will have a decryptor for your version of the CRYPTED000007 encryptor. I'll say right away that you don't have many chances, but there is no harm in trying. On the main page click Yes:

Then upload a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also see the list of decryptors for download on a separate page - https://www.nomoreransom.org/decryption-tools.html. Maybe there's something useful there. When the virus is completely fresh, there is little chance of this happening, but over time, something may appear. There are examples when decryptors for some modifications of encryptors appeared on the Internet. And these examples are on the specified page.

I don’t know where else you can find a decoder. It is unlikely that it will actually exist, taking into account the peculiarities of the work of modern encryptors. Only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The technical implementation of encryption does not allow decrypting files without a key or a decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I don't have that information. We can only try to recover files using improvised methods. These include:

  • Windows shadow copies (Volume Shadow Copy).
  • Deleted data recovery programs.

First, let's check if we have shadow copies enabled. This tool works by default in Windows 7 and higher, unless you manually disable it. To check, open the computer properties and go to the system protection section.

If during infection you did not confirm the UAC request to delete files in shadow copies, then some data should remain there. I talked about this request in more detail at the beginning of the story, when I talked about how the virus works.

To easily restore files from shadow copies, I suggest using a free program for this - ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of files and the root of drive C will open. In the upper left corner, you can select a backup copy if you have several of them. Check different copies for the required files. Compare by date for the most recent version. In my example below, I found 2 files on my desktop from three months ago when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and specified the folder where to restore them.

You can restore folders immediately using the same principle. If you had shadow copies working and did not delete them, you have a good chance of recovering all, or almost all, files encrypted by the virus. Perhaps some of them will be an older version than we would like, but nevertheless, it is better than nothing.
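The same recovery can be scripted without ShadowExplorer. The following is an added example (not the author's tool): it lists the shadow copies of drive C:, picks the newest one taken before a given time, exposes it through a directory symbolic link to its GLOBALROOT device path and copies one file or folder out of it. Run it from an elevated PowerShell; the mount directory name, the parameters and the choice of drive C: are assumptions.

```powershell
param(
    [Parameter(Mandatory)][string]$RelativePath,   # e.g. 'Users\ivan\Documents\report.docx' (no drive letter)
    [Parameter(Mandatory)][string]$Destination,    # folder to restore into, ideally on another drive
    [datetime]$Before = (Get-Date)                 # assumption: set to the infection time to skip later snapshots
)

# Map the drive letter to its volume GUID path, which is how Win32_ShadowCopy names volumes.
$volumeId = (Get-CimInstance Win32_Volume -Filter "DriveLetter='C:'").DeviceID
if (-not $volumeId) { throw 'Could not resolve the volume for C:' }

# All shadow copies of C:, newest first. Requires administrator rights.
$copies = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId |
    Sort-Object InstallDate -Descending
if (-not $copies) { throw 'No shadow copies exist for C: (system protection was off or the copies were deleted).' }

'Available shadow copies of C::'
$copies | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Choose the newest snapshot taken before the infection; newer ones may already hold encrypted files.
$pick = $copies | Where-Object { $_.InstallDate -lt $Before } | Select-Object -First 1
if (-not $pick) { throw "No shadow copy older than $Before" }

# Expose the snapshot as a directory. The target must end with a backslash, and the
# mount path is kept free of spaces so cmd.exe receives the arguments unquoted.
$mount = "$env:SystemDrive\vss_$($pick.ID.Trim('{}'))"
if (-not (Test-Path -LiteralPath $mount)) {
    cmd.exe /c mklink /d $mount ($pick.DeviceObject + '\') | Out-Null
}

try {
    $source = Join-Path $mount $RelativePath
    if (-not (Test-Path -LiteralPath $source)) {
        throw "$RelativePath is not present in the snapshot from $($pick.InstallDate)"
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # -Recurse is harmless for a single file and copies whole folders when a directory is given.
    Copy-Item -LiteralPath $source -Destination $Destination -Recurse -Force
    "Restored '$RelativePath' from shadow copy $($pick.ID) of $($pick.InstallDate) to $Destination"
}
finally {
    # rmdir on a directory symbolic link removes only the link, never the snapshot itself.
    cmd.exe /c rmdir $mount | Out-Null
}
```

The listing step alone (or `vssadmin list shadows`) is enough to check whether the UAC prompts described earlier succeeded in deleting the copies.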

If for some reason you do not have shadow copies of your files, your only chance to get at least something from the encrypted files is to restore them using deleted file recovery tools. To do this, I suggest using the free program Photorec.

Launch the program and select the disk on which you will restore files. The graphical version of the program is started by running the file qphotorec_win.exe. You must select a folder where the found files will be placed. It is better if this folder is not located on the same drive where we are searching. Connect a flash drive or external hard drive for this.

The search process will take a long time. At the end you will see statistics. Now you can go to the previously specified folder and see what is found there. There will most likely be a lot of files and most of them will either be damaged or they will be some kind of system and useless files. But nevertheless, some useful files can be found in this list. There are no guarantees here, what you find is what you will find. Images are usually restored best.

If the result does not satisfy you, then there are also programs for recovering deleted files. Below is a list of programs that I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, eset nod32 and others in the fight against the Filecoder.ED encryptor

Popular antiviruses detect the ransomware CRYPTED000007 as Filecoder.ED and then there may be some other designation. I looked through the major antivirus forums and didn't see anything useful there. Unfortunately, as usual, antivirus software turned out to be unprepared for the invasion of a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. Nevertheless, I recommend using them. If you are lucky and receive a ransomware email not in the first wave of infections, but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers. A new version of ransomware is released, but antiviruses do not respond to it. As soon as a certain amount of material for research on a new virus accumulates, antivirus software releases an update and begins to respond to it.

I don't understand what prevents antiviruses from responding immediately to any encryption process in the system. Perhaps there is some technical nuance on this topic that does not allow them to respond adequately and prevent encryption of user files. It seems to me that it would be possible to at least display a warning that someone is encrypting your files, and suggest stopping the process.
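The warning the author has in mind can be approximated with a few lines of PowerShell. This is an added example, not something the article or any antivirus vendor ships: a FileSystemWatcher counts files that are created or renamed with the .crypted000007 extension under a folder, and when more than a threshold appear within a short window it raises an alert and, if asked, powers the machine off, which is exactly the author's own first-response advice. The folder, threshold and window are assumptions.

```powershell
param(
    [string]$Path = $env:USERPROFILE,   # assumption: the tree to watch (documents, or a share root)
    [int]$Threshold = 10,               # events inside the window that count as mass encryption
    [int]$WindowSeconds = 30,
    [switch]$ShutdownOnDetect           # the article's advice: cut power to stop the encryption
)

# Watch for the extension CRYPTED000007 gives encrypted files; the filter applies to the
# new name on rename, so both "create encrypted copy" and "rename in place" are caught.
$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $Path, '*.crypted000007'
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier CryptCreated | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Renamed -SourceIdentifier CryptRenamed | Out-Null

# Sliding window of event timestamps; processed in the main loop rather than in an
# -Action block so that the script's own variables stay in scope.
$times = New-Object 'System.Collections.Generic.Queue[datetime]'
"Watching $Path for *.crypted000007 (alert at $Threshold events within $WindowSeconds s). Ctrl+C to stop."

try {
    while ($true) {
        $ev = Wait-Event -Timeout 5
        if (-not $ev) { continue }
        Remove-Event -EventIdentifier $ev.EventIdentifier
        if ($ev.SourceIdentifier -notin 'CryptCreated', 'CryptRenamed') { continue }

        $now = $ev.TimeGenerated
        $times.Enqueue($now)
        while ($times.Count -gt 0 -and ($now - $times.Peek()).TotalSeconds -gt $WindowSeconds) {
            [void]$times.Dequeue()
        }
        '{0:HH:mm:ss} {1}' -f $now, $ev.SourceEventArgs.FullPath

        if ($times.Count -ge $Threshold) {
            Write-Warning ("Possible ransomware: {0} files received the .crypted000007 extension " +
                           "within {1}s under {2}. Disconnect from the network and stop the machine." -f
                           $times.Count, $WindowSeconds, $Path)
            if ($ShutdownOnDetect) { Stop-Computer -Force }
            break
        }
    }
}
finally {
    Unregister-Event -SourceIdentifier CryptCreated -ErrorAction SilentlyContinue
    Unregister-Event -SourceIdentifier CryptRenamed -ErrorAction SilentlyContinue
    $watcher.Dispose()
}
```

Such a watcher only fires once encryption is under way, so it limits damage rather than preventing it; the extension is specific to this family, and a new modification with a different suffix would need the filter updated.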

Where to go for guaranteed decryption

I happened to meet one company that actually decrypts data after the work of various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment only after full decryption and your verification. Here is an approximate scheme of work:

  1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
  2. Launches the decryptor and decrypts all files.
  3. You make sure that all files are opened and sign the certificate of delivery/acceptance of completed work.
  4. Payment is made solely upon successful decryption results.

I'll be honest, I don't know how they do it, but you don't risk anything. Payment only after demonstration of the decoder's operation. Please write a review about your experience with this company.

Methods of protection against the CRYPTED000007 virus

How to protect yourself from ransomware and avoid material and moral damage? There are some simple and effective tips:

  1. Backup! Backup of all important data. And not just a backup, but a backup to which there is no constant access. Otherwise, the virus can infect both your documents and backup copies.
  2. Licensed antivirus. Although they do not provide a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the encryptor, but after 3-4 days they begin to respond. This increases your chances of avoiding infection if you were not included in the first wave of distribution of a new modification of the ransomware.
  3. Do not open suspicious attachments in mail. There is nothing to comment here. All ransomware known to me reached users via email. Moreover, every time new tricks are invented to deceive the victim.
  4. Do not thoughtlessly open links sent to you from your friends via social networks or instant messengers. This is also how viruses sometimes spread.
  5. Enable Windows to display file extensions. How to do this is easy to find on the Internet. This will allow you to notice the file extension of the virus. Most often it will be .exe, .vbs, .scr. In your everyday work with documents, you are unlikely to come across such file extensions.

I tried to supplement what I have already written before in every article about the ransomware virus. In the meantime, I say goodbye. I would be glad to receive useful comments on the article and the CRYPTED000007 ransomware virus in general.

Video about file decryption and recovery

Here is an example of a previous modification of the virus, but the video is completely relevant for CRYPTED000007.

The first ransomware Trojans of the Trojan.Encoder family appeared in 2006-2007. Since January 2009, the number of their varieties has increased by approximately 1900%! Currently, Trojan.Encoder is one of the most dangerous threats for users, having several thousand modifications. From April 2013 to March 2015, the Doctor Web virus laboratory received 8,553 requests to decrypt files affected by encoder Trojans.

Encryption viruses have almost won first place in requests to information security forums. Every day, on average, 40 requests for decryption are received by the employees of the Doctor Web virus laboratory alone from users infected with various types of encryption Trojans (Trojan.Encoder, Trojan-Ransom.Win32.Xorist, Trojan-Ransom.Win32.Rector, Trojan.Locker, Trojan.Matsnu, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.GpCode, Digital Safe, Digital Case, lockdir.exe, rectorrsa, Trojan-Ransom.Win32.Rakhn, CTB-Locker, vault and so on). The main signs of such infections are changed extensions of user files, such as music files, image files, documents, etc.; when you try to open them, a message appears from the attackers demanding payment for a decryptor. The desktop background image may also be changed, along with the appearance of text documents and windows with corresponding messages about encryption, violation of license agreements, etc. Encryption Trojans are especially dangerous for commercial companies, since lost data from databases and payment documents can block the company's work for an indefinite period of time, leading to loss of profits.

Trojans from the Trojan.Encoder family use dozens of different algorithms for encrypting user files. For example, to find the keys to decrypt files encrypted by Trojan.Encoder.741 using a brute force method, you would need 107902838054224993544152335601 years.

Decryption of files damaged by the Trojan is possible in no more than 10% of cases. This means that most user data is lost forever.

Today, ransomware demands up to 1,500 bitcoins.

Even if you pay a ransom to the attacker, it will not give you any guarantee of data recovery.

It comes to oddities - a case was recorded when, despite the ransom paid, the criminals were unable to decrypt files encrypted by the Trojan.Encoder they created, and sent the affected user for help... to the technical support service of an antivirus company!

How does infection occur?

  • Through email attachments: using social engineering, attackers get the user to open the attached file.
  • Using Zbot infections disguised as PDF attachments.
  • Through exploit kits located on hacked websites that exploit vulnerabilities on the computer to install an infection.
  • Through Trojans that offer to download the player necessary to watch online videos. This usually happens on porn sites.
  • Via RDP, using password guessing and vulnerabilities in this protocol.
  • Using infected keygens, cracks and activation utilities.

In more than 90% of cases, users launch (activate) ransomware on their computers with their own hands.

When RDP password guessing is used, the attacker logs in under the compromised account, disables or removes the antivirus product and launches the encryption personally.

Until you stop being scared of letters with the headings “Debt”, “Criminal Proceedings”, etc., attackers will take advantage of your naivety.

Think about it... Learn yourself and teach others the simplest basics of safety!

  • Never open attachments from emails received from unknown recipients, no matter how scary the header may be. If the attachment arrived as an archive, take the trouble to simply view the contents of the archive. And if there is an executable file (extension .exe, .com, .bat, .cmd, .scr), then this is 99.(9)% a trap for you.
  • If you are still afraid of something, do not be lazy to find out the true email address of the organization from whose behalf the letter was sent to you. This is not so difficult to find out in our information age.
  • Even if the sender’s address turns out to be true, do not be lazy to check by phone whether such a letter has been sent. The sender's address can be easily faked using anonymous smtp servers.
  • If the sender says Sberbank or Russian Post, then this does not mean anything. Normal letters should ideally be signed with an electronic signature. Please carefully check the files attached to such emails before opening them.
  • Regularly make backup copies of information on separate media.
  • Forget about using simple passwords that are easy to guess and that let an attacker into the organization's local network under your account. For RDP access, use certificates, VPN access, or two-factor authentication.
  • Never work with Administrator rights. Pay attention to UAC messages even when they show a signed application (blue prompt): do not click "Yes" if you have not started an installation or update yourself.
  • Regularly install security updates not only for the operating system, but also for application programs.
  • Set a password for the antivirus program settings, different from the account password, and enable the self-defense option.

What to do in case of infection?

Let us quote the recommendations of Dr.Web and Kaspersky Lab:

  • Immediately turn off your computer to stop the Trojan; the Reset button on your computer can save a significant part of the data.
  • Site comment: Although this recommendation is given by well-known laboratories, in some cases following it will complicate decryption, since the key may be stored in RAM, and after rebooting the system it will be impossible to recover it. To stop further encryption, you can instead freeze the ransomware process using Process Explorer (see the further recommendations).

Footnote:

No encoder is capable of encrypting all the data instantly, so until the encryption is completed, some part of it remains untouched. And the more time has passed since the start of encryption, the less untouched data remains. Since our task is to save as many of them as possible, we need to stop the operation of the encoder. You can, in principle, start analyzing the list of processes, look for where the Trojan is in them, try to terminate it... But, believe me, unplugging the power cord is much faster! Shutting down Windows normally is not a bad alternative, but it may take some time, or the Trojan may interfere with it through its actions. So my choice is to pull the cord. Undoubtedly, this step has its drawbacks: the possibility of damaging the file system and the impossibility of further taking a RAM dump. For an unprepared person, a damaged file system is a more serious problem than an encoder. At least the files remain after the encoder, but damage to the partition table will make it impossible to boot the OS. On the other hand, a competent data recovery specialist will repair the same partition table without any problems, but the encoder may simply not have time to reach many files.

To initiate criminal proceedings against attackers, law enforcement agencies need a procedural reason - your statement about the crime. Sample application

Be prepared for your computer to be seized for some time for examination.

If they refuse to accept your application, receive a written refusal and file a complaint with a higher police authority (the police chief of your city or region).

  • Do not under any circumstances try to reinstall the operating system;
  • do not delete any files or email messages on your computer;
  • do not run any “cleaners” of temporary files and registry;
  • You should not scan and treat your computer with antiviruses and antivirus utilities, and especially with antivirus LiveCDs; as a last resort, you can move infected files to antivirus quarantine;

Footnote:

For decryption, an inconspicuous 40-byte file in a temporary directory or an incomprehensible shortcut on the desktop may be of the greatest importance. You probably don't know whether they will matter for decryption or not, so it's better not to touch anything. Cleaning the registry is generally a dubious procedure, and some encoders leave traces of their operation there that are important for decryption. Antiviruses, of course, can find the body of an encoder Trojan. They can even delete it once and for all, but then what will be left for analysis? How will we understand how and with what the files were encrypted? Therefore, it is better to leave the animal on the disk. Another important point: I do not know of any system cleaning product that takes into account the possibility of an encoder operating and retains all traces of its operation. And, most likely, such tools will not appear. Reinstalling the system will definitely destroy all traces of the Trojan, except for the encrypted files.

  • do not try to recover encrypted files on your own;

Footnote:

If you have a couple of years of writing programs under your belt, you really understand what RC4, AES, RSA are and what the differences are between them, you know what Hiew is and what 0xDEADC0DE means, you can give it a try. I don't recommend it to others. Let's say you found some miracle method for decrypting files and you even managed to decrypt one file. This is not a guarantee that the technique will work on all your files. Moreover, this is not a guarantee that using this method you will not damage the files even more. Even in our work there are unpleasant moments when serious errors are discovered in the decryption code, but in thousands of cases up to this point the code has worked as it should.

Now that it is clear what to do and what not to do, you can start decrypting. In theory, decryption is almost always possible, provided you know all the data necessary for it or have an unlimited amount of money, time and processor cores. In practice, some things can be decrypted almost immediately. Others will wait a couple of months or even years for their turn. In some cases it is not even worth trying: no one will rent a supercomputer for 5 years for free. It is also unfortunate that a seemingly simple case can turn out to be extremely complex when examined in detail. It is up to you to decide whom to contact.

  • contact the anti-virus laboratory of a company that has a department of virus analysts dealing with this problem;
  • attach a file encrypted by the Trojan to the ticket (and, if possible, an unencrypted copy of it);
  • wait for the virus analyst's response. Due to the high volume of requests, this may take some time.
How to recover files?

Addresses with forms for sending encrypted files:

  • Dr.Web (applications for free decryption are accepted only from users of the comprehensive Dr.Web antivirus)
  • Kaspersky Lab (requests for free decryption are accepted only from users of Kaspersky Lab commercial products)
  • ESET, LLC (applications for free decryption are accepted only from users of ESET commercial products)
  • The No More Ransom Project (selection of decryptors)
  • Encryptors - extortionists (selection of decryptors)
  • ID Ransomware (selection of decryptors)

We absolutely do not recommend restoring files yourself: if you do it ineptly, you can lose all the information without restoring anything!!! In addition, recovery of files encrypted by certain types of Trojans is simply impossible because of the strength of the encryption mechanism.

Deleted file recovery utilities:
Some types of encryption Trojans create a copy of the file, encrypt the copy, and delete the original file. In this case, you can use one of the file recovery utilities (it is advisable to use portable versions of the programs, downloaded and written to a flash drive on another computer):

  • R.saver
  • Recuva
  • JPEG Ripper - a utility for recovering damaged images
  • JPGscan (description)
  • PhotoRec - a utility for restoring damaged images (description)
Method for solving problems with some versions of Lockdir

Folders encrypted with some versions of Lockdir can be opened using the 7-Zip archiver.

After successful data recovery, you need to check the system for malware; to do this, you should run and create a topic describing the problem in the section

Recovering encrypted files using the operating system.

To restore files using the operating system, system protection must have been enabled before the ransomware Trojan got onto your computer. Most ransomware Trojans try to delete all shadow copies on the computer, but sometimes this fails (if you do not have administrative privileges and Windows updates are installed), and you will be able to use the shadow copies to recover damaged files.

It should be remembered that the command to delete shadow copies:

Code:

Vssadmin delete shadows

works only with administrator rights, so after enabling protection, you must work only as a user with limited rights and carefully pay attention to all UAC warnings about an attempt to escalate rights.
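The privilege requirement described above also makes shadow-copy deletion a useful detection point. The following is an added example, not part of the original guide: it flags `vssadmin ... delete shadows` in process-creation records and grades the finding by whether the process ran elevated and what started it. The records are constructed in a simplified key=value form modelled on Windows event 4688 / Sysmon fields; the field names are assumptions to be mapped onto your own log source.

```python
import re
from typing import Dict, List, Optional

# Added example (not from the original guide): flag attempts to wipe shadow
# copies in process-creation records. Field names (time, user, elevated,
# parent, cmdline) are assumptions modelled on event 4688 / Sysmon data.

# Matches vssadmin(.exe) with the "delete shadows" verb, case-insensitively,
# regardless of the path it was started from.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)

# Parents from which an administrator plausibly types the command by hand.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe"}

SAMPLE_EVENTS = [  # constructed sample records
    'time=2017-05-12T10:01:03 user=PC\\alice elevated=yes '
    'parent="C:\\Windows\\System32\\cmd.exe" cmdline="vssadmin list shadows"',
    'time=2017-05-12T10:02:17 user=PC\\alice elevated=yes '
    'parent="C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.exe" '
    'cmdline="C:\\Windows\\System32\\Vssadmin.exe Delete Shadows /All /Quiet"',
    'time=2017-05-12T10:05:40 user=PC\\bob elevated=no '
    'parent="C:\\Users\\bob\\Downloads\\invoice.exe" '
    'cmdline="vssadmin delete shadows /all /quiet"',
]

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (quoted values may contain spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def assess(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a shadow-copy deletion attempt, else None."""
    if not SHADOW_DELETE.search(event.get("cmdline", "")):
        return None
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if event.get("elevated", "").lower() != "yes":
        # vssadmin needs administrator rights: this one fails, but the attempt
        # itself shows something on the host wants the backups gone.
        verdict = "attempt without admin rights (command fails, still investigate)"
    elif parent in INTERACTIVE_SHELLS:
        verdict = "elevated, interactive shell (confirm with the administrator)"
    else:
        verdict = "elevated, non-interactive parent (likely ransomware)"
    return {"time": event.get("time", ""), "user": event.get("user", ""),
            "parent": parent, "verdict": verdict}


def detect_shadow_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Run the assessment over a batch of records, keeping only findings."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f)
```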


Spoiler: How to enable system protection?


How to restore previous versions of files after they are damaged?


Note:

Restoring from the properties of a file or folder using the “Previous Versions” tab is available only in editions of Windows 7 no lower than “Professional”. For Home editions of Windows 7 and all editions of newer Windows operating systems there is a workaround (under the spoiler).

Spoiler


The second way is to use the ShadowExplorer utility (both an installer and a portable version of the utility are available for download).

  • Run the program.
  • Select the drive and date for which you want to recover files.
  • Select the file or folder to recover and right-click on it.
  • Select the Export menu item and specify the path to the folder where you want to restore the files from the shadow copy.



Ways to protect yourself from ransomware Trojans

Unfortunately, methods of protecting against ransomware Trojans are quite complicated for ordinary users, since they require security policy or HIPS settings that allow only certain applications to access files, and even then do not give 100% protection when a Trojan is injected into the address space of a trusted application. Therefore, the only readily available method of protection is to back up user files to removable media. Moreover, if such media is an external hard drive or flash drive, it should be connected to the computer only for the duration of the backup and disconnected the rest of the time. For greater security, backups can be performed after booting from a LiveCD. Backups can also be made to the so-called "cloud storage" provided by some companies.

Setting up anti-virus programs to reduce the likelihood of infection by ransomware Trojans.

Applies to all products:

It is necessary to enable the self-defense module and set a complex password for the antivirus settings!!!

Today, perhaps, only people very far from the Internet are unaware of the mass infections of computers with the WannaCry (“I want to cry”) encryption Trojan that began on May 12, 2017. And I would divide the reaction of those who know into 2 opposite categories: indifference and panic. What does this mean?

The fact is that fragmentary information does not give a complete picture of the situation, gives rise to speculation and leaves more questions than answers. Today's article is devoted to understanding what is really happening, who and what is at risk, how to protect yourself from infection and how to decrypt files damaged by WannaCry.

Is the devil really that scary?

I don't understand what all the fuss about WannaCry is. There are many viruses, new ones appear constantly. What's special about this one?

WannaCry (other names: WanaCrypt0r, Wana Decrypt0r 2.0, WannaCrypt, WNCRY, WCry) is not an ordinary piece of malware. The reason for its notoriety is the gigantic amount of damage it caused. According to Europol, it disrupted the operation of more than 200,000 computers running Windows in 150 countries, and the damage suffered by their owners amounted to more than $1,000,000,000. And this is only in the first 4 days of distribution. Most of the victims are in Russia and Ukraine.

I know that viruses enter PCs through adult websites. I don’t visit such resources, so I’m not in danger.

Virus? I have a problem too. When viruses appear on my computer, I run the *** utility and after half an hour everything is fine. And if it doesn’t help, I reinstall Windows.

Not all viruses are alike. WannaCry is ransomware and a network worm that can spread through local networks and the Internet from one computer to another without human intervention.

Most malware, including ransomware, starts working only after the user “swallows the bait,” that is, clicks on a link, opens a file, etc. To get infected with WannaCry, you don't need to do anything at all!

Once on a Windows computer, the malware encrypts the bulk of the user's files in a short time, after which it displays a message demanding a ransom of $300-600, which must be transferred to the specified wallet within 3 days. If the deadline is missed, it threatens to make decryption of the files impossible after 7 days.


At the same time, the malware looks for loopholes to penetrate other computers, and if it finds any, it infects the entire local network. This means that backup copies of files stored on neighboring machines also become unusable.

Removing the virus from the computer does not decrypt the files! Nor does reinstalling the operating system. On the contrary, in a ransomware infection both of these actions may deprive you of the ability to recover files even if you have a valid key.

So yes, the devil is quite scary.

How WannaCry spreads

You're lying. A virus can only get onto my computer if I download it myself. And I'm vigilant.

Much malware is able to infect computers (and mobile devices, by the way, too) through vulnerabilities: errors in the code of operating system components and programs that give cyber attackers the opportunity to use a remote machine for their own purposes. WannaCry, in particular, spreads through a 0-day vulnerability in the SMB protocol (zero-day vulnerabilities are errors that were not fixed at the time they were exploited by malware/spyware).

That is, to infect a computer with a ransomware worm, two conditions are sufficient:

  • Connection to a network where there are other infected machines (the Internet).
  • The presence of the above-described loophole in the system.

Where did this infection even come from? Is this the work of Russian hackers?

According to some reports (I am not responsible for their authenticity), the US National Security Agency was the first to discover a flaw in the SMB network protocol, which is used for legitimate remote access to files and printers in Windows. Instead of reporting it to Microsoft so that they could fix the error, the NSA decided to use it themselves and developed an exploit for it (a program that takes advantage of the vulnerability).


Visualization of the dynamics of WannaCry distribution on the website intel.malwaretech.com

Subsequently, this exploit (codenamed EternalBlue), which for some time served the NSA to penetrate computers without the knowledge of the owners, was stolen by hackers and formed the basis for the creation of the WannaCry ransomware. That is, thanks to the not entirely legal and ethical actions of the US government agency, virus writers learned about the vulnerability.

I disabled the installation of Windows updates. Why are they needed when everything works without them?

The reason for such a rapid and widespread spread of the epidemic was the absence at that time of a “patch” - a Windows update that could close the Wanna Cry loophole. After all, it took time to develop it.

Today such a patch exists. Users who update the system automatically received it within the first hours of release. And those who believe that updates are not needed are still at risk of infection.

Who is at risk from the WannaCry attack and how to protect against it

As far as I know, more than 90% of the computers infected with WannaCry were running Windows 7. I have “ten” (Windows 10), which means I'm not in danger.

All operating systems that use the SMB v1 network protocol are susceptible to WannaCry infection. These are:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 v 1511
  • Windows 10 v1607
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016

Today, the risk is faced by users of systems that do not have the critical security update MS17-010 installed (available for free download from technet.microsoft.com). Patches for Windows XP, Windows Server 2003, Windows 8 and other unsupported operating systems can be downloaded from the support.microsoft.com page. It also describes ways to check whether the life-saving update is present.

If you don't know the OS version on your computer, press the Win+R key combination and run the winver command.


To enhance security, or if it is not possible to update the system right now, Microsoft provides instructions for temporarily disabling SMB protocol version 1. They are located and. Additionally, though not necessarily, you can close TCP port 445, which SMB uses, on the firewall.

I have the best antivirus in the world ***, with it I can do anything and I’m not afraid of anything.

The spread of WannaCry can occur not only by the self-propelled method described above, but also in the usual ways - through social networks, email, infected and phishing web resources, etc. And there are such cases. If you download and run a malicious program manually, neither an antivirus nor patches that close vulnerabilities will save you from infection.

How the virus works, what it encrypts

Yes, let him encrypt what he wants. I have a friend who is a programmer, he will decipher everything for me. As a last resort, we will find the key using brute force.

Well, it encrypts a couple of files, so what? This will not prevent me from working on the computer.

Unfortunately, he will not decrypt anything: there is no way to break the RSA-2048 encryption that WannaCry uses, and none will appear in the foreseeable future. And it will encrypt not just a couple of files, but almost everything.

I won't give a detailed description of how the malware works; anyone interested can read its analysis, for example, on the blog of Microsoft expert Matt Suiche. I will note only the most significant points.

Files with the following extensions are encrypted: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der.

As you can see, there are documents, photos, video and audio, archives, mail, and files created in various programs... The malware tries to reach every directory in the system.

Encrypted files receive a double extension with the suffix .WNCRY, for example “Document1.doc.WNCRY”.


After encryption, the virus copies into each folder an executable file @[email protected], supposedly for decryption after the ransom is paid, as well as a text document @[email protected] with a message for the user.

Next, it tries to destroy shadow copies and Windows restore points. If UAC is running on the system, the user must confirm this operation. If you reject the request, there is still a chance to restore data from copies.

WannaCry transmits the encryption keys of the affected system to command centers located on the Tor network, after which it deletes them from the computer. To search for other vulnerable machines, it scans the local network and arbitrary IP ranges on the Internet, and once found, penetrates everything it can reach.

Today, analysts know of several modifications of WannaCry with different distribution mechanisms, and new ones should be expected to appear in the near future.

What to do if WannaCry has already infected your computer

I see files changing extensions. What's happening? How to stop this?

Encryption is not a one-time process, although it does not take too long. If you managed to notice it before the ransomware message appears on your screen, you can save some of the files by immediately turning off the computer’s power. Not by shutting down the system, but by unplugging the plug from the socket!

When Windows boots in normal mode, encryption will continue, so it is important to prevent it. The next start of the computer must occur either in safe mode, in which viruses are not active, or from another bootable media.

My files are encrypted! The virus demands a ransom for them! What to do, how to decrypt?

Decrypting files after WannaCry is only possible if you have a secret key, which the attackers promise to provide as soon as the victim transfers the ransom amount to them. However, such promises are almost never fulfilled: why should malware distributors bother if they already got what they wanted?

In some cases, the problem can be solved without a ransom. To date, 2 WannaCry decryptors have been developed: WannaKey (by Adrien Guinet) and WanaKiwi (by Benjamin Delpy). The first one works only in Windows XP, and the second one, created on the basis of the first, works in Windows XP, Vista and 7 x86, as well as in the server systems 2003, 2008 and 2008R2 x86.

The operating algorithm of both decryptors is based on searching for the secret keys in the memory of the encryptor process. This means that only those who have not yet restarted the computer have a chance of decryption, and only if not too much time has passed since encryption (the memory has not been overwritten by another process).
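The following added example (not code from the article, WannaKey or WanaKiwi) models the recovery idea in miniature: WannaKey and WanaKiwi look for the prime factors of the RSA key that the encryptor left in process memory, and with one prime plus the public modulus the private key can be rebuilt and the RSA-wrapped per-file key unwrapped. Everything here is constructed: small Mersenne primes stand in for the real 1024-bit factors, the "memory dump" is synthetic, and the little-endian layout is an assumption; real tools parse CryptoAPI key structures, which this example does not attempt.

```python
from typing import Optional

# Added example (not from the article or from WannaKey/WanaKiwi). Models
# the recovery idea: if one RSA prime survives in the encryptor's process
# memory, the private key can be rebuilt from it and the public modulus,
# and the RSA-wrapped per-file key can then be unwrapped. All values are
# constructed; Mersenne primes (certainly prime) replace 1024-bit factors.

P = 2**127 - 1
Q = 2**107 - 1
E = 65537                    # common RSA public exponent
N = P * Q                    # public modulus, available from the public key
PRIME_BYTES = 16             # width of a stored prime at this toy key size

# Constructed dump: junk, then P, then junk, then Q, then junk, all
# little-endian (assumed, as Windows stores multi-precision integers).
_JUNK = bytes(range(1, 200))
MEMORY_DUMP = (_JUNK + P.to_bytes(PRIME_BYTES, "little") + _JUNK[::-1]
               + Q.to_bytes(PRIME_BYTES, "little") + _JUNK)

# A constructed 128-bit per-file symmetric key, the thing the malware wraps with RSA.
FILE_KEY = int.from_bytes(b"constructed-key!", "big")


def wrap_file_key(file_key: int, n: int = N, e: int = E) -> int:
    """Textbook RSA encryption (no padding) of the per-file key."""
    return pow(file_key, e, n)


def find_factor_in_memory(dump: bytes, n: int, width: int) -> Optional[int]:
    """Slide a window over the dump; return the first non-trivial divisor of n.

    A random window essentially never divides n, so a hit is a recovered
    prime. Returns None when no prime survives (e.g. after a reboot).
    """
    for offset in range(len(dump) - width + 1):
        candidate = int.from_bytes(dump[offset:offset + width], "little")
        if 1 < candidate < n and n % candidate == 0:
            return candidate
    return None


def private_exponent(n: int, p: int, e: int = E) -> int:
    """Rebuild d from the public modulus and one recovered prime factor."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)       # modular inverse, Python 3.8+


def recover_file_key(dump: bytes, wrapped_key: int, n: int = N) -> Optional[int]:
    """Scan memory, rebuild the private key, unwrap the file key."""
    prime = find_factor_in_memory(dump, n, PRIME_BYTES)
    if prime is None:
        return None              # memory overwritten: nothing to recover
    d = private_exponent(n, prime)
    return pow(wrapped_key, d, n)


if __name__ == "__main__":
    wrapped = wrap_file_key(FILE_KEY)
    print("recovered key matches:", recover_file_key(MEMORY_DUMP, wrapped) == FILE_KEY)
    print("after memory overwrite:", recover_file_key(bytes(4096), wrapped))
```

The second call shows the failure mode the text describes: once the process memory has been reused, the scan finds nothing and recovery returns None.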

So, if you are a Windows XP-7 x86 user, the first thing you should do after the ransom message appears is to disconnect your computer from the local network and the Internet and run the WanaKiwi decryptor, downloaded on another device. Until the key has been extracted, do not perform any other actions on the computer!

You can read a description of how the WanaKiwi decryptor works in another blog post by Matt Suiche.

After decrypting the files, run an antivirus to remove the malware and install a patch that closes its distribution paths.

Today, WannaCry is recognized by almost all antivirus programs, with the exception of those that are not updated, so almost any will do.


How to live with this from now on

This self-propagating epidemic took the world by surprise. For security services of all kinds, it turned out to be as unexpected as the onset of winter on December 1 is for utility workers. The reason is carelessness and chance. The consequences are irreparable loss of data and financial losses. And for the creators of the malware, this is an incentive to continue in the same spirit.

According to analysts, WanaCry brought very good dividends to its distributors, which means that attacks like this will be repeated. And those who escaped this time will not necessarily escape next time, unless, of course, they take care of it in advance.

So, so that you don't ever have to cry over encrypted files:

  • Do not refuse to install operating system and application updates. This will protect you from 99% of threats that spread through unpatched vulnerabilities.
  • Keep it on.
  • Create backup copies of important files and store them on another physical medium, or better yet, on several. In corporate networks, it is optimal to use distributed data storage; home users can use free cloud services like Yandex Disk, Google Drive, OneDrive, MEGAsync, etc. Do not keep these applications running when you are not using them.
  • Choose reliable operating systems. Windows XP is not one of them.
  • Install a comprehensive antivirus of the Internet Security class and additional protection against ransomware, for example, Kaspersky Endpoint Security. Or analogs from other developers.
  • Increase your level of literacy in countering ransomware Trojans. For example, the antivirus vendor Dr.Web has prepared training courses for users and administrators of various systems. A lot of useful and, importantly, reliable information is contained in the blogs of other A/V developers.

And most importantly: even if you have suffered, do not transfer money to the attackers for decryption. The probability that you will be deceived is 99%. Moreover, if no one pays, the extortion business will become meaningless. Otherwise, the spread of such an infection will only grow.