The ransomware encrypted the files. Methods of protection against ransomware. File-encrypting malware: definition and how it operates

I continue the notorious section of my website with another story in which I myself was the victim. I will talk about the Crusis (Dharma) ransomware, which encrypted all the files on a network drive and gave them the extension .combo. It worked not only on local files, as is most often the case, but on network shares as well.

Guaranteed file decryption after a ransomware attack: dr-shifro.ru. Details of the work and the way they deal with the customer are given below in my article or on their website in the "Work Procedure" section.

Introduction

The story is told in the first person, since the data and infrastructure I managed were hit by the ransomware. Sad as it is to admit, I am partly to blame for what happened, although I have known about ransomware for a very long time. In my defence, no data was lost; everything was quickly restored and investigated without delay. But first things first.

The uneventful morning began at 9:15 with a call from the system administrator of one remote site: there was ransomware on the network, and the data on the network drives had already been encrypted. A chill ran down my spine :) He started looking for the source of infection on his end, and I on mine. Of course, I immediately went to the server, disconnected the network drives and began looking at the data access log. Access auditing is configured on the network drives, and it must always be enabled. From the log I immediately saw the source of the infection, the account the ransomware was running under, and the time encryption started.

Description of the Crusis (Dharma) ransomware virus

Then the investigation began. The encrypted files had received the extension .combo, and there were a lot of them. The ransomware started working late in the evening, at approximately 11 p.m. We were lucky: the backup of the affected disks had just finished by then. No data was lost at all, since it had been backed up at the end of the working day. I immediately started restoring from the backup, which lives on a separate server with no SMB access.

Overnight the malware managed to encrypt approximately 400 GB of data on the network drives. Simply deleting all the encrypted files with the .combo extension took a long time. At first I wanted to delete them all at once, but when merely counting those files took 15 minutes, I realised it was pointless at that moment. Instead, I started restoring the latest data, and cleaned the encrypted files off the disks afterwards.

I'll tell you the simple truth right away: having current, reliable backups makes any such problem solvable. I can't even imagine what to do if they don't exist or are stale. I always pay special attention to backups. I look after them, I cherish them, and I don't give anyone access to them.

After I had started the recovery of the encrypted files, I had time to calmly assess the situation and take a closer look at the Crusis (Dharma) ransomware. Surprises awaited me here. The source of infection was a Windows 7 virtual machine with an RDP port left exposed through a backup channel. The port was not the standard one: 33333. I think using such a port was the main mistake; although it is non-standard, it is very popular. Of course it is better not to forward RDP at all, but in this case it was genuinely necessary. By the way, that virtual machine has since been replaced with a CentOS 7 VM that runs an xfce desktop and a browser in a Docker container, and this VM has no access anywhere except where it is needed.

What's frightening about this whole story? The virtual machine was patched. The ransomware started working at the end of August. It is impossible to determine exactly when the machine was compromised, because the malware wiped a lot of things on the VM itself. Updates had been installed on this system in May, so there should not have been any old, open holes on it. Patch level does not help, though, when the attacker simply logs in with a valid password, which is what turned out to have happened here. Now I don't even know how to leave an RDP port reachable from the Internet. There are too many cases where it is genuinely needed, for example a terminal server on rented hardware; you won't rent a VPN gateway for every server either.

Now let's get to the point and the ransomware itself. I disabled the virtual machine's network interface and then started it. I was greeted by the standard message I had already seen many times from other ransomware.

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 501BED27 In case of no answer in 24 hours write us to these e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click "Buy bitcoins", and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

There were 2 text files on the desktop named FILES ENCRYPTED.TXT with the following content:

All your data has been locked us Do you want to return? write email [email protected]

Interestingly, the permissions on the Desktop directory had been changed: the user no longer had write access. Apparently the malware did this so that the user could not accidentally delete the text files with the ransom note from the desktop. There was a directory named troy on the desktop, which contained the malware itself, the file l20VHC_playload.exe.

How the Crusis (Dharma) ransomware encrypts files

After calmly figuring everything out and reading similar reports about this ransomware online, I learned that I had caught a version of the well-known Crusis (Dharma) ransomware. Kaspersky detects it as Trojan-Ransom.Win32.Crusis.to. It appends various extensions to files, including .combo. My list of files looked something like this:

  • Vanino.docx.id-24EE2FBC..combo
  • Petropavlovsk-Kamchatsky.docx.id-24EE2FBC..combo
  • Khorol.docx.id-24EE2FBC..combo
  • Yakutsk.docx.id-24EE2FBC..combo
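
The naming pattern above, together with the share access log mentioned at the start of the investigation, is enough to automate the first triage step. The following Python script is an added example and not code from the original article: it parses the Dharma-style names to recover the original file name and victim id, then walks a constructed share-access log (the CSV columns, account names, IP addresses and timestamps are assumptions) to report which account wrote the encrypted files, from which address, and when the first one appeared. It also handles names that still carry the e-mail segment, which the listing above shows stripped.

```python
"""Triage an exported file-share access log for Dharma/Crusis activity.

Added example: this is not code from the original article. It assumes the
share access log has been exported as CSV with the columns
time,user,source_ip,action,path (constructed below); map your own audit
source, e.g. Windows Security events 5145/4663, onto those fields first.
"""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Naming seen in the article: <original name>.id-<8 hex digits>.[<email>].<ext>
# The e-mail segment is optional because the article's listing shows it
# stripped, leaving a double dot ("..combo").
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\."
    r"(?:\[(?P<email>[^\]]*)\])?\.?(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(filename):
    """Return the original name, victim id, e-mail and extension, or None."""
    match = DHARMA_NAME.match(filename)
    return match.groupdict() if match else None


# Constructed sample log (not a real capture). One normal write by an
# employee during the day, then a burst of .combo writes late at night,
# and a colleague merely reading an encrypted file the next morning.
SAMPLE_LOG = r"""time,user,source_ip,action,path
2018-08-28 18:40:12,CORP\ivanov,10.0.5.21,WriteData,\\fs01\docs\Vanino.docx
2018-08-28 23:02:51,CORP\petrov,10.0.9.77,WriteData,\\fs01\docs\Vanino.docx.id-24EE2FBC..combo
2018-08-28 23:02:53,CORP\petrov,10.0.9.77,Delete,\\fs01\docs\Vanino.docx
2018-08-28 23:02:55,CORP\petrov,10.0.9.77,WriteData,\\fs01\docs\Khorol.docx.id-24EE2FBC..combo
2018-08-28 23:03:10,CORP\petrov,10.0.9.77,WriteData,\\fs01\docs\Yakutsk.docx.id-24EE2FBC..combo
2018-08-29 08:15:00,CORP\sidorov,10.0.5.30,ReadData,\\fs01\docs\Yakutsk.docx.id-24EE2FBC..combo
"""


def triage(log_text, suspect_exts=("combo",)):
    """Find who wrote the encrypted files, from where, and when it started."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "WriteData":
            continue  # reads and deletes of already-encrypted files are noise
        parsed = parse_encrypted_name(row["path"].rsplit("\\", 1)[-1])
        if parsed and parsed["ext"].lower() in suspect_exts:
            when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((when, row["user"], row["source_ip"], parsed))
    if not hits:
        return None
    hits.sort(key=lambda h: h[0])
    by_account = Counter(h[1] for h in hits)
    by_ip = Counter(h[2] for h in hits)
    return {
        "first_seen": hits[0][0],
        "account": by_account.most_common(1)[0][0],
        "source_ip": by_ip.most_common(1)[0][0],
        "encrypted_files": len(hits),
        "victim_ids": sorted({h[3]["victim_id"] for h in hits}),
        "originals": [h[3]["original"] for h in hits],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("encryption started:", result["first_seen"])
    print("account:", result["account"], "from", result["source_ip"])
    print("encrypted files:", result["encrypted_files"],
          "victim id(s):", result["victim_ids"])
```

The important filter is that only write events count: the colleague who opens a .combo file the next morning shows up in the same log as a read and must not be blamed. Map real Windows audit data (event 5145 for share objects or 4663 for NTFS objects) onto the five columns before running it against an incident.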

I'll tell you some more details about how the ransomware operated. I didn't mention an important thing: this computer was in a domain, and the files were encrypted under a domain user account!!! This raises the question: where did the malware get it? I saw no evidence in the domain controller logs of the user's password being guessed; there were no large numbers of failed logons. Either some vulnerability was exploited, or I don't know what to think. The account used had never logged into this system before. There was an RDP logon with that domain account, and then the encryption. There were no traces of brute-force attacks on usernames and passwords on the system itself either. Almost immediately there was an RDP logon with the domain account. The attacker would have had to guess, at a minimum, not only the password but also the username.

Unfortunately, the account had the password 123456. It was the only account with such a password that the local admins had missed. Human factor. It belonged to a manager, and for some reason a whole string of system administrators knew this password but never changed it. Obviously this is why that particular account was used. Nevertheless, the mechanism by which even such a simple username and password were obtained remains unclear.
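
The distinction drawn above, a successful logon that is not preceded by a flood of failures, can be checked mechanically. The Python script below is an added example and not part of the article: over constructed Security-log-like records (event ids 4624/4625 and logon type 10 are the real Windows values; the account names, addresses and times are assumptions) it counts, for each successful RDP logon, the failed attempts from the same source in the preceding hour and notes whether the account had ever logged on to that host before.

```python
"""Distinguish password guessing from use of an already-known password in
RDP logon events.

Added example, not from the original article. It assumes the Security log
has already been reduced to records with the fields time, event_id (4624 =
successful logon, 4625 = failed logon), account, logon_type (10 = RDP) and
source_ip; the records below are constructed, and the account names and IP
addresses are placeholders.
"""
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed records: console use during the day, a handful of failed
    RDP attempts followed by a success under an account that never logged on
    here before, and a textbook brute-force run against another account."""
    t0 = datetime(2018, 8, 28, 22, 0)
    events = [
        {"time": t0 - timedelta(hours=12), "event_id": 4624,
         "account": r"CORP\ivanov", "logon_type": 2, "source_ip": "-"},
    ]
    for i in range(3):
        events.append({"time": t0 + timedelta(minutes=i), "event_id": 4625,
                       "account": r"CORP\director", "logon_type": 10,
                       "source_ip": "203.0.113.45"})
    events.append({"time": t0 + timedelta(minutes=5), "event_id": 4624,
                   "account": r"CORP\director", "logon_type": 10,
                   "source_ip": "203.0.113.45"})
    for i in range(40):
        events.append({"time": t0 + timedelta(minutes=30, seconds=30 * i),
                       "event_id": 4625, "account": r"CORP\admin",
                       "logon_type": 10, "source_ip": "198.51.100.9"})
    events.append({"time": t0 + timedelta(minutes=55), "event_id": 4624,
                   "account": r"CORP\admin", "logon_type": 10,
                   "source_ip": "198.51.100.9"})
    return events


def classify_rdp_logons(events, window=timedelta(hours=1), threshold=10):
    """For every successful RDP logon, count the failures from the same
    source in the preceding window and note whether the account had ever
    logged on to this host before."""
    events = sorted(events, key=lambda e: e["time"])
    seen_accounts = set()
    findings = []
    for idx, ev in enumerate(events):
        if ev["event_id"] == 4624 and ev["logon_type"] == 10:
            failures = sum(
                1 for prior in events[:idx]
                if prior["event_id"] == 4625
                and prior["source_ip"] == ev["source_ip"]
                and ev["time"] - prior["time"] <= window
            )
            findings.append({
                "time": ev["time"],
                "account": ev["account"],
                "source_ip": ev["source_ip"],
                "prior_failures": failures,
                "first_logon_for_account": ev["account"] not in seen_accounts,
                "verdict": "password guessing" if failures >= threshold
                           else "password already known",
            })
        if ev["event_id"] == 4624:
            seen_accounts.add(ev["account"])
    return findings


if __name__ == "__main__":
    for f in classify_rdp_logons(build_sample_events()):
        print(f["time"], f["account"], "from", f["source_ip"],
              "| failures before:", f["prior_failures"],
              "| first logon here:", f["first_logon_for_account"],
              "|", f["verdict"])
```

A high failure count points to password guessing; a success with few failures under an account that has never used the host, coming from an outside address, is the pattern of this incident, where the password was already known. Legitimate administrators produce the same low-failure signal, so the account history and the source address decide, not the count alone.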

I shut down and deleted the infected virtual machine, having first taken a disk image. I extracted the malware itself from that image so I could watch how it works. The rest of the story is based on running the malware in a virtual machine.

One more small detail. The malware scanned the entire local network and at the same time encrypted data on those computers that had shared folders open to everyone. This was the first time I had seen a ransomware variant behave this way. It is a truly frightening thing: such malware can simply paralyse the work of an entire organisation. Suppose that, for some reason, the backups themselves were reachable over the network, or a weak account password was in use. Then everything may end up encrypted, both the data and the backup copies. In general, I'm now thinking about storing backups not just in an isolated network segment but on equipment that is powered off and switched on only to make a backup.

How to clean your computer and remove the Crusis (Dharma) ransomware

In my case the Crusis (Dharma) ransomware made no particular effort to hide, and removing it should not pose any problems. As I said, it sat in a folder on the desktop. In addition, it registered itself and the ransom note in autorun.

The body of the malware was duplicated in the Startup folder for all users and in windows/system32. I didn't look further because I see no point in it. After a ransomware infection I strongly recommend reinstalling the system. That is the only way to be sure the malware is gone. You can never be fully certain it has been removed, since it could have used some still-unpublished vulnerability to plant a backdoor on the system. Some time later a new piece of malware arrives through that backdoor and everything repeats itself.

So I recommend that, immediately after detecting ransomware, you do not clean the computer but reinstall the system, saving whatever data remains; perhaps the malware did not manage to encrypt everything. These recommendations apply to those who do not intend to try to recover the encrypted files. If you have current backups, simply reinstall the system and restore the data.

If you have no backups and are prepared to recover the files at any cost, try not to touch the computer at all. First, simply disconnect the network cable, copy a couple of encrypted files and the text file with the ransom note to a clean flash drive, then shut the computer down. Do not switch it on again. If you know nothing about computers, you won't be able to deal with the malware yourself, let alone decrypt or recover the files; contact someone who does. If you think you can handle it yourself, read on.

Where to download the Crusis (Dharma) decryptor

Next comes my universal advice for all ransomware. There is a website, https://www.nomoreransom.org, which could in theory hold a decryptor for Crusis or Dharma, or some other information on decrypting the files. In my practice this has never happened, but maybe you'll get lucky; it's worth a try. To do this, accept the terms on the home page by clicking YES.

Attach 2 encrypted files, paste the contents of the ransom note, and click Check.

If you're lucky, you'll get some information. In my case nothing was found.

All existing ransomware decryptors are collected on a separate page (https://www.nomoreransom.org/ru/decryption-tools.html), and the existence of this list suggests that there is still some point to this site and service. Kaspersky has a similar service (https://noransom.kaspersky.com/ru/); you can try your luck there.

I don't think it's worth looking for decryptors anywhere else via an Internet search. It is unlikely you'll find one. Most likely it will be either an ordinary scam with junk software in the best case, or a new piece of malware.

An important addition. If you have a licensed antivirus installed, be sure to open a request with the vendor's technical support for file decryption. Sometimes it really helps; I have seen reports of successful decryption by antivirus support.

How to decrypt and recover files after the Crusis (Dharma) virus

What do you do when the Crusis (Dharma) ransomware has encrypted your files, none of the methods described above helped, and you really need the files back? The way the encryption is implemented does not allow files to be decrypted without the key or a decryptor, which only the ransomware's author has. Maybe there is some other way to get it, but I have no such information. All we can do is try to recover files by improvised means. These include:

  • Windows shadow copies (Volume Shadow Copy).
  • Deleted-file recovery programs.

Before any further manipulation, I recommend making a sector-by-sector disk image. This records the current state, so that if nothing works you can at least return to the starting point and try something else. Next, remove the ransomware itself using any antivirus with an up-to-date database; CureIt or Kaspersky Virus Removal Tool will do, or any other antivirus in trial mode. That is enough to remove the malware.

After that, boot into the infected system and check whether shadow copies are enabled. System Protection is on by default for the system drive in Windows 7; on newer versions it may be off until you turn it on, and it can always be disabled manually. To check, open the computer properties and go to the System Protection section.

Deleting shadow copies requires administrator rights, so if you did not confirm the UAC prompt the malware raised during infection, some data should still be there. For convenient recovery of files from shadow copies I suggest the free program ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy will open, showing the root of drive C. In the top left corner you can select a shadow copy if you have several. Check the different copies for the files you need and compare by date to find the most recent version. In my example, I found 2 files on the desktop from three months earlier, when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, chose Export and specified the folder to restore them to.

You can restore whole folders the same way. If shadow copies were enabled and the malware did not delete them, you have a good chance of recovering all, or almost all, of the files it encrypted. Some of them may be an older version than you would like, but that is still better than nothing.

If for some reason you have no shadow copies, your only chance of getting at least something back is to recover the original files with deleted-file recovery tools. This can work only if the ransomware wrote the encrypted copy and deleted the original rather than overwriting it in place, and only for sectors that have not been reused since. For this I suggest the free program PhotoRec.

Launch the program and select the disk on which to search for files. The graphical version is started with the file qphotorec_win.exe. You must select a folder where the found files will be placed; it is better if this folder is not on the same drive you are searching, so connect a flash drive or external hard disk for this.

The search will take a long time. At the end you will see statistics. Now you can go to the folder you specified and see what was found. There will most likely be a lot of files, and most of them will either be damaged or be useless system files. Nevertheless, some useful files can be found in this list. There are no guarantees here: what you find is what you get. Images are usually recovered best.

If the result does not satisfy you, there are other programs for recovering deleted files. Below is a list of programs I usually use when I need to recover as many files as possible:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want them, you can find them yourself on the Internet.

The entire file recovery process with the listed programs is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Crusis (Dharma) ransomware

As usual, I went through the forums of the popular antivirus vendors looking for information about the ransomware that appends the .combo extension. There is a clear trend in the spread of the malware: a lot of requests begin in mid-August. Now they seem to have stopped, but perhaps only temporarily, or the extension of the encrypted files has simply changed.

Here is an example of a typical request from the Kaspersky forum.

Below it there is also a comment from the moderator.

The ESET NOD32 forum has long been familiar with the malware that appends the .combo extension. As I understand it, the malware is neither unique nor new, but a variation of the long-known Crusis (Dharma) family. Here is a typical request to decrypt data:

I noticed many reports on the ESET forum that the malware got onto the server via RDP. It looks like this is a really serious threat, and you can't leave RDP unprotected. The only question is how the malware gets in via RDP: by guessing a password, by connecting with a username and password already known to the attacker, or by some other means.

Where to go for guaranteed decryption

I came across one company that actually decrypts data after various ransomware strains, including Crusis (Dharma). Their address is http://www.dr-shifro.ru. Payment is made only after decryption and your verification. Here is the approximate scheme of work:

  1. A company specialist comes to your office or home and signs an agreement with you that sets out the cost of the work.
  2. He runs the decryptor on your computer and decrypts some files.
  3. You make sure that all the files open, sign the acceptance certificate for the completed work, and receive the decryptor.
  4. You decrypt your files and complete the remaining paperwork.

You don't risk anything: payment only after the decryptor has been shown to work. Please write a review about your experience with this company.

Methods of protection against ransomware

I won't list the obvious things about running unknown programs from the Internet and opening mail attachments; everyone knows this by now. Besides, I have written about it many times in my articles in the relevant section of the site. I'll focus on backups. They must not only exist, but be unreachable from outside. If the backup target is a network drive, only a separate account with a strong password should have access to it.

If you back up personal files to a flash drive or external drive, do not keep them permanently connected to the system; once the backup is made, disconnect the device. The ideal backup, as I see it, lives on a separate device that is switched on only to make the backup and is then physically disconnected again, by unplugging the network cable or simply powering it off.

Backups must be incremental, with a history of versions. This is to avoid the situation where the ransomware encrypted all the data without you noticing and the next backup then replaced the old files with the new, already encrypted ones. You end up with an archive, but a useless one. You need a retention depth of at least several days. I think that in future there will be, if they have not already appeared, ransomware strains that quietly encrypt part of the data and then wait for some time without revealing themselves, in the expectation that the encrypted files will end up in the archives and, over time, replace the real ones there.

This will be a hard time for the corporate sector. I already gave an example above from the ESET forum where network drives with 20 TB of data were encrypted. Now imagine you have such a network drive, but only 500 GB of data is encrypted, in directories that are not accessed all the time. A couple of weeks pass and no one notices the encrypted files, because they sit in archive directories nobody works with regularly. But at the end of the reporting period the data is needed. They go there and see that everything is encrypted. They go to the backup, and its retention depth is, say, 7 days. That's it, the data is gone.

This requires a separate, careful approach to archives. You need software and resources for long-term data storage.
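
The scenario above, encrypted files quietly ageing into the backup set, can be caught before the retention window closes by scanning each backup for files that are already encrypted. The Python script below is an added example, not code from the article: it flags files by the extensions seen in this page's two incidents (.combo and .AES256) and, for formats that should compress, by a Shannon entropy close to that of random data. The extension list, the compressed-format list and the 7.9 bits/byte threshold are assumptions to be tuned for your own environment, and the backup set it scans is constructed in a temporary directory.

```python
"""Check a backup tree for files that are already encrypted by ransomware.

Added example, not from the original article. Two signals are used: a
file extension the page associates with ransomware (.combo, .AES256) and,
for formats that should be compressible, a Shannon entropy close to the
8 bits/byte of random data. The extension list and threshold are
assumptions to be tuned; the sample tree is constructed in a temporary
directory.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXTS = {"combo", "aes256"}          # from the article's two incidents
# Formats that are compressed anyway and therefore look random when healthy.
COMPRESSED_EXTS = {"zip", "rar", "7z", "gz", "jpg", "jpeg", "png", "mp3",
                   "mp4", "pdf", "docx", "xlsx", "pptx"}


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(data).values())


def scan_backup(root, sample_bytes=65536, min_size=1024, threshold=7.9):
    """Return (relative path, reason) for every suspicious file under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reason = None
            if ext in RANSOM_EXTS:
                reason = "ransomware extension ." + ext
            elif ext not in COMPRESSED_EXTS and os.path.getsize(path) >= min_size:
                # Only the first sample_bytes are read: enough to judge, cheap on large sets.
                with open(path, "rb") as fh:
                    entropy = shannon_entropy(fh.read(sample_bytes))
                if entropy > threshold:
                    reason = "entropy %.2f bits/byte in a compressible format" % entropy
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Build a constructed backup set and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("Quarterly report, see the attached sheets.\n" * 200)
        with open(os.path.join(root, "photo.jpg"), "wb") as fh:
            fh.write(os.urandom(8192))          # random but expected: JPEG
        with open(os.path.join(root, "report.doc"), "wb") as fh:
            fh.write(os.urandom(8192))          # silently encrypted, name kept
        with open(os.path.join(root, "budget.xlsx.id-24EE2FBC..combo"), "wb") as fh:
            fh.write(os.urandom(8192))          # renamed by Dharma
        return scan_backup(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Run it against the oldest retained copy as well as the newest: a hit only in the latest set means the older copies are still clean and the retention depth was sufficient. Formats that are compressed or encrypted by design are skipped to keep the false-positive rate down, so files with unusual extensions still deserve a manual look.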

Video about file decryption and recovery

Here is an example with a similar variant of the malware, but the video is fully relevant for .combo.

And every year more and more new ones appear, each more interesting than the last. The most popular lately is a virus (Trojan-Ransom.Win32.Rector) that encrypts all your files (*.mp3, *.doc, *.docx, *.iso, *.pdf, *.jpg, *.rar, etc.). The problem is that decrypting such files is extremely difficult and time-consuming; depending on the type of encryption, decryption can take weeks, months or even years. In my opinion this virus is currently the peak of danger among all viruses. It is especially dangerous for home computers and laptops, since most users do not back up their data and, once their files are encrypted, lose everything. For organisations it is less dangerous, because they back up important data and, in case of infection, simply restore it, naturally after the virus has been removed. I have encountered this virus several times; I will describe how it happened and what came of it.

The first time I encountered a file-encrypting virus was in early 2014. An administrator from another city contacted me with the most unpleasant news: all files on the file server were encrypted! The infection happened in the most elementary way: the accounting department received an e-mail with the attachment "Act of something-or-other.pdf.exe"; as you can guess, they opened this EXE file and the process began. It encrypted all personal files on the computer and moved on to the file server, which was mapped as a network drive. The administrator and I started digging for information on the Internet; at that time there was no solution. Everyone wrote that such a virus existed, nobody knew how to treat it, the files could not be decrypted, and that sending the files to Kaspersky, Dr.Web or NOD32 might perhaps help. You can only send them if you use their antivirus products (hold licences). We sent the files to Dr.Web and NOD32; the result was zero. I don't remember what Dr.Web said, and NOD32 was completely silent; I never got any reply from them. In general everything was sad and we never found a solution; we restored some of the files from backup.

The second story: just the other day (mid-October 2014) I got a call from an organisation asking me to deal with a virus problem; as you can guess, all the files on the computer were encrypted. Here's an example of what it looked like.

As you can see, the extension *.AES256 was added to each file. Each folder contained a file "Attention_open-me.txt" with contacts for communication.

When you tried to open these files, a program with contacts opened, offering to contact the virus authors to pay for decryption. Of course, I do not recommend contacting them, or paying for the key, since you will only support them financially and there is no guarantee you will receive the decryption key.

The infection occurred during the installation of a program downloaded from the Internet. The most surprising thing was that when they noticed the files had changed (icons and file extensions changed), they did nothing and kept working, while the ransomware kept encrypting all the files.

Attention!!! If you notice files being encrypted on your computer (icons change, extensions change), immediately switch the computer/laptop off and look for a solution from another device (another computer or laptop, a phone, a tablet) or contact IT specialists. The longer your computer stays on, the more files it will encrypt.

In general I already wanted to refuse to help them, but decided to search the Internet in case a solution to this problem had appeared. As a result of the search I read a lot about how the files cannot be decrypted and that you need to send them to the antivirus companies (Kaspersky, Dr.Web or NOD32); thanks for the experience.
Then I came across a utility from Kaspersky, RectorDecryptor. And, oh miracle, the files were decrypted. But first things first...

The first step is to stop the ransomware. Don't count on antivirus for this: the installed Dr.Web found nothing. First I went into the startup entries and disabled all of them except the antivirus. Rebooted the computer. Then I started looking at what kind of files were in startup.

As you can see, the "Command" field shows where each file is located; pay special attention to applications without a publisher (Manufacturer: no data) and remove them. In the end I found and deleted the malware and the files I could not account for. After that I cleared the temporary folders and browser caches; CCleaner is best for this.

Then I started decrypting the files; for this I downloaded the RectorDecryptor utility. I launched it and saw a rather spartan interface.

I clicked "Start scanning" and entered the extension that all the changed files had.

Then I pointed it at an encrypted file. In newer versions of RectorDecryptor you can simply specify the encrypted file. Click the "Open" button.

Tada-a-a-am!!! A miracle happened and the file was decrypted.

After this, the utility automatically checks all files on the computer, plus files on connected network drives, and decrypts them. Decryption may take several hours (depending on the number of encrypted files and the speed of your computer).

As a result, all encrypted files were successfully decrypted into the same directories where they originally were.

All that remains is to delete all files with the .AES256 extension; this could be done by ticking "Delete encrypted files after successful decryption" under "Change scan parameters" in the RectorDecryptor window.

But remember that it is better not to tick this box: if a file is not decrypted successfully it will be deleted, and to try again you will first have to restore it.

When I tried to delete all the encrypted files with the standard search-and-delete, I ran into freezes and an extremely slow computer.

Therefore it is best to delete them from the command line: open it and type del "<drive>:\*.<encrypted file extension>" /f /s. In my case: del "d:\*.AES256" /f /s. The /s switch recurses into every subfolder of the drive, so run this only once you have verified the decrypted copies.

Don't forget to delete the "Attention_open-me.txt" files too; for that use del "<drive>:\<file name>" /f /s on the command line, for example
del "d:\Attention_open-me.txt" /f /s

Thus the virus was defeated and the files restored. I want to warn you that this method won't help everyone: the point is that Kaspersky has collected in this utility all the known decryption keys (from files sent in by infected users) and uses brute force to try those keys and decrypt the files. So if your files are encrypted by a variant with an unknown key, this method won't help; you will have to send the encrypted files to the antivirus companies, Kaspersky, Dr.Web or NOD32, for decryption.

Travelling to different cities and towns, a person inevitably encounters surprises that can be pleasant or cause considerable discomfort and grief.

The same emotions may await a user who likes "travelling" on the Internet. Sometimes unpleasant surprises even arrive in the mailbox by themselves, as threatening letters and documents that users rush to read, thereby falling straight into the scammers' nets.

On the Internet you can encounter an enormous number of viruses programmed to perform all sorts of harmful tasks on your computer, so it is important to learn to distinguish safe links for downloading files and documents from those that pose a clear danger to your computer.

If you are one of those unfortunate people who have had to live through the consequences of a virus infection, you will not doubt that it is useful to collect and systematise information on how to prevent your computer from being infected.

Viruses appeared as soon as computer technology did. Every year there are more and more varieties, so a user can easily destroy only a virus that has long been known and for which a 100% reliable removal method has been found.

It is much harder for the user to fight malware that has only just appeared on the network or whose actions are outright destructive.

File recovery methods

In a situation where a virus has encrypted files on a computer, what to do is the key question for many. If these are amateur photos whose loss you don't want to accept either, you can spend a long time looking for ways to solve the problem. But if the virus has encrypted files that are critical for the business, the desire to work out what to do becomes overwhelming, and you want to take effective steps quickly.

Restoring a previous version

If system protection was turned on on your computer in advance, then even when an uninvited ransomware guest has already taken it over, you will still be able to restore documents, provided you know what to do.

The system recovers documents from their shadow copies. Of course, the Trojan also tries to delete such copies, but it does not always succeed, because deleting them requires administrative rights it may not have.

Step 1

So, restoring a document from its previous copy is easy. Right-click the file that turned out to be damaged and select "Properties" in the menu. A window with four tabs appears; go to the last tab, "Previous Versions".

Step 2

All available shadow copies of the document will be listed in the window; select the one that suits you and click the "Restore" button.

Unfortunately, this kind of first aid is not available on a computer where system protection was not enabled beforehand. For this reason, we recommend turning it on in advance, so you don't kick yourself later for plain carelessness.

Step 3

Enabling system protection on your computer is also easy and won't take much of your time, so overcome your laziness and stubbornness and help your computer become less vulnerable to Trojans.

Right-click the "Computer" icon and select "Properties". In the left pane of the window that opens, find the line "System protection" and click it.

A window opens asking you to select a disk. Highlight local disk C and click the "Configure" button.

Step 4

A window opens with the recovery options. Choose the first option, which restores system settings and previous versions of files, and finally click the usual "OK" button.

If you have done all this in advance, then even if a Trojan visits your computer and encrypts your files, you will have excellent prospects of recovering important information.

At the very least you won't panic when you discover that all the files on your computer are encrypted; you will already know exactly what to do.

Using Utilities

Many antivirus companies do not leave users alone with the problem of viruses encrypting documents. Kaspersky Lab and Doctor Web have developed special utilities to help resolve such problematic situations.

So, if you find the terrible traces of a ransomware visit, try the Kaspersky utility RectorDecryptor.

Run the utility on your computer and specify the path to the encrypted file. What the utility does is easy to understand: it tries several variants in order to find the key that decrypts the file. Unfortunately, this operation can be quite lengthy, longer than many users are prepared to wait.

In particular, selecting the correct key may take about 120 days. Bear in mind that interrupting the decryption process is not recommended, so you should not turn the computer off either.

Kaspersky Lab also offers other utilities:

  • XoristDecryptor;
  • RakhniDecryptor;
  • Ransomware Decryptor.

These utilities target the results of other ransomware Trojans. In particular, the Ransomware Decryptor utility is still unknown to many, since it targets CoinVault, which is only now beginning to spread across the Internet and infect users’ computers.

Doctor Web’s developers are not idle either: they offer users their own utilities, with which you can also try to recover encrypted documents on your computer.

Create any folder on drive C and give it a simple name. Unzip the utility downloaded from the company’s official website into this folder.

Now you can use it for a practical solution to the problem. Open a command prompt and type “cd c:\XXX”, where XXX is the name of the folder in which you placed the utility.

Instead of “myfiles”, write the name of the folder containing the damaged documents.

The utility then starts and the treatment begins; after it completes successfully you will find a report listing what was recovered. Note that the program does not delete the encrypted files; it saves the restored version next to them.

Unfortunately, even this Doctor Web utility cannot be considered as a magic wand; it also cannot do everything.

Many people may already have an idea of what to do in case of infection, but experienced users also recommend learning what you must not do, so as not to cause more serious consequences in which the chances of recovering documents drop to zero.

Do not reinstall the operating system. Doing so may remove the pest, but the documents will definitely not be returned to a working state.

Do not run programs that clean the registry or delete temporary files on the computer.

An antivirus scan is also not recommended, since it may simply delete the infected documents. If you panicked and launched an antivirus anyway, at least make sure that the infected files are quarantined rather than deleted.

If you are an advanced user, you can interrupt the encryption process on your computer before it spreads to all files and documents: open “Task Manager” and stop the process. An inexperienced user is unlikely to be able to tell which process belongs to the virus.

It is useful to disconnect the computer from the Internet. Breaking the connection interrupts the encryption of files and documents in most cases.

So, with a full understanding of what to do when a ransomware Trojan is detected, you can take steps to ensure success. In addition, having received information on how to decrypt files encrypted by a virus, you can try to eliminate the problem yourself and prevent it from occurring again.

The number of viruses in the usual sense is shrinking, and the reason is free antiviruses that work well and protect users’ computers. At the same time, not everyone cares about the security of their data, and such people risk infection not only by malware but also by standard viruses, among which the Trojan remains the most common. It can manifest itself in different ways, and one of the most dangerous is file encryption. If a virus encrypts files on your computer, there is no guarantee that you will get the data back, but there are some effective methods, and they are discussed below.

Encryption virus: what it is and how it works

On the Internet you can find hundreds of varieties of viruses that encrypt files. Their actions lead to one consequence: the user’s data on the computer ends up in an unknown format that cannot be opened with standard programs. Here are just some of the extensions into which data on a computer can be encrypted as a result of such viruses: .locked, .xtbl, .kraken, .cbf, .oshit and many others. In some cases the e-mail address of the virus creators is written directly into the file extension.

Among the most common viruses that encrypt files are Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni. They come in many forms, and the virus may not even carry the word Trojan in its name (for example, CryptoLocker), but their actions are practically the same. New versions of encryption viruses are released regularly to make it harder for antivirus developers to deal with the new formats.

If an encrypting virus has penetrated a computer, it will certainly show itself not only by blocking files but also by offering to unlock them for a fee. A banner may appear on the screen telling you where to transfer money to unlock the files. When no such banner appears, look for a “letter” from the virus developers on your desktop; in most cases the file is called ReadMe.txt.

Depending on the developers of the virus, prices for file decryption vary. At the same time, it is far from certain that when you send money to the creators of the virus they will send back an unlocking method. In most cases the money goes “nowhere”, and the computer user receives no decryption method.

After the virus is on your computer and you see on the screen a code that you are asked to send to a specific address to get a decryptor, do not do this. First, copy the code onto a piece of paper, since a newly created file may also be encrypted. After that, you can withhold the information from the virus developers and search the Internet for a way to get rid of the file encryptor in your particular case. Below we list the main programs that allow you to remove the virus and decrypt files, but they cannot be called universal, and antivirus vendors expand the list of solutions regularly.
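Before trying any decryptor it helps to know how many files are affected, when the encryption began and which note was left. The following is an added example, not from the original article: a read-only PowerShell inventory of a folder tree (the path $Root is a constructed value) for the extensions named in this article plus .combo from the story at the start of the page (the list is deliberately not exhaustive; extend it for your case) and for ransom-note files such as ReadMe.txt. It reports counts per extension, the earliest and latest modification time, and the owner of the earliest encrypted file, which on a network share is often the account the malware ran under.

```powershell
# Added example, not from the original article: triage an affected folder without modifying it.
# Assumptions (constructed values): $Root is the share or folder to inspect; the extension list
# comes from this article and is not complete; the note pattern covers common note names only.

$Root = 'D:\Shared'   # hypothetical path; point it at the affected share

$RansomExtensions = @('.locked', '.xtbl', '.kraken', '.cbf', '.oshit', '.crypto', '.combo', '.aes256')
$NotePattern      = '^(readme|how_to_decrypt|decrypt_instructions).*\.txt$'

# .Extension is the *last* extension, so "report.docx.locked" is matched by ".locked".
# -contains compares case-insensitively, which covers ".AES256" as well.
$allFiles = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
$hits     = $allFiles | Where-Object { $RansomExtensions -contains $_.Extension }

if (-not $hits) {
    "No files with known ransomware extensions found under $Root"
    return
}

# Per-extension summary: how many files, and the window in which they were written.
$hits | Group-Object Extension | ForEach-Object {
    $sorted = $_.Group | Sort-Object LastWriteTime
    [pscustomobject]@{
        Extension = $_.Name
        Files     = $_.Count
        FirstSeen = $sorted[0].LastWriteTime
        LastSeen  = $sorted[-1].LastWriteTime
    }
} | Format-Table -AutoSize

# The earliest encrypted file approximates when encryption started. Ransomware writes the
# encrypted copy as a new file, so its owner is often the account it was running under.
$first = $hits | Sort-Object LastWriteTime | Select-Object -First 1
$owner = (Get-Acl -LiteralPath $first.FullName).Owner
"Earliest encrypted file: $($first.FullName) at $($first.LastWriteTime), owner: $owner"

# Ransom notes: record where they are and what they say; do not act on their instructions.
$allFiles | Where-Object { $_.Name -match $NotePattern } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Run this before any cleanup, because the timestamps and ownership are exactly what an antivirus scan or a hasty deletion destroys; the counts also tell you how far the encryption got, which matters when deciding whether the encryption process is still running.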

Getting rid of a file-encrypting virus is quite simple using free versions of antiviruses. Three free programs cope well with file-encrypting viruses:

The apps mentioned above are completely free or have trial versions. We recommend using a solution from Dr.Web or Kaspersky after you scan your system with Malwarebytes Antimalware. Let us remind you once again that it is not recommended to install two or more antiviruses on your computer at the same time, so before installing each new solution you must remove the previous one.

As noted above, the ideal solution in this situation is to find instructions that deal specifically with your problem. Such instructions are most often posted on the websites of antivirus developers. Below we list several relevant antivirus utilities that cope with various types of Trojans and other kinds of ransomware.

The above is only a small part of the antivirus utilities that allow you to decrypt infected files. Note that simply trying to get the data back on your own can, on the contrary, lose it forever; do not do this.

Hello everyone, today I’ll tell you how to decrypt files after a virus in Windows. One of the most problematic kinds of malware today is a Trojan or virus that encrypts files on the user’s disk. Some of these files can be decrypted, others cannot yet. In this article I will describe possible courses of action in both situations.

There are several modifications of this virus, but the general idea is the same: after it is installed on your computer, your documents, images and other potentially important files are encrypted and their extension changed, after which you receive a message that all your files have been encrypted and that to decrypt them you must send a certain amount to the attacker.

Files on the computer are encrypted in xtbl

One of the latest variants of the ransomware virus encrypts files, replacing them with files with the extension .xtbl and a name consisting of a random set of characters.

At the same time, a text file readme.txt is placed on the computer with approximately the following content: “Your files have been encrypted. To decrypt them, you need to send the code to the email address [email protected], [email protected] or [email protected]. Next you will receive all the necessary instructions. Attempts to decrypt the files yourself will lead to irretrievable loss of information” (the mail address and text may differ).

Unfortunately, there is no way to decrypt .xtbl at the moment (as soon as one becomes available, these instructions will be updated). Some users who had really important information on their computer report on antivirus forums that they sent the virus authors 5,000 rubles or another required amount and received a decryptor, but this is very risky: you may receive nothing.

What to do if your files were encrypted in .xtbl? My recommendations are as follows (they differ from those on many other thematic sites, which for example recommend immediately unplugging the computer from the power supply or not removing the virus; in my opinion this is unnecessary, and in some circumstances even harmful, but the decision is yours):

  1. If you know how, interrupt the encryption process by ending the corresponding tasks in Task Manager and disconnecting the computer from the Internet (a connection may be a necessary condition for the encryption).
  2. Remember or write down the code that the attackers require you to send to an email address (not in a text file on the computer, just in case, so that it is not encrypted too).
  3. Using Malwarebytes Antimalware, a trial version of Kaspersky Internet Security or Dr.Web Cure It, remove the virus that encrypts files (all of the tools listed do a good job of this). I advise using the first and second products from the list in turn (however, if you already have an antivirus installed, installing a second one “on top” is undesirable, as it can lead to problems with the computer).
  4. Wait for a decryptor to appear from some antivirus company. Kaspersky Lab is at the forefront here.
  5. You can also send an example of an encrypted file and the required code to [email protected]; if you have an unencrypted copy of the same file, send that too. In theory, this could speed up the appearance of a decryptor.

What not to do:

  • Rename encrypted files, change their extension or delete them if they are important to you.

This is probably all I can say about encrypted files with the .xtbl extension at the moment.

Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni

The following Trojan encrypts files and assigns extensions from this list:

  • .locked
  • .crypto
  • .kraken
  • .AES256 (not necessarily this Trojan, there are others that install the same extension).
  • .codercsu@gmail_com
  • .oshit
  • And others.

To decrypt files after these viruses have run, Kaspersky’s website offers a free utility called RakhniDecryptor, available on the official page http://support.kaspersky.ru/viruses/disinfection/10556.

There are also detailed instructions on using this utility, showing how to recover encrypted files; in those, just in case, I would untick the option “Delete encrypted files after successful decryption” (although I think everything will be fine with the option enabled).

If you have a Dr.Web antivirus license, you can use this company’s free decryption service on the page http://support.drweb.com/new/free_unlocker/

Other ransomware virus options

Less common, but also encountered, are the following Trojans that encrypt files and demand money for decryption. The links provided contain not only utilities for returning your files but also a description of the signs that help determine that you have this particular virus. In general, though, the optimal approach is to scan the system with Kaspersky antivirus, find out the Trojan’s name in this company’s classification, and then look for a utility by that name.

  • Trojan-Ransom.Win32.Rector: the free RectorDecryptor decryption utility and instructions for use are available here: http://support.kaspersky.ru/viruses/disinfection/4264
  • Trojan-Ransom.Win32.Xorist is a similar Trojan that displays a window asking you to send a paid SMS or contact an e-mail address for decryption instructions. Instructions for restoring encrypted files and the XoristDecryptor utility are available on the page http://support.kaspersky.ru/viruses/disinfection/2911
  • Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Fury: the RannohDecryptor utility, http://support.kaspersky.ru/viruses/disinfection/8547
  • Trojan.Encoder.858 (xtbl), Trojan.Encoder.741 and others with the same name (as reported by Dr.Web antivirus or the Cure It utility) and different numbers: try searching the Internet for the Trojan’s name. For some of them there are decryption utilities from Dr.Web; if you could not find the utility but have a Dr.Web license, you can use the official page http://support.drweb.com/new/free_unlocker/
  • CryptoLocker: to decrypt files after CryptoLocker has run, you can use the site http://decryptcryptolocker.com; after you send a sample file, you will receive a key and a utility to recover your files.

And from the latest news: Kaspersky Lab, together with law enforcement in the Netherlands, developed Ransomware Decryptor (http://noransom.kaspersky.com) to decrypt files after CoinVault, but this ransomware has not yet been seen in our latitudes.

By the way, if it turns out that you have something to add (I may not have time to keep track of everything happening with decryption methods), let me know in the comments; this information will be useful to other users facing the problem.