
I continue the notorious section of my website with another story in which I myself was the victim. This time it is the Crusis (Dharma) ransomware, which encrypted all the files on a network drive and gave them the .combo extension. It worked not only on local files, as is most often the case, but on network shares as well.

Guaranteed decryption of files after a ransomware attack: dr-shifro.ru. Details of how they work and how they interact with the customer are given further down in this article and on their website in the “Work Procedure” section.

Introduction

The story is told in the first person, because the data and infrastructure I managed were hit by the ransomware. Sad as it is to admit, I am partly to blame for what happened, even though I have known about ransomware for a very long time. In my defence, no data was lost; everything was restored quickly and the incident was investigated without delay. But first things first.

The boring morning began at 9:15, when the system administrator of one remote site called and said that there was ransomware on the network and the data on the network drives had already been encrypted. A chill ran down my spine :) He started looking for the source of the infection on his side and I started on mine. Naturally, I went straight to the server, disconnected the network drives and began looking at the file access log. Access auditing on the network drives is configured, and it absolutely must be enabled: from that log I could immediately see the source of the infection, the account the ransomware was running under, and the time encryption started.

Description of the Crusis (Dharma) ransomware virus

Then the investigation began. Encrypted files had received the .combo extension, and there were a lot of them. The ransomware had started working late in the evening, at approximately 11 p.m. I was lucky: the backup of the affected disks had just completed by that time. No data was lost at all, since it had been backed up at the end of the working day. I immediately started restoring from the backup, which lives on a separate server with no SMB access.

Overnight the virus managed to encrypt approximately 400 GB of data on the network drives. Simply deleting all the encrypted files with the .combo extension took a long time. At first I wanted to delete them all at once, but when merely counting those files took 15 minutes, I realised it was pointless at that moment. Instead I started restoring the latest data, and cleaned the encrypted files off the disks afterwards.

I’ll state the simple truth right away: having up-to-date, reliable backups makes any problem solvable. I can’t even imagine what to do when they are absent or stale. I always pay special attention to backups. I look after them, I cherish them, and I don’t give anyone access to them.

Once I had launched the recovery of the encrypted files, I had time to calmly assess the situation and take a closer look at the Crusis (Dharma) ransomware. Surprises awaited me here. The source of the infection was a Windows 7 virtual machine with an RDP port forwarded to it over a backup Internet channel. The port was non-standard, 33333. I think using that port was the main mistake: although it is not the default, it is very popular. Of course it is better not to forward RDP at all, but in this case it really was necessary. Incidentally, this virtual machine has now been replaced by one running CentOS 7 with a Docker container providing xfce and a browser. That machine has no access anywhere except where it is needed.

What is scary about this whole story? The virtual machine was patched. The ransomware started working at the end of August, and it is impossible to determine exactly when the machine was compromised: the virus wiped a lot of traces inside the VM itself. Updates had been installed on the system in May, so there should not have been any old, known holes on it. Now I don’t even know how to leave an RDP port reachable from the Internet, yet there are too many cases where that is genuinely needed, for example a terminal server on rented hardware. You won’t rent a VPN gateway for every server.

Now let’s get closer to the ransomware itself. I disabled the virtual machine’s network interface and only then started it. I was greeted by the standard ransom note, which I had already seen many times from other ransomware families.

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 501BED27 In case of no answer in 24 hours write us to these e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click "Buy bitcoins", and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

There were 2 text files on the desktop named FILES ENCRYPTED.TXT with the following content:

All your data has been locked us Do you want to return? write email [email protected]

It’s interesting that the permissions on the Desktop directory had changed: the user had no write permission. Apparently the virus did this to stop the user from accidentally deleting the ransom note text files from the desktop. There was also a directory on the desktop named troy, which contained the virus itself, a file l20VHC_playload.exe.

How the Crusis (Dharma) ransomware virus encrypts files

Having calmly figured all this out and read similar reports about the ransomware on the Internet, I learned that I had caught a version of the well-known Crusis (Dharma) ransomware. Kaspersky detects it as Trojan-Ransom.Win32.Crusis.to. It appends different extensions to files, including .combo. My list of files looked roughly like this:

  • Vanino.docx.id-24EE2FBC..combo
  • Petropavlovsk-Kamchatsky.docx.id-24EE2FBC..combo
  • Khorol.docx.id-24EE2FBC..combo
  • Yakutsk.docx.id-24EE2FBC..combo
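An added example, not part of the original article: the naming scheme above is regular enough to script the inventory and clean-up that took the author so long by hand. This Python script parses the `<original>.id-<8 hex>.<segment>.combo` form (the segment is empty in the names above; allowing non-empty text there is an assumption about other builds of the family), walks a share once to count encrypted files, bytes and victim IDs, and deletes an encrypted copy only when a file with the original name already exists beside it, i.e. after the original was restored from backup. The sample tree is constructed in a temporary directory and is not the author's data.

```python
import os
import re
import tempfile
from collections import Counter

# <original>.id-<8 hex>.<segment>.combo  -- the segment between the two dots is
# empty in the names on this page; non-empty segments are an assumption.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>[0-9A-Fa-f]{8})\.(?P<seg>[^\\/]*)\.combo$", re.I
)


def parse_encrypted_name(name):
    """Return {'orig', 'vid', 'seg'} for a Dharma-style name, else None."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def inventory(root):
    """Single pass over the tree: (count, total_bytes, Counter of victim IDs, paths)."""
    count = total = 0
    ids = Counter()
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = parse_encrypted_name(name)
            if info is None:
                continue
            path = os.path.join(dirpath, name)
            count += 1
            ids[info["vid"].upper()] += 1
            paths.append(path)
            try:
                total += os.path.getsize(path)
            except OSError:
                pass  # file vanished between listing and stat; skip its size
    return count, total, ids, paths


def purge_restored(root, dry_run=True):
    """Delete an encrypted copy only if the original name already exists in the
    same directory (restored from backup). Returns (deleted, kept) path lists."""
    deleted, kept = [], []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            info = parse_encrypted_name(name)
            if info is None:
                continue
            path = os.path.join(dirpath, name)
            if info["orig"] in present:
                if not dry_run:
                    os.remove(path)
                deleted.append(path)
            else:
                kept.append(path)
    return deleted, kept


def make_sample_tree():
    """Constructed data: the four names from the page, one restored original
    and one untouched file, 1 KiB each, in a temporary directory."""
    root = tempfile.mkdtemp(prefix="share_")
    for name in ("Vanino.docx.id-24EE2FBC..combo",
                 "Petropavlovsk-Kamchatsky.docx.id-24EE2FBC..combo",
                 "Khorol.docx.id-24EE2FBC..combo",
                 "Yakutsk.docx.id-24EE2FBC..combo",
                 "Vanino.docx", "notes.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * 1024)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    count, total, ids, _ = inventory(root)
    print(f"{count} encrypted files, {total} bytes, victim IDs: {dict(ids)}")
    deleted, kept = purge_restored(root, dry_run=True)
    print(f"would delete {len(deleted)}, keep {len(kept)} (originals not restored yet)")
```

Run it with `dry_run=True` first and compare the kept list against what the backup restore actually returned; only then flip to `dry_run=False`. Keeping the victim ID count is useful too: a second ID means a second infection or a second affected host.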

I’ll give some more details about how the ransomware worked, because I left out something important: this computer was in the domain, and the files were encrypted under a domain user account!!! So the question is where the virus got it from. I saw no sign of password guessing in the domain controller logs: there was no flood of failed logons. Either some vulnerability was exploited, or I don’t know what to think. The account used had never logged on to this system before. There was an RDP logon with the domain user account, followed by encryption. There were no traces of brute-forcing usernames and passwords on the system itself either; almost immediately there was an RDP logon with the domain account. To do that, the attacker had to guess not only the password but, at a minimum, the username as well.

Unfortunately, the account had the password 123456. It was the one account with such a password that the local admins had overlooked. Human factor. It was a manager’s account, and for some reason a whole string of system administrators knew this password but did not change it. Obviously that is why this particular account was used. Nevertheless, how even such a simple password and the matching username were obtained remains unknown.
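As an added example (not the author's code), here is the kind of log triage described above, in Python, run over a constructed sample of Windows Security events rather than real logs: 4625 failed logons, 4624 successful logons (logon type 10 = RDP) and 4663 object-access events from the file server's audit log. The field names, the account names, the addresses and the timestamps are all assumptions; the point is the correlation: which account made the first RDP logon, how many failures preceded it (the brute-force signature the author did not find), and when that account first wrote a file with the .combo naming pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Dharma/Crusis renames files to <name>.id-<8 hex>.<segment>.combo; on this
# page the segment is empty ("..combo"), other builds put text there.
ENCRYPTED_NAME = re.compile(r"\.id-[0-9A-Fa-f]{8}\.[^\\/]*\.combo$", re.I)

# Constructed sample (not real logs): Windows Security events reduced to the
# fields the triage needs. 4625 = failed logon, 4624 = successful logon
# (logon_type 10 = RDP), 4663 = object access from the file server audit.
SAMPLE_EVENTS = [
    {"time": "2018-08-27 22:41:03", "id": 4625, "user": "CORP\\user1", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2018-08-27 22:41:09", "id": 4625, "user": "CORP\\user1", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2018-08-27 22:42:15", "id": 4624, "user": "CORP\\user1", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2018-08-27 22:55:00", "id": 4624, "user": "CORP\\user2", "src_ip": "10.0.0.23", "logon_type": 3},
    {"time": "2018-08-27 22:56:10", "id": 4663, "user": "CORP\\user2", "object": "D:\\share\\report.xlsx", "access": "ReadData"},
    {"time": "2018-08-27 23:02:40", "id": 4663, "user": "CORP\\user1", "object": "D:\\share\\Vanino.docx", "access": "ReadData"},
    {"time": "2018-08-27 23:02:41", "id": 4663, "user": "CORP\\user1", "object": "D:\\share\\Vanino.docx.id-24EE2FBC..combo", "access": "WriteData"},
    {"time": "2018-08-27 23:02:43", "id": 4663, "user": "CORP\\user1", "object": "D:\\share\\Khorol.docx.id-24EE2FBC..combo", "access": "WriteData"},
    {"time": "2018-08-27 23:02:45", "id": 4663, "user": "CORP\\user1", "object": "D:\\share\\Yakutsk.docx.id-24EE2FBC..combo", "access": "WriteData"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def triage(events):
    """Per account: failed logons before its first successful RDP logon, the
    RDP source address, and time/count of writes to ransomware-named files."""
    acct = defaultdict(lambda: {"failed_before_success": 0, "first_rdp_logon": None,
                                "src_ip": None, "first_encrypted_write": None,
                                "encrypted_writes": 0})
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        a = acct[ev["user"]]
        if ev["id"] == 4625:
            if a["first_rdp_logon"] is None:      # only failures that precede the success count
                a["failed_before_success"] += 1
        elif ev["id"] == 4624 and ev.get("logon_type") == 10 and a["first_rdp_logon"] is None:
            a["first_rdp_logon"] = ev["time"]
            a["src_ip"] = ev["src_ip"]
        elif ev["id"] == 4663 and ev.get("access") == "WriteData" and ENCRYPTED_NAME.search(ev["object"]):
            a["encrypted_writes"] += 1
            if a["first_encrypted_write"] is None:
                a["first_encrypted_write"] = ev["time"]
    return dict(acct)


def suspects(events):
    """Accounts that wrote ransomware-named files, most active first."""
    t = triage(events)
    return sorted((u for u, s in t.items() if s["encrypted_writes"]),
                  key=lambda u: t[u]["encrypted_writes"], reverse=True)


if __name__ == "__main__":
    for user, summary in triage(SAMPLE_EVENTS).items():
        print(user, summary)
    print("suspects:", suspects(SAMPLE_EVENTS))
```

With real data, export the events from the file server and the domain controller (for instance with `wevtutil` or `Get-WinEvent`) into the same simplified fields. An account with a near-zero failure count and an immediate RDP success, as in the author's case, points at a password that was already known rather than one that was guessed on the spot.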

I shut down and deleted the virtual machine infected with the ransomware, having first taken a disk image. I extracted the virus itself from that image to look at how it works. The rest of the story is based on running the virus in a virtual machine.

One more small detail. The virus scanned the entire local network and at the same time encrypted data on those computers that had shared folders open to everyone. This is the first time I have seen such a modification of the ransomware, and it is truly frightening: a virus like this can simply paralyse the work of an entire organisation. Suppose that, for some reason, the backups themselves were reachable over the network, or a weak password was used for the account. It could turn out that everything is encrypted, both the data and the archived copies. I am now thinking of keeping backups not just in an isolated network segment but on equipment that is switched off, and is powered on only to take a backup.

How to treat your computer and remove Crusis (Dharma) ransomware

In my case the Crusis (Dharma) ransomware did not hide itself particularly well, and removing it should not pose any problems. As I said, it sat in a folder on the desktop. In addition, it registered itself and the ransom note in autorun.

The body of the virus was duplicated in the Startup folder for all users and in windows/system32. I did not look any further because I see no point in it. After a ransomware infection I strongly recommend reinstalling the system; this is the only way to be sure the virus is removed. You can never be completely certain it is gone, since it could have used some as yet unpublished, unknown vulnerability to leave a backdoor on the system. After a while a new virus can come in through that backdoor, and everything repeats in a circle.

So my recommendation is: immediately after detecting ransomware, do not disinfect the computer, reinstall the system, saving whatever data is left. Perhaps the virus did not manage to encrypt everything. These recommendations apply to those who do not intend to attempt file recovery. If you have current backups, simply reinstall the system and restore the data.

If you don’t have backups and are ready to recover the files at any cost, then try not to touch the computer at all. First of all, just unplug the network cable, copy a couple of encrypted files and the ransom note text file onto a clean flash drive, then shut the computer down. Do not turn it on again. If you don’t understand computers at all, you won’t be able to deal with the virus yourself, let alone decrypt or recover files; contact someone who knows. If you think you can do something yourself, read on.

Where to download the Crusis (Dharma) decryptor

What follows is my universal advice for all ransomware. There is a website, https://www.nomoreransom.org, which could in theory contain a decryptor for Crusis or Dharma or some other information on decrypting files. In my practice this has never happened, but maybe you’ll get lucky; it is worth a try. To do this, accept the terms on the home page by clicking YES.

Attach 2 files, paste the contents of the ransomware’s note and click Check.

If you're lucky, you'll get some information. In my case nothing was found.

All existing decryptors for ransomware are collected on a separate page, https://www.nomoreransom.org/ru/decryption-tools.html. The existence of this list suggests there is still some point to the site and service. Kaspersky has a similar service, https://noransom.kaspersky.com/ru/. You can try your luck there.

I don’t think it is worth looking for decryptors anywhere else via an Internet search. They are unlikely to be found. At best you will most likely get an ordinary scam with junk software, at worst a new virus.

Important addition. If you have a licensed antivirus installed, be sure to open a request with the vendor’s technical support for file decryption. Sometimes it really helps; I have seen reports of successful decryption by antivirus support.

How to decrypt and recover files after the Crusis (Dharma) virus

What do you do when the Crusis (Dharma) virus has encrypted your files, none of the methods described above helped, and you really need the files back? The way the encryption is implemented does not allow files to be decrypted without the key or a decryptor, which only the author of the ransomware has. Maybe there is some other way to get it, but I have no such information. All we can do is try to recover the files by other means. These include:

  • Windows shadow copies (Volume Shadow Copy).
  • Programs for recovering deleted data.

Before any further manipulation I recommend making a sector-by-sector disk image. This records the current state, and if nothing works you can at least return to the starting point and try something else. Next, remove the ransomware itself using any antivirus with the latest databases; Dr.Web CureIt! or Kaspersky Virus Removal Tool will do. You can also install any other antivirus in trial mode; that is enough to remove the virus.

After that, boot into the infected system and check whether shadow copies are enabled. This feature is on by default in Windows 7 and later unless you disabled it manually. To check, open the computer properties and go to the System Protection section.

If during the infection you did not confirm the UAC prompt that lets the malware delete the shadow copies, some data should remain there. To restore files from shadow copies easily, I suggest the free program ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of the files and the root of drive C will open. In the top left corner you can choose a different snapshot if you have several. Check the different copies for the files you need and compare by date to find the most recent version. In my example below I found 2 files on my desktop from three months ago, when they were last edited.

I was able to recover these files. To do so, I selected them, right-clicked, chose Export and specified the folder to restore them to.

Whole folders can be restored the same way. If shadow copies were working and were not deleted, you have a good chance of recovering all, or almost all, of the files the virus encrypted. Some of them may be older versions than we would like, but it is still better than nothing.

If for some reason you have no shadow copies of your files, your only chance to get at least something back is to recover them with a deleted-file recovery tool. For this I suggest the free program PhotoRec.

Launch the program and select the disk on which you will recover files. The graphical version of the program is started by running qphotorec_win.exe. You must select a folder where the found files will be placed; it is better if this folder is not on the same drive we are searching. Connect a flash drive or an external hard drive for this.

The search will take a long time. At the end you will see statistics. Now you can open the folder you specified earlier and see what was found. There will most likely be a lot of files, and most of them will be either damaged or useless system files. Nevertheless, some useful files can be found in the list. There are no guarantees here: what you find is what you get. Images are usually recovered best.

If the result does not satisfy you, there are other programs for recovering deleted files. Below is a list of programs I usually use when I need to recover as many files as possible:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not give links. If you really want them, you can find them yourself on the Internet.

The entire process of recovering files with the listed programs is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Crusis (Dharma) ransomware

As usual, I went through the forums of the popular antivirus vendors looking for information about the ransomware that appends the .combo extension. There is a clear trend in how the virus is spreading: a lot of requests start from mid-August. Now they seem to have stopped, but perhaps only temporarily, or the extension of the encrypted files has simply changed.

Here is an example of a typical request from the Kaspersky forum.

There is also a comment from the moderator below.

The ESET NOD32 forum has long been familiar with the virus that appends the .combo extension. As I understand it, the virus is neither unique nor new, but a variation of the long-known Crusis (Dharma) family. Here is a typical request to decrypt data:

I noticed many reports on the ESET forum that the virus got into the server via RDP. It looks like this really is a serious threat, and RDP cannot be left exposed. The only question is how the virus gets in via RDP: by guessing a password, by connecting with a known username and password, or in some other way.

Where to go for guaranteed decryption

I happen to know one company that actually decrypts data after various ransomware families, including Crusis (Dharma). Their address is http://www.dr-shifro.ru. Payment is made only after decryption and your verification. Here is an approximate scheme of their work:

  1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
  2. They run the decryptor on your computer and decrypt some of the files.
  3. You make sure that all files open, sign the acceptance certificate for the completed work, and receive the decryptor.
  4. You decrypt your files and complete the remaining paperwork.

You risk nothing: payment only after the decryptor has been demonstrated. Please write a review of your experience with this company.

Methods of protection against ransomware virus

I will not list the obvious things about running unknown programs from the Internet and opening mail attachments; everyone knows this by now, and I have written about it many times in my articles in the relevant section. I’ll focus on backups. They must not only exist, but be unreachable from outside. If the backup target is some kind of network share, only a separate account with a strong password should have access to it.

If you back up personal files to a flash drive or an external drive, do not keep them permanently connected to the system. Once the archive copies are made, disconnect the devices from the computer. To me the ideal backup is on a separate device that is switched on only to take the backup and is then physically disconnected from the network again, by unplugging the network cable or simply shutting it down.

Backups must be incremental, with history kept. This is needed to avoid the situation where the ransomware encrypts all the data without you noticing, a backup runs, and it replaces the old files with new, already encrypted ones. As a result you have an archive, but it is useless. You need a retention depth of at least several days. I think that in future there will be, if they have not already appeared, ransomware that quietly encrypts part of the data and waits for a while without revealing itself, in the expectation that the encrypted files will end up in the archives and, over time, replace the real files there.

This will be a hard time for the corporate sector. I have already given an example above from the ESET forum where network drives with 20 TB of data were encrypted. Now imagine you have such a network drive, but only 500 GB of data is encrypted, in directories that are not constantly accessed. A couple of weeks pass and nobody notices the encrypted files, because they sit in archive directories that are rarely used. But at the end of the reporting period the data is needed. People go there and see that everything is encrypted. They go to the backup, and its retention depth is, say, 7 days. And that’s it, the data is gone.

This calls for a separate, careful approach to archives: you need software and resources for long-term data storage.
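As an added example (not the author's tooling), here is one way to put the argument above into a backup job: before the retention window rotates out the oldest snapshot, scan the newest one for ransomware indicators, and freeze rotation if any are found, so that clean copies are not aged out. Two indicators are used: ransom-note file names taken from this page, and a Shannon-entropy check on file types that are normally plaintext, which catches files that were encrypted in place without being renamed, the quiet case the author worries about. The threshold, the list of textual extensions and the sample snapshots are assumptions constructed for the example.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Ransom-note names quoted on this page; any of them inside a snapshot is a hard stop.
NOTE_NAMES = {"FILES ENCRYPTED.TXT", "HELP_YOUR_FILES", "README", "README.TXT"}

# Types whose plaintext normally sits far below 7 bits/byte. Ciphertext is close
# to 8, so a "text" file near 8 is suspect even if its name was left untouched.
# .docx/.zip/.jpg are already compressed (near 8) and are deliberately excluded.
TEXTUAL = {".txt", ".csv", ".log", ".xml", ".html", ".sql", ".ini", ".json"}
ENTROPY_LIMIT = 7.5  # assumption; tune against your own data


def shannon_entropy(data):
    """Bits per byte: 0 for a constant file, 8.0 when every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot(root, sample_bytes=65536):
    """Return [(kind, path)] for ransom notes and textual files that look encrypted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() in NOTE_NAMES:
                findings.append(("ransom_note", path))
                continue
            if os.path.splitext(name)[1].lower() in TEXTUAL:
                with open(path, "rb") as fh:
                    if shannon_entropy(fh.read(sample_bytes)) >= ENTROPY_LIMIT:
                        findings.append(("high_entropy", path))
    return findings


def plan_rotation(snapshots, keep):
    """snapshots: roots ordered oldest -> newest. Expire those beyond `keep` only
    if the newest one is clean; otherwise hold everything and report findings."""
    findings = scan_snapshot(snapshots[-1])
    if findings:
        return {"hold": True, "expire": [], "findings": findings}
    expire = snapshots[:-keep] if keep < len(snapshots) else []
    return {"hold": False, "expire": expire, "findings": []}


def make_sample_snapshots():
    """Constructed data: a clean snapshot and a later one into which a silently
    encrypted .txt (random bytes stand in for ciphertext) and a ransom note crept."""
    base = tempfile.mkdtemp(prefix="snap_")
    clean = os.path.join(base, "2018-08-20")
    infected = os.path.join(base, "2018-08-27")
    for root in (clean, infected):
        os.makedirs(os.path.join(root, "archive"))
        with open(os.path.join(root, "archive", "ledger.csv"), "wb") as fh:
            fh.write(b"date,account,amount\n2018-01-05,4711,1200.00\n" * 200)
    rng = random.Random(1)
    with open(os.path.join(infected, "archive", "contracts.txt"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(8192)))
    with open(os.path.join(infected, "archive", "FILES ENCRYPTED.TXT"), "w") as fh:
        fh.write("All your data has been locked\n")
    return [clean, infected]


if __name__ == "__main__":
    snaps = make_sample_snapshots()
    print(plan_rotation(snaps, keep=1))
```

A held rotation should page someone rather than silently retry: the whole point is that the 7-day window in the author's scenario only runs out if nobody looks. Name-based checks for a known renaming scheme are a one-line addition to `scan_snapshot`; the entropy check is there for the case where the name tells you nothing.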

Video about file decryption and recovery

Here is an example with a similar modification of the virus, but the video is fully applicable to .combo.

Ransomware is a malicious program that, when activated, encrypts all personal files such as documents, photos and so on. The number of such programs is very large and grows every day. In recent times alone we have encountered dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, .da_vinci_code, toste, fff, etc. The goal of such encryption viruses is to force users to buy, often for a large sum of money, the program and key needed to decrypt their own files.

Of course, you can get the encrypted files back simply by following the instructions the creators of the virus leave on the infected computer. But most often the cost of decryption is very significant, and you should also know that some ransomware encrypts files in such a way that it is simply impossible to decrypt them afterwards. And of course, it is just galling to pay to get your own files back.

Below we will talk in more detail about encryption viruses: how they get onto the victim’s computer, how to remove them, and how to recover the files they encrypted.

How does a ransomware virus penetrate a computer?

Ransomware is usually spread by e-mail. The message contains an infected document. Such messages are sent to a huge database of e-mail addresses. The authors of the virus use misleading subjects and message bodies to trick the user into opening the attached document. Some messages announce that a bill needs paying, others offer the latest price list, others a funny photo, and so on. In any case, opening the attached file results in your computer being infected with ransomware.

What is a ransomware virus?

Ransomware is a malicious program that infects modern versions of Windows, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. These viruses try to use the strongest available encryption, for example RSA-2048 with a 2048-bit key, which practically rules out brute-forcing the key to decrypt the files yourself.

When it infects a computer, the ransomware uses the %APPDATA% directory to store its own files. To launch itself automatically when the computer is turned on, the ransomware creates an entry in the Windows registry under the Run and RunOnce keys, HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (the same keys exist under HKLM for machine-wide autostart).

Immediately after launching, the virus scans all available drives, including network and cloud storage, to determine which files to encrypt. Ransomware uses the file name extension to identify the group of files that will be encrypted. Almost all file types are encrypted, including such common ones as:

.0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

Immediately after a file is encrypted, it gets a new extension, which can often be used to identify the name or type of the ransomware. Some of these programs also change the names of the encrypted files. The virus then creates a text document with a name like HELP_YOUR_FILES or README containing instructions for decrypting the files.

While it runs, the ransomware tries to block file recovery through VSS (the Volume Shadow Copy Service). To do this it invokes, from the command line, the shadow-copy administration utility with the switch that deletes all of them. As a result, recovering files from shadow copies is almost always impossible.
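An added example, not from the article: the shadow-copy deletion described above leaves a process-creation trail (Windows Security event 4688, or Sysmon event 1, both of which carry the command line). This Python detector matches the vssadmin delete form the text describes and, going beyond the text, the usual companions (wmic shadowcopy delete, bcdedit disabling recovery, wbadmin deleting the backup catalog). It normalises cmd.exe caret escaping and quoting first, since `v^ss^admin` is still vssadmin once cmd.exe has parsed it. The record format, the account names and the sample lines are constructed assumptions.

```python
import re

# Constructed sample of process-creation records, assumed exported as
# "time|event_id|user|command_line" (Security 4688 or Sysmon event 1).
SAMPLE_4688 = [
    "2018-08-27 22:50:02|4688|CORP\\user1|C:\\Windows\\System32\\cmd.exe /c \"vssadmin delete shadows /all /quiet\"",
    "2018-08-27 22:50:03|4688|CORP\\user1|wmic.exe shadowcopy delete",
    "2018-08-27 22:50:04|4688|CORP\\user1|bcdedit /set {default} recoveryenabled No",
    "2018-08-27 22:50:05|4688|CORP\\user1|v^ss^admin delete shadows /all /quiet",
    "2018-08-28 09:00:00|4688|CORP\\backupsvc|vssadmin list shadows",
    "2018-08-28 09:00:01|4688|CORP\\backupsvc|vssadmin create shadow /for=C:",
]

# Rule name -> pattern. The first is what this page describes; the others are
# the common recovery-sabotage companions, included as an extension of the text.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_off", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_catalog_delete", re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
]


def normalize_cmdline(cmd):
    """Undo cmd.exe caret escaping and quoting, collapse whitespace."""
    return " ".join(cmd.replace("^", "").replace('"', "").split())


def detect_recovery_sabotage(records, allow_users=()):
    """Return one hit per matching 4688 record: time, user, rule, normalised command.
    allow_users: service accounts whose backup software legitimately manages VSS."""
    hits = []
    for rec in records:
        time, event_id, user, cmd = rec.split("|", 3)
        if event_id != "4688" or user in allow_users:
            continue
        norm = normalize_cmdline(cmd)
        for rule, pattern in RULES:
            if pattern.search(norm):
                hits.append({"time": time, "user": user, "rule": rule, "cmd": norm})
                break
    return hits


if __name__ == "__main__":
    for hit in detect_recovery_sabotage(SAMPLE_4688):
        print(hit)
```

Note that `vssadmin list shadows` and `vssadmin create shadow` are left alone: backup agents issue those all day. Allow-listing a backup service account is acceptable, but a domain user running `vssadmin delete shadows` at 22:50 is exactly the event that should precede, not follow, a call to the file server admin.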

Ransomware actively uses intimidation: it gives the victim a link to a description of the encryption algorithm and displays a threatening message on the Desktop. In this way it tries to push the user of the infected computer to send the computer’s ID, without hesitation, to the e-mail address of the virus’s author in an attempt to get the files back. The reply to such a message is usually the ransom amount and an e-wallet address.

Is my computer infected with a ransomware virus?

It is quite easy to tell whether a computer is infected with ransomware. Look at the extensions of your personal files: documents, photos, music and so on. If the extension has changed, or your personal files have disappeared leaving behind many files with unknown names, your computer is infected. Another sign of infection is a file named HELP_YOUR_FILES or README in your directories; it contains instructions for decrypting the files.

If you suspect you have opened an e-mail infected with ransomware but there are no symptoms yet, do not turn off or restart the computer. Follow the steps described in this manual. I repeat: it is very important not to turn the computer off, because with some kinds of ransomware the encryption process is activated the first time the computer is turned on after infection!

How to decrypt files encrypted with a ransomware virus?

If this disaster happens, there is no need to panic! But you need to know that in most cases there is no free decryptor. This is because of the strong encryption algorithms such malware uses: without the private key, decrypting the files is practically impossible, and brute-forcing the key is not an option either because of its length. So, unfortunately, paying the authors of the virus the full amount they demand is the only way to try to obtain the decryption key.

Of course, there is absolutely no guarantee that after payment the authors of the virus will contact you and provide the key needed to decrypt your files. You also need to understand that by paying the virus developers you encourage them to create new viruses.

How to remove a ransomware virus?

Before you begin, you need to know that once you start removing the virus and attempting to recover files yourself, you may lose the option of decrypting the files by paying the virus authors the amount they demand.

Kaspersky Virus Removal Tool and Malwarebytes Anti-Malware can detect various kinds of active ransomware and easily remove it from your computer, BUT they cannot recover the encrypted files.

Remove ransomware using Kaspersky Virus Removal Tool

By default the program is set to recover all file types, but to speed things up it is advisable to leave only the file types you need to recover. When you have made your selection, click OK.

At the bottom of the QPhotoRec window find the Browse button and click it. You need to select the directory where the recovered files will be saved. Preferably use a disk that does not contain the encrypted files you want to recover (a flash drive or an external drive will do).

To start searching for and recovering the original copies of the encrypted files, click Search. This process takes quite a long time, so be patient.

When the search is complete, click Quit. Now open the folder you chose for the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3 and so on; the more files the program finds, the more directories there will be. To find the files you need, check all the directories one by one. To make it easier to find the right file among a large number of recovered ones, use the built-in Windows search (by file contents), and don’t forget you can sort the files in each directory. You can sort by modification date, since QPhotoRec tries to restore that property when it recovers a file.

How to prevent a ransomware virus from infecting your computer?

Most modern antivirus programs already have built-in protection against the penetration and activation of ransomware. So if your computer has no antivirus, be sure to install one.

There are also specialised protection programs, for example CryptoPrevent.

A few final words

By following these instructions, your computer will be cleaned of the ransomware. If you have any questions or need help, please contact us.

Ransomware operators are very similar to ordinary blackmailers. Both in the real world and in cyberspace there is a single target, or a group of targets, of the attack: it is either stolen or made inaccessible. Then the criminals use certain channels of communication with the victims to convey their demands. Computer extortionists usually choose only a few formats for the ransom note, but copies of it can be found in almost any storage location on an infected system. In the case of the ransomware family known as Troldesh or Shade, the scammers take a special approach to contacting the victim.

Let's take a closer look at this strain of ransomware, which is aimed at a Russian-speaking audience. Most similar infections detect the keyboard layout on the attacked PC and, if one of the languages is Russian, the intrusion stops. The XTBL ransomware, however, makes no such distinction: unfortunately for users, the attack unfolds regardless of their geographic location and language preferences. A clear embodiment of this indiscriminateness is a warning that appears as the desktop background, along with a TXT file with instructions for paying the ransom.

The XTBL virus is usually spread through spam. The messages are styled as letters from well-known brands, or simply attract attention because the subject line uses expressions such as “Urgent!” or “Important Financial Documents.” The phishing trick works when the recipient of such a message downloads a ZIP file containing JavaScript code, or a .docm object with a potentially malicious macro.

Having completed its initial routine on the compromised PC, the ransomware Trojan proceeds to search for data that may be of value to the user. To do this, the virus scans local and external storage, matching each file against a set of target formats selected by the object's extension. All .jpg, .wav, .doc and .xls files, as well as many other objects, are encrypted with the AES-256 symmetric block cipher.

This harmful effect has two aspects. First, the user loses access to important data. Second, the file names themselves are encoded, producing a meaningless string of hexadecimal characters. The one thing the affected file names have in common is the appended .xtbl extension, i.e. the name of the threat. Encrypted file names sometimes have a special format. In some versions of Troldesh, the names of the encrypted objects remain unchanged and a unique code is appended at the end: [email protected], [email protected], or [email protected].

Obviously, by inserting email addresses directly into the file names, the attackers are pointing victims to the method of contact. The email address is also given elsewhere, namely in the ransom note contained in the “Readme.txt” file. Such Notepad documents appear on the Desktop as well as in every folder with encrypted data. The key message is this:

“All files were encrypted. To decrypt them, you need to send the code: [Your unique cipher] to the email address [email protected] or [email protected]. Next you will receive all the necessary instructions. Attempts to decrypt on your own will lead to nothing but irretrievable loss of information.”

The email address may change depending on the blackmail group spreading the virus.

As for what happens next: in general, the scammers reply with a demand to transfer a ransom, which can be 3 bitcoins or another amount in that range. Note that no one can guarantee that the hackers will keep their promise even after receiving the money. To restore access to .xtbl files, affected users are advised to first try all available alternative methods. In some cases, data can be recovered using the Volume Shadow Copy service built into Windows, as well as decryption and data recovery programs from independent software developers.
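The paragraphs above describe what the encryptor leaves behind: files with the threat's extension appended, a contact address embedded in the name, high-entropy AES output instead of the original content, and a Readme.txt in every affected folder. The script below is an added example written for this page, not code from the article or from any vendor, showing how a responder would triage such a folder read-only: it parses an assumed "<name>.id-<ID>.[<mail>].xtbl"-style suffix layout to recover the original name, measures byte entropy to confirm a file really is ciphertext rather than merely renamed, collects the notes and contact addresses, and uses the earliest encrypted-file timestamp to estimate when encryption started (the same fact the author read from the access log). The sample files, the suffix layout and the 7.5 bits/byte threshold are assumptions constructed for the example.

```python
import math
import os
import random
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Extensions and note names are the ones named on the page; the threshold is an assumption.
RANSOM_EXTENSIONS = {".xtbl", ".combo", ".perfect", ".crypt"}
NOTE_NAMES = {"readme.txt", "contact.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; AES output sits near 8.0, office files well below

# Assumed suffix layout: <original name>[.id-<ID>][.[<mail>]]<ransom extension>
SUFFIX_RE = re.compile(
    r"^(?P<orig>.+?)(?:\.id-(?P<id>[0-9A-Za-z]+))?(?:\.\[(?P<mail>[^\]]+)\])?(?P<ext>\.[a-z]+)$"
)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 8.0 for uniformly random data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_encrypted_name(name: str) -> Optional[dict]:
    """Split a ransomware-style name into orig/id/mail/ext; None if the extension is not tracked."""
    m = SUFFIX_RE.match(name)
    if not m or m.group("ext") not in RANSOM_EXTENSIONS:
        return None
    return m.groupdict()

@dataclass
class Hit:
    path: Path
    original_name: str
    victim_id: Optional[str]
    contact: Optional[str]
    entropy: float
    encrypted: bool  # False: renamed but content is still plaintext (decoy or interrupted run)
    mtime: datetime

def triage(root: Path) -> dict:
    """Read-only walk: classify renamed files, collect notes, estimate when encryption began."""
    hits, notes = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.name.lower() in NOTE_NAMES:
            notes.append(p)
            continue
        parsed = parse_encrypted_name(p.name)
        if parsed is None:
            continue
        ent = shannon_entropy(p.read_bytes())
        hits.append(Hit(p, parsed["orig"], parsed["id"], parsed["mail"], ent,
                        ent >= ENTROPY_THRESHOLD,
                        datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)))
    encrypted = [h for h in hits if h.encrypted]
    return {"hits": hits, "encrypted": encrypted, "notes": notes,
            "contacts": sorted({h.contact for h in hits if h.contact}),
            "started_at": min((h.mtime for h in encrypted), default=None)}

def build_sample_tree(root: Path) -> None:
    """Constructed sample: one untouched file, two 'encrypted' files, one renamed-only decoy, one note."""
    rnd = random.Random(7)  # deterministic stand-in for AES ciphertext
    plain = b"Quarterly report: revenue up 3%.\n" * 128
    files = {
        "invoice.docx": plain,
        "invoice.docx.id-A1B2C3.[restore@example.invalid].xtbl": rnd.randbytes(4096),
        "photos/trip.jpg.[restore@example.invalid].xtbl": rnd.randbytes(4096),
        "notes.txt.xtbl": plain,
        "Readme.txt": b"All files were encrypted. To decrypt them, send the code ...\n",
    }
    base = datetime(2013, 8, 2, 23, 5, tzinfo=timezone.utc).timestamp()
    for i, (rel, data) in enumerate(files.items()):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
        os.utime(f, (base + 60 * i, base + 60 * i))  # staggered one minute apart

def demo() -> dict:
    """Build the sample tree in a temp dir, triage it and return plain values for checking."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        r = triage(Path(d))
        return {"renamed": len(r["hits"]), "encrypted": len(r["encrypted"]),
                "notes": len(r["notes"]), "contacts": r["contacts"],
                "started_at": r["started_at"].isoformat(),
                "decoys": [h.path.name for h in r["hits"] if not h.encrypted]}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:11}: {v}")
```

The entropy check matters because a renamed-but-not-encrypted file (the decoy in the sample) is recoverable by simply removing the suffix, while a file at 7.9 bits/byte is genuine ciphertext and is only recoverable from backup, shadow copies or a vendor decryptor; the contact list and start time go straight into the incident timeline.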

Remove XTBL ransomware using an automatic cleaner

This is an extremely effective method of dealing with malware in general and ransomware in particular. Using a proven security suite guarantees thorough detection of all viral components and their complete removal with one click. Note that we are talking about two different processes: removing the infection and restoring the files on your PC. Nevertheless, the threat certainly needs to be removed, since there are reports of it being used to install other Trojans.

  1. After starting the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during the scan. To remove all detected threats, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files with the extension .xtbl

As noted, the XTBL ransomware locks files using a strong encryption algorithm, so the encrypted data cannot be restored with a wave of a magic wand, short of paying an exorbitant ransom. But some methods can really be a lifesaver and help you recover important data. You can familiarize yourself with them below.

Decryptor: automatic file recovery program

A rather unusual circumstance is known. This infection erases the source files in their unencrypted form; the encryption carried out for extortion thus targets copies of them. This gives file recovery software a chance to restore the erased objects, even when their deletion is claimed to be reliable. It is strongly recommended to resort to the file recovery procedure, whose effectiveness has been confirmed more than once.

Shadow copies of volumes

This approach relies on the Windows file backup procedure, which is repeated at each restore point. An important condition for this method to work: the “System Restore” function must have been enabled before the infection. However, any changes made to a file after the restore point will not appear in the restored version of the file.

Backup

This is the best of all the non-ransom methods. If data was backed up to an external server before the ransomware attack on your computer, then to restore the encrypted files you simply need to open the appropriate interface, select the necessary files and start the restore from backup. Before performing this operation, make sure that the ransomware has been completely removed.

Check for possible presence of residual components of the XTBL ransomware virus

Manual cleaning risks missing individual pieces of the ransomware that could escape removal as hidden operating system objects or registry entries. To eliminate the risk of partially retaining individual malicious elements, scan your computer with a reliable universal anti-virus suite.

Having appeared approximately 8-10 years ago, encrypting viruses have today gained enormous popularity among all kinds of computer scammers.

Experts attribute this to the appearance of freely available builder programs, with which even a weak specialist can assemble a computer virus with specified properties.

How does an encryption virus work?

Most often, an encrypting virus gets onto a victim's computer via email. The company receives a letter supposedly sent by a job applicant, potential partner or buyer, but containing an embedded PDF file with the virus.

When a company employee opens the email, the virus adds itself to the list of startup programs. After the computer is restarted, it starts, renames and encrypts files, and then self-destructs.

Often infected emails are disguised as messages from tax authorities, law enforcement agencies, banks, etc.

In the directory with the damaged files, a note is found stating that the information is encrypted in a secure, cryptographically strong way and cannot be decrypted independently without permanent loss of the files.

If you want to restore them, you need to transfer a certain amount within the specified period in order to receive the decryption key.

Is it possible to handle file decryption on your own?

Most often, extortionists use a virus that Doctor Web classifies as Trojan.Encoder. It converts the files present on the victim's computer, giving them the extension .crypt. Almost all common formats can be encrypted: text files, images, audio tracks, archives.

To restore encrypted files, the company's specialists created the te19decrypt utility. Today it is freely available for any Internet user to download. It is a small program, occupying only 233 KB. After downloading, you need to:

- in the window that opens, click the “Continue” button;
- if an “Error” message appears with the text “I can't get key file [file name]. Do you want to specify its location manually?”, click OK;
- in the “Open” window that appears, specify the path to the file encrypted.txt;
- the decryption process will then begin.

You should never delete the file encrypted.txt before running the decryptor utility, since without it the encrypted information cannot be restored.

The RectorDecryptor decryptor program

Many people use the special program RectorDecryptor to restore encrypted files. Work with it as follows:

- download the RectorDecryptor program, if you do not already have it;
- remove all programs from the startup list except the antivirus;
- restart the computer;
- look through the list of files and highlight suspicious ones, especially those with no information about the manufacturer;
- delete suspicious files that may contain the virus;
- clear the browser cache and temporary folders using CCleaner or a similar program;
- launch RectorDecryptor, point it to the encrypted file and its extension, and then click the “Start checking” button;
- in the latest versions of the program you can specify only the file name, then press “Open”;
- wait until the file is decrypted and move on to the next one.

RectorDecryptor then continues on its own to scan all the files on your computer, including those on removable media.

Decryption may take several hours, depending on the number of damaged files and computer performance. The recovered information is written to the same directory where it was before.

You can indicate that the encrypted material should be deleted after decryption by checking the box next to the corresponding prompt. But experienced users advise against this, since if decryption is unsuccessful you will completely lose the ability to recover your data.

Let us remind you: Trojans of the Trojan.Encoder family are malicious programs that encrypt files on a computer's hard drive and demand money to decrypt them. Files such as *.mp3, *.doc, *.docx, *.pdf, *.jpg, *.rar and so on may be encrypted.
I have not personally encountered the entire family of this virus, but, as practice shows, the method of infection, treatment and decryption is roughly the same for all of them:
1. the victim is infected through a spam email with an attachment (less often by other means of infection),
2. the virus is (by now) recognized and removed by almost any antivirus with fresh databases,
3. files are decrypted by brute-forcing the keys for the types of encryption used.
For example, Trojan.Encoder.225 uses RC4 (modified) + DES encryption, and Trojan.Encoder.263 uses BlowFish in CTR mode. In my personal experience these viruses are currently 99% decryptable.

But not everything is so smooth. Some encrypting viruses require months of continuous decryption (Trojan.Encoder.102), while others (Trojan.Encoder.283) cannot be decrypted correctly even by the specialists of Doctor Web, the company that actually plays a key role in this article.

Now, in order.

At the beginning of August 2013, clients contacted me with the problem of files encrypted by the Trojan.Encoder.225 virus. At that time the virus was new, no one knew anything about it, and there were only 2-3 relevant Google hits. After a lengthy search on the Internet, it turned out that the only organization (that I found) dealing with decrypting files after this virus was the Doctor Web company. Namely: it gives recommendations, helps when you contact technical support, develops its own decryptors, etc.

A negative digression.

And, taking this opportunity, I would like to point out two big minuses of Kaspersky Lab. When you contact their technical support, they brush you off with “we are working on this issue, we will notify you of the results by mail.” And the downside is that I never received a response to the request, even after 4 months. Damn that reaction time. And here I am striving for the standard of “no more than one hour from submitting the request.”
Shame on you, Comrade Evgeniy Kaspersky, CEO of Kaspersky Lab. Yet a good half of all my client companies “sit” on it. Well, okay, the licenses expire in January-March 2014. Is it worth asking whether I will renew them? ;)

I can picture the faces of the “specialists” from the “simpler” companies, so to speak, NOT the giants of the antivirus industry. They probably just “huddled in a corner” and “cried quietly.”
Although, when it comes down to it, absolutely everyone screwed up completely. The antivirus, in principle, should not have allowed this virus onto the computer at all. Especially considering modern technology. And “they”, the GIANTS of the anti-VIRUS industry, supposedly have everything covered: “heuristic analysis”, “preemptive system”, “proactive protection”...

WHERE WERE ALL THESE SUPER-SYSTEMS WHEN THE HR DEPARTMENT EMPLOYEE OPENED A “HARMLESS” LETTER WITH THE SUBJECT “RESUME”???
What was the employee supposed to think?
If YOU cannot protect us, then why do we need YOU at all?

And everything would be fine with Doctor Web, but to get help you must, of course, have a license for one of their software products. When contacting technical support (hereinafter referred to as TS), you must provide the Dr.Web serial number and do not forget to select “request for treatment” in the “Request Category:” line, or simply submit an encrypted file to the laboratory. Let me say right away that the so-called “magazine keys” for Dr.Web, which are posted in batches on the Internet, are not suitable, since they do not confirm the purchase of any software product and are weeded out in no time by the TS specialists. It is easier to buy the “cheapest” license. Because if you are taking on decryption, this license will pay for itself a million times over. Especially if the folder with the photos “Egypt 2012” existed in a single copy...

Attempt No. 1

So, having bought a “license for 2 PCs for a year” for some amount of money, contacted the TS and provided some files, I received a link to the decryption utility te225decrypt.exe version 1.3.0.0. Anticipating success, I launch the utility (you need to point it to one of the encrypted *.doc files). The utility begins the key search, mercilessly loading the old E5300 DualCore processor, 2600 MHz (overclocked to 3.46 GHz) / 8192 MB DDR2-800 / 160 GB Western Digital HDD to 90-100%.
Here a colleague on a Core i5 2500k PC (overclocked to 4.5 GHz) / 16 GB RAM 1600 / Intel SSD joins the work in parallel with me (this is for the comparison of time spent at the end of the article).
After 6 days the utility reported that 7277 files had been decrypted. But the happiness did not last long. All files were decrypted “crookedly”. That is, for example, Microsoft Office documents open, but with various errors: “Word found content in the *.docx document that could not be read” or “The *.docx file cannot be opened due to errors in the content.” *.jpg files also either open with an error, or 95% of the image turns out to be a washed-out black or light green background. For *.rar files: “Unexpected end of archive”.
Overall, a complete failure.

Attempt No. 2

We write to the TS about the results. They ask for a couple of files. A day later they again provide a link to the te225decrypt.exe utility, but version 1.3.2.0. Well, let's launch it; there was no alternative then anyway. About 6 days pass and the utility ends with the error “Unable to select encryption parameters.” In total, 13 days “down the drain.”
But we don't give up; we have important documents from our *foolish* client without basic backups.

Attempt No. 3

We write to the TS about the results. They ask for a couple of files. And, as you may have guessed, a day later they provide a link to the same te225decrypt.exe utility, but version 1.4.2.0. Well, let's launch it; there was no alternative, and none had appeared from Kaspersky Lab, ESET NOD32 or any other manufacturer of anti-virus solutions. And now, after 5 days 3 hours 14 minutes (123.5 hours), the utility reports that the files have been decrypted (for the colleague on the Core i5, decryption took only 21 hours 10 minutes).
Well, I think, here goes. And lo and behold: complete success! All files are decrypted correctly. Everything opens, closes, displays, edits and saves properly.

Everyone is happy, THE END.

“Where is the story about the Trojan.Encoder.263 virus?”, you ask. It was on the next PC, under the table... Everything was simpler there: we write to the Doctor Web TS, get the te263decrypt.exe utility, launch it, wait 6.5 days, voila! and everything is ready. To summarize, I can pass on some advice from the Doctor Web forum in my own wording:

What to do if you are infected with a ransomware virus:
- send an encrypted doc file to the Dr.Web virus laboratory or via the “Submit suspicious file” form.
- wait for a response from a Dr.Web employee and then follow their instructions.

What NOT to do:
- change the extension of encrypted files; otherwise, even with a successfully recovered key, the utility simply will not “see” the files that need to be decrypted.
- use, on your own and without consulting specialists, any programs for decrypting/recovering data.

Attention: having a server free from other tasks, I offer my free services for decrypting YOUR data. The server is a Core i7-3770K overclocked to *certain frequencies*, with 16 GB RAM and a Vertex 4 SSD.
For all active users of Habr, the use of my resources will be FREE!!!

Write to me in a private message or through other contacts. I have already “eaten the dog” on this (that is, I know it inside out). So I'm not too lazy to set the server decrypting overnight.
This virus is the “scourge” of our time, and taking “loot” from fellow sufferers is not humane. Although, if someone “throws” a couple of bucks into my Yandex.Money account 410011278501419, I won't mind. But this is not at all necessary. Contact me. I process requests in my free time.

New information!

Starting from December 8, 2013, a new virus from the same Trojan.Encoder series began to spread under the Doctor Web classification - Trojan.Encoder.263, but with RSA encryption. This type as of today (12/20/2013) cannot be deciphered, as it uses a very strong encryption method.

I recommend to everyone who has suffered from this virus:
1. Using the built-in Windows search, find all files containing the .perfect extension and copy them to external media.
2. Copy the CONTACT.txt file as well.
3. Place this external media “on the shelf”.
4. Wait for the decryptor utility to appear.
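The four steps above amount to evidence preservation: keep the encrypted files and the note untouched until a decryptor exists. The script below is an added example written for this page (not the author's tool and not Doctor Web's) that does the same thing in a way you can later prove was done correctly: it copies every file with the ransomware extension plus the ransom note to a destination folder, keeps relative paths and timestamps, verifies each copy against a SHA-256 of the source, and writes a manifest so that months later `verify()` can show the preserved copies are still byte-for-byte intact (media rot and accidental edits are the usual reasons a decryptor fails on an old copy). The .perfect extension and CONTACT.txt name are taken from the advice above; the sample tree, paths and manifest file name are assumptions constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

RANSOM_EXT = ".perfect"    # extension named in the advice above
NOTE_NAME = "CONTACT.txt"  # ransom note named in the advice above
MANIFEST = "MANIFEST.json"  # assumed name for the hash manifest written next to the copies

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large encrypted files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(src: Path, dst: Path) -> Dict[str, dict]:
    """Copy each *.perfect file and the note from src to dst, keeping relative paths and
    mtimes, verify every copy against the source hash, and write a manifest of hashes."""
    manifest: Dict[str, dict] = {}
    for p in sorted(src.rglob("*")):
        if not p.is_file() or (p.suffix.lower() != RANSOM_EXT and p.name != NOTE_NAME):
            continue
        rel = p.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        digest = sha256_of(p)
        shutil.copy2(p, target)  # copy2 carries the modification time across
        if sha256_of(target) != digest:
            raise RuntimeError(f"copy of {rel} does not match its source")
        st = p.stat()
        manifest[rel] = {"sha256": digest, "size": st.st_size, "mtime": st.st_mtime}
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify(dst: Path) -> List[str]:
    """Return relative paths whose preserved copy is missing or no longer matches the manifest."""
    manifest = json.loads((dst / MANIFEST).read_text())
    return [rel for rel, meta in sorted(manifest.items())
            if not (dst / rel).is_file() or sha256_of(dst / rel) != meta["sha256"]]

def build_sample_tree(root: Path) -> None:
    """Constructed sample: two encrypted files, the note, and an untouched file that must be skipped."""
    samples = {
        "docs/report.docx.perfect": bytes(range(256)) * 4,
        "photos/egypt2012/IMG_0001.jpg.perfect": bytes(reversed(range(256))) * 4,
        "CONTACT.txt": b"Write to us to get your files back...\n",
        "docs/untouched.txt": b"this one was not encrypted\n",
    }
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)

def demo() -> dict:
    """Preserve the sample tree, verify it, then simulate a damaged copy and verify again."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        build_sample_tree(Path(src))
        manifest = preserve(Path(src), Path(dst))
        clean = verify(Path(dst))
        (Path(dst) / "docs/report.docx.perfect").write_bytes(b"bit rot")  # damage one copy
        damaged = verify(Path(dst))
        return {"preserved": sorted(manifest), "clean": clean, "damaged": damaged}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real source and an external drive as `preserve(Path("D:/share"), Path("E:/shelf"))`; keep the manifest with the copies, and when a decryptor finally appears, run `verify()` first so you do not feed it a damaged file and conclude the tool does not work.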

What NOT to do:
Do not get involved with the criminals. It is pointless. In more than 50% of cases, after “paying” approximately 5000 rubles, you will receive NOTHING. No money, no decryptor.
To be fair, it is worth noting that there are “lucky” people on the Internet who got their files back by paying for decryption. But you should not trust these people. If I were a virus writer, the first thing I would do is spread messages like “I paid and they sent me a decoder!!!”
Behind these “lucky ones” there may be the same attackers.

Well... let's wish good luck to other antivirus companies in creating a utility for decrypting files after the Trojan.Encoder group of viruses.

Special thanks to comrade v.martyanov from the Doctor Web forum for the work done on creating decryption utilities.