All files on the computer are encrypted. Expiration date of encryption malware. What to do next when all encrypted files are on a separate device

And every year more and more new ones appear... more and more interesting. The most popular virus recently (Trojan-Ransom.Win32.Rector), which encrypts all your files (*.mp3, *.doc, *.docx, *.iso, *.pdf, *.jpg, *.rar, etc. .d.). The problem is that decrypting such files is extremely difficult and time-consuming; depending on the type of encryption, decryption can take weeks, months, or even years. In my opinion, this virus is currently the apogee of danger among other viruses. It is especially dangerous for home computers/laptops, since most users do not back up their data and when encrypting files, they lose all data. For organizations, this virus is less dangerous because they make backup copies of important data and, in case of infection, simply restore them, naturally after removing the virus. I encountered this virus several times, I will describe how it happened and what it led to.

The first time I encountered a virus that encrypts files was in early 2014. An administrator from another city contacted me and told me the most unpleasant news - All files on the file server are encrypted! The infection occurred in an elementary way - the accounting department received a letter with the attachment “Act of something there.pdf.exe”, as you understand, they opened this EXE file and the process began... it encrypted all personal files on the computer and went to the file server (it was connected by a network drive). The administrator and I started digging for information on the Internet... at that time there was no solution... everyone wrote that there was such a virus, it was not known how to treat it, the files could not be decrypted, perhaps sending the files to Kaspersky, Dr Web or Nod32 would help. You can only send them if you use their anti-virus programs (licensed). We sent the files to Dr Web and Nod32, the results were 0, I don’t remember what they said to Dr Web, and Nod 32 was completely silent and I didn’t get any response from them. In general, everything was sad and we never found a solution; we restored some of the files from backup.

The second story - just the other day (mid-October 2014) I received a call from an organization asking me to solve a problem with a virus; as you understand, all the files on the computer were encrypted. Here's an example of what it looked like.

As you can see, the extension *.AES256 was added to each file. In each folder there was a file “Attention_open-me.txt” which contained contacts for communication.

When trying to open these files, a program with contacts opened to contact the authors of the virus to pay for decryption. Of course, I do not recommend contacting them, or paying for the code either, since you will only support them financially and it is not a fact that you will receive the decryption key.

The infection occurred during the installation of a program downloaded from the Internet. The most surprising thing was that when they noticed that the files had changed (icons and file extensions had changed), they did nothing and continued to work, while the ransomware continued to encrypt all files.

Attention!!! If you notice encryption of files on your computer (change in icons, change in extension), immediately turn off your computer/laptop and look for a solution from another device (from another computer/laptop, phone, tablet) or contact IT specialists. The longer your computer/laptop is turned on, the more files it will encrypt.

In general, I already wanted to refuse to help them, but I decided to surf the Internet, maybe a solution to this problem had already appeared. As a result of searching, I read a lot of information that it cannot be decrypted, that you need to send files to antivirus companies (Kaspersky, Dr Web or Nod32) - thanks for the experience.
I came across a utility from Kaspersky - RectorDecryptor. And lo and behold, the files were decrypted. Well, first things first...

The first step is to stop the ransomware. You won’t find any antiviruses, because the installed Dr Web didn’t find anything. First of all, I went to startup and disabled all startups (except antivirus). Rebooted the computer. Then I started looking at what kind of files were in startup.

As you can see in the "Command" field it is indicated where the file is located, special attention needs to be removed for applications without a signature (Manufacturer - No data). In general, I found and deleted the malware and files that were not yet clear to me. After that, I cleared temporary folders and browser caches; it is best to use the program for these purposes CCleaner .

Then I started decrypting the files, for this I downloaded decryption program RectorDecryptor . I launched it and saw a rather ascetic interface of the utility.

I clicked “Start scanning” and indicated the extension that all changed files had.

And indicated the encrypted file. In newer versions of RectorDecryptor you can simply specify the encrypted file. Click the "Open" button.

Tada-a-a-am!!! A miracle happened and the file was decrypted.

After this, the utility automatically checks all computer files + files on the connected network drive and decrypts them. The decryption process may take several hours (depending on the number of encrypted files and the speed of your computer).

As a result, all encrypted files were successfully decrypted into the same directory where they were originally located.

All that remains is to delete all files with the extension .AES256; this could be done by checking the “Delete encrypted files after successful decryption” checkbox if you click “Change scan parameters” in the RectorDecryptor window.

But remember that it is better not to check this box, because if the files are not successfully decrypted, they will be deleted and in order to try to decrypt them again you will have to first restore .

When I tried to delete all encrypted files using standard search and deletion, I encountered freezes and extremely slow operation of the computer.

Therefore, to remove it, it is best to use the command line, run it and write del"<диск>:\*.<расширение зашифрованного файла>"/f/s. In my case del "d:\*.AES256" /f /s.

Do not forget to delete the files "Attention_open-me.txt", to do this, use the command on the command line del"<диск>:\*.<имя файла>"/f/s, For example
del "d:\Attention_open-me.txt" /f /s

Thus, the virus was defeated and the files were restored. I want to warn you that this method will not help everyone, the whole point is that Kapersky in this utility has collected all the known decryption keys (from those files that were sent by those infected with the virus) and uses a brute force method to select the keys and decrypt them. Those. if your files are encrypted by a virus with an unknown key, then this method will not help... you will have to send the infected files to antivirus companies - Kaspersky, Dr Web or Nod32 to decrypt them.

The fact that the Internet is full of viruses does not surprise anyone today. Many users perceive situations related to their impact on systems or personal data, to put it mildly, turning a blind eye, but only until a ransomware virus specifically takes hold in the system. Most ordinary users do not know how to disinfect and decrypt data stored on a hard drive. Therefore, this contingent is “led” to the demands put forward by the attackers. But let's see what can be done if such a threat is detected or to prevent it from entering the system.

What is a ransomware virus?

This type of threat uses standard and non-standard file encryption algorithms that completely change their contents and block access. For example, it will be absolutely impossible to open an encrypted text file for reading or editing, as well as play multimedia content (graphics, video or audio) after exposure to the virus. Even standard actions to copy or move objects are unavailable.

The virus software itself is a tool that encrypts data in such a way that it is not always possible to restore its original state even after removing the threat from the system. Typically, such malicious programs create copies of themselves and settle very deeply in the system, so the file encrypting virus may be completely impossible to remove. By uninstalling the main program or deleting the main body of the virus, the user does not get rid of the threat, let alone restore encrypted information.

How does the threat enter the system?

As a rule, threats of this type are mostly aimed at large commercial structures and can penetrate computers through email programs when an employee opens a supposedly attached document in an email, which is, say, an addendum to some kind of cooperation agreement or product supply plan (commercial offers with investments from dubious sources are the first path for the virus).

The trouble is that a ransomware virus on a machine that has access to a local network is able to adapt to it, creating its own copies not only in the network environment, but also on the administrator terminal, if it does not have the necessary means of protection in the form of anti-virus software, firewall or firewall.

Sometimes such threats can penetrate the computer systems of ordinary users, which, by and large, are of no interest to attackers. This happens during the installation of some programs downloaded from dubious Internet resources. Many users ignore the warnings of the anti-virus protection system when starting the download, and during the installation process they do not pay attention to offers to install additional software, panels or browser plug-ins, and then, as they say, bite their elbows.

Types of viruses and a little history

In general, threats of this type, in particular the most dangerous ransomware virus No_more_ransom, are classified not only as tools for encrypting data or blocking access to it. In fact, all such malicious applications fall under the category of ransomware. In other words, attackers demand a certain bribe for decrypting information, believing that without the initial program it will be impossible to carry out this process. This is partly true.

But, if you dig into history, you will notice that one of the very first viruses of this type, although it did not demand money, was the infamous I Love You applet, which completely encrypted multimedia files (mainly music tracks) on user systems. Decrypting files after the ransomware virus turned out to be impossible at that time. Now it is precisely this threat that can be fought in an elementary way.

But the development of the viruses themselves or the encryption algorithms used does not stand still. What is there among viruses - here you have XTBL, and CBF, and Breaking_Bad, and [email protected], and a bunch of other crap.

Method of influencing user files

And if until recently most attacks were carried out using RSA-1024 algorithms based on AES encryption with the same bit depth, the same No_more_ransom ransom virus is now presented in several interpretations using encryption keys based on RSA-2048 and even RSA-3072 technologies.

Problems of deciphering the algorithms used

The trouble is that modern decryption systems were powerless in the face of such a danger. Decryption of files after an AES256-based ransomware virus is still somewhat supported, but given a higher bit depth of the key, almost all developers simply shrug their shoulders. This, by the way, has been officially confirmed by specialists from Kaspersky Lab and Eset.

In the most primitive version, the user contacting the support service is asked to send an encrypted file and its original for comparison and further operations to determine the encryption algorithm and recovery methods. But, as a rule, in most cases this does not give results. But the encrypting virus can decrypt files itself, it is believed, provided that the victim agrees to the attackers’ conditions and pays a certain amount in monetary terms. However, this formulation of the question raises legitimate doubts. And that's why.

Encryptor virus: how to disinfect and decrypt files and can it be done?

Allegedly, after payment, hackers activate decryption through remote access to their virus, which is sitting on the system, or through an additional applet if the virus body is deleted. This looks more than doubtful.

I would also like to note the fact that the Internet is full of fake posts claiming that the required amount was paid and the data was successfully restored. It's all a lie! And really - where is the guarantee that after payment the encryption virus will not be activated again in the system? It is not difficult to understand the psychology of burglars: pay once, pay again. And if we are talking about particularly important information, such as specific commercial, scientific or military developments, the owners of such information are willing to pay whatever they want to ensure that the files remain safe and sound.

The first remedy to eliminate the threat

This is the nature of an encryption virus. How to disinfect and decrypt files after exposure to a threat? No way, if there are no available means, which also do not always help. But you can try.

Let's assume that a ransomware virus has appeared in the system. How to cure infected files? First, you should perform an in-depth scan of the system without using S.M.A.R.T. technology, which detects threats only when boot sectors and system files are damaged.

It is advisable not to use an existing standard scanner, which has already missed the threat, but to use portable utilities. The best option would be to boot from Kaspersky Rescue Disk, which can start even before the operating system starts running.

But this is only half the battle, since in this way you can only get rid of the virus itself. But with a decoder it will be more difficult. But more on that later.

There is another category into which ransomware viruses fall. How to decrypt information will be discussed separately, but for now let’s focus on the fact that they can exist completely openly in the system in the form of officially installed programs and applications (the impudence of attackers knows no bounds, since the threat does not even try to disguise itself).

In this case, you should use the Programs and Features section, where standard uninstallation is performed. However, you need to pay attention to the fact that the standard uninstaller for Windows systems does not completely delete all program files. In particular, the ransom ransom virus is capable of creating its own folders in the root directories of the system (usually the Csrss directories, where the executable file of the same name csrss.exe is present). The Windows, System32 or user directories (Users on the system drive) are selected as the main location.

In addition, the No_more_ransom ransom virus writes its own keys in the registry in the form of a link, seemingly to the official Client Server Runtime Subsystem system service, which misleads many, since this service should be responsible for the interaction of client and server software. The key itself is located in the Run folder, which can be reached through the HKLM branch. It is clear that such keys will need to be deleted manually.

To make it easier, you can use utilities like iObit Uninstaller, which search for residual files and registry keys automatically (but only if the virus is visible on the system as an installed application). But this is the simplest thing you can do.

Solutions offered by antivirus software developers

Decryption of a ransomware virus, it is believed, can be done using special utilities, although if you have technologies with a 2048 or 3072 bit key, you shouldn’t really count on them (in addition, many of them delete files after decryption, and then the recovered files disappear due to the fault of the presence of a virus body that has not been removed before).

Nevertheless, you can try. Of all the programs, it is worth highlighting RectorDecryptor and ShadowExplorer. It is believed that nothing better has been created yet. But the problem may also be that when you try to use a decryptor, there is no guarantee that the files being disinfected will not be deleted. That is, if you do not get rid of the virus initially, any attempt at decryption will be doomed to failure.

In addition to deleting encrypted information, there can also be a fatal outcome - the entire system will be inoperable. In addition, a modern encryption virus can affect not only data stored on the computer’s hard drive, but also files in cloud storage. But there are no solutions for data recovery. In addition, as it turned out, many services take insufficiently effective protection measures (the same OneDrive built into Windows 10, which is exposed directly from the operating system).

A radical solution to the problem

As is already clear, most modern methods do not give a positive result when infected with such viruses. Of course, if you have the original of the damaged file, it can be sent for examination to an anti-virus laboratory. True, there are also very serious doubts about the fact that the average user will create backup copies of data, which, when stored on a hard drive, can also be exposed to malicious code. And the fact that in order to avoid troubles, users copy information to removable media is not discussed at all.

Thus, in order to radically solve the problem, the conclusion suggests itself: complete formatting of the hard drive and all logical partitions with the removal of information. So what to do? You will have to sacrifice if you do not want the virus or its self-saved copy to be activated in the system again.

To do this, you should not use the tools of the Windows systems themselves (this means formatting virtual partitions, since if you try to access the system disk, a ban will be issued). It is better to boot from optical media such as LiveCD or installation distributions, such as those created using the Media Creation Tool for Windows 10.

Before starting formatting, if the virus is removed from the system, you can try to restore the integrity of system components through the command line (sfc /scannow), but this will not have any effect in terms of decrypting and unlocking data. Therefore format c: is the only correct possible solution, whether you like it or not. This is the only way to completely get rid of threats of this type. Alas, there is no other way! Even treatment with standard remedies offered by most antivirus packages turns out to be powerless.

Instead of an afterword

In terms of the obvious conclusions, we can only say that there is no single and universal solution to eliminate the consequences of this type of threat today (sad, but true - this has been confirmed by the majority of anti-virus software developers and experts in the field of cryptography).

It remains unclear why the emergence of algorithms based on 1024-, 2048- and 3072-bit encryption passed by those directly involved in the development and implementation of such technologies? Indeed, today the AES256 algorithm is considered the most promising and most secure. Notice! 256! This system, as it turns out, is no match for modern viruses. What can we say then about attempts to decrypt their keys?

Be that as it may, avoiding the introduction of a threat into the system is quite simple. In the simplest version, you should scan all incoming messages with attachments in Outlook, Thunderbird and other email clients with an antivirus immediately after receipt and under no circumstances open attachments until the scan is completed. You should also carefully read the suggestions for installing additional software when installing some programs (usually they are written in very small print or disguised as standard add-ons like updating Flash Player or something else). It is better to update multimedia components through official websites. This is the only way to at least somehow prevent such threats from penetrating into your own system. The consequences can be completely unpredictable, given that viruses of this type instantly spread on the local network. And for the company, such a turn of events can result in a real collapse of all endeavors.

Finally, the system administrator should not sit idle. It is better to exclude software protection tools in such a situation. The same firewall (firewall) should not be software, but “hardware” (naturally, with accompanying software on board). And, it goes without saying that you shouldn’t skimp on purchasing antivirus packages either. It is better to buy a licensed package rather than install primitive programs that supposedly provide real-time protection only according to the developer.

And if a threat has already penetrated the system, the sequence of actions should include removing the virus body itself, and only then attempting to decrypt the damaged data. Ideally, a full format (note, not a quick one with clearing the table of contents, but a complete one, preferably with restoration or replacement of the existing file system, boot sectors and records).

It continues its oppressive march across the Internet, infecting computers and encrypting important data. How to protect yourself from ransomware, protect Windows from ransomware - have patches been released to decrypt and disinfect files?

New ransomware virus 2017 Wanna Cry continues to infect corporate and private PCs. U Damage from virus attack totals $1 billion. In 2 weeks, the ransomware virus infected at least 300 thousand computers, despite warnings and security measures.

Ransomware virus 2017, what is it?- as a rule, you can “pick up” on seemingly the most harmless sites, for example, bank servers with user access. Once on the victim’s hard drive, the ransomware “settles” in the system folder System32. From there the program immediately disables the antivirus and goes into "Autorun"" After every reboot, ransomware runs into the registry, starting his dirty work. The ransomware begins to download similar copies of programs like Ransom and Trojan. It also often happens ransomware self-replication. This process can be momentary, or it can take weeks until the victim notices something is wrong.

The ransomware often disguises itself as ordinary pictures or text files, but the essence is always the same - this is an executable file with the extension .exe, .drv, .xvd; Sometimes - libraries.dll. Most often, the file has a completely innocuous name, for example “ document. doc", or " picture.jpg", where the extension is written manually, and the true file type is hidden.

After encryption is complete, the user sees, instead of familiar files, a set of “random” characters in the name and inside, and the extension changes to a previously unknown one - .NO_MORE_RANSOM, .xdata and others.

Wanna Cry ransomware virus 2017 – how to protect yourself. I would like to immediately note that Wanna Cry is rather a collective term for all encryption and ransomware viruses, since recently it has infected computers most often. So, we'll talk about Protect yourself from Ransom Ware ransomware, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware. – EternalBlue via SMB port protocol.

Protecting Windows from ransomware 2017 – basic rules:

• Windows update, timely transition to a licensed OS (note: the XP version is not updated)
• updating anti-virus databases and firewalls on demand
• extreme care when downloading any files (cute “seals” can result in the loss of all data)
• Backing up important information to removable media.

Ransomware virus 2017: how to disinfect and decrypt files.

Relying on antivirus software, you can forget about the decryptor for a while. In laboratories Kaspersky, Dr. Web, Avast! and other antiviruses for now no solution for treating infected files was found. At the moment, it is possible to remove the virus using an antivirus, but there are no algorithms to return everything “to normal” yet.

Some try to use decryptors like the RectorDecryptor utility, but this won't help: an algorithm for decrypting new viruses has not yet been compiled. It is also absolutely unknown how the virus will behave if it is not removed after using such programs. Often this can result in the erasure of all files - as a warning to those who do not want to pay the attackers, the authors of the virus.

At the moment, the most effective way to recover lost data is to contact technical support. support from the vendor of the antivirus program you use. To do this, you should send a letter or use the feedback form on the manufacturer’s website. Be sure to add the encrypted file to the attachment and, if available, a copy of the original. This will help programmers in composing the algorithm. Unfortunately, for many, a virus attack comes as a complete surprise, and no copies are found, which greatly complicates the situation.

Cardiac methods of treating Windows from ransomware. Unfortunately, sometimes you have to resort to completely formatting the hard drive, which entails a complete change of OS. Many will think of restoring the system, but this is not an option - even if a “rollback” will allow you to get rid of the virus, the files will still remain encrypted.

If the system is infected with malware from the families Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, then all files on the computer will be encrypted as follows:

• When infected Trojan-Ransom.Win32.Rannoh names and extensions will change according to the template locked-<оригинальное_имя>.<4 произвольных буквы> .
• When infected Trojan-Ransom.Win32.Cryakl a label is added to the end of the file contents (CRYPTENDBLACKDC) .
• When infected Trojan-Ransom.Win32.AutoIt extension changes according to template <оригинальное_имя>@<почтовый_домен>_.<набор_символов> .
  For example, [email protected] _.RZWDTDIC.
• When infected Trojan-Ransom.Win32.CryptXXX extension changes according to templates <оригинальное_имя>.crypt,<оригинальное_имя>. crypz And <оригинальное_имя>. cryp1.

RannohDecryptor utility is designed to decrypt files after infection Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1 , 2 And 3 .

How to cure the system

To cure an infected system:

1. Download the RannohDecryptor.zip file.
2. Run RannohDecryptor.exe on the infected machine.
3. In the main window, click Start checking.

1. Specify the path to the encrypted and unencrypted file.
   If the file is encrypted Trojan-Ransom.Win32.CryptXXX, specify the largest files. Decryption will only be available for files of equal or smaller size.
2. Wait until the end of the search and decryption of encrypted files.
3. Restart your computer if required.
4. To delete a copy of encrypted files like locked-<оригинальное_имя>.<4 произвольных буквы> After successful decryption, select .

If the file was encrypted Trojan-Ransom.Win32.Cryakl, then the utility will save the file in the old location with the extension .decryptedKLR.original_extension. If you have chosen Delete encrypted files after successful decryption, then the decrypted file will be saved by the utility with the original name.

1. By default, the utility outputs a work report to the root of the system disk (the disk on which the OS is installed).

   The report name is as follows: UtilityName.Version_Date_Time_log.txt

   For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

In a system infected Trojan-Ransom.Win32.CryptXXX, the utility scans a limited number of file formats. If a user selects a file affected by CryptXXX v2, restoring the key may take a long time. In this case, the utility displays a warning.

About a week or two ago, another hack from modern virus makers appeared on the Internet, which encrypts all the user’s files. Once again I will consider the question of how to cure a computer after a ransomware virus encrypted000007 and recover encrypted files. In this case, nothing new or unique has appeared, just a modification of the previous version.

Guaranteed decryption of files after a ransomware virus - dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is no fundamentally different from its predecessors. It works almost exactly the same way. But still there are several nuances that distinguish it. I'll tell you about everything in order.

It arrives, like its analogues, by mail. Social engineering techniques are used to ensure that the user becomes interested in the letter and opens it. In my case, the letter talked about some kind of court and important information about the case in the attachment. After launching the attachment, the user opens a Word document with an extract from the Moscow Arbitration Court.

In parallel with opening the document, file encryption starts. An information message from the Windows User Account Control system begins to constantly pop up.

If you agree to the proposal, then the backup copies of files in shadow copies of Windows will be deleted and restoring information will be very difficult. It is obvious that you cannot agree with the proposal under any circumstances. In this encryptor, these requests pop up constantly, one after another and do not stop, forcing the user to agree and delete the backup copies. This is the main difference from previous modifications of encryptors. I have never encountered requests to delete shadow copies without stopping. Usually, after 5-10 offers they stopped.

I will immediately give a recommendation for the future. It is very common for people to disable User Account Control alerts. There is no need to do this. This mechanism can really help in resisting viruses. The second obvious piece of advice is to not constantly work under the computer administrator account unless there is an objective need for it. In this case, the virus will not have the opportunity to do much harm. You will have a better chance of resisting him.

But even if you have always answered negatively to the ransomware’s requests, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files with the same content on your desktop.

Your files have been encrypted. To decrypt ux, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decipher on your own will not lead to anything other than an irrevocable number of information. If you still want to try, then make backup copies of the files first, otherwise, in the event of a change, decryption will become impossible under any circumstances. If you have not received notification at the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways: 1) Download and install Tor Browser using the link: https://www.torproject.org/download/download-easy.html.en In the Tor Browser address, enter the address: http://cryptsen7fo43rr6 .onion/ and press Enter. The page with the contact form will load. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http:/ /cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Mailing address may change. I also came across the following addresses:

• [email protected]
• [email protected]

Addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are encrypted, immediately turn off your computer. This must be done to interrupt the encryption process both on the local computer and on network drives. An encryption virus can encrypt all information it can reach, including on network drives. But if there is a large amount of information there, then it will take him considerable time. Sometimes, even in a couple of hours, the ransomware did not have time to encrypt everything on a network drive with a capacity of approximately 100 gigabytes.

Next you need to think carefully about how to act. If you need information on your computer at any cost and you do not have backup copies, then it is better at this moment to turn to specialists. Not necessarily for money to some companies. You just need a person who is well versed in information systems. It is necessary to assess the scale of the disaster, remove the virus, and collect all available information on the situation in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate the process of decrypting or restoring files. In the worst case, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and has finished its activity, all useful files will be encrypted, renamed from extension.crypted000007. Moreover, not only the file extension will be replaced, but also the file name, so you won’t know exactly what kind of files you had if you don’t remember. It will look something like this.

In such a situation, it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in different folders. This was done specifically to confuse people and encourage them to pay for file decryption.

And if your network folders were encrypted and there are no full backups, then this can completely stop the work of the entire organization. It will take you a while to figure out what was ultimately lost in order to begin restoration.

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect a computer and how to remove a virus from it in order to prevent further encryption if it has not yet been completed. I would like to immediately draw your attention to the fact that after you yourself begin to perform some actions with your computer, the chances of decrypting the data decrease. If you need to recover files at any cost, do not touch your computer, but immediately contact professionals. Below I will talk about them and provide a link to the site and describe how they work.

In the meantime, we will continue to independently treat the computer and remove the virus. Traditionally, ransomware is easily removed from a computer, since the virus does not have the task of remaining on the computer at any cost. After completely encrypting the files, it is even more profitable for him to delete himself and disappear, so that it is more difficult to investigate the incident and decrypt the files.

It is difficult to describe manual removal of a virus, although I have tried to do this before, but I see that most often it is pointless. File names and virus placement paths are constantly changing. What I saw is no longer relevant in a week or two. Usually, viruses are sent by mail in waves, and each time there is a new modification that is not yet detected by antiviruses. Universal tools that check startup and detect suspicious activity in system folders help.

To remove the CRYPTED000007 virus, you can use the following programs:

1. Kaspersky Virus Removal Tool - a utility from Kaspersky http://www.kaspersky.ru/antivirus-removal-tool.
2. Dr.Web CureIt! - a similar product from other web http://free.drweb.ru/cureit.
3. If the first two utilities do not help, try MALWAREBYTES 3.0 - https://ru.malwarebytes.com.

Most likely, one of these products will clear your computer of the CRYPTED000007 ransomware. If it suddenly happens that they do not help, try removing the virus manually. I gave an example of the removal method and you can see it there. Briefly, step by step, you need to act like this:

1. We look at the list of processes, after adding several additional columns to the task manager.
2. We find the virus process, open the folder in which it sits and delete it.
3. We clear the mention of the virus process by file name in the registry.
4. We reboot and make sure that the CRYPTED000007 virus is not in the list of running processes.

Where to download the decryptor CRYPTED000007

The question of a simple and reliable decryptor comes up first when it comes to a ransomware virus. The first thing I recommend is to use the service https://www.nomoreransom.org. What if you are lucky and they have a decryptor for your version of the CRYPTED000007 encryptor. I’ll say right away that you don’t have many chances, but trying is not torture. On the main page click Yes:

Then download a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also see the list of decryptors for download on a separate page - https://www.nomoreransom.org/decryption-tools.html. Maybe there's something useful there. When the virus is completely fresh, there is little chance of this happening, but over time, something may appear. There are examples when decryptors for some modifications of encryptors appeared on the Internet. And these examples are on the specified page.

I don’t know where else you can find a decoder. It is unlikely that it will actually exist, taking into account the peculiarities of the work of modern encryptors. Only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The technical implementation of encryption does not allow decrypting files without a key or a decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I don't have that information. We can only try to recover files using improvised methods. These include:

• Tool shadow copies windows.
• Deleted data recovery programs

First, let's check if we have shadow copies enabled. This tool works by default in Windows 7 and higher, unless you manually disable it. To check, open the computer properties and go to the system protection section.

If during infection you did not confirm the UAC request to delete files in shadow copies, then some data should remain there. I spoke in more detail about this request at the beginning of the story, when I talked about the work of the virus.

To easily restore files from shadow copies, I suggest using a free program for this - ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of files and the root of drive C will open. In the upper left corner, you can select a backup copy if you have several of them. Check different copies for the required files. Compare by date for the most recent version. In my example below, I found 2 files on my desktop from three months ago when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and specified the folder where to restore them.

You can restore folders immediately using the same principle. If you had shadow copies working and did not delete them, you have a good chance of recovering all, or almost all, files encrypted by the virus. Perhaps some of them will be an older version than we would like, but nevertheless, it is better than nothing.

If for some reason you do not have shadow copies of your files, your only chance to get at least something from the encrypted files is to restore them using deleted file recovery tools. To do this, I suggest using the free program Photorec.

Launch the program and select the disk on which you will restore files. Launching the graphical version of the program executes the file qphotorec_win.exe. You must select a folder where the found files will be placed. It is better if this folder is not located on the same drive where we are searching. Connect a flash drive or external hard drive to do this.

The search process will take a long time. At the end you will see statistics. Now you can go to the previously specified folder and see what is found there. There will most likely be a lot of files and most of them will either be damaged or they will be some kind of system and useless files. But nevertheless, some useful files can be found in this list. There are no guarantees here; what you find is what you will find. Images are usually restored best.

If the result does not satisfy you, then there are also programs for recovering deleted files. Below is a list of programs that I usually use when I need to recover the maximum number of files:

• R.saver
• Starus File Recovery
• JPEG Recovery Pro
• Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, eset nod32 and others in the fight against the Filecoder.ED encryptor

Popular antiviruses detect the ransomware CRYPTED000007 as Filecoder.ED and then there may be some other designation. I looked through the major antivirus forums and didn't see anything useful there. Unfortunately, as usual, antivirus software turned out to be unprepared for the invasion of a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. Nevertheless, I recommend using them. If you are lucky and receive a ransomware email not in the first wave of infections, but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers. A new version of ransomware is released, but antiviruses do not respond to it. As soon as a certain amount of material for research on a new virus accumulates, antivirus software releases an update and begins to respond to it.

I don’t understand what prevents antiviruses from responding immediately to any encryption process in the system. Perhaps there is some technical nuance on this topic that does not allow us to adequately respond and prevent encryption of user files. It seems to me that it would be possible to at least display a warning about the fact that someone is encrypting your files, and offer to stop the process.

Where to go for guaranteed decryption

I happened to meet one company that actually decrypts data after the work of various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment only after full decryption and your verification. Here is an approximate scheme of work:

1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
2. Launches the decryptor and decrypts all files.
3. You make sure that all files are opened and sign the delivery/acceptance certificate for completed work.
4. Payment is made solely upon successful decryption results.

I'll be honest, I don't know how they do it, but you don't risk anything. Payment only after demonstration of the decoder's operation. Please write a review about your experience with this company.

Methods of protection against the CRYPTED000007 virus

How to protect yourself from ransomware and avoid material and moral damage? There are some simple and effective tips:

1. Backup! Backup of all important data. And not just a backup, but a backup to which there is no constant access. Otherwise, the virus can infect both your documents and backup copies.
2. Licensed antivirus. Although they do not provide a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the encryptor, but after 3-4 days they begin to respond. This increases your chances of avoiding infection if you were not included in the first wave of distribution of a new modification of the ransomware.
3. Do not open suspicious attachments in mail. There is nothing to comment here. All ransomware known to me reached users via email. Moreover, every time new tricks are invented to deceive the victim.
4. Do not thoughtlessly open links sent to you from your friends via social networks or instant messengers. This is also how viruses sometimes spread.
5. Enable windows to display file extensions. How to do this is easy to find on the Internet. This will allow you to notice the file extension on the virus. Most often it will be .exe, .vbs, .src. In your everyday work with documents, you are unlikely to come across such file extensions.

I tried to supplement what I have already written before in every article about the ransomware virus. In the meantime, I say goodbye. I would be glad to receive useful comments on the article and the CRYPTED000007 ransomware virus in general.

Video about file decryption and recovery

Here is an example of a previous modification of the virus, but the video is completely relevant for CRYPTED000007.