
How to decrypt locked files. Kaspersky Virus Removal Tool to remove XTBL ransomware

If the system is infected with malware of the families Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, then all files on the computer will be encrypted as follows:

  • When infected with Trojan-Ransom.Win32.Rannoh, file names and extensions change to the pattern locked-<original_name>.<4 random letters>.
  • When infected with Trojan-Ransom.Win32.Cryakl, a marker (CRYPTENDBLACKDC) is appended to the end of the file content.
  • When infected with Trojan-Ransom.Win32.AutoIt, the extension changes to the pattern <original_name>@<mail_domain>_.<set_of_characters>.
    For example, [email protected] _.RZWDTDIC.
  • When infected with Trojan-Ransom.Win32.CryptXXX, the extension changes to the patterns <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.

The RannohDecryptor utility is designed to decrypt files after infection by Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.
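As an added triage example (my own code, not part of the original page or of Kaspersky's utility), the following Python function recognises the four naming and content patterns listed above and reports which family, and therefore which decryptor, applies; the regular expressions for the Rannoh and AutoIt shapes and the sample file names are assumptions derived from those templates.

```python
import re

# Marker that Trojan-Ransom.Win32.Cryakl appends to the content of each file (from the page).
CRYAKL_MARKER = b"CRYPTENDBLACKDC"

# Rannoh: locked-<original_name>.<4 random letters>. The original name keeps its own
# extension, so "locked-report.docx.qwer" yields "report.docx". (Regex is an assumption.)
RANNOH_RE = re.compile(r"^locked-(?P<orig>.+)\.(?P<suffix>[A-Za-z]{4})$")

# AutoIt: <original_name>@<mail_domain>_.<set_of_characters>. (Regex is an assumption.)
AUTOIT_RE = re.compile(r"^(?P<orig>.+)@(?P<domain>[A-Za-z0-9.-]+)_\.(?P<suffix>[A-Za-z0-9]+)$")

# CryptXXX: <original_name>.crypt / .crypz / .cryp1
CRYPTXXX_EXTS = (".crypt", ".crypz", ".cryp1")


def identify_family(name, content=b""):
    """Guess the family from a file name and (optionally) the file's bytes.

    Returns (family, original_name) where family is 'Rannoh', 'Cryakl', 'AutoIt',
    'CryptXXX' or None. Only the rules stated on the page are applied, so a benign
    file that happens to match a shape (e.g. "locked-notes.html") is also flagged;
    treat the result as a triage hint, not proof."""
    # Cryakl leaves the name alone and marks the content, so check the bytes first.
    if content.endswith(CRYAKL_MARKER):
        return "Cryakl", name
    m = RANNOH_RE.match(name)
    if m:
        return "Rannoh", m.group("orig")
    m = AUTOIT_RE.match(name)
    if m:
        return "AutoIt", m.group("orig")
    lower = name.lower()
    for ext in CRYPTXXX_EXTS:
        if lower.endswith(ext):
            return "CryptXXX", name[: -len(ext)]
    return None, name


def triage(files):
    """files: iterable of (name, content). Returns {family: [original names]} for hits
    and 'unmatched' for the rest, so an analyst sees which decryptor applies."""
    result = {}
    for name, content in files:
        family, orig = identify_family(name, content)
        result.setdefault(family or "unmatched", []).append(orig)
    return result


# Constructed sample, not real victim data.
SAMPLE_FILES = [
    ("locked-report.docx.qwer", b"\x00" * 16),
    ("photo.jpg@mail.example_.RZWDTDIC", b"\x00" * 16),
    ("budget.xlsx.crypz", b"\x00" * 16),
    ("notes.txt", b"some opaque bytes" + CRYAKL_MARKER),
    ("readme.txt", b"plain text"),
]

if __name__ == "__main__":
    for family, names in triage(SAMPLE_FILES).items():
        print(f"{family}: {names}")
```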

How to cure the system

To disinfect an infected system:

  1. Download the RannohDecryptor.zip file.
  2. Run the RannohDecryptor.exe file on the infected machine.
  3. In the main window, click Start check.
  4. Specify the path to the encrypted file and to the unencrypted (original) file.
    If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, specify the files with the largest size. Decryption will only be available for files of equal or smaller size.
  5. Wait until the search and decryption of encrypted files is complete.
  6. Restart your computer if required.
  7. To delete the copies of encrypted files of the form locked-<original_name>.<4 random letters> after successful decryption, select Delete encrypted files after successful decryption.

If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the file in the old location with the extension .decryptedKLR.original_extension. If you chose Delete encrypted files after successful decryption, the utility saves the decrypted file under its original name instead.

By default, the utility writes a report of its work to the root of the system drive (the drive on which the OS is installed).

The report name has the form UtilityName.Version_Date_Time_log.txt, for example C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt.

On a system infected with Trojan-Ransom.Win32.CryptXXX, the utility scans a limited number of file formats. When a user selects a file affected by CryptXXX v2, key recovery may take a long time; in this case the utility displays a warning.

That the Internet is full of viruses surprises no one today. Many users, to put it mildly, turn a blind eye to the effect such threats have on their systems and personal data, at least until a ransomware virus settles into their own system. Most ordinary users do not know how to disinfect the system and decrypt the data on their hard drive, so they give in to the attackers' demands. Let us look at what you can do if such a threat is detected, and how to prevent it from entering the system.

What is a ransomware virus?

This type of threat uses standard and non-standard file encryption algorithms that completely alter the files' content and block access to them. For example, after the virus has run, an encrypted text file cannot be opened for reading or editing, and multimedia content (graphics, video or audio) cannot be played. Even the standard operations of copying or moving objects are unavailable.

The virus's own code encrypts data in such a way that restoring the original state is not always possible even after the threat has been removed from the system. Such malware usually creates copies of itself and embeds itself deep in the system, so a file-encrypting virus can sometimes be impossible to remove completely. Uninstalling the main program or deleting the main body of the virus does not free the user from its effects, let alone restore the encrypted information.

How does the threat get into the system?

As a rule, threats of this type mostly target large commercial organizations and enter computers through mail clients when an employee opens a supposed attachment, say, an addendum to a cooperation agreement or a goods delivery schedule (commercial offers with attachments from dubious sources are the primary path for the virus).

The trouble is that a ransomware virus on a machine with access to a local network can adapt there as well, creating copies of itself not only across the networked environment but also on the administrator's terminal, if it lacks the necessary protection in the form of antivirus software or a firewall.

Sometimes such threats also reach the computers of ordinary users, who, by and large, are of no interest to cybercriminals. This happens when installing programs downloaded from dubious Internet resources. Many users ignore the antivirus warnings when starting the download, pay no attention during installation to offers to install additional software, toolbars or browser plug-ins, and then bitterly regret it.

Varieties of viruses and a little history

Basically, threats of this type, in particular the most dangerous ransomware virus No_more_ransom, are classified not only as tools for encrypting data or blocking access to it. In fact, all such malicious applications fall under ransomware: the cybercriminals demand a certain sum of money for decrypting the information, on the premise that decryption is impossible without their original program. This is partly true.

But if you dig into history, you will notice that one of the very first viruses of this type, although it made no monetary demands, was the infamous I Love You applet, which completely encrypted multimedia files (mainly music tracks) on user systems. Decrypting files after that ransomware virus proved impossible at the time. Today this threat can be dealt with trivially.

But the development of the viruses themselves and of the encryption algorithms they use does not stand still. There is no shortage of varieties: XTBL, CBF, Breaking_Bad, [email protected] and a host of other nasty things.

Technique for influencing user files

Until recently most attacks relied on RSA-1024 algorithms combined with AES encryption of the same bit length; today the same No_more_ransom ransomware virus exists in several variants that use encryption keys based on RSA-2048 and even RSA-3072 technologies.

Decryption problems for the algorithms used

The trouble is that modern decryption tools are powerless against such a threat. Decrypting files after an AES256-based ransomware virus is still somewhat supported, but with longer keys almost all developers simply shrug their shoulders. This, incidentally, has been officially confirmed by specialists from Kaspersky Lab and Eset.

In the simplest case, a user who contacts the support service is asked to send an encrypted file and its original for comparison, so that the encryption algorithm and possible recovery methods can be determined. As a rule, though, this does not work. The ransomware itself, it is said, can decrypt the files, provided the victim accepts the attackers' terms and pays a certain sum of money. This claim, however, raises legitimate doubts, and here is why.

Encryption virus: how to cure and decrypt files and can it be done?

After payment, the hackers supposedly activate decryption via remote access to the virus sitting on the system, or via an additional applet if the virus body has been removed. This looks more than doubtful.

I would also note that the Internet is full of fake posts claiming that the required sum was paid and the data successfully restored. This is all a lie! And really, where is the guarantee that after payment the ransomware in the system will not be activated again? The psychology of extortionists is not hard to understand: if you pay once, you will pay again. And when particularly important information is involved, such as specific commercial, scientific or military developments, the owners of that information are ready to pay whatever it takes to keep the files intact and safe.

The first remedy to eliminate the threat

This is the nature of a ransomware virus. How do you disinfect and decrypt files after exposure to such a threat? Often you cannot, if no tools are at hand, and even the tools do not always help. But you can try.

Let us assume that a ransomware virus has appeared on the system. How do you disinfect the infected files? First, perform an in-depth system scan without using S.M.A.R.T. technology, which detects threats only when the boot sectors and system files are damaged.

It is advisable not to use the existing standard scanner, which has already missed the threat, but portable utilities instead. The best option is to boot from the Kaspersky Rescue Disk, which starts before the operating system does.

But this is only half the battle, since this way you only get rid of the virus itself. Decryption is harder; more on that later.

There is another category of ransomware viruses. How to decrypt the information will be discussed separately; for now, note that they can exist quite openly in the system in the form of officially installed programs and applications (the impudence of the attackers knows no bounds, since the threat does not even try to disguise itself).

In this case, use the Programs and Features section, where standard uninstallation is performed. Bear in mind, however, that the standard Windows uninstaller does not delete all program files. In particular, the ransomware virus can create its own folders in the system's root directories (usually Csrss directories containing an executable file of the same name, csrss.exe). Windows, System32 or the user directories (Users on the system drive) are chosen as the main location.

In addition, the No_more_ransom ransomware virus writes its own keys in the registry in the form of what looks like a link to the official system service Client Server Runtime Subsystem, which misleads many, since that service is supposed to handle interaction between client and server software. The key itself is located in the Run folder, reachable through the HKLM branch. Clearly, such keys will have to be deleted manually.

To make this easier, you can use utilities like iObit Uninstaller, which search for leftover files and registry keys automatically (but only if the virus is visible on the system as an installed application). But that is the easy part.
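As an added example (my own code, not the page's or any vendor's), here is a Python check for exactly the disguise described above: a Run entry under HKLM that borrows the Client Server Runtime Subsystem name, launches a csrss.exe from a Run key, or points into a Csrss folder. The sample Run entries are constructed, and the winreg reader is an assumed helper that only does anything on Windows.

```python
import re

# Registry path the page points at (the Run folder under the HKLM branch).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Names the page says the ransomware's Run entry hides behind.
DISGUISE_NAMES = ("client server runtime subsystem", "csrss")

# First token of a Run command line: either "quoted path" or an unquoted word.
_EXE_RE = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def executable_of(command):
    """Return the executable path from a Run-key command line, lower-cased ('' if empty)."""
    m = _EXE_RE.match(command)
    if not m:
        return ""
    return (m.group("quoted") or m.group("bare")).lower()


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command) pairs read from a Run key.

    Returns [(value_name, command, reason)] for entries matching the page's description.
    The real csrss.exe is started by smss.exe during boot, never from a Run key, so any
    Run entry that references it is out of place regardless of where the file lives."""
    findings = []
    for value_name, command in entries:
        exe = executable_of(command)
        name = value_name.lower()
        reasons = []
        if exe == "csrss.exe" or exe.endswith("\\csrss.exe"):
            reasons.append("csrss.exe launched from a Run key")
        if any(alias in name for alias in DISGUISE_NAMES):
            reasons.append("value name imitates the Client Server Runtime Subsystem")
        # The page says the malware creates its own Csrss folders under Windows, System32 or Users.
        if "\\csrss\\" in exe:
            reasons.append("executable lives in a Csrss directory")
        if reasons:
            findings.append((value_name, command, "; ".join(reasons)))
    return findings


def read_hklm_run():
    """Assumed helper: enumerate the HKLM Run key on Windows; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed sample of Run values, not taken from a real machine.
SAMPLE_RUN = [
    ("SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    ("Client Server Runtime Subsystem", r'"C:\Users\alice\AppData\Roaming\Csrss\csrss.exe"'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for value_name, command, reason in suspicious_run_entries(read_hklm_run() or SAMPLE_RUN):
        print(f"[!] {value_name}: {command}\n    {reason}")
```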

Solutions offered by anti-virus software developers

It is believed that a ransomware virus can be decrypted using special utilities, although with 2048- or 3072-bit keys you should not rely on them (besides, many of them delete files after decryption, and then the restored files disappear because a virus body that was not removed beforehand is still present).

Nevertheless, you can try. Of all the programs, RectorDecryptor and ShadowExplorer are worth highlighting; it is believed nothing better has been created so far. But the problem is that when you try to use a decryptor, there is no guarantee that the files being disinfected will not be deleted. That is, if you do not get rid of the virus first, any attempt at decryption is doomed to fail.

Beyond the loss of encrypted information, the result can be fatal: the entire system becomes inoperable. Moreover, a modern ransomware virus can affect not only data on the computer's hard drive but also files in cloud storage, and there are no solutions for restoring that information. As it turns out, many services take insufficient protective measures (the same built-in OneDrive in Windows 10, which is exposed directly from the operating system).

A radical solution to the problem

As is already clear, most modern methods give no positive result with such infections. Of course, if an original of the damaged file exists, it can be sent to an antivirus laboratory for examination. There are, however, serious doubts that an ordinary user keeps backup copies, and copies stored on the hard disk can also be exposed to the malicious code. Copying information to removable media to avoid trouble is not even worth discussing.

Thus, the radical solution suggests itself: complete formatting of the hard drive and all logical partitions, with the loss of the information on them. What else can you do? You will have to sacrifice the data if you do not want the virus or its self-saved copy to be activated in the system again.

For this, do not use the tools of the Windows system itself (I mean formatting virtual partitions, since access to the system disk will be refused). It is better to boot from optical media such as a LiveCD or an installation distribution, such as one created with the Media Creation Tool for Windows 10.

Before formatting, provided the virus has been removed from the system, you can try to restore the integrity of the system components from the command line (sfc /scannow), but this will have no effect on decrypting or unlocking data. Therefore, format c: is the only correct solution, whether you like it or not. This is the only way to get rid of this type of threat completely. Alas, there is no other way! Even treatment with the standard tools offered by most antivirus packages is powerless.

Instead of an afterword

By way of conclusion, we can only say that there is no single, universal solution today for eliminating the consequences of such threats (sad, but a fact, and one confirmed by most antivirus software developers and specialists in cryptography).

It remains unclear how the emergence of algorithms based on 1024-, 2048- and 3072-bit encryption escaped those directly involved in developing and implementing such technologies. Today the AES256 algorithm is considered the most promising and most secure. Notice: 256! And this system, it turns out, is no match for modern viruses. What can one say, then, about attempts to decrypt their keys?

Be that as it may, it is quite easy to avoid letting a threat into the system. In the simplest case, scan all incoming messages with attachments in Outlook, Thunderbird and other mail clients with an antivirus immediately on receipt, and never open attachments until the scan is complete. Also read carefully any offers to install additional software when installing programs (they are usually in very small print or disguised as standard add-ons such as a Flash Player update). It is better to update media components through the official sites. This is the only way to at least somewhat prevent such threats from penetrating your own system. The consequences can be completely unpredictable, given that viruses of this type spread instantly across the local network, and for a company such a turn of events can mean the collapse of all its undertakings.

Finally, the system administrator should not sit idle. In such a situation it is better to rule out purely software protection: the firewall should not be a software one but a hardware one (with accompanying software on board, of course). And it goes without saying that you should not skimp on antivirus packages either: it is better to buy a licensed package than to install primitive programs that supposedly provide real-time protection only on the developer's word.

And if a threat has already entered the system, the sequence of actions should be: remove the virus body itself first, and only then attempt to decrypt the damaged data. Ideally, do a full format (mind you, not a quick format that only clears the file table, but a full format, preferably with the existing file system, boot sectors and records restored or replaced).

The Kaspersky RakhniDecryptor utility decrypts files whose extensions have changed according to the following patterns:

  • Trojan-Ransom.Win32.Rakhni:
    • <file_name>.<original_extension>.locked;
    • <file_name>.<original_extension>.kraken;
    • <file_name>.<original_extension>.darkness;
    • <file_name>.<original_extension>.oshit;
    • <file_name>.<original_extension>.nochance;
    • <file_name>.<original_extension>[email protected] _com;
    • <file_name>.<original_extension>[email protected] _com;
    • <file_name>.<original_extension>.crypto;
    • <file_name>.<original_extension>[email protected];
    • <file_name>.<original_extension>.p *** [email protected] _com;
    • <file_name>.<original_extension>[email protected] _com;
    • <file_name>.<original_extension>[email protected] _com;
    • <file_name>.<original_extension>[email protected] _com;
    • <file_name>.<original_extension>[email protected] _com;
    • <file_name>.<original_extension>[email protected] _com;
    • <file_name>.<original_extension>[email protected] _com_id373;
    • <file_name>.<original_extension>[email protected] _com_id371;
    • <file_name>.<original_extension>[email protected] _com_id372;
    • <file_name>.<original_extension>[email protected] _com_id374;
    • <file_name>.<original_extension>[email protected] _com_id375;
    • <file_name>.<original_extension>[email protected] _com_id376;
    • <file_name>.<original_extension>[email protected] _com_id392;
    • <file_name>.<original_extension>[email protected] _com_id357;
    • <file_name>.<original_extension>[email protected] _com_id356;
    • <file_name>.<original_extension>[email protected] _com_id358;
    • <file_name>.<original_extension>[email protected] _com_id359;
    • <file_name>.<original_extension>[email protected] _com_id360;
    • <file_name>.<original_extension>[email protected] _com_id20.

Trojan-Ransom.Win32.Rakhni creates a file exit.hhr.oshit, which contains the encrypted password for the user's files. If this file is still present on the infected computer, decryption will be much faster. If the exit.hhr.oshit file has been deleted, restore it with a deleted-file recovery program, place it in the %APPDATA% folder and rerun the utility's check. The exit.hhr.oshit file can be found at the following path: C:\Users\<user_name>\AppData\Roaming

  • Trojan-Ransom.Win32.Mor: <file_name>.<original_extension>_crypt.
  • Trojan-Ransom.Win32.Autoit: <file_name>.<original_extension>.<[email protected] _. letters>.
  • Trojan-Ransom.MSIL.Lortok:
    • <file_name>.<original_extension>.cry;
    • <file_name>.<original_extension>.AES256.
  • Trojan-Ransom.AndroidOS.Pletor: <file_name>.<original_extension>.enc.
  • Trojan-Ransom.Win32.Agent.iih: <file_name>.<original_extension>+.
  • Trojan-Ransom.Win32.CryFile: <file_name>.<original_extension>.encrypted.
  • Trojan-Ransom.Win32.Democry:
    • <file_name>.<original_extension>+<._date-time_$mail@domain$.777>;
    • <file_name>.<original_extension>+<._date-time_$mail@domain$.legion>.
  • Trojan-Ransom.Win32.Bitman version 3:
    • <file_name>.xxx;
    • <file_name>.ttt;
    • <file_name>.micro;
    • <file_name>.mp3.
  • Trojan-Ransom.Win32.Bitman version 4: <file_name>.<original_extension> (file name and extension do not change).
  • Trojan-Ransom.Win32.Libra:
    • <file_name>.encrypted;
    • <file_name>.locked;
    • <file_name>.SecureCrypted.
  • Trojan-Ransom.MSIL.Lobzik:
    • <file_name>.fun;
    • <file_name>.gws;
    • <file_name>.btc;
    • <file_name>.AFD;
    • <file_name>.porno;
    • <file_name>.pornoransom;
    • <file_name>.epic;
    • <file_name>.encrypted;
    • <file_name>.J;
    • <file_name>.payransom;
    • <file_name>.paybtcs;
    • <file_name>.paymds;
    • <file_name>.paymrss;
    • <file_name>.paymrts;
    • <file_name>.paymst;
    • <file_name>.paymts;
    • <file_name>.gefickt;
    • <file_name>[email protected]
  • Trojan-Ransom.Win32.Mircop: .<file_name>.<original_extension>.
  • Trojan-Ransom.Win32.Crusis (Dharma):
    • <file_name>.ID<…>.@..xtbl;
    • <file_name>.ID<…>.@..CrySiS;
    • <file_name>.id-<…>.@..xtbl;
    • <file_name>.id-<…>.@..wallet;
    • <file_name>.id-<…>.@..dhrama;
    • <file_name>.id-<…>.@..onion;
    • <file_name>.@..wallet;
    • <file_name>.@..dhrama;
    • <file_name>.@..onion.
  • Examples of some malicious distributor addresses:

  • Trojan-Ransom.Win32.Nemchig: <file_name>.<original_extension>[email protected]
  • Trojan-Ransom.Win32.Lamer:
    • <file_name>.<original_extension>.bloked;
    • <file_name>.<original_extension>.cripaaaa;
    • <file_name>.<original_extension>.smit;
    • <file_name>.<original_extension>.fajlovnet;
    • <file_name>.<original_extension>.filesfucked;
    • <file_name>.<original_extension>.criptx;
    • <file_name>.<original_extension>.gopaymeb;
    • <file_name>.<original_extension>.cripted;
    • <file_name>.<original_extension>.bnmntftfmn;
    • <file_name>.<original_extension>.criptiks;
    • <file_name>.<original_extension>.cripttt;
    • <file_name>.<original_extension>.hithere;
    • <file_name>.<original_extension>.aga.
  • Trojan-Ransom.Win32.Cryptokluchen:
    • <file_name>.<original_extension>.AMBA;
    • <file_name>.<original_extension>.PLAGUE17;
    • <file_name>.<original_extension>.ktldll.
  • Trojan-Ransom.Win32.Rotor:
    • <file_name>.<original_extension>[email protected];
    • <file_name>.<original_extension>[email protected];
    • <file_name>.<original_extension>[email protected];
    • <file_name>.<original_extension>[email protected];
    • <file_name>.<original_extension>[email protected] _.crypt;
    • <file_name>.<original_extension>[email protected] ____. crypt;
    • <file_name>.<original_extension>[email protected] _______. crypt;
    • <file_name>.<original_extension>[email protected] ___. crypt;
    • <file_name>.<original_extension>[email protected]==. crypt;
    • <file_name>.<original_extension>[email protected]= -. crypt.

If the file is encrypted with the CRYPT extension, decryption may take a long time: on an Intel Core i5-2400 processor, for example, it can take about 120 days.

How to decrypt files using the Kaspersky RakhniDecryptor utility

  1. Download the RakhniDecryptor.zip archive and unpack it. Instructions are in the article.
  2. Go to the folder with the files from the archive.
  3. Run the RakhniDecryptor.exe file.
  4. Click Change scan parameters.
  5. Select the objects to scan: hard drives, removable drives or network drives.
  6. Check the box Delete encrypted files after successful decryption. In this case, the utility deletes the copies of encrypted files with the assigned extensions LOCKED, KRAKEN, DARKNESS, etc.
  7. Click OK.
  8. Click Start check.
  9. Select the encrypted file and click Open.
  10. Read the warning and click OK.

The files will be decrypted.

A file can be encrypted with the CRYPT extension more than once. For example, if the test.doc file has been encrypted twice, the RakhniDecryptor utility decrypts the first layer into the file test.1.doc.layerDecryptedKLR, and the following entry appears in the utility's report: "Decryption success: drive:\path\test.doc_crypt -> drive:\path\test.1.doc.layerDecryptedKLR". This file must be decrypted by the utility again. If that decryption succeeds, the file is saved again under its original name, test.doc.
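The two-pass behaviour just described is easy to lose track of across many files, so here is an added Python example (my own code, not Kaspersky's) that parses report lines of the shape quoted above and lists the .layerDecryptedKLR outputs that still need another run. The report excerpt is constructed, and the assumption that later layers are logged in the same format is mine.

```python
import re

# Report line shape quoted on the page for one decryption layer:
#   Decryption success: drive:\path\test.doc_crypt -> drive:\path\test.1.doc.layerDecryptedKLR
REPORT_LINE_RE = re.compile(r"^Decryption success:\s*(?P<src>.+?)\s*->\s*(?P<dst>.+?)\s*$")

# Suffix the utility gives to an intermediate (still encrypted) layer.
LAYER_SUFFIX = ".layerDecryptedKLR"


def parse_report(text):
    """Return a list of (source, destination) pairs from RakhniDecryptor report lines.
    Lines that do not match the 'Decryption success' shape are ignored."""
    pairs = []
    for line in text.splitlines():
        m = REPORT_LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def pending_layers(text):
    """Intermediate layer files that never reappear as a source in the report:
    these still need another decryption pass with the utility."""
    pairs = parse_report(text)
    sources = {src for src, _ in pairs}
    return [dst for _, dst in pairs if dst.endswith(LAYER_SUFFIX) and dst not in sources]


def fully_restored(text):
    """Final outputs (no layer suffix), i.e. files back under their original name."""
    return [dst for _, dst in parse_report(text) if not dst.endswith(LAYER_SUFFIX)]


# Constructed report excerpt. The first success line follows the page's example; the
# line for the second pass assumes each further layer is logged the same way.
SAMPLE_REPORT = """\
RakhniDecryptor started
Decryption success: C:\\data\\test.doc_crypt -> C:\\data\\test.1.doc.layerDecryptedKLR
Decryption success: C:\\data\\test.1.doc.layerDecryptedKLR -> C:\\data\\test.doc
Decryption success: C:\\data\\notes.txt_crypt -> C:\\data\\notes.1.txt.layerDecryptedKLR
Decryption failed: C:\\data\\broken.bin_crypt
"""

if __name__ == "__main__":
    print("needs another pass:", pending_layers(SAMPLE_REPORT))
    print("restored:", fully_restored(SAMPLE_REPORT))
```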

Parameters for running the utility from the command line

For convenience and speeding up the process of decrypting files, Kaspersky RakhniDecryptor supports the following command line parameters:

Parameter, its meaning, and an example of use:

  • –threads: runs the utility with password guessing in several threads. If this parameter is not specified, the number of threads equals the number of processor cores. Example: RakhniDecryptor.exe –threads 6
  • –start <number>: resumes password guessing from a certain state. The minimum number is 0. Example: RakhniDecryptor.exe –start 123
  • –end <number>: stops password brute-forcing at a certain state. The maximum number is 1,000,000. Example: RakhniDecryptor.exe –end 123
  • –start <number> –end <number>: password guessing in the range between two states. Example: RakhniDecryptor.exe –start 100 –end 50,000
  • -l <file name with its full path>: specifies the path to the file where the utility's report should be saved. Example: RakhniDecryptor.exe -l C:\Users\Administrator\RakhniReport.txt
  • -h: displays help about the available command line parameters. Example: RakhniDecryptor.exe -h

By themselves, viruses as a computer threat surprise no one today. But whereas earlier they affected the system as a whole, causing malfunctions in its operation, today, with the advent of the ransomware virus, the actions of an infiltrating threat concern user data more than anything. It is perhaps an even greater threat than Windows-destroying executables or spyware applets.

What is a ransomware virus?

The code of such a self-copying virus encrypts almost all user data with special cryptographic algorithms, without affecting the operating system's files.

At first, the logic of the virus's behaviour was not entirely clear to many. Everything became clear only when the hackers who created such applets began demanding money to restore the original file structure. At the same time, the encryption virus itself, by its nature, does not allow the files to be decrypted. That requires a special decryptor: a code, a password or an algorithm needed to restore the desired content.

The principle of penetration into the system and the operation of the virus code

As a rule, it is quite hard to "pick up" such muck on the Internet. The main source of the "infection" is e-mail at the level of programs installed on a particular computer terminal, such as Outlook, Thunderbird, The Bat, etc. Note right away: this does not apply to Internet mail servers, which have a sufficiently high degree of protection, and access to user data is possible only at the level

Another matter is an application on a computer terminal. Here the field for the virus's action is wider than one can imagine. True, a reservation is in order: in most cases, viruses target large companies, from which money can be "squeezed" for providing a decryption code. This is understandable: not only on local computer terminals but also on such companies' servers, files may be stored, so to speak, in a single copy that must not be destroyed under any circumstances. And then decrypting files after the ransomware virus becomes quite a problem.

Of course, an ordinary user can also be subject to such an attack, but in most cases this is unlikely if you follow the simplest recommendations about opening attachments with extensions of an unknown type. Even if the mail client identifies an attachment with the .jpg extension as a standard graphic file, it must first be checked with the standard antivirus installed in the system.

If this is not done, opening it with a double click (the standard method) starts the code and the encryption process begins, after which the same Breaking_Bad (encryption virus) will not only be impossible to delete, but the files cannot be restored even after the threat has been eliminated.

The general consequences of the penetration of all viruses of this type

As already mentioned, most viruses of this type enter the system via e-mail. Say that in a large organization, a specific registered mailbox receives a letter with content like "We have changed the contract, scan attached" or "An invoice has been sent to you for the shipment of goods (copy attached)". Naturally, an unsuspecting employee opens the file and ...

All user files, at the level of office documents, multimedia, specialized AutoCAD projects or any other archival data, are instantly encrypted, and if the computer terminal is on the local network, the virus can spread further, encrypting data on other machines (this becomes noticeable immediately from the "slowing down" of the system and the freezing of programs or currently running applications).

At the end of the encryption process, the virus itself apparently sends a kind of report, after which the company may receive a message that such-and-such a threat has entered the system and that only such-and-such an organization can decrypt it. Usually this concerns the virus [email protected] Next comes the demand to pay for decryption services, with the proposal to send several files to the client's e-mail, which is most often fictitious.

Harm from code exposure

If anyone has not yet understood: decrypting files after a ransomware virus is a rather laborious process. Even if you do not give in to the cybercriminals' demands and turn to the official government bodies that fight and prevent computer crime, usually nothing good comes of it.

If you delete all the files, format the drive, and even copy the original data back from removable media (if such a copy exists), everything will be encrypted again as soon as the virus is activated. So do not flatter yourself, especially since when that same flash drive is inserted into the USB port, the user will not even notice the virus encrypting the data on it. Then you will certainly not avoid problems.

Firstborn in the family

Now let us turn to the first ransomware virus. At the time of its appearance, no one had yet thought about how to disinfect and decrypt files after exposure to the executable code enclosed in an e-mail attachment with a dating offer. Awareness of the scale of the disaster came only with time.

That virus had the romantic name "I Love You". An unsuspecting user opened an attachment in an e-mail message and was left with completely unplayable multimedia files (graphics, video and audio). Back then, however, such actions looked more like plain destruction (damaging users' media libraries), and no one demanded money for it.

Newest modifications

As you can see, the evolution of this technology has become quite a profitable business, especially considering that many heads of large organizations immediately rush to pay for decryption, without stopping to think that they can lose both the money and the information.

By the way, pay no attention to all those dubious posts on the Internet saying "I paid the required amount, they sent me a code, and everything was restored." Nonsense! All of this is written by the virus developers to attract potential, excuse the expression, "suckers". And by the standards of an ordinary user, the amounts demanded are quite serious: from hundreds to several thousand or even tens of thousands of euros or dollars.

Now let's take a look at the newest viruses of this type, recorded relatively recently. All of them are practically similar and belong not only to the category of file encryptors but also to the group of so-called extortion malware. In some cases they behave more "correctly" (like paycrypt), for example by sending formal business proposals or messages claiming that someone cares about the security of the user or organization. Such a ransomware virus simply misleads the user with its message. If the user takes even the slightest step towards paying, that's it: the scam is complete.

XTBL virus

This relatively recent one can be attributed to the classic version of ransomware. As a rule, it penetrates the system through e-mail messages containing attachments with the file extension that is standard for Windows screensavers. The system and the user think everything is in order and open or save the attachment.

Alas, this leads to sad consequences: the file names are converted into a string of characters and .xtbl is appended to the main extension, after which a message about the possibility of decryption after payment of the specified amount (usually 5 thousand rubles) is sent to the e-mail address in question.

CBF virus

This type of virus also belongs to the classics of the genre. It appears in the system after e-mail attachments are opened, and then renames user files, appending an extension such as .nochance or .perfect.

Unfortunately, decrypting files after this type of ransomware virus is impossible, and the contents of its code cannot even be analysed at the moment it appears in the system, since it self-destructs after completing its actions. Even what many consider a universal tool, RectorDecryptor, does not help. Again, the user receives a letter demanding payment, for which two days are given.

Breaking_Bad virus

This type of threat works in the same way, but renames files in the standard manner by appending .breaking_bad to the extension.

The situation is not limited to this. Unlike previous viruses, this one can also create another extension, .Heisenberg, so it is not always possible to find all infected files. So Breaking_Bad (a ransomware virus) is a rather serious threat. By the way, there are cases when even the licensed Kaspersky Endpoint Security 10 package lets this type of threat through.

Virus [email protected]

Here is another, perhaps the most serious threat, aimed mostly at large commercial organizations. As a rule, a letter arrives at some department that appears to contain amendments to a supply agreement, or even just an invoice. The attachment may contain an ordinary .jpg file (such as an image), but more often an executable script.js (Java applet).

How to decrypt files after this type of ransomware virus? Judging by the fact that some unknown RSA-1024 algorithm is used, there is no way. As the name suggests, it is a 1024-bit encryption system. But, if anyone remembers, today 256-bit AES is considered the most advanced.

Encryption virus: how to disinfect and decrypt files using antivirus software

To date, no solutions have been found to decrypt threats of this type. Even such masters of anti-virus protection as Kaspersky, Dr. Web and Eset cannot find the key to solving the problem once a ransomware virus has done its work in the system. How to disinfect files? In most cases, it is suggested to send a request to the official website of the anti-virus developer (by the way, only if the developer's licensed software is installed on the system).

In this case, you need to attach several encrypted files together with their "healthy" originals, if any exist. By and large, few people keep copies of their data, so the absence of copies only aggravates an already unpleasant situation.

Possible ways to identify and remediate a threat manually

Yes, scanning with conventional antiviruses detects threats and even removes them from the system. But what about the information?

Some people try to use decoder programs such as the already mentioned RectorDecryptor (RakhniDecryptor) utility. Let's note right away: this will not help. And in the case of the Breaking_Bad virus, it can only do a great deal of harm. Here is why.

The fact is that the people who create such viruses try to protect themselves and teach others a lesson. When decryption utilities are used, the virus can react in such a way that the entire system "falls apart", with the complete destruction of all data stored on the hard drives or logical partitions. This is, so to speak, a demonstration lesson for the edification of all those who do not want to pay. One can only rely on the official anti-virus laboratories.

Cardinal methods

However, if things are really bad, you will have to sacrifice the information. To get rid of the threat completely, you need to format the entire hard drive, including virtual partitions, and then reinstall the operating system.

Unfortunately, there is no other way out. Even rolling back to a saved restore point will not help. The virus may disappear, but the files will remain encrypted.

Instead of an afterword

In conclusion, it should be noted that the situation is as follows: a ransomware virus penetrates the system, does its dirty deed and cannot be cured by any known method. Anti-virus defenses were not prepared for this type of threat. It goes without saying that you can detect the virus after the fact, or remove it. But the encrypted information will remain unreadable. So one can only hope that the best minds of the anti-virus companies will eventually find a solution, although, judging by the encryption algorithms, it will be very difficult. Recall, for example, the Enigma cipher machine used by the German navy during World War II. The best cryptographers could not solve the problem of decrypting its messages until they got their hands on the device itself. The same applies here.

The Locked ransomware virus is a malicious program that, when activated, encrypts all personal files (such as photos and documents) using the very strong AES + RSA hybrid encryption scheme. After a file is encrypted, its extension is changed to .locked. As before, the purpose of the Locked virus is to force users to buy the program and the key needed to decrypt their own files.

At the end of the file encryption process, the Locked virus displays a message similar to the one shown above. It explains how the files can be decrypted. The user is invited to transfer an amount of $250 (about 17,000 rubles) to the authors of the virus.

How Locked ransomware virus infiltrates a computer

The Locked ransomware virus usually spreads via e-mail. The letter contains infected documents. These e-mails are sent to a huge database of e-mail addresses. The authors of this virus use misleading subjects and message bodies in an attempt to trick the user into opening the attached document. Some of the letters announce that a bill must be paid, others offer the latest price list, still others a funny photo, and so on. In any case, the result of opening the attached file is infection of the computer with an encryption virus.

What is Locked ransomware virus

The Locked ransomware virus is a malicious program that infects modern versions of Windows, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This virus uses a hybrid AES + RSA encryption mode, which practically rules out brute-forcing the key to decrypt the files yourself.

While infecting a computer, the Locked ransomware virus uses system directories to store its own files. To start automatically every time the computer is turned on, the ransomware creates an entry in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The Locked ransomware virus uses the file name extension to decide which group of files to encrypt. Almost all types of files are encrypted, including such common ones as:

.0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

After a file is encrypted, its extension is changed to .locked. The virus then creates a text document named UNLOCK_FILES_INSTRUCTIONS.txt, which contains instructions for decrypting the encrypted files.

The Locked ransomware virus actively uses intimidation tactics, giving the victim a brief description of the encryption algorithm and displaying a threatening message on the Desktop. In this way, it tries to force the user of the infected computer to pay the ransom without hesitation in an attempt to get the files back.

Is my computer infected with Locked ransomware virus?

Determining whether a computer is infected with the Locked virus is quite easy. Check whether all of your personal files, such as documents, photos and music, still open normally in their corresponding programs. If, for example, Word reports that a document is of an unknown type when you open it, then most likely the document is encrypted and the computer is infected. Of course, the presence of a message from the Locked virus on the Desktop or the appearance of the UNLOCK_FILES_INSTRUCTIONS.txt file on the disk is also a sign of infection.
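As an added example that is not part of the original article, the following Python triage script automates the two checks described above: it walks a directory tree looking for the renamed extensions this article attributes to the Locked, XTBL, CBF, Breaking_Bad and CryptXXX families and for the UNLOCK_FILES_INSTRUCTIONS.txt note. The 5% threshold and the sample tree it builds are constructed assumptions, not figures from the article.

```python
import os
import tempfile
from collections import Counter

# Extensions the article attributes to the ransomware families it describes
# (Locked, XTBL, CBF, Breaking_Bad, CryptXXX); matched case-insensitively.
RANSOM_EXTENSIONS = {".locked", ".xtbl", ".nochance", ".perfect", ".breaking_bad",
                     ".heisenberg", ".crypt", ".crypz", ".cryp1"}
# Ransom-note file name the article gives for the Locked family.
RANSOM_NOTES = {"unlock_files_instructions.txt"}


def scan_tree(root):
    """Walk root; return (Counter of ransom extensions, note paths, total file count)."""
    hits, notes, total = Counter(), [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            lower = name.lower()
            if lower in RANSOM_NOTES:
                notes.append(os.path.join(dirpath, name))
                continue
            ext = os.path.splitext(lower)[1]  # "photo.jpg.locked" -> ".locked"
            if ext in RANSOM_EXTENSIONS:
                hits[ext] += 1
    return hits, notes, total


def assess(hits, notes, total):
    """'infected' if a ransom note exists or >= 5% of files carry a ransom extension
    (assumed threshold); 'suspicious' if only a few such files; otherwise 'clean'."""
    encrypted = sum(hits.values())
    if notes or (total and encrypted / total >= 0.05):
        return "infected"
    return "suspicious" if encrypted else "clean"


def build_sample(root):
    """Constructed sample tree imitating a profile after a Locked-style run (not real data)."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("invoice.docx.locked", "photo.jpg.locked", "notes.txt",
                 "UNLOCK_FILES_INSTRUCTIONS.txt", "report.xlsx.breaking_bad"):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("constructed sample content\n")


def run_demo():
    """Build the constructed sample in a temp dir, scan it, return (verdict, hits, notes, total)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits, notes, total = scan_tree(tmp)
        return assess(hits, notes, total), dict(hits), len(notes), total


if __name__ == "__main__":
    print(run_demo())  # -> ('infected', {'.locked': 2, '.breaking_bad': 1}, 1, 5)
```

Point scan_tree at a user profile or a mounted drive image to triage it; the verdict only reports the renaming symptoms described in this section and does not recover any files.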

If you suspect that you have opened a message infected with the Locked virus but there are no symptoms of infection yet, do not turn off or restart your computer. First of all, disconnect from the Internet! Then follow the steps described in the corresponding section of this manual. Another option is to shut down the computer, remove the hard drive and examine it on another computer.

How to decrypt files encrypted by Locked virus?

If this misfortune has happened, there is no need to panic! But you need to know that there is no free decryptor. This is due to the strong encryption algorithms used by this virus, which means that it is almost impossible to decrypt the files without the private key. Brute-forcing the key is also not an option because of the large key length. Therefore, unfortunately, paying the authors of the virus the entire requested amount is the only way to try to obtain the decryption key.

Of course, there is absolutely no guarantee that after payment the authors of the virus will get in touch and provide the key necessary to decrypt your files. In addition, you need to understand that by paying money to virus developers, you yourself are pushing them to create new viruses.

How to remove Locked ransomware virus?

Before proceeding, you need to know that by starting to remove the virus and trying to restore the files on your own, you forfeit the option of decrypting the files by paying the authors of the virus the amount they demand.

Kaspersky Virus Removal Tool and Malwarebytes Anti-malware can detect different types of active ransomware viruses and can easily remove them from your computer, BUT they cannot recover encrypted files.

5.1. Remove Locked ransomware virus using Kaspersky Virus Removal Tool

There are also specialized protection programs, for example CryptoPrevent (a more detailed description is available in English).

A few final words

By following these instructions, your computer will be cleaned of the Locked ransomware virus. If you have any questions or need help, please contact us.
