How to find out what a file is encrypted with. Working files turned into .xtbl: taming the ransomware virus. File encryption notice


“Sorry to bother you, but... your files are encrypted. To get the decryption key, urgently transfer a certain amount of money to the specified wallet... Otherwise, your data will be destroyed forever. You have 3 hours; the clock is ticking.” And it's not a joke. A ransomware virus is a very real threat.

Today we'll talk about what the ransomware that has spread in recent years is, what to do if you are infected, how to clean your computer (and whether that is even possible), and how to protect yourself.

We encrypt everything!

A ransomware virus (encryptor, cryptor) is a type of malware whose activity consists of encrypting the user's files and then demanding a ransom for the decryption tool. Ransom amounts start at around $200 and reach tens or hundreds of thousands of dollars.

Several years ago, only Windows computers were attacked by this class of malware. Today their range has expanded to the seemingly well-protected Linux, Mac and Android. In addition, the variety of encryptors keeps growing: new ones appear one after another, each with something to surprise the world. WannaCry, for instance, arose from the "crossing" of a classic encryption Trojan with a network worm (a malicious program that spreads across networks without active user participation).

After WannaCry came the no less sophisticated Petya and Bad Rabbit. And since the "encryption business" brings its owners a good income, you can be sure they will not be the last.

More and more ransomware, especially families released in the last 3-5 years, use strong cryptographic algorithms that cannot be cracked by brute force or any other existing means. The only way to recover the data is the original key, which the attackers offer to sell. However, even transferring the demanded sum does not guarantee that you will receive the key. Criminals are in no hurry to reveal their secrets and lose potential profit. And what reason do they have to keep their promises once they already have the money?

Paths of distribution of encrypting viruses

The main way malware gets onto the computers of private users and organizations is email, or more precisely, files and links attached to emails.

Examples of subject lines of such letters aimed at "corporate clients":

  • “Repay your loan debt immediately.”
  • “The claim has been filed in court.”
  • “Pay the fine/fee/tax.”
  • “Additional charge of utility bills.”
  • “Oh, is that you in the photo?”
  • “Lena asked me to urgently give this to you,” etc.

Admittedly, only a knowledgeable user would treat such a letter with caution. Most people will open the attachment without hesitation and launch the malicious program themselves, ignoring the antivirus's warnings along the way.

The following are also actively used to distribute ransomware:

  • Social networks (mailing from the accounts of friends and strangers).
  • Malicious and infected web resources.
  • Banner advertising.
  • Mailing via messengers from hacked accounts.
  • Warez sites and distributors of keygens and cracks.
  • Adult sites.
  • Application and content stores.

Encryption viruses are often delivered by other malicious programs, in particular adware and backdoor Trojans. The latter, using vulnerabilities in the system and software, give the criminal remote access to the infected device. In such cases the launch of the encryptor does not necessarily coincide in time with any risky action by the user: as long as the backdoor remains in the system, the attacker can enter the device at any moment and start encryption.

Especially sophisticated methods are developed to infect the computers of organizations (after all, more can be extracted from them than from home users). For example, the Petya Trojan penetrated devices through the update module of the MEDoc tax accounting program.

Encryptors with network-worm functions, as already mentioned, spread across networks, including the Internet, through protocol vulnerabilities, and you can become infected with them without doing anything at all. Users of rarely updated Windows systems are at greatest risk, because updates close the known loopholes.

Some malware, such as WannaCry, exploits 0-day vulnerabilities, that is, ones the system developers are not yet aware of. Unfortunately, it is impossible to fully resist infection of this kind, but the likelihood of being among the victims does not even reach 1%. Why? Because malware cannot infect all vulnerable machines at once, and while it is hunting for new victims, the system developers manage to release a life-saving update.

How ransomware behaves on an infected computer

As a rule, the encryption process begins unnoticed, and by the time its signs become obvious it is too late to save the data: the malware has already encrypted everything it could reach. Sometimes the user notices that the extensions of the files in an open folder have changed.

The unexplained appearance of a new, sometimes second, extension on files, after which they stop opening, is a sure sign of an encryptor attack. Incidentally, the extension given to the damaged objects usually makes it possible to identify the malware.

Examples of extensions that encrypted files receive: .xtbl, .kraken, .cesar, .da_vinci_code, .codercsu@gmail_com, .crypted000007, .no_more_ransom, .decoder GlobeImposter v2, .ukrain, .rn, etc.

There are a great many variants, and new ones will appear tomorrow, so there is no point in listing them all. To determine the type of infection, it is enough to feed the extension to a search engine.
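The two signs described above, an appended extension and contents that no longer open, can be checked mechanically. The following script is an added example, not code from the article; it combines the article's extension list with two content checks (missing format magic bytes and near-maximal byte entropy) to separate files that were really encrypted from files that were merely renamed. The watch list, the magic table and the sample files are assumptions constructed for the example.

```python
"""Triage files for signs of ransomware encryption (added example, constructed data).

Signals combined per file:
  1. the name ends with an extension known to be appended by encryptors;
  2. the content no longer matches the original extension: expected magic
     bytes are gone and/or the byte entropy is close to 8 bits per byte,
     which ciphertext has and documents or images do not.
"""
import math
import os
from collections import Counter

# Extensions the article lists as appended by encryptors (assumption: incomplete list).
RANSOM_EXTENSIONS = {
    ".xtbl", ".kraken", ".cesar", ".da_vinci_code", ".crypted000007",
    ".no_more_ransom", ".ukrain", ".rn",
}

# Magic bytes of a few common formats (well-known values).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
    ".zip": b"PK\x03\x04",
}

ENTROPY_THRESHOLD = 7.5  # bits/byte; text sits around 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_ransom_extension(name: str):
    """('report.docx.xtbl') -> ('report.docx', '.xtbl'); untagged names -> (name, None)."""
    root, ext = os.path.splitext(name)
    if ext.lower() in RANSOM_EXTENSIONS:
        return root, ext.lower()
    return name, None


def classify(name: str, data: bytes) -> dict:
    """Combine the name signal and the content signals into one verdict."""
    original, appended = split_ransom_extension(name)
    orig_ext = os.path.splitext(original)[1].lower()
    expected = MAGIC.get(orig_ext)
    magic_ok = expected is None or data.startswith(expected)
    entropy = shannon_entropy(data)
    # A tagged name alone could be a harmless rename; require the content to
    # have stopped looking like the original format as well.
    encrypted = appended is not None and (not magic_ok or entropy >= ENTROPY_THRESHOLD)
    return {
        "file": name,
        "original_name": original,
        "appended_extension": appended,
        "magic_ok": magic_ok,
        "entropy": round(entropy, 2),
        "encrypted": encrypted,
    }


def triage(files: dict) -> list:
    """Classify every name -> bytes pair; encrypted files are listed first."""
    return sorted((classify(n, d) for n, d in files.items()),
                  key=lambda r: not r["encrypted"])


# Constructed samples: an intact JPEG, a PDF that was only renamed, and a PNG
# whose content was replaced by high-entropy bytes with .crypted000007 appended.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 500,
    "contract.pdf.xtbl": b"%PDF-1.4\n" + b"A" * 500,
    "logo.png.crypted000007": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES):
        print(row)
```

Run it over a real folder by replacing `SAMPLE_FILES` with a dict built from `open(path, "rb").read(4096)` per file; the first few kilobytes are enough for both checks. Note that compressed formats (zip, docx, jpeg) are high-entropy by nature, which is why the magic-byte check is kept alongside the entropy one.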

Other symptoms that indirectly indicate that encryption has begun:

  • Command-line windows flash on the screen for a split second. Most often this is normal when system and program updates are being installed, but it is better not to leave it unattended.
  • UAC prompts to launch a program you did not intend to open.
  • A sudden reboot of the computer followed by an imitation of the operating system's disk-check utility (other variations are possible). The encryption takes place during this "check".

After the malicious operation is successfully completed, a message appears on the screen with a ransom demand and various threats.

Ransomware encrypts a significant portion of user files: photos, music, videos, text documents, archives, mail, databases, files with program extensions, etc. But they do not touch operating system objects, because attackers do not need the infected computer to stop working. Some viruses replace boot records of disks and partitions.

After encryption, all shadow copies and recovery points are typically deleted from the system.
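The behaviour described in this section, many files receiving a new extension within seconds, is something a file-system audit log or endpoint sensor can catch while encryption is still in progress. The following detector is an added example, not part of the article: it counts extension-changing renames per process in a sliding window over a constructed event list. The window size, threshold and sample events are assumptions to be tuned per environment.

```python
"""Flag a burst of extension-changing renames per process (added example).

Input events are (timestamp, process, old_name, new_name) tuples in time order,
the shape a file-audit log or EDR rename sensor would provide (constructed here).
"""
from collections import deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=10)  # assumption: sliding window length
THRESHOLD = 20                  # assumption: extension changes per window that trigger an alert


def extension_changed(old: str, new: str) -> bool:
    """True when the rename swapped or appended the extension, e.g. a.doc -> a.doc.xtbl."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of extension-changing renames per process.

    Returns one alert tuple (process, window_start, count, new_extension) per
    process that reaches the threshold; later events for that process are ignored.
    """
    recent = {}   # process -> deque of timestamps still inside the window
    alerted = {}
    for ts, proc, old, new in events:
        if not extension_changed(old, new):
            continue
        q = recent.setdefault(proc, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and proc not in alerted:
            alerted[proc] = (proc, q[0], len(q), os.path.splitext(new)[1].lower())
    return list(alerted.values())


def build_sample_events():
    """Constructed log: explorer.exe renames two files over a minute (benign),
    while an unknown process appends .xtbl to 25 documents within five seconds."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = [
        (t0, "explorer.exe", "notes.txt", "notes.md"),
        (t0 + timedelta(seconds=40), "explorer.exe", "draft.docx", "final.docx"),
    ]
    for i in range(25):
        ts = t0 + timedelta(seconds=20, milliseconds=200 * i)
        events.append((ts, "unknown.exe", f"report{i}.docx", f"report{i}.docx.xtbl"))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for proc, start, count, ext in detect_bursts(build_sample_events()):
        print(f"ALERT {proc}: {count} files got extension {ext} within {WINDOW} from {start}")
```

A rename `draft.docx -> final.docx` keeps its extension and is not counted, so ordinary user activity stays below the threshold; the alert fires on the 20th `.xtbl` rename, with most of the 25 files already lost, which is why the article insists on cutting power the moment the symptom is noticed rather than waiting for confirmation.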

How to cure a computer from ransomware

Removing malicious programs from an infected system is easy—almost all antivirus programs can handle most of them without difficulty. But! It is naive to believe that getting rid of the culprit will solve the problem: whether you remove the virus or not, the files will still remain encrypted. In addition, in some cases this will complicate their subsequent decryption, if possible.

Correct procedure when starting encryption

  • As soon as you notice signs of encryption, immediately cut the computer's power by pressing and holding the Power button for 3-4 seconds. This will save at least some of the files.
  • On another computer, create a boot disk or flash drive with an antivirus program, for example Kaspersky Rescue Disk 18, DrWeb LiveDisk, ESET NOD32 LiveCD, etc.
  • Boot the infected machine from this disk and scan the system. Remove any viruses found but keep them in quarantine (in case they are needed for decryption). Only after that can you boot the computer from its hard drive.
  • Try to recover the encrypted files from shadow copies using system tools or third-party utilities.

What to do if the files are already encrypted

  • Don't lose hope. The websites of antivirus vendors offer free decryption utilities for different types of malware, in particular the utilities from Avast and Kaspersky Lab.
  • Having determined the encryptor type, download the appropriate utility, be sure to make copies of the damaged files first, and try to decrypt them. If it succeeds, decrypt the rest.

If the files are not decrypted

If none of the utilities help, it is likely that you have suffered from a virus for which there is no cure yet.

What you can do in this case:

  • If you use a paid antivirus product, contact its support team. Send several copies of the damaged files to the laboratory and wait for a response. If it is technically possible, they will help you.

By the way, Dr.Web is one of the few laboratories that helps not only its own users but everyone affected. You can submit a file decryption request on its website.

  • If the files turn out to be hopelessly damaged but are of great value to you, all you can do is hope and wait for a remedy to be found someday. The best thing you can do is leave the system and files as they are: shut the machine down completely and do not use the hard drive. Deleting the malware files, reinstalling the operating system, or even updating it can deprive you of this chance, since unique system identifiers and the copy of the virus itself are often involved in generating the encryption/decryption keys.

Paying the ransom is not an option, since the likelihood that you will receive the key is close to zero. And there is no point in financing a criminal business.

How to protect yourself from this type of malware

I would rather not repeat advice that every reader has heard hundreds of times. Yes, install a good antivirus, do not click suspicious links, and so on; this is important. However, as experience has shown, no magic pill exists today that gives a 100% guarantee of security.

The only effective protection against ransomware of this kind is backing up data to other physical media, including cloud services. Backup, backup, backup...

The fact that the Internet is full of viruses surprises no one today. Many users, to put it mildly, turn a blind eye to what such threats can do to their systems or personal data, at least until a ransomware virus takes hold of their system. Most ordinary users do not know how to disinfect the machine and decrypt the data stored on its hard drive. That is why this group gives in to the attackers' demands. But let's see what can be done when such a threat is detected, or to keep it out of the system in the first place.

What is a ransomware virus?

This type of threat uses standard and non-standard file encryption algorithms that completely change the files' contents and block access to them. For example, after the virus has done its work it is absolutely impossible to open an encrypted text file for reading or editing, or to play multimedia content (graphics, video or audio). Even ordinary actions such as copying or moving the objects become unavailable.

The virus itself is a tool that encrypts data in such a way that restoring its initial state is not always possible, even after the threat has been removed from the system. Typically, such malicious programs create copies of themselves and settle very deep in the system, so the encrypting virus may be impossible to remove completely. By uninstalling the main program or deleting the main body of the virus, the user neither gets rid of the threat nor, even less, restores the encrypted information.

How does the threat enter the system?

As a rule, threats of this type are mostly aimed at large commercial organizations and penetrate computers through mail programs when an employee opens a supposedly legitimate e-mail attachment, say an addendum to some cooperation agreement or a product supply plan (commercial offers with attachments from dubious sources are the main route for such a virus).

The trouble is that a ransomware virus on a machine with access to a local network is able to adapt to it, creating copies of itself not only in the network environment but also on the administrator's terminal, if that terminal lacks the necessary protection in the form of antivirus software and a firewall.

Sometimes such threats also penetrate the computers of ordinary users, who by and large are of no interest to the attackers. This happens during the installation of programs downloaded from dubious Internet resources. Many users ignore the antivirus warnings shown when the download starts, pay no attention during installation to offers to install additional software, toolbars or browser plug-ins, and then, as they say, live to regret it.

Types of viruses and a little history

In general, threats of this type, in particular the most dangerous No_more_ransom ransomware virus, are classified not only as tools for encrypting data or blocking access to it. In fact, all such malicious applications fall under the category of ransomware. In other words, the attackers demand a certain payment for decrypting the information, believing that the process is impossible without the original program. This is partly true.

But if you dig into history, you will notice that one of the very first viruses of this type, although it did not demand money, was the infamous I Love You applet, which completely encrypted multimedia files (mainly music tracks) on users' systems. At the time, decrypting files after that ransomware virus turned out to be impossible. Now this particular threat can be dealt with in an elementary way.

But the development of the viruses themselves and of the encryption algorithms they use does not stand still. Among the viruses out there you have XTBL, CBF, Breaking_Bad, [email protected], and a pile of other junk.

Method of influencing user files

And while until recently most attacks were carried out using RSA-1024 algorithms based on AES encryption of the same bit depth, the same No_more_ransom ransomware virus now comes in several variants using encryption keys based on RSA-2048 and even RSA-3072 technology.

Problems of deciphering the algorithms used

The trouble is that modern decryption systems have proved powerless in the face of such a danger. Decryption of files after an AES256-based ransomware virus is still supported to some extent, but with a higher key bit depth almost all developers simply shrug their shoulders. This, by the way, has been officially confirmed by specialists from Kaspersky Lab and Eset.

In the most primitive version, a user who contacts the support service is asked to send an encrypted file and its original for comparison and further work to determine the encryption algorithm and recovery methods. But, as a rule, in most cases this produces no result. It is believed that the encrypting virus itself can decrypt the files, provided that the victim agrees to the attackers' conditions and pays a certain sum of money. However, this way of putting the question raises legitimate doubts, and here is why.

Encryptor virus: how to disinfect and decrypt files and can it be done?

Allegedly, after payment, hackers activate decryption through remote access to their virus, which is sitting on the system, or through an additional applet if the virus body is deleted. This looks more than doubtful.

I would also like to note that the Internet is full of fake posts claiming that the demanded sum was paid and the data was successfully restored. It's all a lie! And really, where is the guarantee that after payment the encryption virus will not be activated in the system again? The psychology of the extortionists is not hard to understand: pay once, pay again. And when it comes to especially important information, such as specific commercial, scientific or military developments, the owners of that information are willing to pay whatever is asked to keep the files safe and sound.

The first remedy to eliminate the threat

Such is the nature of an encryption virus. How can files be disinfected and decrypted after exposure to the threat? No way, if no suitable tools are available, and even those do not always help. But you can try.

Let's assume a ransomware virus has appeared in the system. How can the infected files be cured? First, perform an in-depth scan of the system without relying on S.M.A.R.T. technology, which detects threats only when boot sectors and system files are damaged.

It is advisable not to use the existing standard scanner, which has already missed the threat, but portable utilities. The best option is to boot from Kaspersky Rescue Disk, which starts before the operating system does.

But this is only half the battle, since in this way you can only get rid of the virus itself. Decryption is harder, but more on that later.

There is another category into which ransomware viruses fall. How to decrypt the information will be discussed separately; for now let's note that they can exist in the system quite openly in the form of officially installed programs and applications (the impudence of the attackers knows no bounds, since the threat does not even try to disguise itself).

In this case you should use the Programs and Features section, where the standard uninstallation is performed. However, keep in mind that the standard Windows uninstaller does not delete all of a program's files. In particular, the ransomware virus is capable of creating its own folders in the system's root directories (usually directories named Csrss, in which an executable file of the same name, csrss.exe, is present). The main locations chosen are the Windows folder, System32 or user directories (Users on the system disk).

In addition, the No_more_ransom ransomware virus writes its own keys to the registry in the form of a link to what appears to be the official Client Server Runtime Subsystem system service, which misleads many, since that service is indeed responsible for the interaction of client and server software. The key itself is located in the Run folder, which can be reached through the HKLM branch. Naturally, such keys will have to be deleted manually.

To make this easier, you can use utilities such as iObit Uninstaller, which search for residual files and registry keys automatically (but only if the virus is visible in the system as an installed application). But this is the simplest thing you can do.

Solutions offered by antivirus software developers

It is believed that a ransomware virus's files can be decrypted using special utilities, although with 2048- or 3072-bit keys you should not really count on them (in addition, many of them delete files after decryption, and then the recovered files disappear again because the virus body, which was not deleted beforehand, is still present).

Nevertheless, you can try. Of all the programs, RectorDecryptor and ShadowExplorer deserve to be singled out; it is believed that nothing better has been created yet. But the problem is that when you use a decryptor, there is no guarantee that the files being cured will not be deleted. That is, if you do not get rid of the virus first, any attempt at decryption is doomed to failure.

Besides the deletion of encrypted information, there can be a fatal outcome: the entire system becomes inoperable. In addition, a modern encryption virus can affect not only data stored on the computer's hard drive but also files in cloud storage, and there are no solutions for recovering those. Moreover, as it turned out, many services take insufficient protection measures (the same OneDrive built into Windows 10, which is exposed directly from the operating system).

A radical solution to the problem

As is already clear, most modern methods do not give a positive result after infection by such viruses. Of course, if you have the original of a damaged file, it can be sent for examination to an antivirus laboratory. But there are very serious doubts that the average user makes backup copies of data, and copies stored on the hard drive can also be hit by the malicious code. As for users copying information to removable media to avoid trouble, that is simply not done.

Thus, to solve the problem fundamentally, the conclusion suggests itself: a full format of the hard drive and all logical partitions, with the information on them deleted. So what to do? You will have to make this sacrifice if you do not want the virus or the copy it saved of itself to be activated in the system again.

For this you should not use the tools of the Windows system itself (that would mean formatting virtual partitions, since an attempt to access the system disk will be refused). It is better to boot from optical media such as a LiveCD or an installation distribution, for example one created with the Media Creation Tool for Windows 10.

Before formatting, provided the virus has been removed from the system, you can try to restore the integrity of system components from the command line (sfc /scannow), but in terms of decrypting and unlocking the data this will have no effect. Therefore format c: is the only correct solution possible, whether you like it or not. This is the only way to completely get rid of threats of this type. Alas, there is no other way! Even the standard treatment offered by most antivirus packages turns out to be powerless.

Instead of an afterword

As for the obvious conclusions, we can only say that today there is no single, universal solution for eliminating the consequences of this type of threat (sad but true; this has been confirmed by the majority of antivirus developers and experts in the field of cryptography).

It remains unclear why the emergence of algorithms based on 1024-, 2048- and 3072-bit encryption passed by those directly involved in developing and implementing such technologies. After all, the AES256 algorithm is considered the most promising and most secure today. Note: 256! This system, as it turns out, is no match for modern viruses. What can one say, then, about attempts to crack their keys?

Be that as it may, keeping the threat out of the system is quite simple. In the simplest version, you should check all incoming messages with attachments in Outlook, Thunderbird and other mail clients with an antivirus immediately on receipt, and under no circumstances open attachments until the scan has finished. You should also read carefully the offers to install additional software that accompany some program installers (they are usually written in very small print or disguised as standard add-ons such as Flash Player updates or similar). Multimedia components are better updated through official websites. This is the only way to at least somewhat prevent such threats from penetrating your own system. The consequences can be completely unpredictable, given that viruses of this type spread instantly across the local network, and for a company such a turn of events can mean a real collapse of all its endeavors.

Finally, the system administrator should not sit idle. Software-only protection is better ruled out in such a situation: the firewall should not be a software one but a "hardware" one (naturally, with accompanying software on board). And it goes without saying that you should not skimp on purchasing antivirus packages either: it is better to buy a licensed package than to install primitive programs that provide real-time protection only according to their developer.

And if a threat has already penetrated the system, the sequence of actions should be to remove the virus body itself first, and only then attempt to decrypt the damaged data. Ideally, a full format (note: not a quick one that merely clears the file table, but a complete one, preferably with restoration or replacement of the existing file system, boot sectors and records).

The first ransomware Trojans of the Trojan.Encoder family appeared in 2006-2007. Since January 2009, the number of their varieties has increased by approximately 1900%! Currently, Trojan.Encoder is one of the most dangerous threats to users, with several thousand modifications. From April 2013 to March 2015, the Doctor Web virus laboratory received 8,553 requests to decrypt files affected by encoder Trojans.

Encryption viruses have almost taken first place among requests on information security forums. Every day, the employees of the Doctor Web virus laboratory alone receive an average of 40 decryption requests from users infected with various types of ransomware Trojans (Trojan.Encoder, Trojan-Ransom.Win32.Xorist, Trojan-Ransom.Win32.Rector, Trojan.Locker, Trojan.Matsnu, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.GpCode, Digital Safe, Digital Case, lockdir.exe, rectorrsa, Trojan-Ransom.Win32.Rakhn, CTB-Locker, vault and so on).

The main signs of such infections are changed extensions on user files such as music, images and documents; when you try to open them, a message from the attackers appears demanding payment for the decryptor. The desktop background may also change, and text documents and windows may appear with messages about encryption, violation of license agreements and so on. Encryption Trojans are especially dangerous for commercial companies, since lost databases and payment documents can block the company's work for an indefinite time and lead to lost profits.

Trojans of the Trojan.Encoder family use dozens of different algorithms to encrypt user files. For example, finding the keys to decrypt files encrypted by Trojan.Encoder.741 by brute force would take:
107902838054224993544152335601 years

Decryption of files damaged by the Trojan is possible in no more than 10% of cases. This means that most user data is lost forever.

Today, ransomware demands up to 1,500 bitcoins.

Even if you pay a ransom to the attacker, it will not give you any guarantee of data recovery.

It comes to oddities - a case was recorded when, despite the ransom paid, the criminals were unable to decrypt files encrypted by the Trojan.Encoder they created, and sent the affected user for help... to the technical support service of an antivirus company!

How does infection occur?

  • Through e-mail attachments; using social engineering, the attackers get the user to open the attached file.
  • Through Zbot infections disguised as PDF attachments.
  • Through exploit kits on hacked websites that exploit vulnerabilities on the computer to install the infection.
  • Through Trojans that offer to download a "player" needed to watch online video. This usually happens on porn sites.
  • Via RDP, using password guessing and vulnerabilities in this protocol.
  • Through infected keygens, cracks and activation utilities.

In more than 90% of cases, users launch (activate) the ransomware on their computers with their own hands.

In the case of RDP password guessing, the attacker logs in himself under the compromised account, disables or removes the antivirus product himself, and launches the encryption himself.

Until you stop being scared of letters with the headings “Debt”, “Criminal Proceedings”, etc., attackers will take advantage of your naivety.

Think about it... Learn yourself and teach others the simplest basics of safety!

  • Never open attachments in e-mails from unknown senders, no matter how frightening the subject. If the attachment is an archive, take the trouble to simply view its contents first, and if it contains an executable file (extension .exe, .com, .bat, .cmd, .scr), then this is 99.(9)% a trap.
  • If something still worries you, do not be lazy: find out the real e-mail address of the organization on whose behalf the letter was sent. This is not hard to do in our information age.
  • Even if the sender's address turns out to be genuine, do not be lazy: confirm by phone that such a letter was actually sent. The sender's address is easily forged using anonymous SMTP servers.
  • If the sender claims to be Sberbank or Russian Post, that means nothing. Legitimate letters should ideally carry an electronic signature. Check the files attached to such e-mails carefully before opening them.
  • Regularly back up information to separate media.
  • Forget about simple passwords that are easy to guess and that let an attacker into the organization's local network under your credentials. For RDP access, use certificates, VPN access or two-factor authentication.
  • Never work with administrator rights, pay attention to UAC prompts, and even if they show a signed publisher (the blue prompt), do not click "Yes" if you have not started an installation or update yourself.
  • Regularly install security updates not only for the operating system but also for application programs.
  • Set a password for the antivirus program's settings that differs from the account password, and enable the self-defense option.

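The first item above, look inside an archive attachment before opening anything, can be done by a small script rather than by eye. The following is an added example, not code from the article: it lists the members of a zip attachment and flags the executable extensions the article names (plus a few other commonly abused script types, an assumption), double extensions such as "invoice.pdf.exe", and names padded with spaces so the real extension scrolls out of view. The "Debt.zip" archive it inspects is constructed in memory, so the script runs without any real mail.

```python
"""Inspect an e-mail archive attachment for disguised executables
(added example; the sample archive is constructed)."""
import io
import zipfile

# Extensions named in the article plus other launchable types (assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".js", ".vbs", ".ps1", ".lnk", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_name(member: str) -> list:
    """Return the findings for one archive member name (empty list = nothing suspicious)."""
    findings = []
    base = member.rsplit("/", 1)[-1]                    # drop any folder inside the archive
    parts = [p.strip() for p in base.lower().split(".")]  # strip padding around each part
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({ext})")
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append("double extension disguised as a document")
    if base != base.rstrip() or "  " in base:
        findings.append("whitespace padding in file name")
    return findings


def inspect_archive(data: bytes) -> dict:
    """Map every file member of a zip archive (given as bytes) to its findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: inspect_name(info.filename)
                for info in zf.infolist() if not info.is_dir()}


def is_safe_to_open(report: dict) -> bool:
    """True only when no member produced a finding."""
    return not any(report.values())


def build_sample_archive() -> bytes:
    """Constructed 'Debt.zip' of the kind the article warns about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Debt notice.pdf", b"%PDF-1.4 harmless text")
        zf.writestr("Court claim.pdf                         .exe", b"MZ...")
        zf.writestr("scans/photo.jpg.scr", b"MZ...")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_archive(build_sample_archive())
    for member, findings in report.items():
        print(f"{member!r}: {', '.join(findings) if findings else 'ok'}")
    print("safe to open:", is_safe_to_open(report))
```

Only the member names are examined, which is the point: the check happens before any file is extracted or opened. Password-protected archives, a common way to defeat mail-gateway scanning, still list their names, so this check works on them too; the content-based triage belongs to the antivirus scan that the article says should finish before anything is opened.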
What to do in case of infection?

Let us quote the recommendations of Dr.Web and Kaspersky Lab:

  • immediately turn off your computer to stop the Trojan; the Reset button on your computer can save a significant part of the data;
  • Site comment: Although this recommendation is given by well-known laboratories, in some cases following it will complicate decryption, since the key may be held in RAM and after a reboot it will be impossible to recover. To stop further encryption, you can instead freeze the ransomware process using Process Explorer, or ask for further recommendations.

Footnote:

No encoder is capable of encrypting all the data instantly, so until the encryption is completed, some part of it remains untouched. And the more time has passed since the start of encryption, the less untouched data remains. Since our task is to save as much of it as possible, we need to stop the encoder. You could, in principle, start analyzing the list of processes, look for the Trojan among them, try to terminate it... But, believe me, unplugging the power cord is much faster! A normal Windows shutdown is a good alternative, but it may take some time, or the Trojan may interfere with it. So my choice is to pull the cord. Undoubtedly, this step has its drawbacks: the possibility of damaging the file system and the impossibility of taking a RAM dump afterwards. For an unprepared person, a damaged file system is a more serious problem than the encoder. At least the files remain after the encoder, but damage to the partition table will make it impossible to boot the OS. On the other hand, a competent data recovery specialist will repair the partition table without any problems, while the encoder may simply not have time to reach many files.

To initiate criminal proceedings against the attackers, law enforcement agencies need a procedural basis: your statement reporting the crime. Sample statement.

Be prepared for your computer to be seized for some time for examination.

If they refuse to accept your statement, obtain a written refusal and file a complaint with a higher police authority (the police chief of your city or region).

  • Do not under any circumstances try to reinstall the operating system;
  • do not delete any files or e-mail messages on your computer;
  • do not run any "cleaners" of temporary files or the registry;
  • do not scan and disinfect your computer with antiviruses or antivirus utilities, and especially not with antivirus LiveCDs; as a last resort, you can move the infected files to the antivirus quarantine;

Spoiler: Footnote

For decryption, an inconspicuous 40-byte file in a temporary directory or an incomprehensible shortcut on the desktop may turn out to be of the greatest importance. You probably do not know whether they will matter for decryption or not, so it is better not to touch anything. Cleaning the registry is a dubious procedure in general, and some encryptors leave traces of their operation there that are important for decryption. Antiviruses, of course, can find the body of an encryptor Trojan, and they can even delete it once and for all, but then what will be left for analysis? How will we work out how and with what the files were encrypted? So it is better to leave the beast on the disk. Another important point: I do not know of any system cleaning product that takes the possibility of a running encryptor into account and preserves all traces of its operation, and most likely no such tools will appear. Reinstalling the system will definitely destroy all traces of the Trojan except for the encrypted files.

  • do not try to recover the encrypted files on your own;

Spoiler: Footnote

If you have a couple of years of writing programs behind you, really understand what RC4, AES and RSA are and how they differ, know what Hiew is and what 0xDEADC0DE means, you can give it a try. I do not recommend it to anyone else. Suppose you found some miracle method for decrypting files and even managed to decrypt one file. That is no guarantee that the technique will work on all your files. Moreover, it is no guarantee that you will not damage the files even further with this method. Even in our work there are unpleasant moments when serious errors are discovered in decryption code that, up to that point, had worked as it should in thousands of cases.

Now that it is clear what to do and what not to do, you can start decrypting. In theory, decryption is almost always possible, provided you know all the data needed for it or have an unlimited amount of money, time and processor cores. In practice, some things can be decrypted almost immediately, some will wait their turn for a couple of months or even years, and in some cases there is no point in even starting: no one will rent a supercomputer for free for 5 years. It is also unfortunate that a seemingly simple case can turn out to be extremely complex on detailed examination. It is up to you to decide whom to contact.

  • contact the anti-virus laboratory of a company that has a department of virus analysts dealing with this problem;
  • attach a Trojan-encrypted file to the ticket (and, if possible, an unencrypted copy of it);
  • wait for the virus analyst's response. Due to the high volume of requests, this may take some time.
How to recover files?

Addresses with forms for sending encrypted files:

  • Dr.Web (requests for free decryption are accepted only from users of the comprehensive Dr.Web antivirus)
  • Kaspersky Lab (requests for free decryption are accepted only from users of Kaspersky Lab commercial products)
  • ESET, LLC (requests for free decryption are accepted only from users of ESET commercial products)
  • The No More Ransom Project (selection of decryptors)
  • Ransomware encryptors (selection of decryptors)
  • ID Ransomware (selection of decryptors)

We absolutely do not recommend restoring files yourself, since if you do it ineptly you can lose all the information without restoring anything!!! In addition, recovering files encrypted by certain types of Trojans is simply impossible because of the strength of the encryption mechanism.

Utilities for recovering deleted files:
Some types of encryption Trojans create a copy of the file, encrypt the copy, and delete the original. In this case you can use one of the file recovery utilities (it is advisable to use portable versions of the programs, downloaded and written to a flash drive on another computer):

  • R.saver
  • Recuva
  • JPEG Ripper - a utility for recovering damaged images
  • JPGscan (description)
  • PhotoRec - a utility for recovering damaged images (description)
How to solve problems with some versions of Lockdir

Folders encrypted with some versions of Lockdir can be opened using the 7-Zip archiver.

After successful data recovery, you need to check the system for malware; to do this, run and create a topic describing the problem in the section .

Recovering encrypted files using the operating system.

To restore files using the operating system, System Protection must have been enabled before the ransomware Trojan got onto your computer. Most ransomware Trojans try to delete all shadow copies on the computer, but sometimes this fails (if you are not working with administrative privileges and Windows updates are installed), and you can then use the shadow copies to recover damaged files.

Remember that the command to delete shadow copies:

Code:

vssadmin delete shadows

works only with administrator rights, so after enabling protection you should work only as a user with limited rights and pay careful attention to every UAC prompt about an attempt to elevate privileges.
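The two checks implied by this paragraph, as an added example that is not part of the original article: are there any shadow copies left to restore from, and did anything run `vssadmin delete shadows`? The script assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt (reading the Security log requires it), with auditing of process creation (Security event 4688) enabled; the CommandLine field of that event is only populated when "Include command line in process creation events" is also turned on. The function names are my own.

```powershell
# Added example (not part of the original article): inventory the shadow copies
# a recovery would rely on, and look for evidence that something tried to
# delete them. Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session
# and Security auditing of process creation (event 4688).

function Test-IsElevated {
    # True when the current token holds the Administrators role, i.e. the kind of
    # session in which "vssadmin delete shadows" actually succeeds. The article's
    # advice amounts to doing day-to-day work where this returns False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ShadowCopyInventory {
    # One row per shadow copy: the drive it covers and when it was taken. An empty
    # result means "Previous versions" and ShadowExplorer have nothing to offer.
    $letters = @{}
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter } |
        ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }

    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Drive    = if ($letters.ContainsKey($_.VolumeName)) { $letters[$_.VolumeName] } else { $_.VolumeName }
            Created  = $_.InstallDate
            ShadowId = $_.ID
        }
    } | Sort-Object Drive, Created
}

function Find-ShadowDeletionAttempts {
    param([int]$Days = 30)
    # Security 4688 records every process start, in elevated and non-elevated
    # sessions alike, so a hit from a limited user (where the command would have
    # failed) is still worth a look: something tried.
    $pattern = 'vssadmin(\.exe)?\s+delete\s+shadows'
    $filter  = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten <Data Name="...">value</Data> into a hashtable keyed by field name
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        if ($data['CommandLine'] -match $pattern -or $data['NewProcessName'] -match '\\vssadmin\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $data['NewProcessName']
                CommandLine = $data['CommandLine']     # empty unless command-line auditing is on
                Parent      = $data['ParentProcessName']
            }
        }
    }
}

"Elevated session: $(Test-IsElevated)"
Get-ShadowCopyInventory     | Format-Table -AutoSize
Find-ShadowDeletionAttempts | Format-Table -AutoSize -Wrap
```

If the second table is non-empty and the first is empty, the shadow copies were most likely destroyed by the event listed, and the remaining options are the file-recovery utilities described later on this page.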


Spoiler: How to enable system protection?

How to restore previous versions of files after they are damaged?

Note:

Restoring from the properties of a file or folder using the “Previous Versions” tab is available only in editions of Windows 7 no lower than Professional. Home editions of Windows 7 and all editions of newer Windows operating systems have a workaround (under the spoiler).

Spoiler

The second way is to use the ShadowExplorer utility (both an installer and a portable version of the utility can be downloaded).

  1. Run the program.
  2. Select the drive and the date for which you want to recover files.
  3. Select the file or folder to recover and right-click on it.
  4. Select the Export menu item and specify the path to the folder where you want to restore the files from the shadow copy.

Ways to protect yourself from ransomware Trojans

Unfortunately, methods of protecting against ransomware Trojans are quite complex for ordinary users, since they require security policies or HIPS settings that allow only certain applications to access files, and even these do not give 100% protection when a Trojan injects itself into the address space of a trusted application. Therefore the only accessible means of protection is backing up user files to removable media. Moreover, if such media is an external hard drive or flash drive, it should be connected to the computer only for the duration of the backup and disconnected the rest of the time. For greater security, backups can be made after booting from a LiveCD. Backups can also be kept in so-called “cloud storage” offered by some companies.

Antivirus program settings that reduce the likelihood of infection by encryption Trojans.

Applies to all products:

It is necessary to enable the self-defense module and set a complex password for the antivirus settings!!!

ATTENTION! ESET warns that increased activity and risk of infection of corporate networks by malware have recently been recorded, the consequences of which are:

1) Encryption of confidential information and files, including 1C databases, documents and images. The types of files encrypted depend on the specific modification of the encryptor. Encryption is carried out using complex algorithms and in each case follows a certain pattern, so the encrypted data is difficult to recover.

2) In some cases, after performing malicious actions, the encryptor is automatically removed from the computer, which complicates the procedure for selecting a decryptor.

After performing its malicious actions, a window appears on the screen of the infected computer with the message “Your files are encrypted”, along with the ransomware's demands that must be met to obtain the decryptor.

2) Use antivirus solutions with a built-in firewall module (ESET NOD32 Smart Security) to reduce the likelihood of an attacker exploiting an RDP vulnerability even when the necessary operating system updates are not available. It is recommended to enable advanced heuristics for the launch of executable files (Advanced settings (F5) - Computer - Virus and spyware protection - Real-time protection - Advanced settings). Also check that ESET Live Grid is enabled (Advanced settings (F5) - Utilities - ESET Live Grid).

3) Receiving and sending executable files (*.exe and *.js) should be prohibited on the mail server, since attackers often send encryptors as e-mail attachments with fictitious information about debt collection, details of it and other similar content that can induce the user to open the malicious attachment from the attacker's e-mail and thereby launch the encryptor.

4) Disable the execution of macros in all Microsoft Office applications or similar third-party software. Macros can contain a command to download and execute malicious code, and that code runs when the document is simply viewed (for example, opening a document called “Debt collection notice.doc” from a cybercriminals' letter can lead to infection of the system even if the server did not let a malicious attachment with the encryptor's executable through, as long as macro execution has not been disabled in the office programs' settings).

5) Regularly back up the important information stored on your computer. Starting with Windows Vista, Windows includes System Protection for all drives, which backs up files and folders when a backup or a system restore point is created. By default, this service is enabled only for the system partition. It is recommended to enable it for all partitions.
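Items 4 and 5 above can be applied on a single machine with the script below. It is an added example, not part of the ESET notice or any ESET product, and it assumes Windows PowerShell 5.1 (Enable-ComputerRestore and Checkpoint-Computer are not available in PowerShell 7) run as administrator, with Office 2013/2016 or later installed (the policy paths 15.0 and 16.0 are an assumption; adjust the list to the installed version). In a domain the same registry values would normally be distributed through Group Policy rather than a local script.

```powershell
# Added example, not part of the ESET notice: disable Office macros by policy and
# enable System Protection on every fixed NTFS drive. Assumes Windows PowerShell
# 5.1 run as administrator.

function Disable-OfficeMacros {
    param(
        [string[]]$OfficeVersions = @('16.0', '15.0'),            # assumption: Office 2016+/2013
        [string[]]$Applications   = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($ver in $OfficeVersions) {
        foreach ($app in $Applications) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # VBAWarnings 4 = "Disable all macros without notification"; a policy
            # value overrides whatever the user picks in the Trust Center.
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
            # Additionally block macros in files that arrived from the Internet or
            # by mail (Mark-of-the-Web), which is exactly the "Debt collection
            # notice.doc" case described above.
            Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
            "$app $ver : macros disabled by policy"
        }
    }
}

function Enable-SystemProtectionAllDrives {
    param([string]$MaxShadowStorage = '10%')   # share of each volume reserved for shadow copies
    # Only fixed (DriveType 3) NTFS volumes with a drive letter can hold restore points.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        Where-Object { $_.FileSystem -eq 'NTFS' } |
        ForEach-Object {
            $drive = $_.DeviceID                     # e.g. "C:"
            Enable-ComputerRestore -Drive "$drive\"
            # Make sure shadow storage exists and is large enough that new copies do
            # not immediately evict the old ones. "Add" fails harmlessly if the
            # association already exists; "Resize" then sets the cap.
            & vssadmin.exe Add ShadowStorage /For=$drive /On=$drive /MaxSize=$MaxShadowStorage 2>$null | Out-Null
            & vssadmin.exe Resize ShadowStorage /For=$drive /On=$drive /MaxSize=$MaxShadowStorage | Out-Null
            "$drive : System Protection on, shadow storage capped at $MaxShadowStorage"
        }
}

Disable-OfficeMacros
Enable-SystemProtectionAllDrives
# Create a first restore point so at least one shadow copy exists right away.
# By default Windows lets this cmdlet create only one restore point per 24 hours.
Checkpoint-Computer -Description 'Baseline after ransomware hardening' -RestorePointType MODIFY_SETTINGS
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

The restore point only protects system files and registry state; the shadow copy it creates is what makes "Previous versions" and ShadowExplorer work for user documents on that drive, which is why the storage cap matters as much as turning the feature on.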

What to do if infection has already occurred?

If you have become a victim of criminals and your files are encrypted, do not rush to transfer money to their account to obtain a decryptor. If you are our client, contact technical support: we may be able to select a decryptor for your case, or such a decryptor may already exist. To do this, add a sample of the encryptor and any other suspicious files to an archive and send the archive to us using . Also include several samples of encrypted files in the archive. In the comments, indicate the circumstances under which the infection occurred, as well as your licence data and a contact e-mail for feedback.

You can try to restore the original, unencrypted versions of files from shadow copies, provided that this function was enabled and the shadow copies were not damaged by the encryptor. More about this:

For additional information, contact .

I continue the notorious section of my website with another story in which I myself was the victim. I will talk about the Crusis (Dharma) ransomware virus, which encrypted all files on a network drive and gave them the .combo extension. It worked not only on local files, as is most often the case, but also on network ones.

Guaranteed decryption of files after a ransomware virus - dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Introduction

The story will be told in the first person, since the data and infrastructure that I manage were affected by the encryptor. Sad as it is to admit, I am partly to blame for what happened, although I have known about encryptors for a very long time. In my defence, I will say that no data was lost; everything was quickly restored and investigated without delay. But first things first.

The boring morning began with a call at 9:15 from the system administrator of a remote site, who said that there was an encryptor on the network and the data on the network drives had already been encrypted. A chill ran down my spine :) He began looking for the source of infection on his side, and I began checking on mine. Of course, I immediately went to the server, disconnected the network drives and began looking at the data access log. The network drives are configured with , which must be enabled. From the log I immediately saw the source of infection, the account the encryptor ran under, and the time encryption started.

Description of the Crusis (Dharma) ransomware virus

Then the investigation began. Encrypted files received the .combo extension, and there were a lot of them. The encryptor started working late in the evening, at approximately 11 p.m. We were lucky: the backup of the affected disks had just completed by that time. No data was lost at all, since it had been backed up at the end of the working day. I immediately started restoring from the backup, which is kept on a separate server without SMB access.

Overnight, the virus managed to encrypt approximately 400 GB of data on the network drives. Simply deleting all the encrypted files with the .combo extension took a long time. At first I wanted to delete them all at once, but when merely counting these files took 15 minutes, I realised it was pointless at that moment. Instead, I started restoring the latest data, and cleaned the encrypted files off the disks afterwards.

I'll tell you the simple truth right away. Having up-to-date, reliable backups makes any problem solvable. I can't even imagine what to do if they are not there or are out of date. I always pay special attention to backups. I take care of them, I cherish them, and I don't give anyone access to them.

After I launched the recovery of the encrypted files, I had time to calmly understand the situation and take a closer look at the Crusis (Dharma) encryption virus. Several surprises awaited me here. The source of infection was a Windows 7 virtual machine with an RDP port forwarded through a backup channel. The port was not the standard one: 33333. I think using such a port was the main mistake; although it is not the standard port, it is very popular. Of course, it is better not to forward RDP at all, but in this case it was really necessary. By the way, that virtual machine has now been replaced by a CentOS 7 virtual machine running a container with xfce and a browser in Docker. And this virtual machine has no access anywhere except where it is needed.

What is scary about this whole story? The virtual machine was up to date. The encryptor started working at the end of August. It is impossible to determine exactly when the machine was infected; the virus wiped out a lot in the virtual machine itself. Updates to this system had been installed in May, so there should not have been any old open holes on it. Now I don't even know how to leave an RDP port accessible from the Internet. There are too many cases where this is really needed, for example a terminal server on rented hardware. You won't rent a VPN gateway for every server either.

Now let's get closer to the point and the ransomware itself. I disabled the virtual machine's network interface and then started it. I was greeted by the standard banner, which I had already seen many times from other encryptors.

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 501BED27 In case of no answer in 24 hours write us to these e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click "Buy bitcoins", and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

There were 2 text files on the desktop named FILES ENCRYPTED.TXT with the following content:

All your data has been locked us Do you want to return? write email [email protected]

Interestingly, the permissions on the Desktop directory had changed: the user no longer had write permission. Apparently, the virus did this to prevent the user from accidentally deleting the information in the text files on the desktop. There was also a directory named troy on the desktop, which contained the virus itself, the file l20VHC_playload.exe.

How the Crusis (Dharma) ransomware virus encrypts files

Having calmly figured it all out and read similar messages about ransomware on the Internet, I learned that I had caught a version of the well-known Crusis (Dharma) ransomware virus. Kaspersky detects it as Trojan-Ransom.Win32.Crusis.to. It puts various extensions on files, including .combo. My list of files looked something like this:

  • Vanino.docx.id-24EE2FBC..combo
  • Petropavlovsk-Kamchatsky.docx.id-24EE2FBC..combo
  • Khorol.docx.id-24EE2FBC..combo
  • Yakutsk.docx.id-24EE2FBC..combo
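Because every encrypted name follows one scheme, a share can be triaged from the names alone: what the original files were, which victim ID they carry, and what time window the write times bracket. The script below is an added example, not code from the article; it uses only the pattern visible in the list above, `<original name>.id-<8 hex digits>.<tag>.combo`, where the tag between the two dots is empty in the author's listing (the pattern also accepts a non-empty tag). The extension and the four sample names are the article's; the function names, the UNC paths and the timestamps in the sample data are constructed for the example.

```powershell
# Added example (not from the article): parse the Crusis/Dharma naming scheme
# shown above and scope the damage on a share. Sample paths and times are
# constructed, not taken from a real incident.

$EncryptedNamePattern = '^(?<orig>.+)\.id-(?<id>[0-9A-F]{8})\.(?<tag>[^\\/]*)\.(?<ext>combo)$'

function ConvertFrom-EncryptedName {
    param([Parameter(Mandatory)][string]$Name)
    # Returns the pre-encryption name and victim ID, or nothing when the name does
    # not follow the scheme, so an unrelated file is never reported as encrypted.
    if ($Name -match $EncryptedNamePattern) {
        [pscustomobject]@{
            Encrypted = $Name
            Original  = $Matches['orig']
            VictimId  = $Matches['id']
            Tag       = $Matches['tag']
        }
    }
}

function Get-EncryptionScope {
    # $Files: anything with Name, FullName and LastWriteTime, e.g. Get-ChildItem output.
    param([Parameter(Mandatory)][object[]]$Files)

    $hits = foreach ($f in $Files) {
        $parsed = ConvertFrom-EncryptedName -Name $f.Name
        if ($parsed) {
            $parsed |
                Add-Member -NotePropertyName Path    -NotePropertyValue $f.FullName      -PassThru |
                Add-Member -NotePropertyName Written -NotePropertyValue $f.LastWriteTime -PassThru
        }
    }
    if (-not $hits) { return $null }

    $ordered = @($hits | Sort-Object Written)
    [pscustomobject]@{
        EncryptedFiles = $ordered.Count
        # More than one ID means more than one infected host wrote to this share.
        VictimIds      = @($ordered.VictimId | Sort-Object -Unique)
        # Write times bracket the encryption window. The author's "about 11 p.m."
        # came from the access log, which is the authoritative source when it
        # exists, since file times can be altered.
        FirstWrite     = $ordered[0].Written
        LastWrite      = $ordered[-1].Written
        TopFolders     = $ordered | Group-Object { Split-Path $_.Path -Parent } |
                             Sort-Object Count -Descending | Select-Object -First 5 -Property Count, Name
    }
}

# Constructed sample input mirroring the article's listing (not real files).
$t0 = [datetime]'2018-08-27T23:02:00'
$sample = @(
    [pscustomobject]@{ Name = 'Vanino.docx.id-24EE2FBC..combo';                   FullName = '\\fs01\docs\north\Vanino.docx.id-24EE2FBC..combo';                   LastWriteTime = $t0 }
    [pscustomobject]@{ Name = 'Petropavlovsk-Kamchatsky.docx.id-24EE2FBC..combo'; FullName = '\\fs01\docs\north\Petropavlovsk-Kamchatsky.docx.id-24EE2FBC..combo'; LastWriteTime = $t0.AddMinutes(3) }
    [pscustomobject]@{ Name = 'Khorol.docx.id-24EE2FBC..combo';                   FullName = '\\fs01\docs\south\Khorol.docx.id-24EE2FBC..combo';                   LastWriteTime = $t0.AddHours(2) }
    [pscustomobject]@{ Name = 'Yakutsk.docx.id-24EE2FBC..combo';                  FullName = '\\fs01\docs\south\Yakutsk.docx.id-24EE2FBC..combo';                  LastWriteTime = $t0.AddHours(5) }
    [pscustomobject]@{ Name = 'combo-offer.pdf';                                  FullName = '\\fs01\docs\combo-offer.pdf';                                        LastWriteTime = $t0.AddDays(-40) }  # untouched file, must not match
)
Get-EncryptionScope -Files $sample | Format-List
# Against a real share: Get-EncryptionScope -Files (Get-ChildItem '\\fs01\docs' -Recurse -File)
```

On the sample this reports 4 encrypted files, a single victim ID (24EE2FBC) and a window of about five hours starting at 23:02, while the unrelated `combo-offer.pdf` is ignored. The `Original` field is also what you need when deciding which files to restore from backup or from a shadow copy.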

I'll tell you some more details about how the ransomware worked. I didn't mention an important thing: this computer was in the domain, and the files were encrypted under a domain user!!! This raises the question: where did the virus get it from? I saw no information in the domain controller logs about the user's password being guessed; there was no flood of failed logins. Either some kind of vulnerability was exploited, or I don't know what to think. The account used had never logged into this system before. There was an RDP authorisation with a domain user account, and then encryption. There were no traces of brute-force attacks on users and passwords on the system itself either: almost immediately there was an RDP login with the domain account. To get in, at a minimum, not only the password but also the username had to be guessed.

Unfortunately, the account had the password 123456. It was the only account with such a password that the local admins had missed. Human factor. It belonged to a manager, and for some reason a whole series of system administrators knew about this password but did not change it. Obviously, that is why this particular account was used. But nevertheless, the mechanism for obtaining even such a simple password and username remains unclear.
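The two log questions the author answers in this part of the story (on the file server: which account started writing encrypted files and when; on the entry host: how that account got in over RDP and whether it was brute-forced) can be asked of the Windows Security log directly. The following is an added example, not the author's code. It assumes the Security log on each machine is readable from the current session, that object-access auditing (event 4663) is configured on the shared folders, which is what "must be enabled" refers to above, and that logon auditing (events 4624 and 4625) is on, as it is by default. The computer names and account name in the usage lines are placeholders; the function names are my own.

```powershell
# Added example (not from the article): locate the onset of encryption in the
# file server's audit log and reconstruct the logon history of the account it
# points at. Assumes Security log access plus object-access auditing (4663) on
# the shared folders; 4624/4625 logon auditing is on by default.

function ConvertTo-EventDataTable {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flattens the <Data Name="...">value</Data> elements into a hashtable
    $table = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) { $table[$node.Name] = $node.'#text' }
    return $table
}

function Get-EncryptionOnsetFromAudit {
    param(
        [string]$Extension = '.combo',
        [int]   $Days      = 7,
        [string]$Computer  = $env:COMPUTERNAME
    )
    # 4663 "An attempt was made to access an object": one event per audited file
    # access. Keeping only objects that already carry the ransom extension turns a
    # very noisy log into the list of encryptor writes.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) }
    $writes = foreach ($e in Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = ConvertTo-EventDataTable $e
        if ($d['ObjectName'] -like "*$Extension") {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process = $d['ProcessName']     # System for SMB writes; the encryptor binary for local ones
                Object  = $d['ObjectName']
            }
        }
    }
    if (-not $writes) { return $null }
    $ordered = @($writes | Sort-Object Time)
    [pscustomobject]@{
        FirstSeen = $ordered[0].Time
        LastSeen  = $ordered[-1].Time
        Accounts  = $ordered | Group-Object Account | Sort-Object Count -Descending |
                        ForEach-Object { "$($_.Name) ($($_.Count) writes)" }
    }
}

function Get-AccountLogonHistory {
    param(
        [Parameter(Mandatory)][string]$Account,   # account name without the domain part
        [int]   $Days     = 30,
        [string]$Computer = $env:COMPUTERNAME
    )
    $start = (Get-Date).AddDays(-$Days)
    # 4624 = successful logon. LogonType 10 is RemoteInteractive (RDP), 3 is network.
    $logons = foreach ($e in Get-WinEvent -ComputerName $Computer -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } -ErrorAction SilentlyContinue) {
        $d = ConvertTo-EventDataTable $e
        if ($d['TargetUserName'] -eq $Account) {
            [pscustomobject]@{ Time = $e.TimeCreated; LogonType = [int]$d['LogonType']; Source = $d['IpAddress']; Workstation = $d['WorkstationName'] }
        }
    }
    # 4625 = failed logon. A handful of failures before a success points to a
    # guessed or known password; thousands point to a brute force.
    $failures = foreach ($e in Get-WinEvent -ComputerName $Computer -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } -ErrorAction SilentlyContinue) {
        $d = ConvertTo-EventDataTable $e
        if ($d['TargetUserName'] -eq $Account) {
            [pscustomobject]@{ Time = $e.TimeCreated; Source = $d['IpAddress']; Status = $d['Status'] }
        }
    }
    [pscustomobject]@{
        Account        = $Account
        FirstLogonSeen = ($logons | Sort-Object Time | Select-Object -First 1).Time   # $null = never logged on here in the window
        RdpLogons      = @($logons | Where-Object { $_.LogonType -eq 10 })
        NetworkLogons  = @($logons | Where-Object { $_.LogonType -eq 3 }).Count
        FailedAttempts = @($failures).Count
        FailureSources = @($failures | ForEach-Object { $_.Source } | Sort-Object -Unique)
    }
}

# File server first (FS01 is a placeholder name), then the host the RDP session landed on.
$onset = Get-EncryptionOnsetFromAudit -Extension '.combo' -Computer 'FS01'
$onset | Format-List
Get-AccountLogonHistory -Account 'encrypting-account' -Computer 'RDP-VM' | Format-List
```

A result with a single RDP logon, a `FirstLogonSeen` equal to that logon and a `FailedAttempts` of zero or a few is the pattern the author describes: the credentials were already known to the attacker, so the defensive lesson is the password and the exposed port, not a noisy brute force that a lockout policy would have stopped.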

I shut down and deleted the infected virtual machine after taking a disk image. I extracted the virus itself from the image to look at how it works. The rest of the story is based on running the virus in a virtual machine.

One more small detail. The virus scanned the entire local network and at the same time encrypted information on those computers where there were shared folders accessible to everyone. This is the first time I have seen such a modification of an encryptor, and it is a truly scary thing. Such a virus can simply paralyse the work of an entire organisation. Suppose that, for some reason, the backups themselves were reachable over the network, or some weak password was used for the account. It could happen that everything gets encrypted, both the data and the backup copies. In general, I am now thinking about storing backups not just in an isolated network segment, but on switched-off equipment that is started only to make a backup.

How to treat your computer and remove Crusis (Dharma) ransomware

In my case, the Crusis (Dharma) ransomware virus was not particularly hidden, and removing it should not pose any problems. As I said, it was in a folder on the desktop. In addition, it registered itself and the information message in autorun.

The body of the virus itself was duplicated in the Startup folder for all users and in windows/system32. I did not look more closely because I see no point in it. After an infection with ransomware, I strongly recommend reinstalling the system. This is the only way to be sure the virus is removed. You can never be completely sure that the virus has been removed, since it could have used some as yet unpublished and unknown vulnerabilities to leave an implant on the system. After some time, through this implant, you can get some new virus and everything will repeat itself in a circle.

So I recommend that immediately after detecting the ransomware you do not try to disinfect the computer but reinstall the system, saving whatever data remains. Perhaps the virus did not manage to encrypt everything. These recommendations apply to those who do not intend to attempt to recover files. If you have current backups, simply reinstall the system and restore the data.

If you don't have backups and are ready to restore files at any cost, then try not to touch the computer at all. First of all, simply disconnect the network cable, copy a couple of encrypted files and the text file with the information to a clean flash drive, and then shut down the computer. Do not turn the computer on again. If you do not understand computers at all, you will not be able to deal with the virus yourself, much less decrypt or restore files; contact someone who knows. If you think you can do something yourself, read on.

Where to download the Crusis (Dharma) decryptor

What follows is my universal advice for all ransomware viruses. There is a website, https://www.nomoreransom.org, which could theoretically contain a decryptor for Crusis or Dharma, or some other information on decrypting files. In my practice this has never happened, but maybe you'll get lucky; it is worth a try. To do this, agree on the home page by clicking YES.

Attach 2 files, paste the contents of the ransomware's information message and click Check.

If you're lucky, you'll get some information. In my case nothing was found.

All existing decryptors for ransomware are collected on a separate page, https://www.nomoreransom.org/ru/decryption-tools.html - the existence of this list suggests that there is still some sense in this site and service. Kaspersky has a similar service, https://noransom.kaspersky.com/ru/ - you can try your luck there.

I don't think it is worth looking for decryptors anywhere else through an Internet search. It is unlikely that any will be found; most likely it will be either a plain scam with junk software at best, or a new virus.

Important addition. If you have a licensed antivirus installed, be sure to open a request with the antivirus vendor's technical support for file decryption. Sometimes it really helps; I have seen reports of successful decryption by antivirus support.

How to decrypt and recover files after the Crusis (Dharma) virus

What to do when the Crusis (Dharma) virus has encrypted your files, none of the methods described above helped, and you really need to restore the files? The technical implementation of the encryption does not allow decrypting files without a key or a decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I do not have that information. All we can do is try to recover files by improvised means. These are:

  • The Windows shadow copy tool.
  • Deleted data recovery programs.

Before any further manipulation, I recommend making a sector-by-sector disk image. This captures the current state, so if nothing works out you can at least return to the starting point and try something else. Next, you need to remove the ransomware itself using any antivirus with the latest antivirus databases. CureIt or Kaspersky Virus Removal Tool will do. You can install any other antivirus in trial mode; this is enough to remove the virus.

After that, we boot into the infected system and check whether shadow copies are enabled. This tool works by default in Windows 7 and later unless you have manually disabled it. To check, open the computer properties and go to the system protection section.

If during the infection you did not confirm the UAC request to delete the files in the shadow copies, some data should remain there. To restore files from shadow copies easily, I suggest using a free program for this purpose, ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of the files and the root of drive C will open. In the upper left corner you can choose a backup copy if you have several. Check the different copies for the files you need, and compare the dates to find the more recent version. In my example below, I found 2 files on my desktop from three months ago, when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and specified the folder where to restore them.

Folders can be restored in the same way. If shadow copies were working and were not deleted, you have a good chance of recovering all, or almost all, of the files encrypted by the virus. Some of them may be older versions than we would like, but nevertheless it is better than nothing.

If for some reason you do not have shadow copies of your files, your only chance of getting at least something back from the encrypted files is to recover them with deleted file recovery tools. For this, I suggest using the free program PhotoRec.

Launch the program and select the disk on which you will recover files. The graphical version of the program is started by running the file qphotorec_win.exe. You must select a folder where the found files will be placed; it is better if this folder is not on the same drive we are searching. Connect a flash drive or external hard drive for this.

The search process will take a long time. At the end you will see statistics. Now you can go to the folder specified earlier and see what was found there. Most likely there will be a lot of files, and most of them will either be damaged or be some kind of useless system files. Nevertheless, you can find some useful files in this list. There are no guarantees here: what you find is what you get. Images are usually recovered best.

If the result does not satisfy you, there are also paid programs for recovering deleted files. Below is a list of programs I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire process of recovering files using the listed programs is shown in detail in the video at the very end of the article.

Kaspersky, eset nod32 and others in the fight against the Crusis (Dharma) ransomware

As usual, I went through the forums of popular antiviruses looking for information about the ransomware that adds the .combo extension. There is a clear trend towards the spread of the virus: a lot of requests start from mid-August. Now they seem to have stopped, but perhaps only temporarily, or the extension of the encrypted files has simply changed.

Here is an example of a typical request from the Kaspersky forum.

There is also a comment from the moderator below.

The ESET NOD32 forum has long been familiar with the virus that adds the .combo extension. As I understand it, the virus is not unique or new, but a variation of the long-known Crusis (Dharma) series of viruses. Here is a typical request to decrypt data:

I noticed that there are many reports on the ESET forum that the virus penetrated the server via RDP. It looks like this is a really serious threat, and you cannot leave RDP without cover. The only question that arises is how the virus gets in via RDP: does it guess a password, connect with a known username and password, or something else?

Where to go for guaranteed decryption

I happened to come across one company that actually decrypts data after various encryption viruses, including Crusis (Dharma). Their address is http://www.dr-shifro.ru. Payment is only after decryption and your verification. Here is the approximate scheme of work:

  1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
  2. Launches the decryptor on your computer and decrypts some files.
  3. You make sure that all files are opened, sign the acceptance certificate for completed work, and receive a decryptor.
  4. You decrypt your files and complete the remaining documents.

You don't risk anything. Payment is only after a demonstration of the decryptor's operation. Please write a review about your experience with this company.

Methods of protection against ransomware virus

I will not list the obvious things about launching unknown programs from the Internet and opening attachments in mail. Everyone knows this by now. Besides, I have written about this many times in my articles in the section about . I will pay attention to backups. They must not only exist but be inaccessible from the outside. If this is some kind of network drive, then only a separate account with a strong password must have access to it.

If you back up personal files to a flash drive or external drive, do not keep them constantly connected to the system. After creating the backup copies, disconnect the devices from the computer. I see the ideal backup on a separate device that is turned on only to make a backup and then physically disconnected from the network again, by unplugging the network cable or simply shutting it down.

Backups must be incremental. This is needed to avoid a situation where the encryptor has encrypted all the data without you noticing, a backup ran and replaced the old files with the new, already encrypted ones, and as a result you have an archive that is of no use. You need an archive depth of at least several days. I think that in the future there will be, if they have not already appeared, ransomware that quietly encrypts part of the data and then waits for some time without revealing itself, in the expectation that the encrypted files end up in the archives and, over time, replace the real files there.
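Retention depth is the passive defence against the scenario just described; an active one is to refuse to prune old versions when the source tree looks wrong. The function below is an added example, not the author's code or any backup product's feature: run before a backup job rotates its oldest version, it checks two independent signals, the share of files modified since the last run and the share of files whose extension never appeared in the last good backup, and returns whether rotation is safe. The thresholds, names and sample data are constructed for the example.

```powershell
# Added example (not from the article): a pre-rotation guard for a versioned
# backup job. A flood of never-seen-before extensions, or an implausible change
# rate, means the new backup may be copying encrypted files over good ones, so
# existing versions must be kept. Thresholds and sample data are constructed.

function Test-BackupRotationSafe {
    param(
        [Parameter(Mandatory)][object[]] $SourceFiles,       # objects with Name, Extension, LastWriteTime
        [Parameter(Mandatory)][string[]] $KnownExtensions,   # extensions present in the last good backup
        [Parameter(Mandatory)][datetime] $LastBackup,
        [double] $MaxChangedFraction = 0.30,                 # a normal working day rarely touches 30 % of a share
        [double] $MaxUnknownFraction = 0.02                  # a few new extensions are normal, a flood is not
    )
    $total = @($SourceFiles).Count
    if ($total -eq 0) { throw 'Empty source tree: refusing to decide on rotation' }

    $known   = @($KnownExtensions | ForEach-Object { $_.ToLowerInvariant() })
    $changed = @($SourceFiles | Where-Object { $_.LastWriteTime -gt $LastBackup })
    $unknown = @($SourceFiles | Where-Object { $known -notcontains $_.Extension.ToLowerInvariant() })

    $changedFraction = $changed.Count / $total
    $unknownFraction = $unknown.Count / $total

    [pscustomobject]@{
        TotalFiles        = $total
        ChangedFraction   = [math]::Round($changedFraction, 3)
        UnknownFraction   = [math]::Round($unknownFraction, 3)
        UnknownExtensions = @($unknown | ForEach-Object { $_.Extension } | Sort-Object -Unique)
        # When this is $false the job should keep every existing version, write
        # the new one alongside them if space allows, and alert an operator.
        SafeToRotate      = ($changedFraction -le $MaxChangedFraction) -and ($unknownFraction -le $MaxUnknownFraction)
    }
}

# Constructed sample: 45 ordinary documents plus 5 that the encryptor renamed to
# .combo overnight. The change rate alone (5/50 = 10 %) looks like a normal day;
# the unknown-extension rate (also 10 %) is what trips the guard.
$lastBackup = [datetime]'2018-08-27T18:00:00'
$sample = @()
foreach ($i in 1..45) {
    $ext = if ($i % 3 -eq 0) { '.xlsx' } else { '.docx' }
    $sample += [pscustomobject]@{ Name = "report$i$ext"; Extension = $ext; LastWriteTime = $lastBackup.AddDays(-$i) }
}
foreach ($i in 1..5) {
    $sample += [pscustomobject]@{ Name = "plan$i.docx.id-24EE2FBC..combo"; Extension = '.combo'; LastWriteTime = $lastBackup.AddHours(5 + $i) }
}
Test-BackupRotationSafe -SourceFiles $sample -KnownExtensions @('.docx', '.xlsx', '.pdf') -LastBackup $lastBackup | Format-List
# Real run: -SourceFiles (Get-ChildItem 'D:\Shares\Docs' -Recurse -File) -KnownExtensions (Get-Content '.\last-good-extensions.txt')
```

The extension check is what catches the slow variant the author anticipates: an encryptor that touches only a few per cent of files per night stays under any change-rate threshold, but every file it touches carries an extension the last good backup never contained.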

This will be a tough time for the corporate sector. I have already given an example above from the ESET forum, where network drives with 20 TB of data were encrypted. Now imagine that you have such a network drive, but only 500 GB of data is encrypted, in directories that are not accessed constantly. A couple of weeks pass and no one notices the encrypted files, because they are in archive directories that are not worked with all the time. But at the end of the reporting period the data is needed. They go there and see that everything is encrypted. They go to the backup, and there the retention depth is, say, 7 days. And that's it, the data is gone.

This requires a separate, careful approach to archives. You need software and resources for long-term data storage.

Video about file decryption and recovery

Here is an example of a similar modification of the virus; the video is fully relevant for combo.


