Encrypting virus: how to remove it and decrypt files after an attack. Using special utilities. Is it possible to recover encrypted information?

Typically, malware aims to take control of a computer, enlist it in a botnet, or steal personal data. An inattentive user may not notice for a long time that the system is infected. Ransomware, including the xtbl family, works quite differently: it makes the user's files unusable by encrypting them with a strong algorithm and demands a large sum from the owner for the chance to recover the data.

Cause of the problem: xtbl virus

The xtbl ransomware got its name because the user documents it encrypts receive the .xtbl extension. An ordinary encoding or archiving tool keeps whatever is needed to restore the data in its original form; ransomware deliberately does not. The key stays with the attacker, and instead of a key the screen shows an offer to pay a certain amount through anonymous payment details.

How the xtbl virus works

The virus arrives by e-mail as an attachment disguised as an office document. Once the user opens the attachment, the malware searches for photos, keys, videos, documents and so on and, using hybrid encryption (a symmetric cipher for the file contents, with the per-victim key itself encrypted to the attacker's public key), turns them into .xtbl files.

The virus uses system folders to store its files.

The virus adds itself to the startup list by writing entries under these Windows registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run;
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Checking these keys for unfamiliar values that point into %AppData% or %Temp% is a quick first triage step on a machine suspected of infection.
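As an added check (example code written for this page; it is not part of the original article and not a Kaspersky or other vendor tool), the script below parses a `reg export` dump of the two keys above and flags autostart entries that look like ransomware persistence. The registry dump, the entry names and paths, and the heuristics are the editor's constructions and assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: what `reg export` of the HKCU Run and RunOnce keys looks like.
# The entries are invented for this example (one legitimate OneDrive entry and three
# suspicious ones); nothing here comes from a real xtbl sample.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Client Server Runtime Subsystem"="\"C:\\Users\\alice\\AppData\\Roaming\\csrss.exe\""
"xvqtlm"="C:\\Users\\alice\\AppData\\Local\\Temp\\xvqtlm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Update"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\update.js\""
"""

# Core Windows binaries whose names malware likes to borrow; legitimately they live in System32.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "explorer.exe"}
# Script hosts and "living off the land" binaries that rarely belong in a per-user autostart.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
# Typical drop locations writable by a non-admin user.
DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    key: str
    name: str
    command: str
    severity: str   # HIGH, LOW or INFO
    reason: str


def _unescape(value: str) -> str:
    # Undo .reg string escaping: backslash-backslash -> backslash, backslash-quote -> quote.
    return re.sub(r"\\(.)", r"\1", value)


def _executable(command: str) -> str:
    """Return the program part of a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_reg_export(text: str):
    """Yield (key, value_name, command) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line)
        if m and key:
            yield key, m.group(1), _unescape(m.group(2))


def assess(key: str, name: str, command: str) -> Finding:
    """Apply the persistence heuristics to one autostart entry."""
    exe_lower = _executable(command).lower()
    base = ntpath.basename(exe_lower)
    if base in SCRIPT_HOSTS:
        return Finding(key, name, command, "HIGH", f"{base} launched at logon (script/LOLBin host)")
    if base in SYSTEM_NAMES and not exe_lower.startswith("c:\\windows\\system32\\"):
        return Finding(key, name, command, "HIGH", f"{base} outside System32 (masquerading system binary)")
    if any(d in exe_lower for d in DROP_DIRS):
        return Finding(key, name, command, "HIGH", "executable in a user-writable drop directory")
    if "\\appdata\\" in exe_lower:
        return Finding(key, name, command, "LOW", "executable under AppData; verify the publisher")
    return Finding(key, name, command, "INFO", "no heuristic matched")


def triage(text: str) -> list:
    """Assess every autostart value in a .reg export, in file order."""
    return [assess(k, n, c) for k, n, c in parse_reg_export(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_EXPORT):
        print(f"[{f.severity}] {f.name!r} -> {f.command}  ({f.reason})")
```

On a real machine, produce the input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg /y` (and the same for RunOnce); `reg export` writes UTF-16, so read the file with `encoding="utf-16"` before passing it to `triage`. The heuristics are deliberately simple; a LOW finding such as OneDrive under AppData is a prompt to verify the publisher, not a verdict.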

The infected computer keeps running stably and the system does not crash, but a small process (or two) with a meaningless name is always resident in memory, and the folders holding the user's working files take on a strange appearance.

Instead of the usual wallpaper, a message appears on the desktop:

Your files have been encrypted. To decrypt them, send the code to the e-mail address [email protected] (the code follows). You will then receive further instructions. Independent attempts to decrypt the files will lead to their complete destruction.

The same text is placed in a generated file named How to decrypt your files.txt. The e-mail address, code and requested amount vary between samples.

Quite often, some scammers make money on the backs of others: they repackage the virus with their own e-wallet number in its body even though they have no way to decrypt the files. A gullible user who sends the money receives nothing in return.

Why you shouldn't pay ransomware

Cooperating with the extortionists is unacceptable not only on moral grounds; it is also unreasonable from a practical point of view.

  1. Fraud. There is no guarantee that the attackers can decrypt your files. One allegedly decrypted photograph returned to you proves nothing either: it may simply be the original, stolen before encryption. The money paid is wasted.
  2. Repeat attacks. By confirming your willingness to pay, you become a more attractive target for a repeat attack. Next time the files may carry a different extension and the desktop may show a different message, but the money goes to the same people.
  3. Confidentiality. While the files are encrypted, they are still on your computer. Having struck a deal with the "honest villains", you will be forced to send them all your personal information: their procedure does not give you a key to decrypt locally, only a channel for sending files to their decoder.
  4. Continued infection. Your computer is still infected, so decrypting the files is not a complete solution to the problem.

How to protect your system from a virus

The universal rules for protecting against malware and minimizing damage apply here too.

  1. Beware of unsolicited mail. Do not open e-mail from unknown senders, including advertisements and bonus offers. If you must, first save the attachment to disk and scan it with an antivirus before opening it.
  2. Keep protection current. Antivirus vendors constantly replenish their signature databases, so an up-to-date product will stop most known malware before it runs.
  3. Separate privileges. The virus does far more harm when it runs under an administrator account. Work as a standard user; this sharply limits what an infection can do.
  4. Create backups. Copy important information regularly to external media that is stored disconnected from the computer (a permanently attached drive is encrypted along with everything else). Windows restore points are a useful supplement, not a substitute.

Is it possible to recover encrypted information

Good news: data recovery is sometimes possible. Bad news: you usually cannot do it yourself. Brute-forcing a properly generated key is infeasible for anyone, regardless of resources; free decryptors exist only where the malware author made a mistake (weak key generation, key reuse, a key left behind on the disk) or the keys were later seized or leaked. Antivirus developers make it a point of honor to study each family, so even if they cannot help with your ransomware today, a solution may appear in a month or two. You will have to be patient.

Because specialists will need to be involved, the way you handle the infected computer changes. General rule: the fewer changes, the better. Analysts determine the treatment from the specific traits of the malicious program, so the ransom note, the encrypted files and the malware's own files are important evidence. Remove them only after the main problem is solved.

The second rule is to stop the virus at any cost. It may not have spoiled all the data yet, and its traces in memory can help identify it. So disconnect the computer from the network immediately (pull the cable, switch off Wi-Fi) and cut the power: on a laptop, hold the power button down. A hard power-off does discard the contents of RAM, so if a memory capture is possible within seconds, take it first; otherwise stopping the encryption takes priority. The standard "careful" shutdown, which lets every process finish properly, is the wrong choice this time, because one of those processes is the one encrypting your data.

Recovering encrypted files

If you managed to turn off your computer

If you managed to switch the computer off before the encryption finished, do not switch it back on yourself. Take the "patient" straight to specialists: an interrupted encryption run significantly improves the chances of saving personal files. Booting from a clean rescue medium (or, failing that, into safe mode), they can examine the storage and copy off what survived. Most likely the virus will be a known one, so removal will succeed.

If encryption is complete

Unfortunately, the chances of catching the encryption in progress are small. Usually the virus has time to encode the files and remove unnecessary traces from the computer. You are then left with two problems: Windows is still infected, and your personal files have become meaningless bytes. Solving the second problem requires help from anti-virus vendors.

Dr.Web

Dr.Web's laboratory provides its decryption service free of charge only to owners of commercial licenses. In other words, if you are not yet their customer but want your files back, you will have to buy the product. Given the situation, that is a reasonable investment.

The next step is to go to the vendor's website and fill in the request form.

If unencrypted copies of some of the encrypted files survive on external media, sending them along with their encrypted versions greatly eases the analysts' work: a known plaintext/ciphertext pair is often the key to understanding the cipher.

Kaspersky

Kaspersky Lab has developed its own decryption utility, RectorDecryptor, which can be downloaded from the company's official website.

Make sure the build you download supports your version of Windows, including Windows 7. After downloading, run it and click the "Start scan" button.

The process may take a while if the virus is relatively new; in that case the company usually sends a notification. Sometimes decryption takes several months.

Other services

More and more services with similar functions appear, which shows the demand for decryption. The procedure is the same: go to the site (for example, https://decryptcryptolocker.com/), register and upload an encrypted file. Such sites come and go, so check who operates one before uploading anything.

Decoder programs

There are plenty of "universal decoders" on the network (paid ones, of course), but their usefulness is questionable. A decoder written for one family by the people who analyzed it will work for that family and be useless against any other. Moreover, specialists who deal with ransomware regularly already have the complete set of working utilities. Buying such a decoder is most likely a waste of money.

Self-service information recovery

If for some reason contacting third-party specialists is impossible, you can try to recover the information yourself. Be warned that if it fails, the files may be lost for good.

Recovering deleted files

After encryption, the virus deletes the source files. However, Windows 7 may still hold earlier versions of them in Volume Shadow Copy snapshots created by System Restore, provided the malware did not delete the snapshots (many families run vssadmin delete shadows /all for exactly that reason).

ShadowExplorer is a utility designed to browse those snapshots and copy files out of them.

PhotoRec

The free PhotoRec utility takes a different route: it ignores the file system and carves files directly out of the disk sectors by their signatures, so it can recover deleted files whose blocks have not yet been overwritten.

  1. Download the archive from the developer's site and unpack it to a disk. The executable is named qphotorec_win.exe.
  2. After launch, the dialog lists all available disk devices. Select the one that held the encrypted files and specify the path where recovered copies should be saved.

    Use external media for the output, such as a USB flash drive: every write to the affected disk risks overwriting the very sectors you are trying to recover.

  3. With the target selected, click the File Formats button.
  4. The dialog lists the file types the application can recover. All are checked by default; to speed things up, clear the boxes you do not need, leaving only the types you are restoring. Press OK when done.
  5. The Search button now becomes available; click it. Recovery is a lengthy process, so be patient.
  6. When the process finishes, press Quit and exit the program.
  7. The recovered files are in the directory you specified, sorted into folders named recup_dir.1, recup_dir.2, recup_dir.3 and so on. Carved files lose their original names, so go through each folder and rename them.
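To show what signature carving actually does (an added example written for this page, not PhotoRec's code and not from the original article), the script below scans a raw image for JPEG and PNG header/footer pairs and writes whatever it finds under generic names, the way a carver must since the file system's names are gone. The "disk image" and the file payloads are constructed placeholders.

```python
from pathlib import Path

# Signatures: header bytes, footer bytes, and how many bytes after the footer still belong
# to the file (PNG's IEND chunk is followed by a 4-byte CRC).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
}
MAX_FILE = 16 * 1024 * 1024  # give up on a header if no footer appears within 16 MiB


def carve(image: bytes) -> list:
    """Return [(offset, type, data), ...] for every header/footer pair found in the image."""
    found = []
    for ext, (head, tail, extra) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + MAX_FILE)
            if end != -1:
                stop = end + len(tail) + extra
                found.append((pos, ext, image[pos:stop]))
                pos = image.find(head, stop)      # continue after this file
            else:
                pos = image.find(head, pos + 1)   # header without footer: partial or overwritten
    return sorted(found, key=lambda f: f[0])


def write_carved(found, outdir: Path) -> list:
    """Write carved files as recup_0001.jpg, recup_0002.png, ... to the output directory."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, (_, ext, data) in enumerate(found, 1):
        p = outdir / f"recup_{n:04d}.{ext}"
        p.write_bytes(data)
        paths.append(p)
    return paths


# Constructed disk image: unallocated filler, a deleted JPEG, some slack, a deleted PNG.
# The payloads are placeholders shaped like the real formats, not actual pictures.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40 + b"<jpeg payload>" + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"IEND" + b"\xaeB`\x82"
SAMPLE_IMAGE = b"\x00" * 512 + SAMPLE_JPEG + b"old slack bytes" + SAMPLE_PNG + b"\xff" * 300

if __name__ == "__main__":
    for off, ext, data in carve(SAMPLE_IMAGE):
        print(f"{ext} at offset {off}, {len(data)} bytes")
```

The simplification to keep in mind: a byte pattern such as FF D9 can legitimately occur inside JPEG data, so a real carver parses the format's structure rather than stopping at the first footer. The reason the page tells you to write output to external media is visible here too: carving finds data only where nothing has been written over it since deletion.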

Virus removal

Since the virus got in, the installed security software did not do its job. Try third-party help.

Important! Removing the virus disinfects the computer but does not restore encrypted files. Also, installing new software can overwrite disk sectors or shadow copies needed for recovery, so install the tools on another drive.

Kaspersky Virus Removal Tool

A free program from a well-known anti-virus vendor, downloadable from the Kaspersky Lab website. After launch, Kaspersky Virus Removal Tool immediately offers to start a scan.

After you press the large "Start Scan" button, the program scans the computer.

It remains to wait for the scan to finish and delete the uninvited guests it found.

Malwarebytes Anti-malware

Another anti-virus vendor that provides a free version of its scanner. The procedure is the same:

  1. Download the Malwarebytes Anti-Malware installer from the vendor's official page, then run it, answering the prompts and clicking Next.
  2. The main window offers to update the program immediately (a useful step that refreshes the signature databases). After that, start the scan with the corresponding button.
  3. Malwarebytes Anti-Malware scans the system stage by stage, showing interim results.
  4. Detected threats, ransomware included, are listed in the final window. Remove them with the "Delete Selected" button.

    To remove some malware correctly, Malwarebytes Anti-Malware asks to reboot the system; agree. After Windows restarts, the scanner continues cleaning.

What not to do

The XTBL virus, like other ransomware, damages both the system and the user's data. To limit the damage, take these precautions:

  1. Do not wait for the encryption to finish. If you see files being encrypted before your eyes, do not wait for it to end and do not try to stop it gracefully from within Windows. Cut the power immediately and call a specialist.
  2. Do not try to remove the virus yourself if you can leave it to professionals.
  3. Do not reinstall the system before treatment is complete. The virus will happily infect the new system too, and a reinstall destroys the shadow copies and deleted-file remnants that recovery depends on.
  4. Do not rename encrypted files. That only complicates the decoder's work.
  5. Do not open files from the infected machine on another computer before the virus is removed. Encrypted documents are inert data, but the same folders may hold the dropper, and opening it spreads the infection.
  6. Do not pay the extortionists. It is useless and it funds the virus writers and the scammers.
  7. Do not forget prevention. An installed antivirus, regular backups and restore points significantly reduce the potential damage from malware.

Disinfecting a computer hit by ransomware is a long and not always successful procedure. That is why care is so important when taking information from the network and working with unverified external media.

There will be no long preamble, since the article is already quite large. Let's figure out what you can do if your computer is infected with an encryptor. First, you need to find out which encryptor did this to your files; at the end of the article there are links to services that identify the malware running on your computer. If its name matches one of the names in this article, that is half the battle, so read on to see what Kaspersky offers against ransomware encryptors. Honestly, these viruses are quite strong and you really do have a problem: removing the malware from the computer is not an issue, but getting the files back is another matter.

Below I list the ransomware names and, after each group, the program that may help you.

The first group: Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl and Trojan-Ransom.Win32.CryptXXX versions 1 and 2.

What names your files will have after encryption:

  • Trojan-Ransom.Win32.Rannoh: the name and extension change to locked-<original_name>.<4 random letters>.
  • Trojan-Ransom.Win32.Cryakl: the marker CRYPTENDBLACKDC is appended to the end of the file contents.
  • Trojan-Ransom.Win32.AutoIt: the name changes to the pattern <original_name>@<mail_domain>_.<character_set>, for example [email protected]_.RZWDTDIC.
  • Trojan-Ransom.Win32.CryptXXX: the extension changes to <original_name>.crypt.

Confirm the identification with the service linked at the end of the article and, if everything matches, download the RannohDecryptor utility from the official Kaspersky website.

After you click the Start scan button, a window opens in which you must point to an encrypted file. The program then does the rest by itself, if it can. But let's not dwell on bad outcomes; everything will be fine!

XoristDecryptor

Designed to fight the encryptors Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Vandev.

You can recognize this encryptor by the following signs: it displays a window like the one shown below. On drive C: it creates files named "Read Me - How to Decrypt Files"; opening one shows content similar to the image below. In the Windows folder there is also a file named CryptLogFile.txt, which records everything that was encrypted.

Decrypting files

Download XoristDecryptor from the official Kaspersky website. Run it, point it to an encrypted file and wait while the utility tries to decrypt it.

If XoristDecryptor does not recognize the file, it offers to send it by e-mail. Kaspersky Lab examines the file and updates the XoristDecryptor database, so that on a repeat run there is a chance of getting your files back.

The next utility is called RectorDecryptor

Like the ones above, it is from Kaspersky and serves to decrypt files hit by the ransomware Trojan-Ransom.Win32.Rector.

Which files it encrypts: .jpg, .doc, .pdf, .rar.

Extensions after encryption: .vscrypt, .infected, .bloc, .korrektor.

The author signs as ††KOPPEKTOP†† and can be contacted at ICQ: 557973252 or 481095. In some cases the attacker asks to leave a message in the guest book of one of his sites, which are down or only up when he needs them:

  • https://trojan....sooot.cn/
  • https://malware....66ghz.com/

A banner on the desktop of the form shown below also indicates that your files were encrypted by this encryptor.

How to try to get your files back: download the RectorDecryptor utility from the official Kaspersky website. As with all the other Kaspersky utilities above, run it, click the Start scan button in the window that opens and specify an encrypted file.

The progress log, as in the examples above, can be found at C:\RectorDecryptor.2.3.7.0_10.05.2010_15.45.43_log.txt; the date and time will differ on your system.
RakhniDecryptor utility

Kaspersky's tool against the ransomware Trojan-Ransom.Win32.Rakhni, Trojan-Ransom.Win32.Autoit, Trojan-Ransom.Win32.Agent.iih, Trojan-Ransom.Win32.Aura, Trojan-Ransom.AndroidOS.Pletor, Trojan-Ransom.Win32.Rotor, Trojan-Ransom.Win32.Lamer, Trojan-Ransom.MSIL.Lortok, Trojan-Ransom.Win32.Cryptokluchen, Trojan-Ransom.Win32.Democry, Trojan-Ransom.Win32.Bitman versions 3 and 4, Trojan-Ransom.Win32.Libra, Trojan-Ransom.MSIL.Lobzik and Trojan-Ransom.Win32.Chimera.

Viruses in the classic sense are becoming rarer, thanks largely to free antivirus products that work well and protect users' computers. At the same time, not everyone cares about the security of their data, and such users risk infection not only by classic viruses but by trojans, which remain the most widespread class of malware. A trojan can manifest itself in different ways, and one of the most dangerous is file encryption. If a virus has encrypted the files on a computer, there is no guarantee of getting the data back, but some methods do work, and they are discussed below.

An encrypting virus: what it is and how it works

There are hundreds of file-encrypting viruses on the web. The result is always the same: the user's data ends up in an unknown format that standard programs cannot open. Here are just some of the extensions that encrypted data may receive: .locked, .xtbl, .kraken, .cbf, .oshit and many others. In some cases the virus authors' e-mail address is written directly into the file extension.

Among the most common file-encrypting viruses are Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni. They take many forms, and the name need not even contain "Trojan" (CryptoLocker, for example), but their behaviour is practically the same. New versions are released regularly to make the anti-virus developers' job harder.

Once an encrypting virus has penetrated the computer, it makes itself known not only by locking files but by offering to unlock them for a fee. A banner may appear on screen stating where to transfer money to have the lock removed. If no banner appears, look for a "letter" from the virus authors on the desktop; in most cases the file is called ReadMe.txt.

The rates for decryption depend on the virus developers. And it is far from certain that after you send the money they will send back a way to unlock the files. In most cases the money goes "nowhere" and the user receives no decryption method.

When the virus has appeared on your computer and you see a code on screen that you are told to send to a specific address to receive a decryptor, do not do it. First, write the code down on paper (a newly created file may get encrypted too), and keep the ransom note and a few encrypted files: they are what identification services and vendors use to work out the family. Then you can close the message from the virus developers and search the Internet for a way to deal with the encryptor in your particular case. Below we list the main programs that remove the virus and decrypt files; they are not universal, and the anti-virus vendors regularly expand the list of solutions.

Getting rid of the virus itself is fairly easy with free versions of anti-virus software. Three free programs handle file-encrypting viruses well:

The programs mentioned above are completely free or have trial versions. We recommend a Dr.Web or Kaspersky product after you have first scanned the system with Malwarebytes Anti-Malware. Once again: do not install two or more antiviruses on one computer at the same time; uninstall the previous one before installing the next.

As noted above, the ideal solution is to find instructions that address your specific case. Such instructions are most often posted on the anti-virus developers' websites. Below are a few relevant utilities that deal with various families of trojans and other ransomware.


The above is only a small part of the anti-virus utilities that can decrypt affected files. Note that blindly trying tools on encrypted files in the hope of getting the data back can make them unrecoverable, so do not do this.

If the system is infected with malware of the families Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, the files on the computer are encrypted as follows:

  • Trojan-Ransom.Win32.Rannoh: the name and extension change to the pattern locked-<original_name>.<4 random letters>.
  • Trojan-Ransom.Win32.Cryakl: the marker (CRYPTENDBLACKDC) is appended to the end of the file contents.
  • Trojan-Ransom.Win32.AutoIt: the name changes to the pattern <original_name>@<mail_domain>_.<character_set>.
    For instance, [email protected]_.RZWDTDIC.
  • Trojan-Ransom.Win32.CryptXXX: the extension changes to one of <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.
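The patterns above are enough to sort a directory listing into families before any decryptor is run. The script below does that (an added example written for this page; it is not Kaspersky's code and not from the original article): it classifies file names with the name patterns, checks the last bytes of unclassified files for the Cryakl marker, and sets the ransom notes named on this page aside so they are kept for analysts. The file names and contents are constructed; the regular expressions are the editor's reading of the patterns, and the marker is matched as the bare word since the page does not state what surrounds it.

```python
import re

# Name patterns as described above for the RannohDecryptor families (editor's regexes).
NAME_PATTERNS = {
    "Trojan-Ransom.Win32.Rannoh": re.compile(r"^locked-(?P<orig>.+)\.[A-Za-z]{4}$"),
    "Trojan-Ransom.Win32.AutoIt": re.compile(r"^(?P<orig>.+)@[^_@]+_\.[A-Za-z0-9]+$"),
    "Trojan-Ransom.Win32.CryptXXX": re.compile(r"^(?P<orig>.+)\.(crypt|crypz|cryp1)$", re.IGNORECASE),
}
# Cryakl marks the file contents, not the name; look for the marker near the end of the file.
CRYAKL_MARKER = b"CRYPTENDBLACKDC"
# Ransom notes mentioned on this page; they must be kept, analysts use them for identification.
NOTE_NAMES = {"how to decrypt your files.txt", "readme.txt", "read me - how to decrypt files"}
DECRYPTOR = "RannohDecryptor"  # the utility named on this page for all four families


def identify_by_name(name: str):
    """Return (family, original_name) if the file name matches a known pattern, else None."""
    for family, pattern in NAME_PATTERNS.items():
        m = pattern.match(name)
        if m:
            return family, m.group("orig")
    return None


def identify_by_content(data: bytes):
    """Return the Cryakl family name if its end-of-file marker is present in the last 64 bytes."""
    return "Trojan-Ransom.Win32.Cryakl" if CRYAKL_MARKER in data[-64:] else None


def triage(files: dict) -> dict:
    """Map each file name to a verdict: 'ransom note', a family name, or 'unknown'."""
    verdicts = {}
    for name, data in files.items():
        if name.lower() in NOTE_NAMES:
            verdicts[name] = "ransom note"
            continue
        hit = identify_by_name(name)
        verdicts[name] = hit[0] if hit else (identify_by_content(data) or "unknown")
    return verdicts


# Constructed directory listing: names and contents are invented for the example.
SAMPLE_FILES = {
    "locked-report.docx.qwrt": b"\x9f\x11\x3a\x77",
    "budget.xlsx@mail.example.com_.RZWDTDIC": b"\x02\x77\xfe\x10",
    "thesis.pdf.crypz": b"\x4a\x4a\x00\x9c",
    "cv.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 32 + b"(CRYPTENDBLACKDC)",
    "notes.txt": b"plain text, untouched",
    "How to decrypt your files.txt": b"Your files have been encrypted...",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name:45} {verdict}")
    print(f"Decryptor to try for the matched families: {DECRYPTOR}")
```

The original name captured by `identify_by_name` is what you need for the final step of recovery (restoring proper names after decryption); the page's advice not to rename encrypted files beforehand stands, because the decryptor relies on the same pattern.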

The RannohDecryptor utility is designed to decrypt files after infection by Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

How to cure the system

To disinfect an infected system:

  1. Download the RannohDecryptor.zip file.
  2. Run RannohDecryptor.exe on the infected machine.
  3. In the main window, click Start check.
  4. Specify the paths to an encrypted file and to its unencrypted copy.

    If the files were encrypted by Trojan-Ransom.Win32.CryptXXX, choose the largest pair you have: decryption will only be possible for files of equal or smaller size.

  5. Wait until the search and decryption of the encrypted files finish.
  6. Reboot the computer if required.
  7. To delete the copies of encrypted files of the form locked-<original_name>.<4 random letters> after successful decryption, select Delete encrypted files after successful decryption.

If a file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the decrypted file in the old location with the extension .decryptedKLR.original_extension. If you chose Delete encrypted files after successful decryption, the decrypted file is saved under its original name instead.

By default, the utility writes a log of its work to the root of the system disk (the disk where the OS is installed).

    The log name has the form UtilityName.Version_Date_Time_log.txt

    For instance, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

On a system infected with Trojan-Ransom.Win32.CryptXXX, the utility scans a limited set of file formats. When the selected file was affected by CryptXXX v2, key recovery may take a long time; the utility displays a warning in that case.
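Why a utility would ask for an encrypted file together with its unencrypted copy, and why it can then only decrypt files of equal or smaller size, is easiest to see on a toy model. The block below is an added illustration by the editor, not Kaspersky's code and not a description of CryptXXX's actual cipher: it assumes a stream cipher whose keystream is reused for every file, which is the simplest flaw that produces exactly the pair-of-files requirement and the size limit stated above. The key, the "backup" and the victim files are constructed.

```python
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The modelled flaw: one key per victim and the counter restarts at zero for every
    file, so every file is XORed with the same keystream prefix."""
    return xor(plaintext, keystream(key, len(plaintext)))


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """A plaintext/ciphertext pair (a backup copy and its encrypted twin) leaks the
    keystream for as many bytes as the pair is long; the key itself is never needed."""
    n = min(len(known_plain), len(known_cipher))
    return xor(known_plain[:n], known_cipher[:n])


def decrypt_with_keystream(ks: bytes, cipher: bytes) -> bytes:
    """Works only for files no longer than the recovered keystream, which is the
    'equal or smaller size' rule the utility states."""
    if len(cipher) > len(ks):
        raise ValueError(f"need a known pair of at least {len(cipher)} bytes, have {len(ks)}")
    return xor(cipher, ks[:len(cipher)])


# Constructed scenario: the per-victim key is unknown to the analyst, but a backup of one
# encrypted file survives on a USB stick.
VICTIM_KEY = hashlib.sha256(b"constructed per-victim secret").digest()
BACKUP_COPY = b"Quarterly report Q3: revenue up 4%, costs flat. " * 20     # 960 bytes
ENCRYPTED_COPY = flawed_encrypt(VICTIM_KEY, BACKUP_COPY)
SMALL_VICTIM = flawed_encrypt(VICTIM_KEY, b"Meeting notes: budget review moved to Friday.")
LARGE_VICTIM = flawed_encrypt(VICTIM_KEY, b"Long design document " * 100)  # 2100 bytes


def demo() -> dict:
    """Recover the keystream from the pair, then try it on a smaller and a larger file."""
    ks = recover_keystream(BACKUP_COPY, ENCRYPTED_COPY)
    result = {"small": decrypt_with_keystream(ks, SMALL_VICTIM)}
    try:
        decrypt_with_keystream(ks, LARGE_VICTIM)
        result["large"] = "decrypted"
    except ValueError as err:
        result["large"] = f"failed: {err}"
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

This is also why the page's advice to send analysts any surviving unencrypted copies matters, and why the largest available pair is the one to choose: every extra byte of known plaintext extends the reach of the recovered keystream.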

Viruses as a computer threat no longer surprise anyone. But whereas earlier they affected the system as a whole, causing malfunctions, today, with the appearance of ransomware, the actions of an intruding threat are aimed mainly at user data. That is arguably a greater threat than executables that damage Windows or spyware applets.

What is a ransomware virus?

The code of such a virus encrypts almost all user data with cryptographic algorithms while leaving the operating system's own files alone.

At first, the logic of the virus was not clear to many. It became clear only when the hackers who wrote such applets began demanding money for restoring the original files. The encrypting virus itself does not allow the files to be decrypted: that requires a separate decryptor, that is, a key, password or algorithm needed to restore the content.

The principle of penetration into the system and the operation of the virus code

As a rule, it is quite hard to "catch" this kind of filth merely by browsing the Internet. The main source of the "infection" is e-mail handled by a client installed on the particular computer, such as Outlook, Thunderbird or The Bat. Note right away that this does not apply to webmail services, which have a fairly high level of protection, and access to user data is possible only at the level

A client application on the computer is another matter: the field of action for viruses there is as wide as can be. One reservation, though: in most cases these viruses target large companies, from which money can be "squeezed" for the decryption code. That is understandable, since not only local workstations but also company servers may hold files that exist in a single copy and must not be destroyed under any circumstances. Decrypting files after ransomware then becomes a serious problem.

Of course, an ordinary user may also be attacked, but in most cases it is unlikely if you follow the simplest rule for attachments of unfamiliar type. Even when the mail client shows an attachment with a .jpg extension as a standard image, scan it first with the antivirus installed on the system.

Otherwise, a double-click (the standard way of opening) activates the code and the encryption begins, after which the same Breaking_Bad (an encrypting virus) is not only hard to remove but leaves files that cannot be restored after the threat has been eliminated.

General consequences of the penetration of all viruses of this type

As already said, most viruses of this type enter the system via e-mail. Say a large organization receives a message at a registered address with content like "We have changed the contract, the scan is attached" or "An invoice has been sent to you for the shipment of goods (copy attached)". Naturally, an unsuspecting employee opens the file and...

All user files, office documents, multimedia, specialized AutoCAD projects and any other archival data, are encrypted almost at once, and if the computer is on a local network, the virus can spread further, encrypting data on other machines (this becomes noticeable immediately when the system "slows down" and running programs freeze).

At the end of the encryption, the virus apparently sends a report of some kind, after which the company may receive a message that such-and-such a threat has entered the system and only such-and-such an organization can decrypt it. This usually concerns the virus [email protected] Then comes the demand to pay for decryption, with a proposal to send a few files to the client's e-mail, which is most often fictitious.

Harm from code exposure

If anyone has not yet understood: decrypting files after ransomware is a laborious process. Even if you do not give in to the criminals' demands and try to involve the official agencies that fight computer crime, usually nothing good comes of it.

If you delete all the files, reinstall, and even copy the original data back from removable media (assuming such a copy exists), everything will be encrypted again the moment the virus is reactivated. Do not flatter yourself, especially since when that same flash drive is inserted into a USB port, the user will not even notice the virus encrypting the data on it as well. Then you will certainly have problems.

Firstborn in the family

Now let's turn to the first ransomware virus. At the time it appeared, nobody thought about how to cure the system and decrypt files after running the executable enclosed in an e-mail attachment with a dating offer. Awareness of the scale of the disaster came only with time.

That virus had the romantic name "I Love You". An unsuspecting user opened an attachment in an e-mail message and was left with completely unplayable multimedia files (graphics, video and audio). Strictly speaking, it overwrote the files rather than encrypting them, and nobody demanded money; at the time such actions looked merely destructive (damaging the user's media libraries). It is a precursor of ransomware rather than a true member of the family.

Newest modifications

As you can see, the evolution of the technique has become a very profitable business, especially since many managers of large organizations immediately run to pay for decryption without considering that they may lose both money and information.

By the way, do not trust all the "left" posts on the Internet along the lines of "I paid the amount requested, they sent me a code, everything was restored." Nonsense! Much of this is written by the virus developers themselves to attract potential, pardon me, "suckers". And by the standards of an ordinary user, the amounts demanded are serious: from hundreds to several thousand or tens of thousands of euros or dollars.

Now let's look at the latest types of viruses of this kind, recorded relatively recently. All are much alike and belong not only to the encryptor category but also to the group of so-called ransomware. In some cases they act more "correctly" (like paycrypt), sending formal business proposals or messages suggesting that someone cares about the security of the user or organization. Such a virus simply misleads the user with its message. If the user takes even the smallest step towards paying, that is it: the "scam" is complete.

XTBL virus

This relatively recent virus can be counted among the classic ransomware. As a rule, it enters the system through e-mail messages with attachments in the file format that is standard for Windows screensavers. Both the system and the user assume everything is in order and open or save the attachment.

Alas, this has sad consequences: the file names are converted into a set of characters, .xtbl is appended to the original extension, and then a message is sent to the specified mail address about the possibility of decryption after payment of the stated amount (usually 5 thousand rubles).

CBF virus

This type of virus also belongs to the classics of the genre. It appears in the system after opening e-mail attachments and then renames user files by adding an extension such as .nochance or .perfect at the end.

Unfortunately, it is not possible to analyze the code of this type of ransomware virus even at the stage of its appearance in the system, since it self-destructs after completing its work, so there is no way to decrypt the files. Even what many consider a universal tool like RectorDecryptor does not help. Again, the user receives a letter demanding payment, with two days given to pay.

Breaking_Bad virus

This type of threat works in the same way but renames files in the standard fashion, adding .breaking_bad to the extension.

That is not all. Unlike the previous viruses, this one can also use another extension, .Heisenberg, so it is not always possible to find all the infected files. Breaking_Bad is therefore quite a serious threat. By the way, there have been cases when even a licensed Kaspersky Endpoint Security 10 package let this type of threat through.
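A defender-side triage script, added here as an example and not part of the original article, that inventories a directory tree for the file-name markers the three families above leave behind (.xtbl, .nochance, .perfect, .breaking_bad and .Heisenberg, as described in the text) and additionally flags files whose contents have the high byte entropy typical of encrypted data, which catches renamed files the marker list misses. The sample directory tree, the entropy threshold and all function names are constructed assumptions for this example.

```python
"""Inventory a directory tree for the ransomware file-name markers named in the
article (xtbl, CBF, Breaking_Bad) and flag encrypted-looking files without a marker.
Added triage example; the extension list comes from the article, the rest is constructed."""
import math
import os
import tempfile
from collections import Counter, defaultdict

# Markers taken from the article's description of each family (compared case-insensitively).
RANSOM_EXTENSIONS = {
    ".xtbl": "xtbl",
    ".nochance": "CBF",
    ".perfect": "CBF",
    ".breaking_bad": "Breaking_Bad",
    ".heisenberg": "Breaking_Bad",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, plain documents sit well below it


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_name(filename: str):
    """Return (family, original_extension) if the name carries a known marker, else None."""
    base, ext = os.path.splitext(filename)
    family = RANSOM_EXTENSIONS.get(ext.lower())
    if family is None:
        return None
    # The marker is appended after the original extension (e.g. report.docx.xtbl),
    # so the original extension is still recoverable for the report.
    _, original_ext = os.path.splitext(base)
    return family, original_ext.lower()


def scan_tree(root: str, sample_bytes: int = 65536) -> dict:
    """Walk `root`, group marker hits by family and list high-entropy files without a marker.

    Returns {"by_family": {family: [paths]}, "high_entropy_unmarked": [paths]}.
    """
    by_family = defaultdict(list)
    unmarked = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hit = classify_name(name)
            if hit is not None:
                by_family[hit[0]].append(path)
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            # Very small files give unreliable entropy estimates, so require 1 KiB.
            if len(head) >= 1024 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                unmarked.append(path)
    return {"by_family": dict(by_family), "high_entropy_unmarked": sorted(unmarked)}


def build_sample_tree() -> str:
    """Create a constructed directory tree mimicking the renames the article describes."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    samples = {
        "docs/report.docx.xtbl": os.urandom(4096),          # xtbl marker after original ext
        "docs/budget.xlsx.nochance": os.urandom(4096),      # CBF marker
        "photos/holiday.jpg.breaking_bad": os.urandom(4096),
        "photos/family.jpg.Heisenberg": os.urandom(4096),   # second Breaking_Bad marker
        "docs/notes.txt": b"Quarterly notes\n" * 200,        # plain text, low entropy
        "docs/scrambled.bin": os.urandom(4096),              # encrypted-looking, no marker
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    for family, paths in sorted(result["by_family"].items()):
        print(f"{family}: {len(paths)} file(s)")
        for p in paths:
            print("   ", os.path.relpath(p, root))
    print("high-entropy files without a marker:",
          [os.path.relpath(p, root) for p in result["high_entropy_unmarked"]])
```

Run against a real share, `scan_tree` gives an incident responder a per-family count and the original extensions of the affected documents, which is exactly what the antivirus vendors' request forms mentioned later in the article ask for; the entropy check is a heuristic, so compressed archives and media files will also show up in the unmarked list and need a manual look.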

Virus [email protected]

Here is another, perhaps the most serious threat, aimed mainly at large commercial organizations. As a rule, a letter arrives at some department containing what looks like changes to a supply agreement, or simply an invoice. The attachment may be an ordinary .jpg file (an image), but more often it is an executable script.js (Java applet).

How can this type of ransomware virus be decrypted? Judging by the fact that it uses some unknown RSA-1024 algorithm, it cannot. As the name suggests, it is a 1024-bit encryption system. But, if anyone remembers, today 256-bit AES is considered the most advanced.

Encryption virus: how to disinfect and decrypt files using antivirus software

To date, no solutions have been found for decrypting files after threats of this type. Even such masters of antivirus protection as Kaspersky, Dr. Web and Eset cannot find the key to the problem once the ransomware virus has established itself in the system. How to disinfect the files? In most cases, it is proposed to send a request to the official website of the antivirus developer (and, by the way, only if the system runs that developer's licensed software).

In this case you need to attach several encrypted files as well as their "healthy" originals, if any. By and large, few people keep copies of their data, so the lack of them only aggravates an already unpleasant situation.

Possible ways to identify and eliminate the threat manually

Yes, scanning with ordinary antivirus software detects these threats and even removes them from the system. But what about the information?

Some people try to use decryptor programs like the already mentioned RectorDecryptor utility (RakhniDecryptor). Let's say it right away: this will not help. And in the case of the Breaking_Bad virus it can only do harm. Here is why.

The fact is that the people who create such viruses are trying to protect themselves and to teach others a lesson. When decryption utilities are used, the virus can react in such a way that the whole system "flies off", with the complete destruction of all data stored on the hard drives or in logical partitions. This is, so to speak, an object lesson for the edification of all those who do not want to pay. One can only hope for the official antivirus laboratories.

Cardinal methods

However, if things are really bad, you will have to sacrifice the information. To get rid of the threat completely, you need to format the entire hard drive, including virtual partitions, and then reinstall the operating system.

Unfortunately, there is no other way out. Even rolling back to a previously saved restore point will not help: the virus may disappear, but the files will remain encrypted.

Instead of an afterword

In conclusion, it should be noted that the situation is as follows: a ransomware virus penetrates the system, does its dirty work and cannot be cured by any known method. Antivirus defenses were not ready for this type of threat. It goes without saying that the virus can be detected after the fact and removed. But the encrypted information will remain unreadable. So one can only hope that the best minds of the antivirus companies will eventually find a solution, although, judging by the encryption algorithms, it will be very difficult. Recall, for example, the Enigma cipher machine used by the German navy during World War II. The best cryptanalysts could not solve the problem of decrypting its messages until they got their hands on the device itself. The same applies here.
