How to open virus-encrypted files. How to remove a virus that encrypts files and decrypt files

I continue the infamous column on my website with another story in which I myself was the victim. I will talk about the ransomware virus Crusis (Dharma), which encrypted all files on a network drive and gave them the .combo extension. He worked not only on local files, as happens most often, but also on network ones.

Guaranteed decryption of files after a ransomware virus - dr-shifro.ru. The details of the work and the scheme of interaction with the customer are below in my article or on the website in the section “Procedure of work”.

Introduction

The story will be in the first person, as the data and infrastructure that I managed suffered from the ransomware. How sad it is to admit this, but I myself am partially to blame for what happened, although I have known cryptographers for a very long time. In my defense, I will say that the data was not lost, everything was quickly restored and investigated in hot pursuit. But first things first.

A boring morning began with the fact that at 9:15 a system administrator called from one remote site and said that there was an encryptor on the network, data on network drives was already encrypted. A chill ran through my skin :) He began to check the source of infection on his own, and I began to check with mine. Of course, I immediately went to the server, disconnected network drives and began to look at the data access log. Network drives are set to , must be enabled . From the log, I immediately saw the source of the infection, the account under which the ransomware ran, and the time the encryption started.

Description of the Crusis ransomware virus (Dharma)

Then the investigation began. Encrypted files got the extension .combo. There were a lot of them. The cryptographer started working late in the evening, at about 11 p.m. Lucky - the backup of the affected disks had just been completed by this time. The data was not lost at all, as they managed to back up at the end of the working day. I immediately started restoring from a backup that is on a separate server without smb access.

During the night, the virus managed to encrypt approximately 400 GB of data on network drives. The banal deletion of all encrypted files with the combo extension took a long time. At first I wanted to delete them all at once, but when only counting these files lasted for 15 minutes, I realized that it was useless at the moment. Instead, he began to roll up the current data, and cleaned the disks of encrypted files after.

Let me tell you the truth right now. Having up-to-date, reliable backups makes any problem solvable. What to do if they are not there, or they are not relevant, I can’t even imagine. I always pay special attention to backups. I cherish them, I cherish them and I do not give anyone access to them.

After I started the recovery of encrypted files, it was time to calmly sort out the situation and take a closer look at the Crusis (Dharma) encryption virus. Here surprises awaited me. The source of the infection was a virtual machine with Windows 7 with the forwarded rdp port through a backup channel. The port was not standard - 33333. I think it was a major mistake to use such a port. Although not standard, it is very popular. Of course, it's better not to forward rdp at all, but in this case it was really necessary. By the way, now, instead of this virtual machine, a virtual machine with CentOS 7 is also used, it has a container with xfce and a browser running in the docker. Well, this virtual machine has no access anywhere, only where you need it.

What's scary about this whole story? The virtual machine was updated. The ransomware began work at the end of August. When the infection of the machine was done, it is definitely not possible to establish. The virus wiped a lot of things in the virtual machine itself. Updates on this system were put in May. That is, there should not be any old open holes on it. Now I don't know at all how to leave the rdp port accessible from the Internet. There are too many cases where it is really needed. For example, a terminal server on rented hardware. You will not rent a vpn gateway for each server.

Now closer to the point and the ransomware itself. The virtual machine had a network interface disabled, then launched it. I was greeted by a standard sign, which I have seen many times with other ransomware.

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 501BED27 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click "Buy bitcoins", and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

There were 2 text files on the desktop with the names FILES ENCRYPTED.TXT the following content:

All your data has been locked us write email [email protected]

It is curious that the rights to the directory have changed Desktop. The user did not have write permissions. Apparently, the virus did this to prevent the user from accidentally deleting information in text files from the desktop. There was a directory on the desktop troy, which contained the virus itself - a file l20VHC_playload.exe.

How Crusis (Dharma) ransomware encrypts files

Having calmly sorted everything out and read similar messages on the topic of ransomware on the Internet, I found out that I had caught a variant of the well-known encryption virus Crusis (Dharma). Kaspersky detects it as Trojan-Ransom.Win32.Crusis.to. It puts different file extensions, including .combo. My list of files looked like this:

Vanino.docx.id-24EE2FBC..combo
Petropavlovsk-Kamchatsky.docx.id-24EE2FBC..combo
Horol.docx.id-24EE2FBC..combo
Yakutsk.docx.id-24EE2FBC..combo

I’ll tell you some more details about how the ransomware worked. I didn't mention an important thing. This computer was in a domain. Encryption of files was performed from a domain user!!! Here the question arises, where did the virus get it from. On the logs of domain controllers, I did not see information and selection of the user's password. There were no mass of unsuccessful authorizations. Either some kind of vulnerability was exploited, or I don't know what to think. An account was used that has never logged into this system. There was authorization via rdp from a domain user account, and then encryption. On the system itself, there were no traces of enumeration of users and passwords either. Almost immediately there was an rdp login with a domain account. It was necessary to pick up, at a minimum, not only the password, but also the name.

Unfortunately, the account had a password of 123456. It was the only account with such a password that the local admins missed. Human factor. It was the manager and for some reason a whole series of system administrators knew about this password, but did not change it. Obviously, this is the reason for using this particular account. But nevertheless, the mechanism for obtaining even such a simple password and username remains unknown.

I turned off and deleted the virtual machine infected with the ransomware, having previously taken the disk image. I took the virus itself from the image to look at its work. The further story will be based on the launch of the virus in a virtual machine.

Another small detail. The virus scanned the entire local network and simultaneously encrypted information on those computers where there were some shared folders with access for everyone. This is the first time I have seen such a modification of the encryptor. It's really a terrible thing. Such a virus can simply paralyze the entire organization. Let's say, for some reason, you had network access to the backups themselves. Or they used some kind of weak password for the account. It may happen that everything will be encrypted - both data and archived copies. In general, now I'm thinking about storing backups not only in an isolated network environment, but in general on turned off equipment that starts up only to make a backup.

How to heal your computer and remove the Crusis ransomware (Dharma)

In my case, the Crusis ransomware virus (Dharma) did not hide much and removing it should not pose any problems. As I said, it was in a folder on the desktop. In addition, he recorded himself and the informational message in autorun.

The body of the virus itself was duplicated in the launch in the section startup for all users and windows/system32. I did not look more closely, because I do not see the point in this. After being infected with a ransomware, I strongly recommend that you reinstall the system. This is the only way to be sure to remove the virus. You will never be completely sure that the virus is removed, as it could use some as yet unpublished and unknown vulnerabilities in order to leave a bookmark in the system. After a while, through this mortgage, you can get some new virus and everything will repeat in a circle.

So I recommend that immediately after detecting the ransomware, do not treat the computer, but reinstall the system, saving the remaining data. Perhaps the virus did not manage to encrypt everything. These recommendations apply to those who are not going to try to recover files. If you have current backups, then just reinstall the system and restore the data.

If you do not have backups and you are ready to restore files at any cost, then we try not to touch the computer at all. First of all, just unplug the network cable, download a couple of encrypted files and a text file with information on clean flash drive, then shut down the computer. The computer can no longer be turned on. If you do not understand computer matters at all, then you will not be able to cope with the virus yourself, much less decrypt or restore files. Contact someone who knows. If you think that you can do something yourself, then read on.

Where to download Crusis decoder (Dharma)

Next comes my universal advice on all ransomware viruses. There is a site - https://www.nomoreransom.org It could theoretically contain a decryptor for Crusis or Dharma, or some other information on decrypting files. In my practice, this has never happened before, but suddenly you are lucky. It's worth a try. To do this, on the main page, we agree by clicking YES.

We attach 2 files and paste the contents of the information message of the encryptor and click Check.

If you're lucky, get some information. In my case, nothing was found.

All existing decryptors for ransomware are collected on a separate page - https://www.nomoreransom.org/en/decryption-tools.html The existence of this list allows us to expect that there is still some sense in this site and service. Kaspersky has a similar service - https://noransom.kaspersky.com/ru/ You can try your luck there.

I think it’s not worth looking for decoders somewhere else through an Internet search. It is unlikely that they will be found. Most likely it will be either an ordinary scam with junk software at best, or a new virus.

An important addition. If you have a licensed version of some antivirus installed, be sure to create a request to the antivirus TP on the topic of decrypting files. Sometimes it really helps. I have seen reports of successful decryption by antivirus support.

How to decrypt and recover files after Crusis virus (Dharma)

What to do when the Crusis (Dharma) virus encrypted your files, none of the previously described methods helped, and you really need to restore the files? The technical implementation of encryption does not allow decrypting files without a key or decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I do not have such information. We can only try to recover files using improvised methods. These include:

Tool shadow copies windows.
Programs for recovering deleted data

Before further manipulations, I recommend making a sector-by-sector image of the disk. This will fix the current state and if nothing happens, then at least you can return to the starting point and try something else. Next, you need to remove the ransomware itself with any antivirus with the latest set of antivirus databases. Suitable CureIt or Kaspersky Virus Removal Tool. You can install any other antivirus in trial mode. This is enough to remove the virus.

After that, we boot into the infected system and check if we have shadow copies enabled. This tool works by default in windows 7 and higher unless you disable it manually. To check, open the properties of the computer and go to the system protection section.

If during infection you did not confirm the UAC request to delete files in shadow copies, then some data should remain there. For convenient file recovery from shadow copies, I suggest using a free program for this - ShadowExplorer. Download the archive, unpack the program and run.

The last copy of the files and the root of drive C will open. In the upper left corner, you can select a backup if you have more than one. Check different copies for the necessary files. Compare by dates where the more recent version is. In my example below, I found 2 files on my desktop that were three months old when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and indicated the folder where to restore them.

You can restore folders immediately in the same way. If shadow copies worked for you and you did not delete them, you have quite a lot of chances to recover all or almost all files encrypted by the virus. Perhaps some of them will be an older version than we would like, but nevertheless, it is better than nothing.

If for some reason you do not have shadow copies of files, the only chance to get at least some of the encrypted files is to restore them using the tools for recovering deleted files. To do this, I suggest using the free Photorec program.

Run the program and select the disk on which you will recover files. Launching the graphical version of the program executes the file qphotorec_win.exe. You must select the folder where the found files will be placed. It is better if this folder is not located on the same drive where we are searching. Connect a flash drive or external hard drive for this.

The search process will take a long time. At the end you will see statistics. Now you can go to the previously specified folder and see what is found there. There will most likely be a lot of files and most of them will either be damaged, or they will be some kind of system and useless files. But nevertheless, in this list it will be possible to find some useful files. There are no guarantees here, what you find is what you will find. Best of all, usually, images are restored.

If the result does not satisfy you, then there are still programs for recovering deleted files. Below is a list of programs that I usually use when I need to recover the maximum number of files:

R.saver
Starus File Recovery
JPEG Recovery Pro
Active File Recovery Professional

These programs are not free, so I will not provide links. With a strong desire, you can find them yourself on the Internet.

The entire process of recovering files using the listed programs is shown in detail in the video at the very end of the article.

Kaspersky, eset nod32 and others in the fight against the Crusis ransomware (Dharma)

As usual, I went through the forums of popular antiviruses in search of information about the encryptor that puts the .combo extension. The trend towards the spread of the virus is clearly visible. A lot of requests start from mid-August. Now it seems that they are not visible, but, perhaps temporarily, or the extension of the encrypted files has simply changed.

Here is an example of a typical message from the Kaspersky forum.

The moderator's comment is below.

The EsetNod32 forum has long been familiar with the virus that puts the .combo extension. As I understand it, the virus is not unique and not new, but a variation of the long-known series of Crusis (Dharma) viruses. Here is a typical request to decrypt data:

I noticed that there are a lot of reviews on the Eset forum that the virus entered the server via rdp. It seems that this is a really strong threat and it is impossible to leave rdp without cover. The only question that arises is how does the virus enter via rdp. It picks up a password, connects with a known user and password, or something else.

Where to apply for guaranteed decryption

I happened to meet one company that really decrypts data after the work of various encryption viruses, including Crusis (Dharma). Their address is http://www.dr-shifro.ru. Payment only after decryption and your verification. Here is an example workflow:

A specialist of the company drives up to your office or home, and signs a contract with you, in which he fixes the cost of the work.
Launches the decryptor on his computer and decrypts some files.
You make sure that all files are opened, and sign the act of acceptance / acceptance of work performed, you receive a decoder.
Decrypt your files and arrange the rest of the documents.

You risk nothing. Payment only after the demonstration of the decoder. Please write a review about your experience with this company.

Methods of protection against ransomware virus

I will not list the obvious things about launching unknown programs from the Internet and opening email attachments. This is what everyone knows now. In addition, I wrote about this many times in my article in the pro section. I will pay attention to backups. They should not just be, but be inaccessible from the outside. If this is some kind of network drive, then a separate account with a strong password should have access to it.

If you back up your personal files to a flash drive or external drive, don't keep them permanently connected to the system. After creating backup copies, disconnect devices from the computer. Ideally, I see a backup to a separate device, which turns on only to make a backup, and then again physically disconnects from the network by disconnecting the network wire or simply shutting down.

Backups must be incremental. This is necessary in order to avoid a situation where the encryptor encrypted all the data, and you did not notice it. A backup was performed, which replaced the old files with new ones, but already encrypted. As a result, you have an archive, but there is no sense in it. You need to have an archive depth of at least a few days. I think that in the future there will be, if not yet, cryptographers that will quietly encrypt part of the data and wait for a while without showing themselves. This will be done in the expectation that encrypted files will end up in archives and over time replace real files there.

This will be a difficult time for the corporate sector. I have already given an example above from the eset forum, where network drives with 20TB of data were encrypted. Now imagine that you have such a network drive, but only 500G of data is encrypted in directories that are not constantly accessed. A couple of weeks pass, no one notices the encrypted files, because they are in the archive directories, and they are not constantly worked with. But at the end of the reporting period, data is needed. They go there and see that everything is encrypted. They turn to the archive, and there the storage depth is, say, 7 days. And that's it, the data is gone.

Here we need a separate careful approach to the archives. You need software and resources for long-term data storage.

Video with decryption and file recovery

Here is an example of a similar modification of the virus, but the video is completely relevant for combo.

Fight against new virus threats - ransomware

We recently wrote that new threats are spreading on the network - ransomware viruses or viruses that encrypt files in more detail, you can read more about them on our website, at this link.

In this topic, we will tell you how you can return data encrypted by a virus, for this we will use two decryptors, from Kaspersky and Doctor Web antiviruses, these are the most effective methods for returning encrypted information.

1. Download utilities for decrypting files using the links: Kaspersky and Dr.WEB

Or decryptors for a specific type of encrypted files that are in .

2. First, we will try to decrypt files using a program from Kaspersky:

2.1. Launching the Kaspersky decryptor program, if it asks for some actions, for example, permission to launch, we launch it, if it asks to update, we update it, this will increase the chances of returning encrypted data

2.2. In the program window that appears for decrypting files, we see several buttons. Set advanced options and start checking.

2.3. If necessary, select additional options and specify the search locations for encrypted files and, if necessary, delete after decryption, I do not advise choosing this option, files are not always decrypted correctly!

2.4. We start the scan and wait for the decryption of our data encrypted by the virus.

3. If the first method did not work. Trying to decrypt files using Dr. WEB

3.1. After you have downloaded the decryption application, put it for example in the root of the "C:" drive, so the file "te102decrypt.exe" should be available at "c:\te102decrypt.exe"

3.2. Now go to command line(Start-Search-Enter "CMD" without quotes-launch by pressing Enter)

3.3. To start decrypting files write the command "c:\te102decrypt.exe -k 86 -e (encryptor code)". The ransomware code is an extension appended to the end of the file, such as " [email protected] _45jhj" - we write it without quotes and brackets, respecting the spaces. You should get something like c:\te102decrypt.exe -k 86 -e [email protected] _45jhj

3.4. Press Enter and wait for the files to be decrypted that have been encrypted, in some cases several copies of the decrypted files are created, try to run them, save the copy of the decrypted file that opens normally, the rest can be deleted.

Download other file decoders:

Attention: be sure to save a copy of the encrypted files on external media or another PC. The decryptors presented below may not decrypt files, but only corrupt them!

It is best to run the decryptor on a virtual machine or on a specially prepared computer, after downloading several files to them.

The decoders below work as follows: For example, your files are encrypted with the amba encoder and the files look like "Agreement.doc.amba" or "Invoice.xls.amba", then download the decryptor for amba files and just run it, it will find all the files with this extension and decrypt it, but again, protect yourself and first make a copy of the encrypted files, otherwise you may lose incorrectly decrypted data forever!

If you do not want to take risks, then send a few files to us, after contacting us via the feedback form, we will run the decryptor on a specially prepared computer isolated from the Internet.

The submitted files have been scanned by the latest version of Kaspersky Anti-Virus and with the latest database updates.

is a malicious program that, when activated, encrypts all personal files, such as documents, photos, etc. The number of such programs is very large and it is increasing every day. Just recently, we have come across dozens of ransomware options: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, .da_vinci_code, toste, fff, etc. The purpose of such ransomware is to force users to buy, often for a large amount of money, the program and key needed to decrypt their own files.

Of course, you can recover encrypted files simply by following the instructions that the virus creators leave on the infected computer. But most often the cost of decryption is very significant, you also need to know that some encryption viruses encrypt files in such a way that it is simply impossible to decrypt them later. And of course, it's just unpleasant to pay for the restoration of your own files.

Below we will talk in more detail about ransomware viruses, how they penetrate the victim's computer, as well as how to remove the ransomware virus and restore files encrypted by it.

How a ransomware virus enters a computer

A ransomware virus is usually distributed via email. The letter contains infected documents. These emails are sent to a huge database of email addresses. The authors of this virus use misleading headers and content of emails, trying to trick the user into opening the document attached to the email. Some letters inform about the need to pay the bill, others offer to see the latest price list, others open a funny photo, etc. In any case, the result of opening the attached file will be the infection of the computer with a ransomware virus.

What is a ransomware virus

A ransomware virus is a malicious program that infects modern versions of the Windows family of operating systems, such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. These viruses try to use the strongest possible encryption modes, such as RSA-2048 with the key length is 2048 bits, which practically excludes the possibility of choosing a key for self-decryption of files.

While infecting a computer, the ransomware virus uses the %APPDATA% system directory to store its own files. To automatically launch itself when the computer is turned on, the ransomware creates an entry in the Windows registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, HKCU\Software\Microsoft\Windows\CurrentVersion\ Run, HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware virus uses the file name extension as a way to determine the group of files that will be encrypted. Almost all types of files are encrypted, including such common ones as:

0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata , .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, . mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta , .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, . apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, . js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2 , .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, . rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf , .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, . wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm , .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, . zif, .zip, .zw

Immediately after the file is encrypted, it receives a new extension, which can often be used to identify the name or type of cryptor. Some types of these malware can also change the names of encrypted files. The virus then creates a text document with names like HELP_YOUR_FILES, README, which contains instructions for decrypting the encrypted files.

During its operation, the ransomware tries to block the possibility of recovering files using the SVC system (shadow copies of files). To do this, the virus in command mode calls the utility for administering shadow copies of files with a key that starts the procedure for their complete removal. Thus, it is almost always impossible to recover files by using their shadow copies.

The ransomware virus actively uses scare tactics by giving the victim a link to a description of the encryption algorithm and displaying a threatening message on the desktop. It tries in this way to force the user of the infected computer to send the computer ID to the e-mail address of the virus author without hesitation, in order to try to return their files. The response to such a message is most often the amount of the ransom and the address of the electronic wallet.

Is my computer infected with a ransomware virus?

It is quite easy to determine whether a computer is infected with a ransomware virus or not. Pay attention to the extensions of your personal files such as documents, photos, music, etc. If the extension has changed or your personal files have disappeared, leaving behind a lot of files with unknown names, then the computer is infected. In addition, a sign of infection is the presence of a file with the name HELP_YOUR_FILES or README in your directories. This file will contain instructions for decrypting the files.

If you suspect that you have opened a letter infected with a ransomware virus, but there are no symptoms of infection yet, then do not turn off or restart your computer. Follow the steps described in this manual, section. Once again, it is very important not to turn off the computer, in some types of ransomware, the file encryption process is activated the first time the computer is turned on after infection!

How to decrypt files encrypted by a ransomware virus?

If this misfortune happened, then there is no need to panic! But you need to know that in most cases there is no free decryptor. The reason for this is the strong encryption algorithms used by such malware. This means that it is almost impossible to decrypt files without a private key. Using the key selection method is also not an option, due to the large length of the key. Therefore, unfortunately, only paying the authors of the virus the entire amount requested is the only way to try to get the decryption key.

Of course, there is absolutely no guarantee that after payment, the authors of the virus will get in touch and provide the key needed to decrypt your files. In addition, you need to understand that by paying money to virus developers, you yourself are pushing them to create new viruses.

How to remove the ransomware virus?

Before proceeding with this, you need to know that when you start removing the virus and trying to restore the files yourself, you block the ability to decrypt the files by paying the authors of the virus the amount they requested.

Kaspersky Virus Removal Tool and Malwarebytes Anti-malware can detect different types of active ransomware viruses and will easily remove them from your computer, BUT they cannot recover encrypted files.

5.1. Remove ransomware with Kaspersky Virus Removal Tool

By default, the program is configured to recover all types of files, but to speed up the work, it is recommended to leave only the types of files that you need to recover. When you have completed your selection, press the OK button.

At the bottom of the QPhotoRec window, find the Browse button and click it. You need to select a directory where the recovered files will be saved. It is advisable to use a disk that does not contain encrypted files that require recovery (you can use a USB flash drive or an external drive).

To start the procedure for searching and restoring the original copies of encrypted files, click the Search button. This process takes quite a long time, so be patient.

When the search is finished, click the Quit button. Now open the folder you chose to save the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3 and so on. The more files the program finds, the more directories there will be. To find the files you need, check all directories one by one. To make it easier to find the file you need among a large number of recovered ones, use the built-in Windows search system (by the contents of the file), and also do not forget about the function of sorting files in directories. You can select the date the file was modified as a sort parameter, since QPhotoRec attempts to restore this property when restoring a file.

How to prevent a computer from being infected by a ransomware virus?

Most modern anti-virus programs already have a built-in protection system against the penetration and activation of ransomware viruses. Therefore, if your computer does not have an antivirus program, then be sure to install it. You can find out how to choose it by reading this.

Moreover, there are specialized protective programs. For example, this is CryptoPrevent, more details.

A few final words

By following this instruction, your computer will be cleared of the ransomware virus. If you have questions or need help, please contact us.

Ransomware (cryptolockers) is a family of malicious programs that block users' access to files on a computer using various encryption algorithms (for example, сbf, chipdale, just, foxmail inbox com, watnik91 aol com, etc.).

Typically, the virus encrypts popular types of user files: documents, spreadsheets, 1C databases, any data arrays, photographs, etc. File decryption is offered for money - the creators require you to transfer a certain amount, usually in bitcoins. And if the organization did not take proper measures to ensure the safety of important information, transferring the required amount to attackers may be the only way to restore the company's performance.

In most cases, the virus spreads via e-mail, disguised as quite ordinary letters: notification from the tax office, acts and contracts, information about purchases, etc. By downloading and opening such a file, the user, without realizing it, launches malicious code. The virus sequentially encrypts the necessary files, and also deletes the original instances using guaranteed destruction methods (so that the user cannot recover recently deleted files using special tools).

Modern ransomware

Ransomware and other viruses that block user access to data are not a new problem in information security. The first versions appeared back in the 90s, but they mainly used either “weak” (unstable algorithms, small key size) or symmetric encryption (files from a large number of victims were encrypted with one key, it was also possible to recover the key by examining the virus code ), or even come up with their own algorithms. Modern instances do not have such shortcomings, attackers use hybrid encryption: using symmetric algorithms, the contents of files are encrypted at a very high speed, and the encryption key is encrypted with an asymmetric algorithm. This means that to decrypt files, you need a key that only the attacker owns; it cannot be found in the source code of the program. For example, CryptoLocker uses the RSA algorithm with a key length of 2048 bits in combination with the symmetric AES algorithm with a key length of 256 bits. These algorithms are currently recognized as crypto-resistant.

The computer is infected with a virus. What to do?

It should be borne in mind that although encryption viruses use modern encryption algorithms, they are not able to encrypt all files on the computer instantly. Encryption proceeds sequentially, the speed depends on the size of the encrypted files. Therefore, if you find in the course of work that the usual files and programs have ceased to open correctly, then you should immediately stop working on the computer and turn it off. Thus, you can protect some files from encryption.

Once you have encountered a problem, the first step is to get rid of the virus itself. We will not dwell on this in detail; it is enough to try to cure the computer using antivirus programs or remove the virus manually. It is only worth noting that a virus often self-destructs after the completion of the encryption algorithm, thereby making it difficult to decrypt files without resorting to intruders for help. In this case, the antivirus program may not detect anything.

The main question is how to recover encrypted data? Unfortunately, recovering files after a ransomware virus is almost impossible. At the very least, no one will guarantee complete data recovery in the event of a successful infection. Many manufacturers of anti-virus tools offer their help in decrypting files. To do this, you need to send an encrypted file and additional information (a file with the attackers' contacts, a public key) through special forms posted on the manufacturers' websites. There is a small chance that they found a way to deal with a specific virus and your files will be successfully decrypted.

Try using a file recovery utility. It is possible that the virus did not use guaranteed destruction methods and some files can be recovered (this can especially work with large files, for example, with files of several tens of gigabytes). There is also a chance to recover files from shadow copies. When you use System Restore, Windows creates snapshots ("snapshots") that may contain file data at the time the restore point was created.

If your data was encrypted in cloud services, contact technical support or explore the capabilities of the service you use: in most cases, services provide a “rollback” function to previous versions of files, so they can be restored.

What we strongly recommend not to do is follow the ransomware and pay for decryption. There were cases when people gave money, but did not receive the keys. No one guarantees that the attackers, having received the money, will actually send the encryption key and you will be able to recover the files.

How to protect yourself from a ransomware virus. Preventive measures

It is easier to prevent dangerous consequences than to correct them:

Use reliable anti-virus tools and regularly update anti-virus databases. Sounds trite, but this will greatly reduce the chances of successfully introducing a virus to your computer.
Keep backup copies of your data.

The best way to do this is with specialized backup tools. Most cryptolockers can encrypt backups as well, so it makes sense to store backups on other computers (for example, on servers) or on alienated media.

Restrict the rights to modify files in folders with backups, allowing only appending. In addition to the consequences of the ransomware, backup systems neutralize many other threats associated with data loss. The spread of the virus once again demonstrates the relevance and importance of using such systems. Data recovery is much easier than decryption!

Restrict the software environment in the domain.

Another effective way to combat this is to limit the launch of some potentially dangerous file types, for example, with the extensions .js, .cmd, .bat, .vba, .ps1, etc. This can be done using the AppLocker tool (in Enterprise- revisions) or SRP policies centrally in the domain. There are quite detailed guides on the web on how to do this. In most cases, the user does not need to use the script files mentioned above, and the ransomware will have less chance of successful implementation.

Be carefull.

Mindfulness is one of the most effective methods of preventing a threat. Be suspicious of every email you receive from unknown people. Do not rush to open all attachments, if in doubt, it is better to contact the administrator with a question.

Alexander Vlasov, senior engineer of the department of implementation of information security systems of the company "SKB Kontur"

Recovery of encrypted files is a problem faced by a large number of personal computer users who have fallen victim to various encryption viruses. The number of malicious programs in this group is very large and it is increasing every day. Just recently, we have come across dozens of ransomware options: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, etc.

Of course, you can recover encrypted files simply by following the instructions that the creators of the virus leave on the infected computer. But most often the cost of decryption is very significant, you also need to know that some encryption viruses encrypt files in such a way that it is simply impossible to decrypt them later. And of course, it's just unpleasant to pay for the restoration of your own files.

Ways to recover encrypted files for free

There are several ways to recover encrypted files using completely free and proven programs such as ShadowExplorer and PhotoRec. Before and during recovery, try to use the infected computer as little as possible, thus you increase your chances of a successful file recovery.

The instruction described below must be followed step by step, if something does not work out for you, then STOP, ask for help by writing a comment on this article or creating a new topic on our site.

1. Remove ransomware virus

1.1. Remove ransomware with Kaspersky Virus Removal Tool

Click the button Scan to start scanning your computer for ransomware.

Wait for the end of this process and remove the malware found.

1.2. Remove ransomware with Malwarebytes Anti-malware

Download the program. After the download is complete, run the downloaded file.

The program update procedure will start automatically. When it's over press the button Run check. Malwarebytes Anti-malware will start scanning your computer.

Immediately after the scan of the computer is completed, Malwarebytes Anti-malware will open a list of found components of the ransomware virus.

Click the button Delete selected to clean up your computer. During malware removal, Malwarebytes Anti-malware may require you to restart your computer to continue the process. Confirm this by selecting Yes.

After the computer restarts, Malwarebytes Anti-malware will automatically continue the disinfection process.

2. Recover encrypted files using ShadowExplorer

ShadowExplorer is a small utility that allows you to restore shadow copies of files that are created automatically by the Windows operating system (7-10). This will allow you to restore the original state of the encrypted files.

Download the program. The program is in a zip archive. Therefore, right-click on the downloaded file and select Extract all. Then open the ShadowExplorerPortable folder.

Launch ShadowExplorer. Select the disk you need and the date the shadow copies were created, respectively, numbers 1 and 2 in the figure below.

Right-click on the directory or file you want to restore a copy of. Select Export from the menu that appears.

Lastly, select the folder where the recovered file will be copied.

3. Recover encrypted files using PhotoRec

PhotoRec is a free program designed to recover deleted and lost files. Using it, you can restore the original files that ransomware viruses deleted after creating their encrypted copies.

Download the program. The program is in the archive. Therefore, right-click on the downloaded file and select Extract all. Then open the testdisk folder.

Find QPhotoRec_Win in the list of files and run it. A program window will open in which all partitions of available disks will be shown.

In the list of partitions, select the one containing the encrypted files. Then click on the File Formats button.

To start the procedure for searching and restoring the original copies of encrypted files, click the Search button. This process takes quite a long time, so be patient.

When the search is finished, click the Quit button. Now open the folder you chose to save the recovered files.