The virus encrypted the files and renamed them. How to decrypt files encrypted by a virus

Recently there has been a surge in the activity of a new generation of malicious programs. They appeared quite a long time ago (6 to 8 years ago), but the pace at which they are being deployed has peaked right now. More and more often you run into the situation where a virus has encrypted your files.

It is already clear that this is not primitive malware (of the kind that merely causes a blue screen), but serious programs aimed at damaging, as a rule, accounting data. They encrypt every file within reach, including 1C accounting data and docx, xlsx, jpg, doc, xls, pdf and zip files.

The particular danger of the viruses in question

It lies in the fact that an RSA key is used that is tied to a specific user's computer, which is why there is no universal decryptor. A virus activated on one computer may not work on another.

Another danger is that for more than a year now there have been ready-made builder programs on the Internet that let even so-called kulkhackers (people who consider themselves hackers but have never studied programming) produce this kind of virus.

More powerful modifications have now appeared.

How this malware is delivered

As a rule, the virus is sent deliberately to a company's accounting department. First, e-mail addresses of HR and accounting departments are collected from databases such as hh.ru. Then the letters are sent out. Most often they contain a request to be considered for a certain position. A resume is attached to such a letter; it is a genuine document with an embedded OLE object (a PDF file containing the virus).

In cases where the accounting department opened this document right away, the following happened after a reboot: the virus renamed and encrypted the files and then deleted itself.

Such a letter is, as a rule, well written and sent from a non-spam mailbox (the sender name matches the signature). The position applied for always matches the company's core business, so no suspicion is raised.

Neither licensed Kaspersky (an antivirus program) nor VirusTotal (an online service for scanning attachments for viruses) protects the computer in this case. Occasionally some antivirus programs report on scanning that the attachment contains Gen:Variant.Zusy.71505.

How can I avoid getting this virus?

Every received file should be checked. Pay particular attention to Word documents with embedded PDFs.

Variants of "infected" emails

There are many of them. The most common variants by which the virus came to encrypt files are listed below. In all cases, the following documents arrive by e-mail:

  1. Notice of the start of proceedings on a lawsuit filed against a specific company (the letter suggests checking the details by following the specified link).
  2. A letter from the Supreme Arbitration Court of the Russian Federation on debt collection.
  3. A message from Sberbank regarding an increase in existing debt.
  4. Notification of a recorded traffic violation.
  5. A letter from a collection agency stating the maximum possible payment delay.

File encryption notification

After infection, a notification appears in the root folder of drive C. Sometimes files such as CHTO_DOE.txt or CONTACT.txt are placed in every directory containing damaged files. They inform the user that his files have been encrypted with strong cryptographic algorithms and warn him against using third-party utilities, since this can permanently damage the files and make subsequent decryption impossible.

The notification recommends leaving the computer untouched. It states how long the provided key will be kept (as a rule, 2 days) and gives an exact date after which any request will be ignored.

At the end an e-mail address is given. It also says that the user must provide his ID, and that any of the following actions may lead to the key being destroyed, namely:

How to decrypt files encrypted by a virus?

This kind of encryption is very strong: the file is given an extension such as perfect, nochance, etc. It simply cannot be cracked, but you can try bringing in cryptanalysts to find a loophole (in some cases Dr.WEB will help).

There is one more way to recover files encrypted by a virus, but it does not work for every virus, and moreover you will need to extract the original exe of the malicious program, which is not easy after it has deleted itself.

The virus's request to enter a special code is a trivial check, since by this point the file already contains the decryptor (so the code from the attackers will not be needed). The essence of the method is to write empty instructions into the virus at the very place where the entered code is compared. As a result, the malicious program itself starts decrypting the files and restores them completely.

Each individual virus has its own encryption routine, which means that a decryptor taken from a different executable (exe file) will not work; alternatively you can try to reconstruct that routine, for which you need to trace all of its actions at the WinAPI level.

files: what to do?

To carry out the decryption procedure, you will need:

How can I avoid data loss due to the malware in question?

It is worth knowing that when a virus has encrypted files, decrypting them takes time. An important point is that the malware in question has a flaw that lets you save some of the files if you quickly turn off the computer (pull the power plug, switch off the surge protector, remove the battery in the case of a laptop) as soon as a large number of files with the extension mentioned above start appearing.
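The early warning this advice relies on (a sudden flood of files carrying the encrypted extension) can be automated. The following PowerShell script is an added example, not code from the article or from any vendor: it polls a folder tree and raises a warning when the number of files with the watched extensions grows by more than a threshold within one polling interval. The default root path, the extension list (built from the extensions this article names) and the threshold values are assumptions to adjust for your own environment.

```powershell
# Added example (not from the original article): watch a folder tree for a burst
# of files with a known ransomware extension. All defaults below are assumptions.
param(
    [string]$Root = "C:\Users",                               # placeholder; point at the data you care about
    [string[]]$Extensions = @(".perfect", ".nochance", ".cbf"), # extensions named in the article
    [int]$Threshold = 20,                                     # new matching files per interval that trigger an alert
    [int]$IntervalSeconds = 5
)

function Get-SuspiciousFileCount {
    param([string]$Path, [string[]]$Ext)
    # SilentlyContinue skips folders the current user cannot read instead of aborting the scan
    $matches = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Ext -contains $_.Extension.ToLower() }
    return @($matches).Count
}

$previous = Get-SuspiciousFileCount -Path $Root -Ext $Extensions
Write-Host ("Baseline: {0} file(s) with watched extensions under {1}" -f $previous, $Root)

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-SuspiciousFileCount -Path $Root -Ext $Extensions
    $delta = $current - $previous
    if ($delta -ge $Threshold) {
        Write-Warning ("{0} new file(s) with watched extensions in {1}s: possible encryption in progress" -f $delta, $IntervalSeconds)
        # The article's advice at this moment is to cut power immediately. The
        # scripted equivalent is Stop-Computer -Force; it is left as a comment so
        # the operator decides whether an unattended power-off is acceptable.
        # Stop-Computer -Force
        break
    }
    $previous = $current
}
```

Save it as, for example, Watch-Encryption.ps1 and run it with `-Root D:\Shares -Threshold 10` to narrow the scan to a document share; a full recursive scan of a large tree every few seconds is expensive, so keep the root as small as the data you need to protect allows.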

Once again, the main thing is to back up constantly, but not to another folder or to removable media plugged into the computer, since this modification of the virus reaches those places too. Backups should be kept on another computer, on a hard drive that is not permanently connected to the computer, and in the cloud.

Treat with suspicion all documents that arrive by mail from unknown persons (resumes, invoices, rulings from the Supreme Arbitration Court of the Russian Federation or the tax authorities, etc.). Do not open them on your work computer (for this purpose you can set aside a netbook that holds no important data).

Malicious program *[email protected]: how to remove it

When the above virus has encrypted cbf, doc, jpg and other files, there are only three ways events can develop:

  1. The simplest way to get rid of it is to delete all infected files (acceptable unless the data is very important).
  2. Turn to the laboratory of an antivirus vendor, for example Dr.WEB. You must send the developers several infected files along with the decryption key, which is stored on the computer as KEY.PRIVATE.
  3. The most expensive way: pay the amount demanded by the hackers to decrypt the infected files. As a rule, the cost of this service is in the range of 200 to 500 US dollars. This is acceptable when a virus has encrypted the files of a large company with a significant daily flow of information, where the malware can cause colossal harm in a matter of seconds. In that case payment is the fastest way to recover the infected files.

Sometimes one more option is also effective: when the virus ([email protected]_com or other malware) has encrypted files, rolling the system back to a state from a few days earlier may help.

RectorDecryptor decryption program

If the virus has encrypted jpg, doc, cbf and other files, a special program can help. First, go to the startup list and disable everything except the antivirus. Then restart the computer. Look through all the entries and highlight suspicious ones. The field titled "Command" shows the location of the specific file (pay attention to applications without a signature: manufacturer - no data).

All suspicious files must be deleted, after which you need to clear browser caches and temporary folders (the CCleaner program is suitable for this).
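The startup review described in the two paragraphs above (open the startup list, read the Command field, note entries with no manufacturer data) can be done from PowerShell. The script below is an added example, not code from the article or from any antivirus vendor: it reads the startup entries Windows exposes through the Win32_StartupCommand WMI class, resolves each Command field to the executable path, and checks that file's Authenticode signature, listing unsigned or missing binaries first. Win32_StartupCommand covers Run keys and Startup folders only, not scheduled tasks or services.

```powershell
# Added example (not from the original article): list startup entries with the
# Authenticode status of the executable each one launches.

function Get-StartupExecutablePath {
    param([string]$Command)
    # The Command field may be quoted and may carry arguments; keep only the program path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        return $cmd.Split('"')[1]
    }
    # Unquoted form: the path ends at the first ".exe", anything after it is arguments
    $idx = $cmd.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $cmd.Substring(0, $idx + 4) }
    return $cmd.Split(' ')[0]
}

$report = foreach ($entry in Get-CimInstance -ClassName Win32_StartupCommand) {
    $path   = Get-StartupExecutablePath -Command $entry.Command
    $status = 'file missing'
    $signer = ''
    if (Test-Path -LiteralPath $path) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Name      = $entry.Name
        Location  = $entry.Location     # registry Run key or Startup folder
        Path      = $path
        Signature = $status
        Signer    = $signer             # empty means "manufacturer - no data"
    }
}

# Unsigned or missing binaries sort first; those are the entries to review and,
# following the article, to disable before rebooting and running a decryptor.
$report | Sort-Object { $_.Signature -eq 'Valid' } | Format-Table -AutoSize
```

A valid signature is not proof of a clean entry and an unsigned one is not proof of malware (many legitimate small tools ship unsigned), so use the list to decide what to inspect rather than as a verdict.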

To start decryption, download the program named above. Run it and click the "Start scan" button, specifying the modified files and their extension. In recent versions of this program you only need to point to the infected file itself and click "Open". The files will then be decrypted.

The utility then automatically checks all data on the computer, including files on mapped network drives, and decrypts them. This recovery process can take several hours (depending on the amount of work and the speed of the computer).

As a result, all damaged files are decrypted into the same directory where they were originally located. All that remains is to delete the files with the suspicious extension, for which you can tick "Delete encrypted files after successful decryption" under the "Change scan settings" button. However, it is better not to enable it, because if decryption fails the files will be deleted and you will then have to restore them first.

So if the virus has encrypted doc, cbf, jpg and other files, do not rush to pay for the code. It may not be needed.

Nuances of deleting encrypted files

When you try to remove all damaged files through a standard search and deletion, the computer may freeze and slow down. For this procedure it is therefore worth using the command line. After opening it, enter the following: del "<drive>:\*.<infected file extension>" /F /S.

Files such as "Read-me.txt" must also be deleted, for which you specify in the same command line: del "<drive>:\*.<file name>" /F /S.
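A PowerShell counterpart to the two del commands above, added here as an example and not part of the article: it collects the encrypted copies and the ransom notes, lists them, and deletes only when run with -Execute, which keeps the article's own rule of not removing encrypted files until decryption has succeeded. The drive letter, the extension and the note file names are placeholders.

```powershell
# Added example (not from the original article): preview, then delete, the
# leftover encrypted copies and ransom notes. Nothing is deleted without -Execute.
param(
    [string]$Drive = "C:",                                   # placeholder drive letter
    [string]$EncryptedExtension = "nochance",                # e.g. perfect, nochance, cbf (from the article)
    [string[]]$NoteNames = @("Read-me.txt", "CONTACT.txt"),  # note names the article mentions
    [switch]$Execute
)

# -Force includes hidden and read-only files, as del /F does; -ErrorAction skips unreadable folders
$targets = Get-ChildItem -Path "$Drive\" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Extension -eq ".$EncryptedExtension" -or $NoteNames -contains $_.Name
    }

Write-Host ("{0} file(s) match" -f @($targets).Count)
$targets | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if (-not $Execute) {
    Write-Host "Dry run only. Re-run with -Execute once the originals have been restored."
    return
}

# Remove-Item -Force also clears the read-only attribute, matching del /F
$targets | Remove-Item -Force -ErrorAction Continue
```

Run it once without -Execute and check that the listed paths are only the encrypted copies (the same names with the restored originals beside them) before running it again with -Execute.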

Thus, if the virus has renamed and encrypted files, you should not immediately spend money buying a key from the criminals; first try to sort out the problem yourself. It is better to invest in a special program for decrypting corrupted files.

Finally, recall that this article has discussed how to decrypt files encrypted by a virus.