Ransomware - what is it, why is it dangerous

Modern technologies allow hackers to constantly improve their methods of defrauding ordinary users. As a rule, this is done with malicious software that penetrates the computer. Ransomware viruses are considered especially dangerous. The threat lies in the fact that the virus spreads very quickly, encrypting files (the user simply cannot open any document). Encrypting the data is quite simple; decrypting it afterwards is much more difficult.

What to do if a virus has encrypted files on your computer

Anyone can be attacked by ransomware; even users with powerful antivirus software are not immune. File-encrypting Trojans exist in many variants, some of which are beyond the reach of an antivirus. Hackers even manage to attack large companies in this way when they have not taken care to protect their information properly. So, having "picked up" a ransomware program online, it is necessary to take a number of measures.

The main signs of infection are slow computer performance and changed document names (you can see this on the desktop).

  1. Restart your computer to abort the encryption. After it boots, do not confirm the launch of unknown programs.
  2. Run your antivirus if the ransomware has not itself disabled it.
  3. In some cases, shadow copies will help you recover information. To find them, open the "Properties" of the encrypted document. This method works with the encrypted data of the Vault extension, about which there is information on the portal.
  4. Download the latest utility to combat ransomware viruses. The most effective ones are offered by Kaspersky Lab.

Ransomware viruses in 2016: examples

When fighting any virus attack, it is important to understand that the code changes very often and is supplemented with new measures against antivirus protection. Protection programs therefore need some time until the developer updates the databases. We have selected the most dangerous ransomware viruses of recent times.

Ishtar Ransomware

Ishtar is ransomware that extorts money from the user. The virus was noticed in the fall of 2016, infecting a huge number of computers of users from Russia and several other countries. It is distributed by mass e-mail with attachments (installers, documents, etc.). Files encrypted by the Ishtar ransomware are given the prefix "ISHTAR" in their names. In the process, a text document is created that indicates where to go to get a password. Attackers demand from 3000 to 15000 rubles for it.

The danger of the Ishtar virus is that today there is no decryptor that would help users. Antivirus software companies need time to analyze all of the code. For now you can only isolate important information (if it is of particular value) on a separate medium while waiting for the release of a utility that can decrypt the documents. It is recommended that you reinstall the operating system.

Neitrino

The Neitrino ransomware appeared on the Internet in 2015. In its method of attack it is similar to other viruses of this category. It changes the names of folders and files by adding "Neitrino" or "Neutrino". The virus is difficult to decrypt - not all antivirus companies undertake this, citing very complex code. Some users may find it helpful to restore a shadow copy. To do this, right-click on the encrypted document, go to Properties, the Previous Versions tab, and click Restore. It will not be superfluous to use a free utility from Kaspersky Lab.

Wallet or .wallet.

The Wallet ransomware virus appeared at the end of 2016. In the process of infection, it changes the name of the data to "Name..wallet" or something similar. Like most ransomware viruses, it enters the system through email attachments sent by cybercriminals. Since the threat has appeared very recently, anti-virus programs do not notice it. After encryption, it creates a document in which the fraudster specifies an e-mail address for communication. Currently, antivirus software developers are working on decrypting the code of the ransomware [email protected]. The attacked users can only wait. If the data is important, it is recommended to save it to an external drive and then clean the system.

Enigma

The Enigma ransomware virus began infecting computers of Russian users at the end of April 2016. The encryption model used is AES-RSA, which is found in most ransomware viruses today. The virus enters a computer using a script that the user himself launches by opening files from a suspicious email. There is still no universal tool to combat the Enigma ransomware. Users with an antivirus license can ask for help on the developer's official website. A small "loophole" was also found - Windows UAC. If the user clicks "No" in the window that appears during the infection, he will subsequently be able to recover information using shadow copies.

Granit

The new Granit ransomware virus appeared on the Web in the fall of 2016. Infection occurs according to the following scenario: the user launches the installer, which infects the PC and encrypts all data on it, as well as on connected drives. Fighting the virus is difficult. To remove it, you can use special utilities from Kaspersky, but the code has not yet been decrypted. Restoring previous versions of the data may help. In addition, a specialist with extensive experience can decrypt the data, but the service is expensive.

Tyson

Tyson was spotted recently. It is an extension of the well-known no_more_ransom ransomware, which you can read about on our website. It reaches personal computers via e-mail. Many corporate PCs were attacked. The virus creates a text document with instructions for unlocking, offering to pay a ransom. The Tyson ransomware appeared recently, so there is no key to unlock it yet. The only way to recover information is to restore previous versions, if the virus has not removed them. You can, of course, take the risk of transferring money to the account indicated by the cybercriminals, but there is no guarantee that you will receive a password.

Spora

In early 2017, a number of users fell victim to the new Spora ransomware. In how it works it does not differ much from its counterparts, but its execution is more professional: the instructions for obtaining a password are better written, and the website looks prettier. The Spora ransomware is written in C and uses a combination of RSA and AES to encrypt the victim's data. As a rule, computers on which 1C accounting software is actively used were attacked. The virus, disguised as a simple .pdf invoice, tricks company employees into launching it. No cure has been found yet.

1C.Drop.1

This ransomware virus for 1C appeared in the summer of 2016, disrupting the work of many accounting departments. It was developed specifically for computers that use 1C software. Arriving on the PC as a file attached to an e-mail, it invites the owner to update the program. Whichever button the user presses, the virus starts encrypting files. Dr.Web specialists are working on decryption tools, but no solutions have been found yet. This is due to the complex code, which exists in several variants. The only protection against 1C.Drop.1 is user vigilance and regular backups of important documents.

da_vinci_code

New ransomware with an unusual name. The virus appeared in the spring of 2016. It differs from its predecessors by improved code and a strong encryption mode. da_vinci_code infects a computer through an executable (usually attached to an e-mail), which the user launches himself. da_vinci_code copies its body to the system directory and registers itself in the registry, ensuring that it starts automatically when Windows starts up. Each victim's computer is assigned a unique ID (used when requesting a password). It is almost impossible to decrypt the data. You can pay money to the cybercriminals, but no one guarantees that you will receive a password.

[email protected] / [email protected]

Two email addresses that were frequently associated with ransomware viruses in 2016. They serve to connect the victim with the attacker. These addresses were attached to various types of viruses: da_vinci_code, no_more_ransom, and so on. It is highly discouraged to contact the fraudsters or transfer money to them. In most cases users are left without passwords. This shows that the cybercriminals' ransomware exists to generate income.

Breaking Bad

It appeared at the beginning of 2015, but only spread actively a year later. The method of infection is identical to other ransomware: installing a file from an email, then encrypting data. Regular antiviruses usually do not notice the Breaking Bad virus. Some variants cannot bypass Windows UAC, so the user has the option to restore previous versions of documents. No anti-virus software company has provided a decryptor yet.

XTBL

A very common ransomware that caused trouble for many users. Once on a PC, the virus changes file extensions to .xtbl in a matter of minutes. A document is created in which the attacker extorts money. Certain varieties of the XTBL virus cannot destroy System Restore files, allowing important documents to be recovered. The virus itself can be removed by many programs, but it is very difficult to decrypt the documents. If you own a licensed anti-virus, contact its technical support and attach samples of the infected data.

Kukaracha

The ransomware "Cucaracha" was spotted in December 2016. This virus with an interesting name encrypts user files using the RSA-2048 algorithm, which is highly resistant. Kaspersky Anti-Virus designates it as Trojan-Ransom.Win32.Scatter.lb. Kukaracha can be removed from your computer so that other documents are not infected. However, the files already encrypted are almost impossible to decrypt (the algorithm is very strong).

How does a ransomware virus work

There are a huge number of ransomware, but they all work on a similar principle.

  1. Contact with a personal computer. Typically via an email attachment. The installation is initiated by the user himself by opening the document.
  2. File infection. Almost all file types are encrypted (depending on the virus). A text document is created that contains contacts for communicating with the attackers.
  3. That's it. The user cannot access any document.
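As an added example (not code from the original article), here is a small Python detector that applies the indicators the variants above describe, a burst of renames to a known extension or prefix plus a dropped ransom note, to a constructed log of file events. The event field names, the rename threshold and the sample events are assumptions.

```python
import re
from collections import defaultdict

# Indicators drawn from the variants described above: ISHTAR prefix,
# .xtbl / .wallet / Neitrino suffixes, and a dropped note with contact details.
SUFFIXES = (".xtbl", ".wallet", ".neitrino", ".neutrino")
PREFIXES = ("ISHTAR",)
NOTE_RE = re.compile(r"(readme|decrypt|unlock|how.?to).*\.txt$", re.I)
RENAME_THRESHOLD = 5  # suspicious renames per process before alerting (assumption)


def classify(event):
    """Tag one file event as 'rename', 'note', or None if it looks benign."""
    name = event["path"].replace("\\", "/").rsplit("/", 1)[-1]
    if event["op"] == "rename":
        if name.lower().endswith(SUFFIXES) or name.startswith(PREFIXES):
            return "rename"
    if event["op"] == "create" and NOTE_RE.search(name):
        return "note"
    return None


def find_suspects(events, threshold=RENAME_THRESHOLD):
    """Group events by process; flag a process that mass-renames files to a known
    ransomware pattern, or that renames files and drops a note in the same log."""
    renames, notes = defaultdict(int), defaultdict(int)
    for ev in events:
        tag = classify(ev)
        if tag == "rename":
            renames[ev["process"]] += 1
        elif tag == "note":
            notes[ev["process"]] += 1
    suspects = {}
    for proc in set(renames) | set(notes):
        r, n = renames[proc], notes[proc]
        if r >= threshold or (r > 0 and n > 0):
            suspects[proc] = {"renames": r, "notes": n}
    return suspects


# Constructed sample events, shaped like a file-monitoring agent's log (assumed format).
SAMPLE_EVENTS = [
    {"op": "rename", "path": r"C:\Users\a\Docs\report.docx.xtbl", "process": "invoice.exe"},
    {"op": "rename", "path": r"C:\Users\a\Docs\ISHTAR-budget.xlsx", "process": "invoice.exe"},
    {"op": "create", "path": r"C:\Users\a\Docs\README_DECRYPT.txt", "process": "invoice.exe"},
    {"op": "rename", "path": r"C:\Users\a\Docs\draft.docx", "process": "WINWORD.EXE"},
    {"op": "create", "path": r"C:\Users\a\Docs\notes.txt", "process": "notepad.exe"},
]

if __name__ == "__main__":
    for proc, stats in find_suspects(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {stats}")
```

In a real deployment the events would come from a file-system auditing source and the alert would feed an isolation step, since stopping the process early is what preserves the shadow copies the article relies on.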

Countermeasures from popular laboratories

The spread of ransomware, recognized as one of the most dangerous threats to user data, has spurred many antivirus laboratories into action. Each popular company provides its users with programs to help them fight ransomware. In addition, many of them help with decrypting documents as well as with protecting the system.

Kaspersky and ransomware viruses

One of the most famous antivirus laboratories in Russia and the world today offers the most effective means to combat ransomware viruses. The first obstacle for a ransomware virus will be Kaspersky Endpoint Security 10 with the latest updates. The antivirus will simply not let the threat onto the computer (although it may not stop new versions). To decrypt information, the developer offers several free utilities: XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They help to identify the virus and guess the password.

Dr. Web and ransomware

This lab recommends using its antivirus program, whose main feature is file backups. The storage holding the copies of documents is also protected from unauthorized access by intruders. Owners of a licensed Dr. Web product can also contact technical support. True, even experienced specialists are not always able to cope with this type of threat.

ESET Nod 32 and ransomware

This company has not stood aside either, providing its users with good protection against viruses entering the computer. In addition, the laboratory recently released a free utility with up-to-date databases - Eset Crysis Decryptor. The developers claim that it will help in the fight against even the newest ransomware.