Decrypt RSA 3072 without a key. Decryption of no_more_ransom


The first examples of malware that encrypt files and then demand money for decryption appeared a long time ago. Suffice it to recall Trojan.Xorist with its primitive XOR-based encryption algorithm, or Trojan.ArchiveLock, written in PureBasic, which used ordinary WinRAR for encryption and Sysinternals SDelete to wipe the original files and demanded as much as five thousand dollars for decryption. However, it was CryptoLocker that started a bad trend among virus writers: using the latest achievements of cryptography in the form of very strong encryption algorithms. Today we are examining several encryption Trojans that appeared after CryptoLocker's notorious spread across the Internet (or at the same time as it).

WARNING

If you want to follow our example and examine a sample of a ransomware locker, be careful. Even when using a virtual machine, you can carelessly encrypt files in shared folders on the host system.

Some statistics

From the point of view of their creators, encryption Trojans are real money. Organizing a spam campaign of infected letters and a service for accepting payments from people who value the family photos that have suddenly turned out to be encrypted is much simpler and cheaper than, for example, diligently building and developing a botnet (which then still has to be put to some use) or collecting data from infected machines, given that the collected data must also be monetized somehow.


Therefore, this type of cyber extortion continues to flourish and bring huge amounts of money to the organizers of this criminal business. For example, according to Kaspersky Lab specialists, in 2014 more than seven million attacks were recorded using encryption Trojans of various families.


Ransomware viruses are computer programs that first encrypt your files and then demand money for the ability to decrypt them. Ransomware viruses have become a real epidemic. The Internet is filled with requests for help decrypting files. Most ransomware viruses are very similar to each other. They sneak into your computer and then encrypt your files. The main differences between them are believed to be the encryption algorithm and the amount of the required ransom.

Keep in mind that by paying the ransom, you have no guarantee that your files will be successfully decrypted. You are simply supporting the criminal business of cybercriminals. You can never be sure that they will send you the secret key used to decrypt them. For this reason, never try to contact the criminals or pay a ransom. In addition, ransomware viruses can spread through P2P torrent networks, where users download hacked versions of software. For these reasons, you should be careful when downloading files from unverified sources, as well as when opening files sent from an unknown email recipient.

Desktop wallpaper on a PC infected with the .better_call_saul ransomware

Most of these viruses appeared quite recently; .better_call_saul appeared around February. Currently, the .better_call_saul virus is being distributed quite aggressively in Russia and other post-Soviet countries. Most users get infected with the .better_call_saul virus when they click on links in emails. Criminals also spread this virus through spam mailings with infected files attached to the emails. Hacked websites are the third most common method of infection with the .better_call_saul ransomware. After successfully penetrating the system, this ransomware encrypts various files stored on your hard drives. For encryption, the virus uses the RSA-3072 algorithm.

Please note that this virus adds the .better_call_saul extension to the end of the name of each encrypted file. In addition, it changes the appearance of the desktop (changes the wallpaper) and creates a README.txt file in each folder containing encrypted files. The README.txt text file and also the desktop wallpaper contain a message stating that the files are encrypted and that in order to restore them, the victim must pay a ransom. In the instructions, the victim is recommended to contact the cybercriminals by writing to the specified email address and sending a special code. After this, the victim should supposedly receive further instructions.

The cybercriminals then demand a payment of 14-15 thousand rubles to a special QIWI wallet. If the ransom is not paid within 48 hours, the key used to decrypt the files, which is stored on servers controlled by the criminals, will be deleted. Keep in mind that without this key it is impossible to decrypt your files. Unfortunately, at the moment there are no tools capable of decrypting files encrypted by the .better_call_saul virus. One way to solve this problem is to restore the system or the files from a backup. Some other options for dealing with this virus are outlined below.

Remove the .better_call_saul ransomware with an automatic cleaner

This is an extremely effective method of dealing with malware in general and ransomware in particular. Using a proven security suite guarantees thorough detection of all viral components and their complete removal with one click. Please note that we are talking about two different processes: removing the infection and restoring the files on your PC. The threat certainly needs to be removed in any case, since there are reports of it being used to deliver other Trojans.

  1. After starting the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during the scan. To remove all detected threats, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the .better_call_saul ransomware locks files using a strong encryption algorithm, so the encrypted data cannot be restored with a wave of a magic wand - short of paying an unheard-of ransom. But some methods can really be a lifesaver and help you recover important data. You can familiarize yourself with them below.

Automatic file recovery program

One peculiarity is worth knowing. This infection deletes the original, unencrypted files and encrypts copies of them. That gives software for recovering deleted objects a chance, even though the deletion is meant to be thorough. It is highly recommended to try the file recovery procedure; its effectiveness is beyond doubt.

Shadow copies of volumes

This approach relies on the Windows file backup process that runs at each restore point. An important condition for this method to work: the "System Restore" function must have been enabled before the infection. Note that any changes made to a file after the restore point will not be present in the restored version of that file.

Backup

This is the best of all the non-ransom methods. If your data was being backed up to an external server before the ransomware attacked your computer, then to restore the encrypted files you simply open the backup interface, select the necessary files and start the restore from the backup. Before doing so, make sure that the ransomware has been completely removed.

Check for residual components of the .better_call_saul ransomware

Manual cleaning risks missing individual pieces of the ransomware that could escape removal as hidden operating system objects or registry entries. To eliminate the risk that individual malicious elements remain, scan your computer with a reliable security package that specializes in malicious software.

... VIDEO, MUSIC and other personal files to .NO_MORE_RANSOM, and changes the original name to a random combination of letters and numbers. As a result, files in the most important formats (.PDF, .DOC, .DOCX, .XLS, .XLSX, .JPG, .ZIP) no longer open, and 1C accounting software does not work. This is what it looks like:

The technical support of Kaspersky Lab, Dr.Web and other well-known antivirus vendors, in response to user requests to decrypt data, reports that this cannot be done in an acceptable time.


But don't rush to despair!

The fact is that, having penetrated your computer, the malicious program uses completely legal GPG encryption software and the popular RSA-1024 encryption algorithm as its tool. Since this utility is used in many places and is not a virus in itself, antivirus programs let it through and do not block its operation. A public and a private key are generated to encrypt the files. The private key is sent to the attackers' server, while the public key remains on the user's computer. Both keys are required to decrypt the files! The attackers carefully overwrite the private key on the affected computer, but this does not always happen. Over more than three years of impeccable work, the Dr.SHIFRO specialists have studied thousands of variations of malware activity, and even in a seemingly hopeless situation we may be able to offer a solution that will get your data back.

In this video you can watch the real operation of the decryptor on the computer of one of our clients:


To assess whether decryption is possible, send 2 samples of encrypted files: one text document (doc, docx, odt, txt or rtf, up to 100 KB in size) and one image (jpg, png, bmp, tif or pdf, up to 3 MB in size). You also need to send the ransom note file left by the attackers. After examining the files, we will give you an estimate of the cost. Files can be sent by email to [email protected] or via the file submission form on the website (orange button).

COMMENTS (2)

Got the NCOV virus. After searching the Internet for a decryption method, we found this site. The specialist quickly and thoroughly described what needed to be done. As a guarantee, 5 test files were decrypted. They announced the cost, and after payment everything was decrypted within a few hours, even though not only the computer but also the network drive had been encrypted. Thank you very much for your help!

Good day! I recently had a similar situation with the NCOV virus, which did not have time to encrypt all the disks, because after some time I opened the folder with the photos, saw an empty envelope and a file name made of a different set of letters and numbers, and immediately downloaded and launched the free Trojan removal utility. The virus arrived in the mail with a convincing letter, and I opened and launched the attachment. The computer has 4 very large hard drives (terabytes). I contacted various companies, of which there are plenty on the Internet offering their services, but even with successful decryption all the files would end up in a separate folder and all mixed up. No one gives a guarantee of 100% decryption. I contacted Kaspersky Lab and even there they didn't help me, so I decided to contact this company. I sent three test photos and after a while received a response with them fully decrypted. In the email correspondence I was offered either remote work or a visit at home. I decided to do it at home. We agreed on the date and time of the specialist's arrival. The price of the decryptor was agreed right there in the correspondence, and after successful decryption we signed an agreement on the work and I made payment according to the agreement. Decrypting the files took a lot of time, as some of the videos were large. After complete decryption, I made sure that all my files had returned to their original form with the correct file extensions. The free space on the hard drives became the same as before the infection, since during the infection the drives were almost completely full. Those who write about scammers and so on, I do not agree with them. This is written either by competitors out of anger that they are not succeeding, or by people who are offended by something. In my case, everything turned out great; my fears are in the past. I again saw my old family photographs taken long ago and the family videos that I had edited myself.
I would like to express my gratitude to the dr.Shifro company and personally to Igor Nikolaevich, who helped me restore all my data. Thank you very much and good luck! Everything that is written is my personal opinion, and you decide who to contact.

About a week or two ago, another creation of modern virus makers appeared on the Internet, which encrypts all the user's files. Once again I will consider the question of how to cure a computer after the CRYPTED000007 ransomware virus and recover the encrypted files. In this case, nothing new or unique has appeared, just a modification of the previous version.

Guaranteed decryption of files after a ransomware virus - dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is not fundamentally different from its predecessors. It works almost exactly the same way, but there are still several nuances that distinguish it. I'll tell you about everything in order.

It arrives, like its analogues, by mail. Social engineering techniques are used to ensure that the user becomes interested in the letter and opens it. In my case, the letter talked about some kind of court and important information about the case in the attachment. After launching the attachment, the user opens a Word document with an extract from the Moscow Arbitration Court.

In parallel with opening the document, file encryption starts. An information message from the Windows User Account Control system begins to constantly pop up.

If you agree to the prompt, the backup copies of files in the Windows shadow copies will be deleted and restoring information will become very difficult. Obviously, you must not agree to the prompt under any circumstances. In this encryptor, these requests pop up constantly, one after another, and do not stop, pressuring the user into agreeing and deleting the backup copies. This is the main difference from previous modifications of the encryptors. I have never before encountered requests to delete shadow copies that do not stop; usually, after 5-10 prompts they stopped.

I will immediately give a recommendation for the future. It is very common for people to disable User Account Control warnings. There is no need to do this. This mechanism can really help in resisting viruses. The second obvious piece of advice is not to work under the computer administrator account all the time unless there is an objective need for it. In that case, the virus will not have the opportunity to do much harm, and you will have a better chance of resisting it.

But even if you have always answered negatively to the ransomware’s requests, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files with the same content on your desktop.

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decrypt on your own will not lead to anything other than an irrevocable loss of information. If you still want to try, then make backup copies of the files first, otherwise, in the event of a change, decryption will become impossible under any circumstances. If you have not received a reply from the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways: 1) Download and install Tor Browser using the link: https://www.torproject.org/download/download-easy.html.en In the Tor Browser address bar, enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Mailing address may change. I also came across the following addresses:

Addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are being encrypted, immediately turn off your computer. This must be done to interrupt the encryption process both on the local computer and on network drives. An encryption virus can encrypt all the information it can reach, including on network drives. But if there is a large amount of information there, it will take it considerable time. Sometimes, even in a couple of hours, the ransomware did not manage to encrypt everything on a network drive of approximately 100 gigabytes.

Next you need to think carefully about how to act. If you need information on your computer at any cost and you do not have backup copies, then it is better at this moment to turn to specialists. Not necessarily for money to some companies. You just need a person who is well versed in information systems. It is necessary to assess the scale of the disaster, remove the virus, and collect all available information on the situation in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate the process of decrypting or restoring files. In the worst case, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and has finished its work, all useful files will be encrypted and renamed with the extension .crypted000007. Moreover, not only the file extension is replaced, but also the file name, so you will not know exactly what files you had unless you remember. It will look something like this.

In such a situation, it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in different folders. This was done specifically to confuse people and encourage them to pay for file decryption.

And if your network folders were encrypted and there are no full backups, then this can completely stop the work of the entire organization. It will take you a while to figure out what was ultimately lost in order to begin restoration.

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect the computer and remove the virus from it in order to prevent further encryption if it has not yet completed. I would like to draw your attention right away to the fact that once you yourself begin to perform actions on your computer, the chances of decrypting the data decrease. If you need to recover the files at any cost, do not touch your computer, but immediately contact professionals. Below I will talk about them, provide a link to their site and describe how they work.

In the meantime, we will continue to treat the computer and remove the virus on our own. Traditionally, ransomware is easily removed from a computer, since the virus does not have the task of remaining on the computer at any cost. After completely encrypting the files, it is even more profitable for it to delete itself and disappear, so that it is harder to investigate the incident and decrypt the files.

It is difficult to describe how to remove the virus manually; I have tried to do this before, but I see that most often it is pointless. File names and the paths where the virus is placed change constantly. What I saw is no longer relevant a week or two later. Usually, viruses are sent by mail in waves, and each time there is a new modification that is not yet detected by antiviruses. Universal tools that check startup entries and detect suspicious activity in system folders help here.

To remove the CRYPTED000007 virus, you can use the following programs:

  1. Kaspersky Virus Removal Tool - a utility from Kaspersky, http://www.kaspersky.ru/antivirus-removal-tool.
  2. Dr.Web CureIt! - a similar product from Dr.Web, http://free.drweb.ru/cureit.
  3. If the first two utilities do not help, try Malwarebytes 3.0 - https://ru.malwarebytes.com.

Most likely, one of these products will clear your computer of the CRYPTED000007 ransomware. If it happens that they do not help, try removing the virus manually. I gave an example of the removal method earlier and you can see it there. Briefly, step by step, you need to act like this:

  1. Look at the list of processes after adding several additional columns to the Task Manager.
  2. Find the virus process, open the folder in which it sits and delete it.
  3. Remove the references to the virus process (by file name) from the registry.
  4. Reboot and make sure that the CRYPTED000007 virus is not in the list of running processes.

Where to download the decryptor CRYPTED000007

The question of a simple and reliable decryptor comes up first when it comes to a ransomware virus. The first thing I recommend is to use the service https://www.nomoreransom.org. Perhaps you will be lucky and they will have a decryptor for your version of the CRYPTED000007 encryptor. I'll say right away that your chances are not great, but there is no harm in trying. On the main page click Yes:

Then upload a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also see the list of decryptors available for download on a separate page - https://www.nomoreransom.org/decryption-tools.html. Maybe there is something useful there. When the virus is completely fresh there is little chance of this, but over time something may appear. There are examples of decryptors for some modifications of encryptors appearing on the network, and these examples are on the page mentioned.

I don't know where else you could find a decryptor. It is unlikely that one actually exists, given the way modern encryptors work. Only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The technical implementation of the encryption does not allow decrypting files without the key or a decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I don't have that information. We can only try to recover the files using improvised methods. These include:

  • The Windows Volume Shadow Copy tool
  • Deleted data recovery programs

First, let's check whether shadow copies are enabled. This tool works by default in Windows 7 and higher unless you have manually disabled it. To check, open the computer properties and go to the System Protection section.

If during the infection you did not confirm the UAC request to delete the files in the shadow copies, then some data should remain there. I spoke about this request in more detail at the beginning of the story, when I described how the virus works.

To easily restore files from shadow copies, I suggest using a free program for this - ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of files and the root of drive C will open. In the upper left corner, you can select a backup copy if you have several of them. Check different copies for the required files. Compare by date for the most recent version. In my example below, I found 2 files on my desktop from three months ago when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and specified the folder where to restore them.

You can restore folders immediately using the same principle. If you had shadow copies working and did not delete them, you have a good chance of recovering all, or almost all, files encrypted by the virus. Perhaps some of them will be an older version than we would like, but nevertheless, it is better than nothing.

If for some reason you do not have shadow copies of your files, your only chance to get at least something from the encrypted files is to restore them using deleted file recovery tools. To do this, I suggest using the free program Photorec.

Launch the program and select the disk on which you will search for files. The graphical version of the program is started by running qphotorec_win.exe. You must select a folder where the found files will be placed. It is better if this folder is not located on the same drive that we are searching, so connect a flash drive or external hard drive for this.

The search process will take a long time. At the end you will see statistics. Now you can go to the folder you specified earlier and see what was found there. There will most likely be a lot of files, and most of them will either be damaged or be some kind of useless system files. Nevertheless, some useful files can be found in this list. There are no guarantees here; what you find is what you get. Images are usually recovered best.

If the result does not satisfy you, there are other programs for recovering deleted files. Below is a list of the programs I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Filecoder.ED encryptor

Popular antiviruses detect the CRYPTED000007 ransomware as Filecoder.ED, though other designations may be used. I looked through the major antivirus forums and didn't see anything useful there. Unfortunately, as usual, antivirus software turned out to be unprepared for the invasion of a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. Nevertheless, I recommend using them. If you are lucky and receive a ransomware email not in the first wave of infections but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers: a new version of the ransomware is released, but antiviruses do not react to it. Only when a certain amount of material on the new virus has accumulated for research does the antivirus vendor release an update and begin to respond to it.

I don't understand what prevents antiviruses from reacting immediately to any mass encryption process in the system. Perhaps there is some technical nuance that does not allow them to respond adequately and prevent the encryption of user files. It seems to me that it would at least be possible to display a warning that someone is encrypting your files and offer to stop the process.
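As an added illustration of the kind of warning the paragraph above asks for (example code written for this page, not part of the original article or of any antivirus product): a heuristic that flags a process writing many files with the .crypted000007 extension within a short window, run over a constructed file-event feed, and a per-folder count of encrypted files as the "scale of the disaster" estimate mentioned earlier. The event format, the dropper path and the process names are assumptions.

```python
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass

# Extension that CRYPTED000007 appends to every file it encrypts (from the article).
RANSOM_EXT = ".crypted000007"


@dataclass(frozen=True)
class FileEvent:
    ts: float    # seconds (monotonic within the feed)
    pid: int
    image: str   # full path of the process that wrote the file
    path: str    # path of the file that was created or renamed


# Hypothetical paths; real dropper names change with every wave, as the article notes.
DROPPER = r"C:\Users\ivan\AppData\Local\Temp\sud_delo.exe"
BACKUP_TOOL = r"C:\Program Files\Backup\backup.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def constructed_sample():
    """Constructed event lines 'ts|pid|image|path' imitating an EDR/Sysmon-style file feed."""
    lines = []
    # 30 encrypted files written by the dropper within six seconds
    for i in range(30):
        lines.append(f"{1000 + i * 0.2:.1f}|4242|{DROPPER}|"
                     f"C:\\Users\\ivan\\Documents\\{i:08X}{RANSOM_EXT}")
    # ordinary user activity that must not trigger anything
    lines.append(f"1001.0|1200|{EXPLORER}|C:\\Users\\ivan\\Desktop\\report.docx")
    # a backup job copying three already-encrypted files, a minute apart: below threshold
    for i, ts in enumerate((1000.0, 1060.0, 1120.0)):
        lines.append(f"{ts}|2222|{BACKUP_TOOL}|D:\\Backup\\{i:08X}{RANSOM_EXT}")
    return lines


def parse_event(line):
    ts, pid, image, path = line.rstrip("\n").split("|", 3)
    return FileEvent(float(ts), int(pid), image, path)


def is_encrypted_name(path):
    """True when the file carries the ransomware extension (case-insensitive)."""
    return ntpath.splitext(path)[1].lower() == RANSOM_EXT


def detect_bursts(events, window_s=10.0, threshold=20):
    """Map (pid, image) -> timestamp of the first event of the burst, for every process
    that produced at least `threshold` *.crypted000007 files within `window_s` seconds.
    A sliding window per process keeps only timestamps still inside the window."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_encrypted_name(ev.path):
            continue
        key = (ev.pid, ev.image)
        window = recent[key]
        window.append(ev.ts)
        while ev.ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and key not in alerts:
            alerts[key] = window[0]
    return alerts


def affected_folders(events):
    """Count encrypted files per folder: a first estimate of the scale of the damage."""
    counts = defaultdict(int)
    for ev in events:
        if is_encrypted_name(ev.path):
            counts[ntpath.dirname(ev.path)] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = [parse_event(line) for line in constructed_sample()]
    for (pid, image), first in detect_bursts(evs).items():
        print(f"ALERT: pid={pid} image={image} started mass-writing encrypted files at t={first}")
    for folder, n in sorted(affected_folders(evs).items()):
        print(f"{n:5d} encrypted files in {folder}")
```

The threshold and window are tuning knobs: a backup or sync tool legitimately touches encrypted files slowly, so only a burst from a single process raises the alert.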

Where to go for guaranteed decryption

I happened to come across one company that actually decrypts data after the work of various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment is made only after full decryption and your verification. Here is the approximate scheme of work:

  1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
  2. Launches the decryptor and decrypts all files.
  3. You make sure that all files are opened and sign the certificate of delivery/acceptance of completed work.
  4. Payment is made solely upon successful decryption results.

I'll be honest, I don't know how they do it, but you don't risk anything. Payment is made only after the decryptor has been demonstrated to work. Please write a review about your experience with this company.

Methods of protection against the CRYPTED000007 virus

How to protect yourself from ransomware and avoid material and moral damage? There are some simple and effective tips:

  1. Backup! Backup of all important data. And not just a backup, but a backup to which there is no constant access. Otherwise, the virus can infect both your documents and backup copies.
  2. Licensed antivirus. Although they do not provide a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the encryptor, but after 3-4 days they begin to respond. This increases your chances of avoiding infection if you were not included in the first wave of distribution of a new modification of the ransomware.
  3. Do not open suspicious attachments in mail. There is nothing to comment here. All ransomware known to me reached users via email. Moreover, every time new tricks are invented to deceive the victim.
  4. Do not thoughtlessly open links sent to you from your friends via social networks or instant messengers. This is also how viruses sometimes spread.
  5. Enable Windows to display file extensions. How to do this is easy to find on the Internet. This will allow you to notice the file extension of the virus. Most often it will be .exe, .vbs or .scr. In your everyday work with documents, you are unlikely to come across such file extensions.

I have tried to supplement what I had already written in earlier articles about ransomware viruses. For now, I say goodbye. I would be glad to receive useful comments on the article and on the CRYPTED000007 ransomware virus in general.

Video about file decryption and recovery

Here is an example of a previous modification of the virus, but the video is completely relevant for CRYPTED000007.

At the end of 2016, the world was hit by a very non-trivial Trojan virus called NO_MORE_RANSOM, which encrypts user documents and multimedia content. How to decrypt files after exposure to this threat will be discussed below. However, it is worth warning all users who have been attacked right away that there is no single technique. This is due to the use of one of the most advanced encryption algorithms and to the degree to which the virus penetrates a computer system or even a local network (although it was not initially designed to act over the network).

What is the NO_MORE_RANSOM virus and how does it work?

In general, the virus itself is usually classed with Trojans such as I Love You, which penetrate a computer system and encrypt user files (usually multimedia). True, while its progenitor was distinguished only by the encryption, this virus borrowed a lot from the once-sensational threat called DA_VINCI_COD, combining it with the functions of a ransomware.

After infection, most files of audio, video, graphics or office documents are assigned a long name with the extension NO_MORE_RANSOM containing a complex password.

When you try to open them, a message appears on the screen stating that the files are encrypted, and to decrypt them you need to pay a certain amount.

How does the threat enter the system?

Let us leave aside for now the question of how to decrypt files of any of the above types after exposure to NO_MORE_RANSOM and turn to how the virus gets into a computer system. Unfortunately, however it sounds, the old proven method is used: an e-mail with an attachment arrives, the user opens the attachment, and the malicious code is executed.

As we see, this technique is not original. The message may be disguised as meaningless text or, on the contrary, as something specific: for large companies, for example, a change to the terms of a contract. An ordinary clerk opens the attachment, and the result is disastrous. One of the most striking outbreaks involved the encryption of databases of the popular 1C package. And this is already a serious matter.

NO_MORE_RANSOM: how to decrypt documents?

But the main question still has to be addressed: everyone is surely interested in how to decrypt the files. The NO_MORE_RANSOM virus follows its own sequence of actions. If the user reacts immediately after infection, there is still some way to salvage data. If the threat has firmly established itself in the system, alas, it cannot be done without the help of specialists, and even they often turn out to be powerless.

If the threat was detected in time (not all documents have been encrypted yet), there is only one route: contact the support service of an anti-virus company, send them a couple of the inaccessible files together with their unencrypted originals if such copies survive on removable media, and let the analysts try to restore the already affected documents. Before that, copy everything that can still be opened onto the same flash drive (although there is no full guarantee that the virus has not already reached those files). To be sure, scan the media afterwards with at least an anti-virus scanner (you never know).

Algorithm

It is also worth mentioning that the virus uses the RSA-3072 algorithm for encryption. Compared with the RSA-2048 keys used previously, a 3072-bit modulus is even further out of reach: there is no known way to recover the private key by guessing or factoring in any practical time, even if every anti-virus laboratory pooled its resources, so without the criminals' key the files cannot be decrypted directly. Thus the question of how to decrypt NO_MORE_RANSOM is not one that computation will solve. But what if you need to restore information immediately? First of all, remove the virus itself.

Is it possible to remove a virus and how to do it?

Actually, this is not difficult. Judging by the impudence of its creators, the threat does not disguise itself in the system. On the contrary, it is even beneficial for it to remove itself after completing its work.

Nevertheless, start by neutralizing the virus itself. The first step is to use portable security utilities such as KVRT (Kaspersky Virus Removal Tool), Malwarebytes, Dr.Web CureIt! and the like. Please note: the scanners must be portable (no installation on the hard drive and, ideally, launched from removable media). If a threat is found, remove it immediately.

If this does not help, first open the Task Manager and end all processes associated with the virus, sorting the list by name (in this case it is usually a process posing as Runtime Broker; the genuine RuntimeBroker.exe runs only from the System32 folder).

After ending the task, open the registry editor (regedit from the Run dialog), search for the name "Client Server Runtime System" (without quotes), walk through the results with "Find next" (F3) and delete every element found. Do not confuse it with the legitimate Client Server Runtime Process (csrss.exe), which lives in %SystemRoot%\System32 and must stay; delete only entries pointing to executables elsewhere. Then restart the computer and check in the Task Manager whether the process is back.
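The following PowerShell script is an added example and not code from the original article. It automates the triage the two preceding paragraphs describe by hand: it walks the Run autostart keys and the process list looking for entries whose name resembles a system component (the names in the list are an assumption drawn from the text) but whose image does not live in System32, where the genuine csrss.exe and RuntimeBroker.exe run. Run it from an elevated prompt so that process paths can be read.

```powershell
# Added example, not from the original article. Triage autostart entries and
# processes for a system-sounding name that runs from outside System32.
# The look-alike names are an assumption; the genuine csrss.exe ("Client Server
# Runtime Process") and RuntimeBroker.exe only ever run from %SystemRoot%\System32.

$lookalikes = 'Client Server Runtime', 'Runtime Broker', 'RuntimeBroker', 'csrss'
$system32   = Join-Path $env:SystemRoot 'System32'

function Test-InSystem32 {
    param([string]$Path)
    if (-not $Path) { return $null }   # unknown: protected process or no rights
    return $Path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-ImagePath {
    # Extract the executable from a Run value such as  "C:\x\a.exe" /arg  or  C:\x\a.exe /arg
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-Lookalike {
    param([string]$Text)
    foreach ($n in $lookalikes) { if ($Text -like "*$n*") { return $true } }
    return $false
}

$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'

# 1. Autostart values whose name or image looks like a system component but
#    does not point into System32.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ...
        $image = Get-ImagePath ([string]$prop.Value)
        if (((Test-Lookalike $prop.Name) -or (Test-Lookalike $image)) -and
            (Test-InSystem32 $image) -ne $true) {
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Image = $image
                               Verdict = 'Run entry outside System32' }
        }
    }
}

# 2. Running processes with a look-alike name whose image is known and is not
#    in System32 (an unreadable path is skipped rather than reported).
Get-Process | ForEach-Object {
    $path = try { $_.Path } catch { $null }
    if ((Test-Lookalike $_.Name) -and (Test-InSystem32 $path) -eq $false) {
        [pscustomobject]@{ Source = "PID $($_.Id)"; Name = $_.Name; Image = $path
                           Verdict = 'process outside System32' }
    }
}
```

Once a hit has been confirmed, end it with Stop-Process -Id <pid> -Force and remove the autostart value with Remove-ItemProperty -Path <key> -Name <name>, then reboot and run the script again to confirm nothing came back.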

In principle, if the infection is caught at this stage, the problem of NO_MORE_RANSOM can be tackled this way. The probability of success is, of course, small, but there is a chance.

How to decrypt files encrypted with NO_MORE_RANSOM: backups

But there is another technique that few people know about or even suspect. The operating system itself constantly creates shadow copies of volumes (for system restore, for example), and the user may deliberately create such images. As practice showed with this virus, it left those copies alone (this simply was not provided for in its structure, although it is not excluded). Be aware that many other ransomware families delete shadow copies before encrypting (for example by running vssadmin delete shadows /all), so check that copies still exist before relying on them.

So the problem of recovering from NO_MORE_RANSOM comes down to using them. Standard Windows tools are awkward for this (the Previous Versions tab is not shown for every file, and many users cannot reach the hidden copies at all), which is why the portable ShadowExplorer utility is recommended.

To restore, run the executable, choose the volume and the date of the copy, select the desired item (a file, a folder or the whole tree) and use Export from the right-click menu. Then select the directory in which the copy will be saved. Export to a clean location rather than over the encrypted files, and copy the data back only after the system has been cleaned.
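The same recovery can be done with built-in tools, which matters when you cannot bring third-party software onto the machine. The script below is an added example and not code from the original article or from ShadowExplorer: it lists the surviving shadow copies of the system volume, picks the newest one that predates the infection, exposes it as a folder through a directory symbolic link and copies the pre-infection files to a clean location. The infection time, the user name Alice and the paths C:\vss_restore and D:\restored are assumptions. An elevated PowerShell session is required.

```powershell
# Added example, not from the original article. Recover pre-infection files
# from a Volume Shadow Copy with built-in tools only (elevated session required).
# Assumptions: the infection time, the user name and the paths below are examples.

$infectedAt = Get-Date '2016-12-20 09:00'   # assumption: timestamp of the first encrypted file
$mount      = 'C:\vss_restore'
$source     = 'Users\Alice\Documents'       # path inside the volume, without the drive letter
$target     = 'D:\restored\Documents'

# 1. List surviving shadow copies of the system volume, newest first. Many
#    ransomware families run "vssadmin delete shadows /all /quiet" before
#    encrypting; if nothing is listed here, this recovery route is closed.
$systemVolume = (Get-CimInstance Win32_Volume |
    Where-Object { $_.DriveLetter -eq $env:SystemDrive }).DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $systemVolume } |
    Sort-Object InstallDate -Descending
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

$candidate = $shadows | Where-Object { $_.InstallDate -lt $infectedAt } | Select-Object -First 1
if (-not $candidate) { throw 'No shadow copy predates the infection; nothing to restore from.' }

# 2. Expose the snapshot as a directory. mklink needs the trailing backslash
#    after the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path.
if (Test-Path $mount) { throw "$mount already exists" }
cmd /c mklink /d $mount "$($candidate.DeviceObject)\" | Out-Null

# 3. Copy the pre-infection files out. Never copy over the encrypted originals
#    on a machine that has not been cleaned yet.
robocopy (Join-Path $mount $source) $target /E /COPY:DAT /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors (exit code $LASTEXITCODE)" }

# 4. Remove only the link; the shadow copy itself stays in place.
cmd /c rmdir $mount | Out-Null
```

Step 1 doubles as the check mentioned above: an empty table means the copies are gone, and no tool, ShadowExplorer included, will bring them back.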

Third party utilities

Of course, many laboratories offer their own solutions to the NO_MORE_RANSOM problem. Kaspersky Lab, for example, recommends its free decryptors RakhniDecryptor and RectorDecryptor.

Similar tools, such as the decoders from Dr.Web, look no less interesting. But bear in mind that a decryptor can only work if the key for your particular family and version is known to its authors (recovered from the malware, leaked or seized). Having an unencrypted original next to its encrypted copy helps the analysts identify the family and version; it does not break the cipher. If the tool does not support your version, such applications will be useless, however early the threat was detected.

As a result

Only one conclusion suggests itself: this virus must be fought at the infection stage, when only the first files are being encrypted. In general, do not open attachments in e-mail messages from dubious sources, whether in a desktop client (Outlook, Outlook Express and the like) or in web mail. In addition, if a company employee has a list of client and partner addresses at hand, opening "unexpected" messages becomes completely unjustified, especially since most people sign non-disclosure and information-security agreements when applying for a job.

2024 gtavrl.ru.