Encryption virus – what is it, why is it dangerous. WannaCry ransomware virus: what to do? Ransomware virus treatment


A wave of a new encryption virus, WannaCry (also known as Wana Decrypt0r, Wana Decryptor, WanaCrypt0r), has swept across the world. It encrypts the documents on a computer and extorts 300-600 USD for decrypting them. How can you tell if your computer is infected? What should you do to avoid becoming a victim? And what should you do to recover?

After installing the updates, you will need to reboot your computer.

How to recover from the Wana Decrypt0r ransomware virus?

When the antivirus utility detects the virus, it will either remove it immediately or ask whether to disinfect it. Choose to disinfect.

How to recover files encrypted by Wana Decryptor?

We can’t say anything reassuring at the moment. No file decryption tool has yet been created. For now, all that remains is to wait until the decryptor is developed.

According to Brian Krebs, a computer security expert, at the moment the criminals have received only 26,000 USD, that is, only about 58 people agreed to pay the ransom to the extortionists. No one knows whether they restored their documents.

How to stop the virus spreading over the network?

In the case of WannaCry, the solution may be to block port 445 (SMB) on the firewall, the port through which the infection spreads.

Viruses as a computer threat no longer surprise anyone. But where earlier viruses affected the system as a whole, disrupting its operation, today, with the arrival of the encryptor variety, the actions of a penetrating threat fall mostly on user data. This is arguably an even greater threat than executables that damage Windows or spyware applets.

What is a ransomware virus?

The code of such a self-propagating virus encrypts almost all user data with cryptographic algorithms, while leaving the operating system's own files untouched.

At first, the logic behind the virus's actions was not clear to many. It became clear only when the hackers who created such applets began demanding money to restore the original files. Because of how it is built, the encryptor itself does not let you decrypt the files. That requires a separate decryptor: a program, a key, a password or an algorithm needed to restore the desired content.

The principle of penetration into the system and operation of the virus code

As a rule, it is quite hard to “pick up” such crap just by browsing the Internet. The main channel for spreading the “infection” is email at the level of the programs installed on a specific computer, such as Outlook, Thunderbird, The Bat, etc. Note right away: this does not apply to webmail servers, since they have a fairly high degree of protection, and access to user data is possible only at the level

An application on a computer terminal is another matter. Here the field for viruses is so wide that it is hard to imagine. One reservation is in order, though: in most cases these viruses target large companies, from which money can be “ripped off” for the decryption code. This is understandable, because not only on workstations but also on the servers of such companies, files may be stored, so to speak, in a single copy, which must not be lost under any circumstances. Decrypting files after a ransomware virus then becomes quite a problem.

Of course, an ordinary user can also be hit by such an attack, but in most cases this is unlikely if you follow the simplest recommendations for opening attachments of an unknown type. Even if the email client shows an attachment with a .jpg extension as a standard image file, it must first be checked with the antivirus installed on the system.

If this is not done, opening the attachment with a double click (the standard way) activates the code and the encryption starts, after which the same Breaking_Bad (an encryptor virus) will not only be impossible to remove, but the files will also be unrecoverable even after the threat has been eliminated.

General consequences of penetration of all viruses of this type

As already mentioned, most viruses of this type enter the system through email. Let's say a large organization receives a letter at a specific registered address with contents like “We have changed the contract, scanned copy attached” or “An invoice for shipping the goods has been sent to you (copy attached).” Naturally, the unsuspecting employee opens the file and...

All user files at the level of office documents, multimedia, specialized AutoCAD projects or any other archived data are encrypted immediately, and if the computer is on a local network, the virus can spread further, encrypting data on other machines (this becomes noticeable right away from the system slowing down and programs or running applications freezing).

At the end of the encryption process the virus apparently sends a kind of report, after which the company may receive a message that such and such a threat has penetrated the system and that only such and such an organization can decrypt it. This is usually the case with the [email protected] virus. Next comes a demand to pay for the decryption service, with an offer to send several files to the customer's email, which is most often fake.

Harm from exposure to code

If anyone has not yet understood: decrypting files after a ransomware virus is a rather laborious process. Even if you do not give in to the attackers' demands and try to involve the official government agencies that combat and prevent computer crime, usually nothing good comes of it.

If you delete all the files and even copy the original data back from removable media (assuming such a copy exists), everything will be encrypted again as soon as the virus is activated. So do not delude yourself too much, especially since when you insert that same flash drive into a USB port, you will not even notice the virus encrypting the data on it too. Then there will be no end of problems.

Firstborn in the family

Now let's turn to the first encryption virus. When it appeared, no one had yet thought about how to disinfect the system and decrypt files after exposure to executable code contained in an email attachment with a dating offer. Awareness of the scale of the disaster came only with time.

That virus had the romantic name “I Love You”. An unsuspecting user opened an attachment in an email message and ended up with completely unplayable multimedia files (graphics, video and audio). Back then, though, such actions looked merely destructive (damage to users' media libraries), and no one demanded money for it.

The newest modifications

As we can see, the evolution of this technology has turned into quite a profitable business, especially considering that many managers of large organizations immediately rush to pay for decryption, without considering that they could lose both the money and the information.

By the way, ignore all those “helpful” posts on the Internet saying, “I paid the required amount, they sent me a code, everything was restored.” Nonsense! All of this is written by the virus developers themselves to attract potential, excuse me, “suckers.” And by an ordinary user's standards the amounts demanded are quite serious: from hundreds to several thousand or tens of thousands of euros or dollars.

Now let's look at the newest viruses of this type, recorded relatively recently. They are all practically alike and belong not only to the category of encryptors but also to the group of so-called ransomware. In some cases they act more subtly (like paycrypt), seemingly sending official business offers or messages claiming that someone cares about the security of the user or organization. Such an encrypting virus simply misleads the user with its message. If the user takes even the slightest step towards paying, that's it: the scam is complete.

XTBL virus

This relatively recent one can be classified as a classic version of ransomware. Typically, it enters the system through email messages carrying file attachments of the kind Windows uses for screensavers. The system and the user think everything is fine and open or save the attachment.

Unfortunately, this leads to sad consequences: the file names are turned into a string of characters, and .xtbl is added to the main extension, after which a message is sent to the chosen email address about the possibility of decryption after paying the specified amount (usually 5 thousand rubles).

CBF virus

This type of virus also belongs to the classics of the genre. It appears on the system after opening email attachments, and then renames user files, adding an extension like .nochance or .perfect at the end.

Unfortunately, it is impossible to analyse the code of this type of ransomware even at the moment it appears on the system, because it self-destructs after completing its actions. Even what many consider a universal tool, RectorDecryptor, does not help. Once again, the user receives a letter demanding payment, for which two days are given.

Breaking_Bad virus

This type of threat works in the same way, but in its standard variant renames files by adding .breaking_bad to the extension.

It does not end there. Unlike the previous viruses, this one can create another extension, .Heisenberg, so it is not always possible to find all the infected files. Breaking_Bad (a ransomware virus) is therefore a fairly serious threat. By the way, there are cases where even the Kaspersky Endpoint Security 10 license package misses this type of threat.

Virus [email protected]

Here is another, perhaps the most serious threat, aimed mostly at large commercial organizations. As a rule, some department receives a letter containing what appear to be changes to a supply agreement, or even just an invoice. The attachment may contain an ordinary .jpg file (such as an image), but more often an executable script.js (Java applet).

How can this type of encryption virus be decrypted? Judging by the fact that some unknown RSA-1024 algorithm is used, it cannot. Based on the name, one can assume that this is a 1024-bit encryption system. But, if anyone remembers, today 256-bit AES is considered the most advanced.

Encryptor virus: how to disinfect and decrypt files using antivirus software

To date, no solution has been found for decrypting threats of this type. Even such masters of antivirus protection as Kaspersky, Dr. Web and Eset cannot find the key to the problem when a system is infected with an encrypting virus. How, then, to disinfect the files? In most cases it is suggested that you send a request via the antivirus developer's official website (by the way, only if the system has licensed software from that developer).

In this case, you need to attach several encrypted files, as well as their “healthy” originals, if any. By and large, few people keep copies of their data, so their absence only aggravates an already unpleasant situation.

Possible ways to identify and eliminate the threat manually

Yes, scanning with conventional antivirus programs identifies threats and even removes them from the system. But what to do with the information?

Some try decryption programs such as the already mentioned RectorDecryptor (RakhniDecryptor) utility. Let us say straight away: this will not help. And in the case of the Breaking_Bad virus it can only do harm. Here is why.

The fact is that the people who create such viruses try to protect themselves and to make an example for others. When decryption utilities are used, the virus can react by crashing the entire system, with complete destruction of all data stored on the hard drives or logical partitions. This is, so to speak, a demonstrative lesson for the edification of everyone who does not want to pay. One can only rely on the official antivirus laboratories.

Drastic methods

However, if things are really bad, you will have to sacrifice the information. To get rid of the threat completely, you need to format the entire hard drive, including virtual partitions, and then reinstall the operating system.

Unfortunately, there is no other way out. Even rolling back to a saved restore point will not help. The virus may disappear, but the files will remain encrypted.

Instead of an afterword

In conclusion, the situation is this: a ransomware virus penetrates the system, does its dirty work and cannot be cured by any known method. Antivirus tools were not ready for this type of threat. It goes without saying that the virus can be detected or removed after the fact. But the encrypted information remains unusable. So one would like to hope that the best minds of the antivirus companies will still find a solution, although, judging by the encryption algorithms, it will be very difficult. Just remember the Enigma cipher machine of the German Navy during World War II. The best cryptographers could not work out an algorithm for decrypting its messages until they got their hands on the device. This is how things are here too.

It continues its relentless march across the Internet, infecting computers and encrypting important data. How to protect yourself from ransomware and protect Windows from it: have patches been released to decrypt and disinfect files?

The new 2017 ransomware virus Wanna Cry continues to infect corporate and private PCs. Damage from the virus attack totals $1 billion. In 2 weeks, the ransomware virus infected at least 300 thousand computers, despite warnings and security measures.

Ransomware virus 2017: what is it? As a rule, you can “pick it up” on seemingly the most harmless sites, for example bank servers with user access. Once on the victim's hard drive, the ransomware “settles” in the System32 system folder. From there it immediately disables the antivirus and adds itself to autorun; after every reboot the ransomware is started from the registry and begins its dirty work. It then downloads similar programs of the Ransom and Trojan kind. Self-replication of the ransomware is also common. This process may be instantaneous, or it may take weeks before the victim notices something is wrong.

The ransomware often disguises itself as ordinary pictures or text files, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd, and sometimes a .dll library. Most often the file has a completely innocuous name, for example “document.doc” or “picture.jpg”, where the extension is written by hand and the true file type is hidden.

After encryption is complete, instead of familiar files the user sees a set of “random” characters in the name and in the contents, and the extension changes to a previously unknown one: .NO_MORE_RANSOM, .xdata and others.

Wanna Cry ransomware virus 2017: how to protect yourself. Note right away that Wanna Cry is rather a collective term for all encryption and ransomware viruses, since recently it has infected computers most often. So we will talk about protecting yourself from ransomware, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware. EternalBlue via the SMB port protocol.

Protecting Windows from ransomware 2017: basic rules:

  • Windows updates and a timely move to a licensed OS (note: the XP version is no longer updated)
  • updating antivirus databases and firewalls promptly
  • extreme care when downloading any files (cute “kittens” can end in the loss of all data)
  • backing up important information to removable media.

Ransomware virus 2017: how to disinfect and decrypt files.

If you rely on antivirus software, you can forget about a decryptor for a while. The laboratories of Kaspersky, Dr. Web, Avast! and other antivirus vendors have so far found no solution for treating infected files. At the moment the virus itself can be removed with an antivirus, but there is no algorithm yet to return everything “to normal”.

Some try decryptors such as the RectorDecryptor utility, but this will not help: no algorithm for decrypting the new viruses has been worked out yet. It is also completely unknown how the virus will behave if it has not been removed when such programs are used. Often this ends with all files being erased, as a warning from the virus authors to those who do not want to pay.

At the moment the most effective way to recover lost data is to contact the technical support of the vendor of the antivirus program you use. To do this, send a letter or use the feedback form on the manufacturer's website. Be sure to attach an encrypted file and, if available, a copy of the original. This will help the programmers in composing the algorithm. Unfortunately, for many a virus attack comes as a complete surprise and no copies are to be found, which greatly complicates the situation.

Drastic methods of treating Windows for ransomware. Unfortunately, sometimes you have to resort to completely formatting the hard drive, which means a complete reinstallation of the OS. Many will think of System Restore, but this is not an option: a “rollback” will get rid of the virus, but the files will still remain encrypted.

A ransomware virus is a malicious program that, when activated, encrypts all personal files, such as documents, photos, etc. The number of such programs is very large and grows every day. In recent times alone we have encountered dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, .da_vinci_code, toste, fff, etc. The goal of such encryption viruses is to force users to buy, often for a large sum of money, the program and key needed to decrypt their own files.

Of course, you can restore encrypted files simply by following the instructions that the creators of the virus leave on the infected computer. But most often, the cost of decryption is very significant, and you also need to know that some ransomware viruses encrypt files in such a way that it is simply impossible to decrypt them later. And of course, it's just annoying to pay to restore your own files.

Below we will talk in more detail about encryption viruses, how they penetrate the victim’s computer, as well as how to remove the encryption virus and restore files encrypted by it.

How does a ransomware virus penetrate a computer?

A ransomware virus is usually spread via email. The letter contains infected documents. Such letters are sent to a huge database of email addresses. The authors of this virus use misleading headers and contents of letters, trying to trick the user into opening a document attached to the letter. Some letters inform about the need to pay a bill, others offer to look at the latest price list, others offer to open a funny photo, etc. In any case, opening the attached file will result in your computer being infected with a ransomware virus.

What is a ransomware virus?

A ransomware virus is a malicious program that infects modern versions of the Windows operating system, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. These viruses try to use the strongest possible encryption, for example RSA-2048 with a 2048-bit key, which practically rules out brute-forcing the key to decrypt the files independently.

When infecting a computer, the ransomware virus uses the system directory %APPDATA% to store its own files. To launch itself automatically when the computer is turned on, the ransomware creates an entry in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Immediately after launching, the virus scans all available drives, including network and cloud storage, to determine files that will be encrypted. A ransomware virus uses a filename extension as a way to identify a group of files that will be encrypted. Almost all types of files are encrypted, including such common ones as:

.0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

Immediately after a file is encrypted, it receives a new extension, which can often be used to identify the name or type of ransomware. Some types of these malware can also change the names of encrypted files. The virus then creates a text document with names like HELP_YOUR_FILES, README, which contains instructions for decrypting the encrypted files.

During its operation, the encryption virus tries to block the ability to restore files through VSS (Volume Shadow Copy Service). To do this, the virus runs the shadow-copy administration utility from the command line with a switch that deletes all shadow copies. As a result, it is almost always impossible to restore files from their shadow copies.
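Both behaviours described above, an autorun entry under the Run/RunOnce keys that points into %APPDATA% and a command-line deletion of shadow copies, are easy to pick out of endpoint telemetry. The Python script below is an added example, not code from the original article or from any antivirus vendor; it runs two detection rules over a handful of constructed event records. The sample events, their field names and the "user-writable location" heuristic are assumptions made for the example; the vssadmin and wmic command forms are the built-in Windows tools for managing shadow copies.

```python
import re

# Constructed sample telemetry, loosely modelled on the process-creation and
# registry-value-set events an endpoint sensor records. None of it is real data.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "process", "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "process", "cmdline": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Helper",
     "data": r"C:\Program Files\Example Vendor\helper.exe /tray"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "data": r"%APPDATA%\Updater\update.exe"},
]

# Command lines that wipe or starve Volume Shadow Copies. vssadmin and wmic are the
# built-in Windows tools for this; whitespace is normalised before matching.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|vssadmin(\.exe)?\s+resize\s+shadowstorage"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)

# Autorun keys named in the article (HKCU Run / RunOnce) plus their HKLM counterparts.
RUN_KEY = re.compile(
    r"^HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)

# Locations a program can write without admin rights; the article notes that
# ransomware keeps its files under %APPDATA%. (Heuristic chosen for this example.)
USER_WRITABLE = re.compile(
    r"\\AppData\\|%APPDATA%|%LOCALAPPDATA%|\\Temp\\|%TEMP%", re.IGNORECASE
)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line deletes or shrinks Volume Shadow Copies."""
    return SHADOW_DELETE.search(" ".join(cmdline.split())) is not None


def is_suspicious_run_entry(key: str, data: str) -> bool:
    """True if an autorun value under Run/RunOnce points at a user-writable directory."""
    return RUN_KEY.match(key) is not None and USER_WRITABLE.search(data) is not None


def triage(events):
    """Return (label, detail, context) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and is_shadow_copy_deletion(ev["cmdline"]):
            findings.append(("shadow_copy_deletion", ev["cmdline"], ev.get("parent", "")))
        elif ev["type"] == "registry" and is_suspicious_run_entry(ev["key"], ev["data"]):
            findings.append(("run_key_persistence", ev["key"], ev["data"]))
    return findings


if __name__ == "__main__":
    for label, detail, context in triage(SAMPLE_EVENTS):
        print(f"{label:22} {detail}  <- {context}")
```

The shadow-copy rule is the higher-confidence one: a backup agent rarely deletes every shadow copy from a process living in a user profile, so the parent image is kept as context for the analyst. The Run-key rule will also fire on some per-user installers that legitimately run from AppData, so it is a triage signal to review rather than a verdict.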

The ransomware virus actively uses intimidation tactics, giving the victim a link to a description of the encryption algorithm and displaying a threatening message on the Desktop. In this way it tries to push the user of the infected computer into sending the computer ID to the virus author's email address without thinking, in the hope of getting the files back. The reply to such a message is most often the ransom amount and an e-wallet address.

Is my computer infected with a ransomware virus?

It is quite easy to determine whether a computer is infected with an encryption virus or not. Pay attention to the extensions of your personal files, such as documents, photos, music, etc. If the extension has changed or your personal files have disappeared, leaving behind many files with unknown names, then your computer is infected. In addition, a sign of infection is the presence of a file named HELP_YOUR_FILES or README in your directories. This file will contain instructions for decrypting the files.

If you suspect that you have opened an email infected with a ransomware virus, but there are no symptoms of infection yet, do not turn off or restart your computer. Follow the steps described in the corresponding section of this manual. I repeat once again: it is very important not to turn off the computer, because in some types of ransomware the file encryption process is activated the first time you turn on the computer after infection!
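The indicators listed above (renamed files with an unfamiliar extension and a HELP_YOUR_FILES or README note dropped into user folders) can be checked with a short script before deciding how to proceed. Below is an added example in Python, not code from the original article; the directory layout and file names are constructed for the demonstration, the known suffixes come from the families this article names, and the double-extension rule and the benign-tail list are the example's own assumptions.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Suffixes the article reports being appended by specific families
# (.xtbl, .breaking_bad, .Heisenberg, .nochance, .perfect, .NO_MORE_RANSOM, .xdata).
RANSOM_SUFFIXES = {".xtbl", ".breaking_bad", ".heisenberg", ".nochance",
                   ".perfect", ".no_more_ransom", ".xdata"}
# Ransom-note file names the article mentions (matched on the name before the first dot).
NOTE_NAMES = {"help_your_files", "readme"}
# Extensions of ordinary user documents; an unfamiliar suffix tacked onto one of
# these ("report.docx.a9f2") is a weaker, family-independent indicator.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
            ".jpg", ".jpeg", ".png", ".zip", ".rar"}
# Benign second suffixes that would otherwise trip the double-extension rule (assumed list).
BENIGN_TAIL = {".bak", ".old", ".tmp", ".gz", ".lnk"}


def classify(path) -> Optional[str]:
    """Label one file: ransom_note, known_ransom_suffix, double_extension, or None."""
    path = Path(path)
    suffixes = [s.lower() for s in path.suffixes]
    if path.name.lower().split(".")[0] in NOTE_NAMES:
        return "ransom_note"
    if suffixes and suffixes[-1] in RANSOM_SUFFIXES:
        return "known_ransom_suffix"
    if (len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS
            and suffixes[-1] not in DOC_EXTS | BENIGN_TAIL):
        return "double_extension"
    return None


def triage_tree(root):
    """Walk a directory tree; return per-label counts and the list of flagged files.
    Only names and stat() are used; no file is opened or modified."""
    root = Path(root)
    counts = {"ransom_note": 0, "known_ransom_suffix": 0, "double_extension": 0, "clean": 0}
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        label = classify(p)
        if label is None:
            counts["clean"] += 1
        else:
            counts[label] += 1
            hits.append((label, p.relative_to(root).as_posix()))
    return counts, hits


def build_sample_tree():
    """Create a constructed user folder mixing untouched files with encrypted-looking ones."""
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    docs = root / "Documents"
    docs.mkdir()
    for name in ["budget.xlsx", "photo.jpg", "notes.txt.bak",          # untouched
                 "report.docx.xtbl", "A7F3C9.breaking_bad",             # known suffixes
                 "scan.pdf.Heisenberg", "invoice.pdf.a9f2",             # known / unknown tail
                 "HELP_YOUR_FILES.txt", "README.txt"]:                  # ransom notes
        (docs / name).write_bytes(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        counts, hits = triage_tree(sample)
        print(counts)
        for label, rel in hits:
            print(f"{label:20} {rel}")
    finally:
        shutil.rmtree(sample)
```

Run it against a copy or a mounted image where possible; it lists names only and never writes. README.txt is also a perfectly common benign file name, so a single ransom_note hit with no suffix hits deserves a second look before you treat the machine as infected.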

How to decrypt files encrypted with a ransomware virus?

If this disaster happens, there is no need to panic! But you need to know that in most cases there is no free decryptor. This is due to the strong encryption algorithms used by such malware, which means that without the private key it is almost impossible to decrypt the files. Brute-forcing the key is also not an option because of its length. Therefore, unfortunately, paying the virus authors the full amount requested is the only way to try to obtain the decryption key.

Of course, there is absolutely no guarantee that after payment the authors of the virus will contact you and provide the key necessary to decrypt your files. In addition, you need to understand that by paying money to virus developers, you yourself encourage them to create new viruses.

How to remove a ransomware virus?

Before you begin, you need to know that by starting to remove the virus and attempt to restore the files yourself, you are blocking the ability to decrypt the files by paying the authors of the virus the amount they requested.

Kaspersky Virus Removal Tool and Malwarebytes Anti-malware can detect different types of active ransomware viruses and will easily remove them from your computer, BUT they cannot recover encrypted files.

5.1. Remove ransomware using Kaspersky Virus Removal Tool

By default, the program is configured to recover all file types, but to speed up the work, it is recommended to leave only the file types that you need to recover. When you have completed your selection, click OK.

At the bottom of the QPhotoRec program window, find the Browse button and click it. You need to select the directory where the recovered files will be saved. It is advisable to use a disk that does not contain encrypted files that require recovery (you can use a flash drive or external drive).

To start the procedure for searching and restoring original copies of encrypted files, click the Search button. This process takes quite a long time, so be patient.

When the search is complete, click the Quit button. Now open the folder you have chosen to save the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3, etc. The more files the program finds, the more directories there will be. To find the files you need, check all directories one by one. To make it easier to find the file you need among a large number of recovered ones, use the built-in Windows search system (by file contents), and also do not forget about the function of sorting files in directories. You can select the date the file was modified as a sort option, since QPhotoRec attempts to restore this property when restoring a file.
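Sifting through dozens of recup_dir.N folders by hand is slow. As an added example (not part of the original article and not QPhotoRec's own tooling), the Python script below builds an index of the recovered files ordered by modification time, the property the text says QPhotoRec tries to restore, filters them by extension and searches their contents for a keyword. The sample output folder, file names and timestamps are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def build_sample_output():
    """Constructed stand-in for a QPhotoRec output folder with two recup_dir.N subfolders.
    Modification times are set explicitly so the sort order below is deterministic."""
    out = Path(tempfile.mkdtemp(prefix="qphotorec_"))
    files = {
        "recup_dir.1/f0001.docx": (b"Quarterly budget draft", 1_600_000_000),
        "recup_dir.1/f0002.jpg":  (b"\xff\xd8\xff\xe0 constructed jpeg bytes", 1_500_000_000),
        "recup_dir.2/f0003.txt":  (b"meeting notes: budget review", 1_650_000_000),
        "recup_dir.2/f0004.pdf":  (b"%PDF-1.4 constructed", 1_550_000_000),
    }
    for rel, (content, mtime) in files.items():
        p = out / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))
    return out


def recovered_dirs(out):
    """recup_dir.N folders in numeric order (so recup_dir.10 comes after recup_dir.9)."""
    out = Path(out)
    dirs = [d for d in out.iterdir() if d.is_dir() and d.name.startswith("recup_dir.")]
    return sorted(dirs, key=lambda d: int(d.name.rsplit(".", 1)[1]))


def index_recovered(out, extensions=None):
    """List recovered files, optionally filtered by extension, newest modification first."""
    out = Path(out)
    wanted = {e.lower() for e in extensions} if extensions else None
    records = []
    for d in recovered_dirs(out):
        for p in d.iterdir():
            if p.is_file() and (wanted is None or p.suffix.lower() in wanted):
                st = p.stat()
                records.append({"path": p.relative_to(out).as_posix(),
                                "ext": p.suffix.lower(),
                                "size": st.st_size,
                                "mtime": int(st.st_mtime)})
    return sorted(records, key=lambda r: r["mtime"], reverse=True)


def find_by_content(out, needle, extensions=None):
    """Paths (newest first) of recovered files whose bytes contain `needle`."""
    out = Path(out)
    needle_b = needle.encode()
    return [r["path"] for r in index_recovered(out, extensions)
            if needle_b in (out / r["path"]).read_bytes()]


if __name__ == "__main__":
    sample = build_sample_output()
    for r in index_recovered(sample):
        print(f'{r["mtime"]:>12} {r["size"]:>6} {r["path"]}')
    print("files mentioning 'budget':", find_by_content(sample, "budget"))
```

Point the functions at the real output folder you chose in the Browse step instead of build_sample_output(), and keep that folder on a drive other than the one being recovered, as the text advises, so that indexing never writes over data that might still be carved out.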

How to prevent a ransomware virus from infecting your computer?

Most modern anti-virus programs already have a built-in protection system against the penetration and activation of encryption viruses. Therefore, if you do not have an antivirus program on your computer, be sure to install it. You can find out how to choose it by reading this.

There are also specialized protection programs, for example CryptoPrevent.

A few final words

By following these instructions, your computer will be cleared of the ransomware virus. If you have any questions or need help, please contact us.

According to the first reports, the encrypting virus activated by attackers on Tuesday was classified as a member of the already known Petya family of ransomware, but it later turned out that this was a new family of malware with significantly different functionality. Kaspersky Lab has dubbed the new virus ExPetr.

“The analysis carried out by our experts showed that the victims initially had no chance of getting their files back. Kaspersky Lab researchers analyzed the part of the malware code that is associated with file encryption and found that once the disk is encrypted, the creators of the virus no longer have the ability to decrypt it back,” the laboratory reports.

As the company notes, decryption requires a unique identifier for a specific Trojan installation. In previously known versions of similar encryptors Petya/Mischa/GoldenEye, the installation identifier contained the information necessary for decryption. In the case of ExPetr, this identifier does not exist. This means that the creators of the malware cannot obtain the information they need to decrypt files. In other words, victims of the ransomware have no way to get their data back, explains Kaspersky Lab.

The virus blocks computers and demands $300 in bitcoins, Group-IB told RIA Novosti. The attack began on Tuesday around 11:00. According to media reports, as of 6 p.m. Wednesday, the Bitcoin wallet that was specified for transferring funds to the extortionists had received nine transfers. Taking into account the commission for transfers, the victims transferred about 2.7 thousand dollars to the hackers.

Compared to WannaCry, this virus is considered more destructive, as it spreads using several methods - using Windows Management Instrumentation, PsExec and the EternalBlue exploit. In addition, the ransomware includes the free Mimikatz utility.

The number of users attacked by the “new Petya” encryption virus has reached 2 thousand, Kaspersky Lab, which is investigating the wave of computer infections, reported on Wednesday.

According to the antivirus company ESET, the attack began in Ukraine, which suffered more than other countries. According to the company’s rating of countries affected by the virus, Italy is in second place after Ukraine, and Israel is in third place. The top ten also included Serbia, Hungary, Romania, Poland, Argentina, the Czech Republic and Germany. Russia took 14th place in this list.

In addition, Avast said which operating systems were most affected by the virus.

Windows 7 was in first place - 78% of all infected computers. Next comes Windows XP (18%), Windows 10 (6%) and Windows 8.1 (2%).

Thus, WannaCry taught the global community virtually nothing - computers remained unprotected, systems were not updated, and Microsoft's efforts to issue patches even for outdated systems simply went to waste.







2024 gtavrl.ru.