WannaCry ransomware virus: what to do? Kaspersky Lab about “WannaCry” ransomware A new virus called “Kaspersky ransomware”.

About a week or two ago, another piece of work by modern virus makers appeared on the network: it encrypts all user files. Once again, I will look at how to clean a computer after the CRYPTED000007 ransomware and recover the encrypted files. Nothing new or unique has appeared here; this is just a modification of the previous version.

Guaranteed decryption of files after a ransomware virus: dr-shifro.ru. The details of the work and the scheme of interaction with the customer are given below in my article and on the website in the "Procedure of work" section.

Description of the ransomware virus CRYPTED000007

The CRYPTED000007 encryptor does not fundamentally differ from its predecessors; it works almost exactly like them. Still, a few nuances set it apart, and I'll describe everything in order.

It arrives, like its counterparts, by e-mail. Social engineering is used to get the user interested in the letter and open it. In my case, the letter was about some court case, with important information on the case in the attachment. After launching the attachment, the user sees a Word document with an extract from the Moscow Arbitration Court.

In parallel with the opening of the document, file encryption starts, and Windows User Account Control (UAC) prompts start popping up constantly.

If you agree to the prompt, the backup copies of files in the Windows shadow copies will be deleted and recovering the information will become very difficult. Obviously, you must not agree to the prompt under any circumstances. In this ransomware these requests pop up constantly, one after another, and do not stop, pressuring the user to agree and delete the backups. This is the main difference from previous ransomware modifications: I have never seen shadow copy deletion requests that go on non-stop. Usually they stopped after 5-10 prompts.

A recommendation for the future: very often people turn off User Account Control warnings. Don't do this. This mechanism can genuinely help in resisting viruses. The second obvious piece of advice is not to work under a computer administrator account all the time unless it is objectively necessary. Then the virus will not get the chance to do much harm, and you will be more likely to resist it.
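The repeated request to delete shadow copies described above is also something an endpoint can log rather than leave to the user's judgement. The following is an added example, not code from the original article: it runs detection logic over constructed process-creation log lines (a simplified pipe-separated layout standing in for Sysmon Event ID 1 or Windows 4688 with command-line auditing) and flags any process whose command line asks vssadmin or WMI to delete shadow copies, scoring it higher when the parent process runs from the user's AppData, where the article says the mail-borne encryptor lives. The log lines, host and user names are constructed.

```python
"""Detect shadow-copy deletion attempts in process-creation logs.

Added example, not code from the original article. The log lines below are
constructed for the demonstration and use a simplified pipe-separated layout
(timestamp|user|parent_image|command_line), not a real event format.
"""
import re

# Command-line shapes that remove shadow copies (public detection logic,
# cf. MITRE ATT&CK T1490 "Inhibit System Recovery").
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.I),
]

# A parent image under the user's AppData is the dropper location the article
# describes for mail-borne ransomware (%APPDATA%).
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

# Constructed sample log: one event per line, fields separated by '|'.
SAMPLE_LOG = r"""
2017-01-12T10:21:03|DESKTOP-1\ivan|C:\Windows\explorer.exe|vssadmin list shadows
2017-01-12T10:21:19|DESKTOP-1\ivan|C:\Users\ivan\AppData\Roaming\a1b2.exe|vssadmin.exe delete shadows
2017-01-12T10:21:20|DESKTOP-1\ivan|C:\Users\ivan\AppData\Roaming\a1b2.exe|wmic shadowcopy delete
2017-01-12T10:25:44|DESKTOP-1\ivan|C:\Windows\System32\svchost.exe|powershell -c Get-Process
2017-01-12T10:30:01|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|vssadmin create shadow /for=C:
""".strip()


def parse_line(line):
    """Split one constructed log line into its four fields; None for junk lines."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, user, parent, cmd = parts
    return {"time": ts, "user": user, "parent": parent, "cmd": cmd}


def is_shadow_delete(cmd):
    """True when the command line matches any shadow-copy deletion pattern."""
    return any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)


def detect(log_text):
    """Return one alert per shadow-copy deletion found in the log text."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw.strip())
        if ev is None or not is_shadow_delete(ev["cmd"]):
            continue
        from_profile = USER_PROFILE_RE.search(ev["parent"]) is not None
        alerts.append({
            "time": ev["time"],
            "user": ev["user"],
            "parent": ev["parent"],
            "cmd": ev["cmd"],
            # Deletion launched from a user-profile binary is the ransomware shape.
            "severity": "high" if from_profile else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['time']} {a['user']} "
              f"parent={a['parent']} :: {a['cmd']}")
```

Listing or creating shadow copies is legitimate administration and is deliberately not matched; only the deletion forms raise an alert, so the rule stays quiet on a healthy machine.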

But even if you declined the ransomware's requests every time, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, many text files with the same content will appear on the desktop:

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Then you will get all the necessary instructions. Attempts to decrypt the files yourself will lead to nothing except irretrievable loss of information. If you still want to try, make backup copies of the files beforehand, otherwise, if they are changed, decryption will not be possible under any circumstances. If you have not received a response from the above address within 48 hours (and only in this case!), use the feedback form. This can be done in two ways: 1) Download and install Tor Browser from the link: https://www.torproject.org/download/download-easy.html.en In Tor Browser enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

The e-mail address may change. I've seen other addresses like this:

The addresses are constantly updated, so they may be completely different.

As soon as you find that files are being encrypted, immediately turn off the computer. This must be done to abort the encryption process, both on the local computer and on network drives. The ransomware can encrypt all information it can reach, including on network drives, but if there is a large amount of information, that takes it a considerable amount of time. Sometimes, even in a couple of hours, the encryptor did not manage to encrypt everything on a network drive of about 100 gigabytes.

Next, you need to think carefully about how to act. If you absolutely need the information on your computer and you have no backup copies, then it is better to contact specialists at this point. Not necessarily a paid firm: you just need a person who is well versed in information systems. The scale of the disaster has to be assessed, the virus removed, and all available information on the situation collected in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate decrypting or recovering the files; at worst, they can make it impossible. So take your time, be careful and methodical.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and finished its work, all useful files will be encrypted and renamed with the extension .crypted000007. Not only the file extension is replaced but also the file name, so you won't know exactly which files you had unless you remember. It looks something like this picture.

In such a situation it is difficult to assess the scale of the damage, since you will not be able to remember completely what you had in different folders. This was done on purpose, to confuse people and push them to pay for decryption.

And if network folders were encrypted as well and there are no full backups, this can halt the work of the entire organization. You will not immediately understand what has ultimately been lost in order to begin recovery.
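Because the renaming hides what was lost where, the first practical step in assessing the damage is a count of encrypted files per folder and a list of where the ransom notes landed. The following is an added example, not code from the original article: it walks a directory tree, counts files carrying the .crypted000007 extension per directory, identifies the ransom-note text files by their content, and pulls the victim code and contact address out of the note. The sample tree it builds, the note text, the victim code and the e-mail in it are constructed placeholders; the `<hex>|<digit>` code format is an assumption taken from the note quoted above.

```python
"""Incident-scope triage for a CRYPTED000007-style infection.

Added example, not code from the original article. Assumes the traits the
article describes: encrypted files get the extension .crypted000007 with the
original name replaced, and ransom-note .txt files with identical content are
dropped beside them. All sample data below is constructed.
"""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".crypted000007"
# Victim code shaped <hex>|<digit>: an assumption based on the note quoted in the article.
CODE_RE = re.compile(r"\b[0-9A-F]{16,}\|\d+\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def read_head(path, limit=4096):
    """First bytes of a file as text; unreadable files count as empty."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read(limit)
    except OSError:
        return ""


def is_ransom_note(path):
    """A .txt file that mentions encryption and carries a victim code."""
    if not path.lower().endswith(".txt"):
        return False
    head = read_head(path)
    return "encrypted" in head.lower() and CODE_RE.search(head) is not None


def parse_note(text):
    """Extract (victim_code, contact_email) from note text; None where absent."""
    code = CODE_RE.search(text)
    mail = EMAIL_RE.search(text)
    return (code.group(0) if code else None, mail.group(0) if mail else None)


def triage(root):
    """Summarise an affected tree: encrypted files per directory plus note details."""
    per_dir = Counter()
    notes = []
    note_ids = set()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                per_dir[rel] += 1
            elif is_ransom_note(full):
                notes.append(os.path.join(rel, name))
                note_ids.add(parse_note(read_head(full)))
    return {
        "encrypted_total": sum(per_dir.values()),
        "encrypted_per_dir": dict(per_dir),
        "notes": sorted(notes),
        "note_ids": note_ids,
    }


def build_sample_tree():
    """Create a small constructed tree that looks like a hit user profile."""
    root = tempfile.mkdtemp(prefix="triage_")
    note = ("Your files have been encrypted. To decrypt them send the code "
            "0123456789ABCDEF0123|0 to the e-mail address victim-help@example.invalid")
    files = {
        "Desktop/8f3a1c.crypted000007": b"\x00\x01\x02",
        "Desktop/77bb02.crypted000007": b"\x03\x04",
        "Desktop/README.txt": note.encode(),
        "Documents/aa91ef.crypted000007": b"\x05",
        "Documents/notes.txt": b"Meeting at 10, nothing to see here.",
        "Documents/old/budget.xlsx": b"PK\x03\x04",   # untouched file
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"encrypted files: {report['encrypted_total']}")
    for d, n in sorted(report["encrypted_per_dir"].items()):
        print(f"  {d}: {n}")
    print("notes:", report["notes"])
    print("victim ids:", report["note_ids"])
```

Run it against a mounted image of the affected drive rather than the live machine, so the scan itself changes nothing; more than one distinct victim code in the output means more than one infection (or more than one victim's share) landed on the same share.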

How to treat your computer and remove the CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to clean the computer and remove the virus from it, in order to prevent further encryption if it has not yet completed. I draw your attention right away to the fact that once you start performing actions on your computer yourself, the chances of decrypting the data decrease. If you absolutely need to recover the files, do not touch the computer, but contact professionals immediately. Below I will talk about them, give a link to their site and describe how they work.

In the meantime, we will continue to clean the computer and remove the virus on our own. Traditionally, ransomware is easy to remove from a computer, since the virus has no goal of remaining on the computer at all costs. After fully encrypting the files, it is even more advantageous for it to delete itself and disappear, so that investigating the incident and decrypting the files becomes harder.

Describing the manual removal of the virus is difficult. I tried to do it before, but I see that most of the time it is pointless: file names and the paths where the virus is placed change constantly, and what I saw is no longer relevant a week or two later. Usually viruses are sent by mail in waves, and each time it is a new modification that antiviruses do not yet detect. Universal tools that check autorun entries and detect suspicious activity in system folders help.

To remove the CRYPTED000007 virus, you can use the following programs:

  1. Kaspersky Virus Removal Tool - a utility from Kaspersky: http://www.kaspersky.ru/antivirus-removal-tool
  2. Dr.Web CureIt! - a similar product from Dr.Web: http://free.drweb.ru/cureit
  3. If the first two utilities don't help, try Malwarebytes 3.0: https://ru.malwarebytes.com

Most likely, one of these products will clear the computer of the CRYPTED000007 ransomware. If it happens that they do not help, try removing the virus manually. I gave an example of the removal technique earlier, and you can see it there. In a nutshell, here's what you need to do:

  1. Look at the list of processes, having first added several extra columns to the Task Manager.
  2. Find the virus process, open the folder it sits in and delete it.
  3. Clean the registry of references to the virus process by its file name.
  4. Reboot and make sure that the CRYPTED000007 virus is no longer in the list of running processes.

Where to download a CRYPTED000007 decryptor

The question of a simple and reliable decryptor is the first to arise when it comes to a ransomware virus. The first thing I advise is to use the https://www.nomoreransom.org service. Perhaps you will be lucky and they will have a decryptor for your version of the CRYPTED000007 encryptor. I will say right away that your chances are not great, but there is no harm in trying. On the home page click Yes:

Then upload a couple of encrypted files and click Go! to find out:

At the time of writing, the decryptor was not on the site.

Perhaps you will have more luck. You can also see the list of decryptors available for download on a separate page: https://www.nomoreransom.org/decryption-tools.html . Maybe there is something useful there. When the virus is very fresh there is little chance of that, but over time something may appear. There are examples where decryptors for some ransomware modifications appeared on the network, and these examples are on that page.

I do not know where else to look for a decryptor. It is unlikely that one really exists, given the way modern ransomware works. Only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The technical implementation of the encryption does not allow decrypting the files without the key or decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I have no such information. We can only try to recover files using improvised methods. These include:

  • Windows shadow copies.
  • Programs for recovering deleted data.

First, let's check whether shadow copies are enabled. This tool works by default in Windows 7 and higher unless you disable it manually. To check, open the computer's properties and go to the System Protection section.

If during the infection you did not confirm the UAC request to delete the files in the shadow copies, then some data should remain there. I talked about this request in more detail at the beginning, when I described how the virus works.

To easily restore files from shadow copies, I suggest using a free program for this: ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of the files and the root of drive C will open. In the upper left corner you can choose a different backup if you have more than one. Check the different copies for the files you want, and compare by date where the more recent version is. In my example below, I found 2 files on my desktop that had last been edited three months earlier.

I was able to recover these files. To do this, I selected them, right-clicked, chose Export and specified the folder to restore them to.

You can restore whole folders in the same way. If shadow copies were working for you and you did not delete them, you have quite a good chance of recovering all or almost all of the files encrypted by the virus. Perhaps some of them will be an older version than you would like, but nevertheless it is better than nothing.

If for some reason you do not have shadow copies, the only chance to get back at least some of the encrypted files is to restore them with tools for recovering deleted files. For this I suggest the free Photorec program.

Run the program and select the disk on which to recover files. The graphical version of the program is started with the file qphotorec_win.exe. You must select the folder where the found files will be placed; it is better if this folder is not on the same drive we are searching. Plug in a flash drive or an external hard disk for it.

The search process takes a long time. At the end you will see statistics. Now you can go to the folder you specified earlier and see what was found there. There will most likely be a lot of files, and most of them will either be damaged or be some kind of useless system files. Nevertheless, it will be possible to find some useful files in this list. There are no guarantees here: what you find is what you get. Usually images are restored best of all.

If the result does not satisfy you, there are other programs for recovering deleted files. Below is a list of programs that I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. With enough determination you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Filecoder.ED ransomware

Popular antiviruses identify the CRYPTED000007 ransomware as Filecoder.ED, possibly followed by some other designation. I went through the forums of the main antivirus vendors and did not see anything useful there. Unfortunately, as usual, the antiviruses were not ready for the invasion of a new wave of ransomware. Here is a message from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware trojans. I still recommend using them, however. If you are lucky and receive the ransomware in your mail not in the first wave of infections but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers: a new version of the ransomware comes out, and the antiviruses do not respond to it. As soon as a certain mass of material for researching the new virus accumulates, the antiviruses release an update and begin to respond to it.

Why antiviruses cannot respond immediately to any encryption process in the system is not clear to me. Perhaps there is some technical nuance here that does not allow them to respond adequately and prevent the encryption of user files. It seems to me that it would at least be possible to display a warning that someone is encrypting your files and offer to stop the process.

Where to apply for guaranteed decryption

I happened to come across one company that really does decrypt data after various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment is made only after full decryption and your verification. Here is an example of how they work:

  1. A specialist from the company comes to your office or home and signs a contract with you that fixes the cost of the work.
  2. He runs the decryptor and decrypts all the files.
  3. You make sure that all files open, and sign the certificate of delivery/acceptance of the work performed.
  4. Payment is made only upon a successful decryption result.

To be honest, I don't know how they do it, but you risk nothing: payment is made only after the decryptor has been demonstrated. Please write a review about your experience with this company.

Methods of protection against the CRYPTED000007 virus

How can you protect yourself from ransomware and avoid material and moral damage? There are some simple and effective tips:

  1. Backups! Back up all important data. And not just a backup, but one that is not permanently accessible; otherwise the virus can encrypt both your documents and your backups.
  2. A licensed antivirus. Although they do not give a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the ransomware, but after 3-4 days they begin to react. This increases your chances of avoiding infection if you are not included in the first wave of mailings of a new ransomware modification.
  3. Do not open suspicious attachments in mail. There is nothing to add here: all the encryptors known to me reached users through mail, and every time new tricks are invented to deceive the victim.
  4. Do not mindlessly open links sent to you by friends via social networks or messengers. This is how viruses sometimes spread.
  5. Enable the display of file extensions in Windows. How to do this is easy to find on the Internet. This will let you notice the file extension of the virus. Most often it will be .exe, .vbs or .scr. In everyday work with documents, you are unlikely to come across such file extensions.
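Tip 5 can also be applied automatically to attachment names before anyone double-clicks them. The following is an added example, not code from the original article: it classifies a filename by its real (last) extension and blocks the executable types named above, and it goes a little beyond the tip by also catching the two common disguises, a document-looking middle extension such as "court_extract.doc.exe" and whitespace padding that pushes the real extension out of view in a file dialog. The extension sets and the sample names are constructed.

```python
"""Check attachment names for executables disguised as documents.

Added example, not code from the original article. Encodes the article's
advice (show extensions; be wary of .exe, .vbs, .scr) as a check a mail
gateway or a cautious user can run on a filename. Sample names are constructed.
"""
import os

# Extensions Windows runs as code on double-click (a common subset, constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                   ".bat", ".cmd", ".com", ".pif", ".hta", ".ps1"}
# Extensions people expect to be harmless data.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                 ".rtf", ".txt", ".jpg", ".jpeg", ".png", ".gif"}


def split_exts(name):
    """All dotted suffixes of a filename, innermost first, lower-cased and with
    embedded whitespace removed: 'a.doc .exe' -> ['.doc', '.exe']."""
    base = name.strip()
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        ext = "".join(ext.split()).lower()   # drop padding such as '.pdf    '
        if ext in ("", "."):
            break
        exts.append(ext)
        base = base.strip()                  # padding may sit before the last dot too
    return list(reversed(exts))


def classify_attachment(name):
    """Return ('block', reason) or ('allow', reason) for one attachment name."""
    exts = split_exts(name)
    if not exts:
        return ("block", "no extension, file type unknown")
    real = exts[-1]                          # only the last extension decides how Windows opens it
    if real in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return ("block", f"looks like {exts[-2]} but really runs as {real}")
        return ("block", f"executable attachment ({real})")
    return ("allow", f"ordinary {real} file")


def classify_many(names):
    """Map each name to its verdict, e.g. for a whole mailbox export."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    samples = [
        "court_extract.docx",
        "court_extract.doc.exe",
        "photo.jpg                .scr",
        "instructions.VBS",
        "README",
    ]
    for name, (verdict, why) in classify_many(samples).items():
        print(f"{verdict:5} {name!r}: {why}")
```

Only the final extension decides what Windows does with the file, which is why the check reads the suffixes from the right and why hiding extensions in Explorer is so dangerous: with them hidden, "court_extract.doc.exe" is displayed as "court_extract.doc".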

I have tried to add to what I already wrote earlier in each article about ransomware viruses. That's all for now. I will be glad to receive useful comments on the article and on the CRYPTED000007 encryption virus in general.

Video with decryption and file recovery

Here is an example with a previous modification of the virus, but the video is fully relevant for CRYPTED000007 as well.

According to the first reports, the ransomware virus activated on Tuesday was attributed to the already known Petya ransomware family, but later it turned out that this was a new family of malware with significantly different functionality. Kaspersky Lab has dubbed the new virus ExPetr.

“The analysis carried out by our experts showed that the victims initially had no chance of getting their files back. Kaspersky Lab researchers analyzed the part of the malware code that is related to file encryption and found that after the disk is encrypted, the creators of the virus have no way to decrypt it back.”

According to the company, a unique identifier of the specific Trojan installation is required for decryption. In earlier known versions of similar ransomware (Petya/Mischa/GoldenEye), the installation ID contained the information needed for decryption. In the case of ExPetr, this identifier does not exist. This means that the malware creators cannot obtain the information required to decrypt the files. In other words, ransomware victims are unable to recover their data, Kaspersky Lab explains.

The virus blocks computers and demands $300 in bitcoins, Group-IB told RIA Novosti. The attack began on Tuesday at around 11:00. According to media reports, by 18:00 on Wednesday the bitcoin wallet indicated for transferring funds to the extortionists had received nine transfers. Taking into account the transfer fees, the victims transferred about 2.7 thousand dollars to the hackers.

Compared to WannaCry, this virus is considered more destructive, as it spreads in several ways: using Windows Management Instrumentation, PsExec and the EternalBlue exploit. In addition, the encryptor embeds the free Mimikatz utility.

The number of users attacked by the new "new Petya" ransomware has reached 2,000, Kaspersky Lab, which is investigating the wave of computer infections, said on Wednesday.

According to the antivirus company ESET, the attack began in Ukraine, which suffered from it more than other countries. According to the company's rating by countries affected by the virus, Italy is in second place after Ukraine, and Israel is in third. The top ten also included Serbia, Hungary, Romania, Poland, Argentina, the Czech Republic and Germany. Russia in this list took 14th place.

In addition, Avast told which operating systems were most affected by the virus.

Windows 7 took the first place - 78% of all infected computers. This is followed by Windows XP (18%), Windows 10 (6%) and Windows 8.1 (2%).

Thus, WannaCry taught the world community practically nothing: computers remained unprotected, systems were not updated, and Microsoft's efforts to release patches even for outdated systems simply went to waste.

It continues its oppressive march across the Web, infecting computers and encrypting important data. How to protect yourself from ransomware and protect Windows from it: have patches been released to decrypt and cure files?

The new ransomware virus of 2017, Wanna Cry, continues to infect corporate and private PCs. Damage from the virus attack is estimated at $1 billion. In 2 weeks, the ransomware infected at least 300 thousand computers, despite warnings and security measures.

What is the 2017 ransomware? As a rule, you can "pick it up" on seemingly the most harmless sites, for example banking servers with user access. Once on the victim's hard drive, the ransomware "settles" in the System32 folder. From there the program immediately disables the antivirus and adds itself to "Autorun". After each reboot, the encryption program starts from the registry and begins its dirty work. The ransomware starts downloading similar copies of programs such as Ransom and Trojan. Self-replication of the ransomware is also common. This process can be instantaneous or take weeks, until the victim notices that something is wrong.

The ransomware often disguises itself as ordinary pictures or text files, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd; sometimes a .dll library. Most often the file has a completely harmless name, for example "document.doc" or "picture.jpg", where the extension is typed in manually and the true file type is hidden.

After encryption is completed, instead of familiar files the user sees a set of "random" characters in the name and contents, and the extension changes to a previously unknown one: .NO_MORE_RANSOM, .xdata and others.

The 2017 Wanna Cry ransomware virus: how to protect yourself. I would like to note right away that Wanna Cry is rather a collective term for all encryptor and ransomware viruses, since it has recently infected computers most often. So, let's talk about protecting yourself from ransomware, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, Wanna Cry.

How to protect Windows from ransomware: EternalBlue via SMB protocol ports.

Windows ransomware protection 2017, the basic rules:

  • Windows updates and timely migration to a licensed OS (note: the XP version is no longer updated)
  • updating antivirus databases and firewalls on demand
  • utmost care when downloading any files (cute "cats" can cost you all your data)
  • backing up important information to removable media.

Ransomware virus 2017: how to cure it and decrypt files.

Relying on antivirus software, you can forget about a decryptor for a while. The laboratories of Kaspersky, Dr. Web, Avast! and other antivirus vendors have not found a solution for curing infected files. At the moment, the virus can be removed using an antivirus, but there are no algorithms yet to return everything "to normal".

Some try to use decryptors such as the RectorDecryptor utility, but this will not help: an algorithm for decrypting the new viruses has not yet been compiled. It is also completely unknown how the virus will behave if it is not removed after such programs are used. Often this can result in the erasure of all files, as a warning from the virus authors to those who do not want to pay the attackers.

At the moment the most effective way to get the lost data back is to contact the technical support of the vendor of the antivirus program you are using. To do this, send an e-mail or use the feedback form on the manufacturer's website. Be sure to attach the encrypted file and, if you have one, a copy of the original. This will help the programmers draw up the algorithm. Unfortunately, for many a virus attack comes as a complete surprise and no copies are found, which greatly complicates the situation.

Drastic methods of treating Windows after ransomware. Unfortunately, sometimes you have to resort to a complete formatting of the hard drive, which entails a complete reinstallation of the OS. Many will think of restoring the system, but this is not an option: even if there is a "rollback" that gets rid of the virus, the files will still remain encrypted.

For decades, cybercriminals have successfully exploited weaknesses and vulnerabilities on the World Wide Web. However, in recent years there has been a clear increase in the number of attacks, as well as an increase in their level - attackers are becoming more dangerous, and malware is spreading at a rate that has never been seen before.

Introduction

We are talking about ransomware that made an incredible leap in 2017, causing damage to thousands of organizations around the world. For example, in Australia, ransomware attacks such as WannaCry and NotPetya have even raised concerns at the government level.

Summing up the "successes" of ransomware this year, we will look at the 10 most dangerous, which caused the most damage to organizations. Let's hope that next year we will learn the lessons and prevent this problem from penetrating our networks.

NotPetya

This ransomware's attack began with the Ukrainian accounting program M.E.Doc, which replaced 1C after the latter was banned in Ukraine. In just a few days, NotPetya infected hundreds of thousands of computers in over 100 countries. This malware is a variant of the older Petya ransomware, the only difference being that the NotPetya attacks used the same exploit as the WannaCry attacks.

As it spread, NotPetya affected several organizations in Australia, such as the Cadbury chocolate factory in Tasmania, which had to temporarily shut down its entire IT system. The ransomware also managed to infiltrate the world's largest container ship owned by Maersk, which reportedly lost up to $300 million in revenue.

WannaCry

This ransomware, terrible in its scale, has practically captured the whole world. Its attacks used the infamous EternalBlue exploit, which exploits a vulnerability in the Microsoft Server Message Block (SMB) protocol.

WannaCry infected victims in 150 countries and over 200,000 machines on the first day alone. We have written about this sensational malware.

Locky

Locky was the most popular ransomware in 2016, but it didn't go out of business in 2017 either. New variants of Locky, named Diablo and Lukitus, emerged this year using the same attack vector (phishing) to launch exploits.

It was Locky that was behind the Australia Post email scam scandal. According to the Australian Competition and Consumer Commission, citizens lost more than $80,000 due to this scam.

CrySis

This instance was notable for its masterful use of the Remote Desktop Protocol (RDP). RDP is one of the most popular ways of spreading ransomware, because this way cybercriminals can compromise the machines that control entire organizations.

CrySis victims were forced to pay between $455 and $1,022 to have their files restored.

Nemucod

Nemucod is distributed via a phishing email that looks like a shipping invoice. This ransomware downloads malicious files stored on hacked websites.

When it comes to using phishing emails, Nemucod is second only to Locky.

Jaff

Jaff is similar to Locky and uses similar methods. This ransomware is not remarkable for original methods of distribution or file encryption; on the contrary, it combines the most successful practices.

The attackers behind it demanded up to $3,700 for access to encrypted files.

Spora

To spread this type of ransomware, cybercriminals break into legitimate websites and add JavaScript code to them. Users who land on such a site receive a pop-up warning prompting them to update their Chrome browser in order to continue browsing the site. After downloading the so-called Chrome Font Pack, users were infected with Spora.

Cerber

One of the many attack vectors that Cerber uses is called RaaS (Ransomware-as-a-Service). Under this scheme, the attackers offer to pay for the distribution of the Trojan, promising a percentage of the money received in return. Through this "service", cybercriminals send out ransomware and then provide other attackers with the tools to spread it.

Cryptomix

It is one of the few ransomware families that does not have a payment portal of some kind available on the dark web. Affected users must wait for the cybercriminals to e-mail them instructions.

Cryptomix victims were users from 29 countries; they were forced to pay up to $3,000.

Jigsaw

Another piece of malware on the list that began its activity in 2016. Jigsaw inserts an image of the clown from the Saw film series into spam e-mails. Once the user clicks on the image, the ransomware not only encrypts the files but also deletes them if the user is too late to pay the $150 ransom.

Conclusions

As we can see, modern threats use increasingly sophisticated exploits against well-protected networks. While increased employee awareness helps manage the impact of infections, businesses need to go beyond basic cybersecurity standards to protect themselves. For protection against modern threats, proactive approaches are needed that use real-time analysis based on a learning mechanism which includes understanding the behavior and context of threats.

A ransomware virus is a malicious program that, when activated, encrypts all personal files, such as documents, photos, etc. The number of such programs is very large and it grows every day. Just recently, we have come across dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, .da_vinci_code, toste, fff, etc. The purpose of such ransomware is to force users to buy, often for a large sum of money, the program and key needed to decrypt their own files.

Of course, you can recover encrypted files simply by following the instructions the virus creators leave on the infected computer. But most often the cost of decryption is very significant, and you also need to know that some encryption viruses encrypt files in such a way that it is simply impossible to decrypt them later. And of course, it is just unpleasant to pay for the restoration of your own files.

Below we will talk in more detail about ransomware viruses, how they penetrate the victim's computer, as well as how to remove the ransomware virus and restore files encrypted by it.

How a ransomware virus enters a computer

A ransomware virus is usually spread through e-mail. The letter contains infected documents. These e-mails are sent to a huge database of e-mail addresses. The authors of this virus use misleading subjects and content, trying to trick the user into opening the document attached to the e-mail. Some letters say a bill needs to be paid, others offer to look at the latest price list, others open a funny photo, etc. In any case, the result of opening the attached file is the infection of the computer with a ransomware virus.

What is a ransomware virus

A ransomware virus is a piece of malware that infects modern versions of the Windows family of operating systems, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. These viruses try to use the strongest encryption available, for example RSA-2048 with a key length of 2048 bits, which virtually eliminates the possibility of finding the key to decrypt the files on your own.

While infecting a computer, the ransomware uses the %APPDATA% directory to store its own files. To start itself automatically when the computer is switched on, the ransomware creates an entry under the Windows registry keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. An executable under a user profile's AppData folder that is launched from a Run key is itself a strong indicator of compromise.

Immediately after launch, the virus enumerates all accessible drives, including network shares and synced cloud storage folders, to determine which files to encrypt. The ransomware uses the file name extension to decide which files belong to the target set. Almost all types of files are encrypted, including such common ones as:

.0, .1, .1st, .2bp, .3dm, .3ds, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

Immediately after a file is encrypted it is given a new extension, which can often be used to identify the name or family of the ransomware. Some variants also rename the encrypted files. The malware then drops a text file with a name such as HELP_YOUR_FILES or README that contains the instructions for obtaining the decryptor.

During its operation, the ransomware tries to block file recovery through VSS (Volume Shadow Copy Service, the Windows shadow copies of files). To do this it runs the command-line shadow copy administration utility, vssadmin, with the switch that deletes every shadow copy (vssadmin Delete Shadows /All /Quiet). That command needs administrator rights, which is what the repeated UAC prompts are asking for; once the user agrees, recovering files from shadow copies is almost always impossible.
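The three behaviours described above (an executable dropped under %APPDATA%, an Office document spawning that executable, and a vssadmin call that wipes all shadow copies) are exactly what a process-creation log shows during infection. The following detection logic is an added example written for this article, not a tool from the original text. The log lines are constructed samples in a simplified "timestamp|parent image|image|command line" layout, not real Sysmon or Windows Security (4688) records; adapt parse_event() to whatever your collector actually emits. The wmic shadowcopy delete rule is included because it is the other common way of issuing the same wipe.

```python
import ntpath
import re
from typing import Iterable, List, NamedTuple


class Event(NamedTuple):
    ts: str
    parent: str
    image: str
    cmdline: str


class Finding(NamedTuple):
    ts: str
    rule: str
    image: str


# Constructed sample telemetry (not real logs). Layout: ts|parent|image|cmdline.
SAMPLE_LOG = r"""
2017-05-14T10:01:02|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\ivan\Downloads\arbitration_court_notice.docm"
2017-05-14T10:01:05|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Users\ivan\AppData\Roaming\svchost.exe|svchost.exe
2017-05-14T10:01:07|C:\Users\ivan\AppData\Roaming\svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2017-05-14T10:03:00|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\ivan\Documents\notes.txt
2017-05-14T11:00:00|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe List Shadows
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Executable image living inside a user profile's AppData tree.
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.IGNORECASE)
# "vssadmin Delete Shadows /All ..." in any casing; listing shadows is benign.
VSS_WIPE_RE = re.compile(r"delete\s+shadows\b.*?/all", re.IGNORECASE)
# "wmic shadowcopy delete" performs the same wipe through WMI.
WMIC_WIPE_RE = re.compile(r"shadowcopy\s+delete", re.IGNORECASE)


def parse_event(line: str) -> Event:
    ts, parent, image, cmdline = line.split("|", 3)
    return Event(ts, parent, image, cmdline)


def basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux.
    return ntpath.basename(path).lower()


def check_event(ev: Event) -> List[Finding]:
    hits: List[Finding] = []
    img = basename(ev.image)
    if APPDATA_RE.search(ev.image):
        hits.append(Finding(ev.ts, "exec-from-appdata", ev.image))
    if img == "vssadmin.exe" and VSS_WIPE_RE.search(ev.cmdline):
        hits.append(Finding(ev.ts, "shadow-copy-wipe", ev.image))
    if img == "wmic.exe" and WMIC_WIPE_RE.search(ev.cmdline):
        hits.append(Finding(ev.ts, "shadow-copy-wipe", ev.image))
    if basename(ev.parent) in OFFICE_APPS and img not in OFFICE_APPS:
        hits.append(Finding(ev.ts, "office-spawned-process", ev.image))
    return hits


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over every non-empty log line, in log order."""
    findings: List[Finding] = []
    for line in lines:
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.ts}  {f.rule:<24} {f.image}")
```

On the sample, the three findings arrive within seconds of each other from one process chain (WINWORD.EXE to an AppData executable to vssadmin), which is the sequence worth alerting on; a lone "vssadmin List Shadows" from services.exe produces nothing.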

The ransomware actively uses intimidation: it gives the victim a link to a description of the encryption algorithm and displays a threatening message on the desktop. In this way it tries to push the user of the infected computer into sending the computer ID to the author's e-mail address without thinking, in the hope of getting the files back. The reply to such a message is usually the ransom amount and the address of an electronic wallet.

Is my computer infected with a ransomware virus?

It is quite easy to determine whether a computer is infected with ransomware. Look at the extensions of your personal files (documents, photos, music, and so on). If the extensions have changed, or your personal files have disappeared and been replaced by many files with unfamiliar names, the computer is infected. Another sign of infection is a file named HELP_YOUR_FILES or README in your directories; this file contains the instructions for decrypting the files.
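The two symptoms above (renamed files and a dropped note) can be checked mechanically, and an entropy test on file contents catches encrypted files even when the ransomware keeps the original name. The script below is an added example for this article, not a tool the original text describes; its directory tree is constructed in a temporary folder, the ".locked" suffix and the note text are invented for the sample, and the byte pattern bytes(range(256)) * 16 stands in for ciphertext because its entropy is exactly 8 bits per byte. The caveat it encodes: already-compressed formats (JPEG, ZIP, MP4, the zipped Office formats) have high entropy on their own, so the entropy rule is only applied to other extensions, while a "document extension with something appended" pattern such as budget.xlsx.locked is flagged regardless.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

NOTE_NAMES = {"help_your_files", "readme"}          # names the article cites
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".rtf", ".odt", ".ods"}
# Formats that are high-entropy when healthy; the entropy test says nothing here.
COMPRESSED_EXTS = {".zip", ".rar", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                   ".mp3", ".avi", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; plain text is ~4-5, ciphertext ~8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_ransom_note(path: Path) -> bool:
    return path.stem.lower() in NOTE_NAMES


def looks_encrypted(path: Path) -> bool:
    suffixes = [s.lower() for s in path.suffixes]
    # "budget.xlsx.locked": the original extension is still visible under an appended one.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        return True
    ext = suffixes[-1] if suffixes else ""
    if ext in COMPRESSED_EXTS:
        return False
    with path.open("rb") as fh:
        head = fh.read(4096)        # first block is enough to judge entropy
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(root: Path) -> Dict[str, List[str]]:
    """Walk the tree once and sort files into ransom notes and probable ciphertext."""
    result: Dict[str, List[str]] = {"ransom_notes": [], "encrypted": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if looks_ransom_note(path):
            result["ransom_notes"].append(rel)
        elif looks_encrypted(path):
            result["encrypted"].append(rel)
    return result


def build_fixture() -> Path:
    """Constructed sample tree (not real victim data) in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"Meeting minutes, quarterly planning.\n" * 40)
    (root / "docs" / "budget.xlsx.locked").write_bytes(bytes(range(256)) * 16)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff" + bytes(range(256)) * 16)
    (root / "docs" / "HELP_YOUR_FILES.txt").write_text("All your files are encrypted. To decrypt ...")
    return root


if __name__ == "__main__":
    print(triage(build_fixture()))
```

Run it against a user's profile directory instead of the fixture to get a quick count of how far encryption has progressed; a non-empty "encrypted" list with an empty "ransom_notes" list usually means the malware is still running and has not yet dropped its note.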

If you suspect that you have opened a message infected with ransomware but there are no symptoms of infection yet, do not switch off or restart the computer; do, however, disconnect it from the network (unplug the cable or disable Wi-Fi) so that network shares and cloud folders are not encrypted as well. Then follow the steps described in the corresponding section of this manual. Once again: it is very important not to switch the computer off, because with some types of ransomware the file encryption is triggered the first time the computer is started after infection.

How to decrypt files encrypted by a ransomware virus?

If this misfortune has happened, there is no need to panic. First identify the family from the new extension and the ransom note and check whether a free decryptor exists for it; for some families the keys have been published or the encryption was implemented with a flaw. But you need to know that in most cases there is no free decryptor. This is due to the strong encryption algorithms such malware uses, which means that it is practically impossible to decrypt the files without the private key. Brute-forcing the key is not an option either, because of its length. Therefore, unfortunately, paying the authors the full amount they demand is often the only way to try to obtain the decryption key.

Of course, there is absolutely no guarantee that after payment the authors will get in touch and provide the key needed to decrypt your files. In addition, you need to understand that by paying the developers you are encouraging them to create new ransomware.

How to remove the ransomware virus?

Before proceeding, make a copy of the encrypted files and of the ransom notes (ideally a full image of the disk) onto a clean drive. Removing the malware or attempting to restore the files yourself can destroy the victim ID and the note you would need in order to pay the authors, or to use a decryptor that may be released later.

Kaspersky Virus Removal Tool and Malwarebytes Anti-Malware can detect various active ransomware families and will remove them from the computer with little effort, BUT they cannot restore encrypted files.

5.1. Remove ransomware with Kaspersky Virus Removal Tool

By default, QPhotoRec is configured to recover all file types, but to speed up the work it is advisable to leave selected only the types of files you actually need to recover. When you have finished the selection, press the OK button.

At the bottom of the QPhotoRec window, find the Browse button and click it. You need to choose a directory in which the recovered files will be saved. Use a disk that does not contain the encrypted files you are trying to recover (a USB flash drive or an external drive will do); writing to the affected disk can overwrite the very sectors that still hold the deleted originals.

To start searching for and restoring the original copies of the encrypted files, click the Search button. This process takes quite a long time, so be patient.

When the search is finished, click the Quit button. Now open the folder you chose to save the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3 and so on; the more files the program finds, the more directories there will be. To locate the files you need, check the directories one by one. To make it easier to find the right file among the many recovered ones, use the built-in Windows Search (searching by file contents), and do not forget the sorting function in directories. You can sort by the date the file was modified, since QPhotoRec tries to restore this property when it recovers a file.
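QPhotoRec can recover originals because ransomware usually writes the ciphertext to a new file and deletes the plaintext, so the old contents often survive in unallocated disk space until they are overwritten; the tool scans the raw disk for known file signatures and cuts each file out by its own structure, which is also why the output has generic names like recup_dir.1 and no folder paths (those lived in the file system, not in the data). The following is an added example of that signature carving, written for this article and not taken from PhotoRec's source: it builds a small constructed "disk image" containing a deleted PNG, a deleted JPEG and a damaged PNG, and carves the intact two. PNG recovery walks the chunk list and checks every CRC, so a file whose blocks were partly overwritten is rejected rather than returned as garbage; the JPEG rule only looks for the end-of-image marker, the simpler approach used for formats without internal checksums.

```python
import struct
import zlib
from typing import List, NamedTuple, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


class Carved(NamedTuple):
    kind: str
    offset: int
    data: bytes


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """length + type + payload + CRC32(type + payload), per the PNG spec."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def make_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG, constructed here as sample data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # one filter byte + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def carve_png(image: bytes, start: int) -> Optional[bytes]:
    """Follow the chunk list from the signature; stop after IEND; reject bad CRCs."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(image):
        length, = struct.unpack(">I", image[pos:pos + 4])
        ctype = image[pos + 4:pos + 8]
        end = pos + 8 + length + 4
        if end > len(image):
            return None
        payload = image[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", image[end - 4:end])
        if crc != zlib.crc32(ctype + payload):
            return None                     # overwritten or fragmented, not recoverable
        pos = end
        if ctype == b"IEND":
            return image[start:pos]
    return None


def carve_jpeg(image: bytes, start: int) -> Optional[bytes]:
    end = image.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else image[start:end + len(JPEG_EOI)]


def carve(image: bytes) -> List[Carved]:
    """Scan the whole image for signatures, earliest first, and cut out each file."""
    found: List[Carved] = []
    pos = 0
    while pos < len(image):
        cands = [(off, kind) for off, kind in
                 ((image.find(PNG_SIG, pos), "png"), (image.find(JPEG_SOI, pos), "jpeg"))
                 if off >= 0]
        if not cands:
            break
        off, kind = min(cands)
        data = carve_png(image, off) if kind == "png" else carve_jpeg(image, off)
        if data is None:
            pos = off + 1                   # false or damaged hit, keep scanning
            continue
        found.append(Carved(kind, off, data))
        pos = off + len(data)
    return found


def make_disk_image() -> bytes:
    """Constructed unallocated space: intact PNG, damaged PNG, intact JPEG among filler."""
    png = make_png()
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + JPEG_EOI
    damaged = bytearray(png)
    damaged[20] ^= 0xFF                     # corrupt a byte inside the IHDR payload
    return (b"\x00" * 512 + png + b"\xaa" * 300 + bytes(damaged)
            + b"\x00" * 100 + jpeg + b"\x00" * 512)


if __name__ == "__main__":
    for c in carve(make_disk_image()):
        print(f"{c.kind:5} at offset {c.offset:6}  {len(c.data)} bytes")
```

The same loop run over a real device (for example by reading /dev/sdX or \\.\PhysicalDrive0 in blocks) is the core of what QPhotoRec does for its hundreds of formats; the lesson for recovery is that every write to the affected disk, including saving the carved output there, can destroy what is left.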

How to prevent a computer from being infected with a ransomware virus?

Most modern anti-virus programs already include protection against the penetration and activation of ransomware. So if your computer has no anti-virus program, be sure to install one. You can find out how to choose one by reading this.

In addition, there are specialised protective programs; one example is CryptoPrevent, described in more detail here.

A few final words

By following these instructions, you will clear your computer of the ransomware. If you have questions or need help, please contact us.