Children of Lieutenant CryptoLocker. Opening DirCrypt, TorLocker, TeslaCrypt, TorrentLocker, Critroni and CryptoWall

About a week or two ago, another product of modern virus writers appeared on the network, one that encrypts all of the user's files. Once again, I will look at how to clean a computer after the CRYPTED000007 ransomware and how to recover the encrypted files. Nothing new or unique has appeared here; it is just a modification of the previous version.

Guaranteed decryption of files after a ransomware infection: dr-shifro.ru. The details of the work and the scheme of interaction with the customer are given below in my article or on their website in the “Procedure of work” section.

Description of the ransomware virus CRYPTED000007

The CRYPTED000007 encryptor does not fundamentally differ from its predecessors. It works almost identically to them. Still, there are a few nuances that set it apart. I'll describe everything in order.

Like its counterparts, it arrives by mail. Social engineering techniques are used to make the user take an interest in the letter and open it. In my case, the letter was about some court case and about important information on the case in the attachment. After launching the attachment, the user sees a Word document with an extract from the Moscow Arbitration Court.

In parallel with the opening of the document, file encryption starts, and a Windows User Account Control prompt starts popping up continuously.

If you agree to the prompt, the backup copies of your files in the Windows shadow copies will be deleted and recovering the information will become very difficult. Obviously, you must not agree to it under any circumstances. In this ransomware, these prompts pop up constantly, one after another, and do not stop, pressuring the user to agree and delete the backups. This is the main difference from previous ransomware modifications. I have never seen the shadow copy deletion prompts go on non-stop before. Usually, they stopped after 5-10 prompts.

I'll give you a recommendation for the future. Very often, people turn off the User Account Control warnings. You don't need to do this. This mechanism really can help in resisting viruses. The second obvious piece of advice is not to routinely work under a computer administrator account if it is not objectively necessary. In that case, the virus will not have the opportunity to do much harm, and you will be more likely to resist it.

But even if you answered negatively to ransomware requests all the time, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files on the desktop with the same content.

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Then you will get all the necessary instructions. Attempts to decipher them yourself will not lead to anything, except for the irretrievable loss of information. If you still want to try, then make backup copies of the files beforehand, otherwise, if they are changed, decryption will not be possible under any circumstances. If you have not received a response to the above address within 48 hours (and only in this case!), please use the feedback form. This can be done in two ways: 1) Download and install Tor Browser by link: https://www.torproject.org/download/download-easy.html.en In Tor Browser enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form is loaded. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address gervasiy.menyae [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

The mail address may change. I've seen other addresses like these:

Addresses are constantly updated, so they can be completely different.

As soon as you find that the files are being encrypted, immediately turn off the computer. This must be done to abort the encryption process, both on the local computer and on network drives. A ransomware virus can encrypt all information it can reach, including data on network drives. But if there is a large amount of information, it will take the virus a considerable amount of time. Sometimes, even after a couple of hours, the ransomware had not managed to encrypt everything on a network drive of about 100 gigabytes.

Next, you need to think carefully about how to act. If you absolutely need the information on your computer and you do not have backup copies, then it is better to contact specialists at this point. Not necessarily a company for money; you just need a person who is well versed in information systems. It is necessary to assess the scale of the disaster, remove the virus, and collect all available information on the situation in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate the process of decrypting or recovering files. At worst, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and finished its work, all useful files will be encrypted and renamed with the extension .crypted000007. Not only the file extension is replaced but also the file name, so you won't know exactly what files you had unless you remember. It will look something like this picture.

In such a situation, it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in different folders. This was done on purpose to confuse a person and encourage them to pay for decrypting files.

And if network folders were encrypted and there are no full backups, this can bring the work of the entire organization to a halt. You will not immediately understand what has ultimately been lost in order to begin recovery.

How to treat your computer and remove the CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to cure a computer and how to remove a virus from it in order to prevent further encryption if it has not yet been completed. I immediately draw your attention to the fact that after you yourself begin to perform some actions with your computer, the chances of decrypting the data decrease. If you need to recover files by all means, do not touch your computer, but immediately contact professionals. Below I will talk about them and give a link to the site and describe the scheme of their work.

In the meantime, we will continue to clean the computer and remove the virus ourselves. Traditionally, ransomware is easily removed from the computer, since the virus does not have the task of remaining on the computer at all costs. After fully encrypting the files, it is even more profitable for it to delete itself and disappear, so that it is harder to investigate the incident and decrypt the files.

Describing the manual removal of a virus is difficult, although I tried to do it before, but I see that most of the time it is pointless. File names and virus placement paths are constantly changing. What I saw is no longer relevant in a week or two. Usually, viruses are sent by mail in waves, and each time there is a new modification that has not yet been detected by antiviruses. Universal tools that check autorun and detect suspicious activity in system folders help.

To remove the CRYPTED000007 virus, you can use the following programs:

  1. Kaspersky Virus Removal Tool - a utility from Kaspersky: http://www.kaspersky.ru/antivirus-removal-tool
  2. Dr.Web CureIt! - a similar product from Dr.Web: http://free.drweb.ru/cureit
  3. If the first two utilities don't help, try Malwarebytes 3.0: https://ru.malwarebytes.com

Most likely, one of these products will clear the computer of the CRYPTED000007 ransomware. If it suddenly happens that they do not help, try removing the virus manually. I gave the removal technique as an example and you can see it there. In a nutshell, here's what you need to do:

  1. Look at the list of processes in Task Manager, having first added several extra columns to it.
  2. Find the virus process, open the folder it sits in and delete the file.
  3. Remove references to the virus process (by its file name) from the registry.
  4. Reboot and make sure that the CRYPTED000007 process is no longer in the list of running processes.

Where to download the decryptor CRYPTED000007

The question of a simple and reliable decryptor is the first thing that comes up when it comes to a ransomware virus. The first thing I advise is to use the https://www.nomoreransom.org service. If you are lucky, they will have a decryptor for your version of the CRYPTED000007 encryptor. I will say right away that your chances are not great, but there is no harm in trying. On the home page click Yes:

Then upload a couple of encrypted files and click Go! find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have more luck. You can also see the list of decryptors for download on a separate page - https://www.nomoreransom.org/decryption-tools.html . Maybe there is something useful there. When the virus is very fresh, there is little chance of this, but over time, something may appear. There are examples when decryptors for some modifications of ransomware appeared on the network. And these examples are on the specified page.

Where else you can find a decryptor, I do not know. It is unlikely that one really exists, given the way modern ransomware works. Only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The technical implementation of the encryption does not allow decrypting files without a key or decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I have no such information. We can only try to recover files using improvised methods. These include:

  • The Windows shadow copies tool.
  • Programs for recovering deleted data.

First, let's check whether shadow copies are enabled. This tool works by default in Windows 7 and higher unless you disable it manually. To check, open the properties of the computer and go to the System Protection section.

If during infection you did not confirm the UAC request to delete files in shadow copies, then some data should remain there. I talked about this request in more detail at the beginning of the story, when I talked about the work of the virus.

To easily restore files from shadow copies, I suggest using a free program for this: ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of the files and the root of drive C will open. In the upper left corner you can choose a backup if you have more than one. Check different copies for the desired files, comparing by date to find the more recent version. In my example below, I found 2 files on my desktop that had last been edited three months earlier.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and indicated the folder where to restore them.

You can restore whole folders in the same way. If shadow copies were working for you and you did not delete them, you have a good chance of recovering all or almost all of the files encrypted by the virus. Perhaps some of them will be older versions than you would like, but that is still better than nothing.

If for some reason you do not have shadow copies of your files, the only chance to get back at least some of the encrypted files is to recover them using tools for recovering deleted files. For this, I suggest using the free Photorec program.

Run the program and select the disk on which you will recover files. To launch the graphical version of the program, run the file qphotorec_win.exe. You must select the folder where the found files will be placed. It is better if this folder is not located on the same drive where we are searching. Connect a flash drive or an external HDD for this.

The search process will take a long time. At the end you will see statistics. Now you can go to the folder you specified earlier and see what was found there. There will most likely be a lot of files, and most of them will either be damaged or be some kind of useless system files. Nevertheless, it will be possible to find some useful files in this list. There are no guarantees here: what you find is what you get. Images usually restore best of all.

If the result does not satisfy you, then there are still programs for recovering deleted files. Below is a list of programs that I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. With a strong desire, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Filecoder.ED ransomware

Popular antiviruses detect the CRYPTED000007 ransomware as Filecoder.ED, or under some other designation. I went through the forums of the main antivirus vendors and did not see anything useful there. Unfortunately, as usual, the antiviruses were not ready for the invasion of a new wave of ransomware. Here is a message from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware trojans. Nevertheless, I recommend using them. If you are lucky and receive a ransomware mailing not in the first wave of infections but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers. When a new version of ransomware comes out, antiviruses do not respond to it. As soon as a certain amount of material on the new virus accumulates for research, antiviruses release an update and begin to respond to it.

What prevents antiviruses from responding immediately to any encryption process in the system is not clear to me. Perhaps there is some technical nuance on this topic that does not allow you to adequately respond and prevent encryption of user files. It seems to me that it would be possible to at least display a warning about the fact that someone is encrypting your files, and offer to stop the process.

Where to apply for guaranteed decryption

I happened to meet one company that really decrypts data after the work of various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment only after full decryption and your verification. Here is an example workflow:

  1. A specialist from the company comes to your office or home and signs a contract with you, in which the cost of the work is fixed.
  2. Runs the decryptor and decrypts all files.
  3. You make sure that all files are opened, and sign the act of delivery / acceptance of the work performed.
  4. Payment only upon successful decryption result.

To be honest, I don't know how they do it, but you don't risk anything. Payment only after the demonstration of the decoder. Please write a review about your experience with this company.

Methods of protection against the virus CRYPTED000007

How to protect yourself from the work of a ransomware and do without material and moral damage? There are some simple and effective tips:

  1. Backup! Backup of all important data. And not just a backup, but a backup to which there is no permanent access. Otherwise, the virus can infect both your documents and backups.
  2. Licensed antivirus. Although they do not give a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the ransomware, but after 3-4 days they begin to react. This increases your chances of avoiding infection if you are not included in the first wave of mailings of a new ransomware modification.
  3. Do not open suspicious attachments in mail. There is nothing to comment on here. All cryptographers known to me got to users through mail. And every time new tricks are invented to deceive the victim.
  4. Do not mindlessly open links sent to you by your friends via social networks or messengers. This is how viruses sometimes spread.
  5. Enable the display of file extensions in Windows. How to do this is easy to find on the Internet. This will allow you to notice the file extension of the virus. Most often it will be .exe, .vbs or .scr. In everyday work with documents, you are unlikely to come across such file extensions.

I tried to supplement what I already wrote earlier in each article about the ransomware virus. Until then I say goodbye. I will be glad to receive useful comments on the article and the CRYPTED000007 encryption virus in general.

Video with decryption and file recovery

Here is an example of a previous modification of the virus, but the video is fully relevant for CRYPTED000007 as well.

A family of ransomware Trojans that encrypt files and add the “.xtbl” and “.ytbl” extensions to them appeared in late 2014 and early 2015 and rather quickly took a stable position among the top three most common ransomware families in Russia (along with and ). According to Kaspersky Lab's classification, this threat received the Trojan-Ransom.Win32.Shade verdict. The “author's” name of this ransomware is unknown; other antivirus companies detect it under the names Trojan.Encoder.858 and Ransom:Win32/Troldesh.

There is practically no evolution of the Trojan: only the format of the encrypted file name, C&C addresses, and the RSA key set change.

We are aware of two main methods for delivering this malware to the victim's computer - spam mailings and exploit kits (in particular, Nuclear EK).

In the first case, the victim receives an email containing an executable malicious file. The system becomes infected after an attempt to open an attachment. Trojan-Ransom.Win32.Shade was distributed using the following file names:

  • doc_dlea-subpisi.com
  • doc_dlea signature.rar
  • documenti_589965465_documenti.com
  • documenti_589965465_documenti.rar
  • documenti_589965465_doc.scr
  • doc_dlea signature.rar
  • not verified 308853.scr
  • documenti dlea signature 08/05/2015.scr.exe
  • akt sverki za 17082015.scr

Note that the file name changes with each distribution wave, and the options are not limited to those listed above.

The second distribution method (exploit kit) is more dangerous, since infection occurs without user intervention when the victim visits a compromised website. This can be either the attackers' own site or a completely legitimate but hacked resource. Most often, the user does not know that the site poses any danger. Malicious code on the site exploits a vulnerability in the browser or its plug-ins, after which the target Trojan is installed in the system silently. In this case, unlike with a spam email, the victim is not even required to run an executable file.

After Trojan-Ransom.Win32.Shade has entered the system, it connects to the C&C located in the Tor network, reports the infection and requests the RSA-3072 public key, which it subsequently uses to encrypt files (we will discuss exactly how below). If the connection fails, the malware chooses one of the 100 public keys contained in its body just for this case.

The Trojan then proceeds to encrypt the files. When searching for encryption objects, it uses the static list of extensions shown in the screenshot.

When encryption is completed, a frightening picture is installed on the desktop:

The malware leaves ransom demands in the README1.txt, …, README10.txt files. Their content is always the same:

However, unlike most other ransomware, Trojan-Ransom.Win32.Shade doesn't stop there. It does not terminate its process, but starts an endless loop in which it requests a list of malware addresses from the C&C, and then downloads and installs this software into the system; this functionality is typical for downloader bots. We have identified downloads of representatives of the following families:

  • Trojan.Win32.CMSBrute (we'll talk about it in more detail below).
  • Trojan.Win32.Muref
  • Trojan.Win32.Kovter
  • Trojan-Downloader.Win32.Zemot

Download and wait loop code:

In this regard, it is very important to conduct a full anti-virus scan of the computer in case the Shade encryptor (or the results of its work - files with the extensions .xtbl, .ytbl) is detected. If left untreated, there is a high chance that the system will remain infected with several different malware downloaded by this ransomware.

Common features of Shade family Trojans

  • Each sample contains the address of one C&C server, in total, addresses of 10 C&C servers were found in different samples, 8 of which are currently active. All servers are located in the Tor network.
  • Saves the old wallpaper in the registry before setting its own wallpaper.
  • Usually packed with UPX and an additional packer, when unpacked it has a size of 1817 KB.
  • On the infected computer creates 10 identical files README1.txt, … README10.txt with ransom demands in Russian and English.
  • To encrypt the contents of each file and the name of each file, a unique 256-bit AES key is generated; encryption is carried out in CBC mode with a zero initialization vector.
  • Contains 100 RSA-3072 public keys with a public exponent of 65537 (a total of 300 different public keys were found in different samples).
  • It has the functionality of downloading and launching malware.

Cryptographic scheme

Generation of the id of the infected computer

  1. The Trojan obtains the computer name (comp_name) using the GetComputerName API function and the number of processors (num_cpu) using the GetSystemInfo API function;
  2. calculates a 32-bit constant based on the serial number of the system volume and converts it to a hex string (vol_const);
  3. gets the OS version data (os_version) separated by “;” (for example, “5;1;2600;1;Service Pack 3”);
  4. forms the string comp_name num_cpu vol_const os_version;
  5. calculates the MD5 of this string;
  6. converts the MD5 hash to a hex string and takes its first 20 characters. The result is used as the computer id.

Getting key data

After generating the id, an attempt is made to connect with the C&C server located in the Tor network, send it the computer id and receive the public RSA key in response. In case of failure, one of the 100 public RSA keys hardwired into the Trojan is selected.

File encryption

Files are encrypted using the AES-256 algorithm in CBC mode. For each encrypted file, two random 256-bit AES keys are generated: one is used to encrypt the contents of the file, the second to encrypt the file name. These keys are placed in the key_data service structure, which is itself encrypted with the selected RSA key (occupying 384 bytes after encryption) and appended to the end of the encrypted file:

In C language syntax this structure can be written as follows:

The Trojan tries to rename the encrypted file, using as the new name the result of Base64(AES_encrypt(original filename)).xtbl (for example, ArSxrr+acw970LFQw.xtbl), and if that fails, simply appends the extension .ytbl to the original file name. In later versions, the id of the infected computer is inserted before the .xtbl extension, for example: ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl.

The body of the Trojan contains the address of one C&C server. The servers themselves are located in the Tor network; communication with them is carried out using a Tor client statically linked into the Trojan. The sample sends the following requests to the C&C server:

  1. Request a new RSA public key:
     GET http:// .onion/reg.php?i=ID&b=build&v=version&ss=stage
     ID – identifier of the infected computer;
     build – identifier of a particular malware sample;
     version – version of the malware; versions 1 and 2 were encountered;
     stage – the stage of encryption: a request for a new RSA public key or a message about the completion of file encryption.
  2. Error message:
     GET http:// .onion/err.php?i=ID&b=build&v=version&err=error
     error – base64-encoded message about the error that occurred during encryption.
  3. Summary of the current stage of the ransomware's work:
     GET http:// .onion/prog.php?i=ID&b=build&v=version&ss=stage&c=count&f=finish
     count – current number of encrypted files;
     finish – encryption completion flag.
  4. System information:
     POST http:// .onion/sys.php?i=ID&b=build&v=version&ss=stage&c=count&k=key_number&si=info
     key_number – number of the selected RSA key (if the key was not received from the server but chosen from those contained in the body of the malware);
     info – information collected from the infected computer:
     • Computer name
     • Username
     • IP address
     • Computer domain
     • List of logical drives
     • Windows OS version
     • List of installed software
  5. Request a list of URLs from which to download and run additional malware:
     GET http:// .onion/cmd.php?i=ID&b=build&v=version

Ransomware distribution

Affiliate program

The code that users are asked to send to the attackers by e-mail may look like ID|0 if the public key was received from the C&C server, or ID|key_number|build|version if one of the RSA public keys embedded in the sample, with the number key_number, was used. ID stands for the identifier of the infected computer, and the two numbers build and version denote the ID of a particular sample and the version of the encryptor, respectively.
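The id derivation from the “Cryptographic scheme” section, the .xtbl/.ytbl naming conventions and the ransom-code format just described, combined into a small triage helper for a responder who wants to check which host a set of encrypted files belongs to. This is an added example, not Kaspersky's code and not code from the Trojan. It assumes that the four id components are joined with single spaces and that the hex is upper-cased (the ids quoted on this page are upper-case), and it takes vol_const as an already-computed hex string, because the page does not describe how the 32-bit constant is derived from the volume serial number. All sample values are constructed.

```python
"""Triage helpers for Trojan-Ransom.Win32.Shade artefacts (added example, not the
Trojan's or Kaspersky's code). Assumptions are marked in comments."""
import hashlib
import re

RSA_TRAILER_LEN = 384  # RSA-3072 ciphertext of key_data, appended to every encrypted file

# Encrypted-name conventions from the article: Base64(AES(original name)).xtbl,
# optionally with the 20-hex-char computer id before .xtbl; or original name + .ytbl.
_XTBL_RE = re.compile(r"^(?P<b64>[A-Za-z0-9+/]+=*)(?:\.(?P<id>[0-9A-F]{20}))?\.xtbl$")


def shade_computer_id(comp_name: str, num_cpu: int, vol_const: str, os_version: str) -> str:
    """Rebuild the 20-character computer id from the four inputs the Trojan collects.

    vol_const is the hex string of the 32-bit volume constant; its derivation from the
    volume serial is not described on the page, so the caller supplies it.
    ASSUMPTION: the parts are joined with single spaces and the hex digest is upper-cased.
    """
    data = f"{comp_name} {num_cpu} {vol_const} {os_version}".encode("utf-8")
    return hashlib.md5(data).hexdigest().upper()[:20]


def parse_encrypted_name(filename: str):
    """Classify a file name as .xtbl (AES-encrypted name, optional id), .ytbl
    (original name kept), or not a Shade artefact (None)."""
    if filename.endswith(".ytbl") and len(filename) > 5:
        return {"scheme": "ytbl", "original_name": filename[:-5], "computer_id": None}
    m = _XTBL_RE.match(filename)
    if not m:
        return None
    # The original name is only recoverable with the per-file AES key, which sits
    # RSA-wrapped in the trailer, so it is reported as unknown here.
    return {"scheme": "xtbl", "original_name": None, "computer_id": m.group("id")}


def split_rsa_trailer(blob: bytes):
    """Separate the AES-CBC body of an encrypted file from the RSA-wrapped key_data
    trailer. Without the attackers' RSA private key the trailer cannot be opened."""
    if len(blob) < RSA_TRAILER_LEN:
        raise ValueError("too short to carry the 384-byte key_data trailer")
    return blob[:-RSA_TRAILER_LEN], blob[-RSA_TRAILER_LEN:]


def parse_ransom_code(code: str) -> dict:
    """Decode the code victims are told to e-mail: ID|0 (key came from the C&C) or
    ID|key_number|build|version (one of the embedded RSA keys was used)."""
    parts = code.strip().split("|")
    if len(parts) == 2 and parts[1] == "0":
        return {"computer_id": parts[0], "key_source": "c2", "key_number": None,
                "build": None, "version": None}
    if len(parts) == 4:
        return {"computer_id": parts[0], "key_source": "embedded",
                "key_number": int(parts[1]), "build": int(parts[2]), "version": int(parts[3])}
    raise ValueError(f"unrecognised ransom code format: {code!r}")


def files_match_host(filenames, expected_id: str) -> dict:
    """Split encrypted names into those tagged with the expected host id, those tagged
    with some other id (files encrypted on another machine, e.g. over a share), and
    those carrying no id at all (older samples or .ytbl fallback)."""
    result = {"this_host": [], "other_host": [], "untagged": []}
    for name in filenames:
        info = parse_encrypted_name(name)
        if info is None:
            continue
        cid = info["computer_id"]
        if cid is None:
            result["untagged"].append(name)
        elif cid == expected_id:
            result["this_host"].append(name)
        else:
            result["other_host"].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from a real infection.
    host_id = shade_computer_id("WORKSTATION-01", 2, "1A2B3C4D", "5;1;2600;1;Service Pack 3")
    sample = ["ArSxrr+acw970LFQw.xtbl", f"ArSxrr+acw970LFQw.{host_id}.xtbl",
              "report.docx.ytbl", "notes.txt"]
    print(host_id, files_match_host(sample, host_id))
    print(parse_ransom_code("329D54752553ED978F94|0"))
```

The split between "this_host" and "other_host" is the useful part in practice: a share full of files tagged with a foreign id tells you which workstation to image first.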

When analyzing malware samples, we found various combinations of build values, email addresses for contacting the attackers, and C&C addresses. Different build values correspond to different mail addresses, while the same C&C can serve several different samples:

build   C&C                      email
2       a4yhexpmth2ldj3v.onion   [email protected], [email protected]
2       a4yhexpmth2ldj3v.onion   [email protected], [email protected]
4       a4yhexpmth2ldj3v.onion   [email protected], [email protected]
6       a4yhexpmth2ldj3v.onion   [email protected], [email protected]
2       e4aibjtrguqlyaow.onion   [email protected], [email protected]
15      e4aibjtrguqlyaow.onion   [email protected], [email protected]
12      gxyvmhc55s4fss2q.onion   [email protected], [email protected]
14      gxyvmhc55s4fss2q.onion   [email protected], [email protected]
4       gxyvmhc55s4fss2q.onion   [email protected], [email protected]

We recorded the distribution of different samples of two versions of the ransomware. At the same time, each specific sample of the same version of the malware had a unique combination of build-email (the ID of a specific sample and the address for contacting the attackers).

Although no affiliate-program advertisements were found, based on this data we can assume that the distribution of the Trojan and the collection of the ransom are carried out through an affiliate network. Probably, the sample IDs (build values) and the different email addresses correspond to different distribution partners of this malware.

Geography

The most common cases of infection with this Trojan are in Russia, Ukraine, and Germany. According to KSN, Trojan-Ransom.Win32.Shade distribution geography is as follows.

Russia 70,88%
Germany 8,42%
Ukraine 6,48%
Austria 3,91%
Switzerland 2,98%
Poland 1,45%
Kazakhstan 1,20%
Belarus 1,07%
Brazil 0,55%

Downloaded malware: a Trojan that brute-forces website passwords

Among malware downloaded by Trojan-Ransom.Win32.Shade, there is a Trojan that brute-forces passwords for websites. In terms of its internal organization, the brute-forcer is very similar to the ransomware itself - most likely, it is a project of the same authors. The downloaded malware received the verdict Trojan.Win32.CMSBrute.

General features of the CMSBrute family

  • Written in C++ using STL and native classes.
  • Statically linked to the Tor client.
  • Uses boost (threads), curl, OpenSSL libraries.
  • Each sample contains the address of one C&C server; in total, the addresses of three C&C servers were found in different samples. All C&Cs are in the Tor network, they are different from the addresses found in the Trojan-Ransom.Win32.Shade samples.
  • All strings (together with the names of imported functions) are encrypted with the AES algorithm, decrypted at program start, after which the import table is dynamically populated.
  • Usually packed with UPX, when unpacked it has a size of 2080-2083 KB.
  • Copies itself to one of the C drive directories named csrss.exe.
  • Downloads additional DLL plugins. The plugins contain code to determine the content management system (CMS) installed on the attacked website, locate the admin panel and guess passwords. Plugins have been found that support sites based on Joomla, WordPress and DataLife Engine.

Communication with the command and control server

Each Trojan.Win32.CMSBrute contains the address of one C&C server. The servers are located in the Tor network, communication with them is carried out using a Tor client statically linked to the Trojan.

The sample sends the following requests to the C&C server:

  1. Registering a new bot:
     GET http:// .onion/reg.php?n=ID&b=build&v=version&sf=stage
     ID – identifier of the infected computer; calculated by an algorithm that differs slightly from the one in the Shade encryptor;
     build – identifier of a particular malware sample; only build 1 was encountered;
     version – version of the malware; only version 1 was encountered;
     stage – stage of the Trojan’s work.
  2. Request for URLs for downloading or updating plugin DLLs:
     GET http:// .onion/upd.php?n=ID&b=build&v=version&p=plugins
  3. Request for a task to determine the CMS on the site and check logins and passwords:
     GET http:// .onion/task.php?n=ID&b=build&v=version&p=plugins
     plugins – versions of the installed plugin DLLs.
     The response from the server comes in JSON format and contains the addresses of the attacked sites and a dictionary for guessing passwords.
  4. Sending a brute-force report:
     POST http:// .onion/rep.php?n=ID&b=build&v=version&rep=report
     report – JSON string containing a report on the CMS found on the website and the logins and passwords guessed for the admin panel.
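The two request lists on this page (the Shade encryptor's reg/err/prog/sys/cmd endpoints in the “Cryptographic scheme” section and the CMSBrute reg/upd/task/rep endpoints just above) share a shape: `<endpoint>.php` with `b=<build>` and `v=<version>`, differing in whether the victim id travels in `i=` (Shade) or `n=` (CMSBrute). The detector below classifies captured request lines by that shape. It is an added example, not Kaspersky's code; the line format, the .onion host names, ids and timestamps are all constructed. Because both Trojans talk to their C&C through a statically linked Tor client, these URLs would be seen by a sandbox or an instrumented Tor endpoint rather than in an ordinary corporate proxy log.

```python
"""Classify Shade / CMSBrute C&C requests from captured request lines.
Added example, not Kaspersky's code; sample data is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> meaning, taken from the request lists on the page.
SHADE_ENDPOINTS = {
    "reg.php": "RSA key request / registration",
    "err.php": "error report",
    "prog.php": "encryption progress report",
    "sys.php": "system information upload",
    "cmd.php": "additional malware download list",
}
CMSBRUTE_ENDPOINTS = {
    "reg.php": "bot registration",
    "upd.php": "plugin update request",
    "task.php": "brute-force task request",
    "rep.php": "brute-force report",
}

# Constructed capture format: "<timestamp> <method> <url>".
_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)$")


def classify_request(method: str, url: str):
    """Return a finding dict for a Shade or CMSBrute C&C request, otherwise None.

    Both families use b=<build>&v=<version>; Shade carries the victim id in i=,
    CMSBrute in n=, so the victim parameter decides the family.
    """
    parts = urlsplit(url)
    if not parts.hostname or not parts.hostname.endswith(".onion"):
        return None
    endpoint = parts.path.rsplit("/", 1)[-1]
    q = parse_qs(parts.query)
    if "b" not in q or "v" not in q:
        return None
    if "i" in q and endpoint in SHADE_ENDPOINTS:
        family, meaning, victim = "Trojan-Ransom.Win32.Shade", SHADE_ENDPOINTS[endpoint], q["i"][0]
    elif "n" in q and endpoint in CMSBRUTE_ENDPOINTS:
        family, meaning, victim = "Trojan.Win32.CMSBrute", CMSBRUTE_ENDPOINTS[endpoint], q["n"][0]
    else:
        return None
    finding = {"family": family, "endpoint": endpoint, "meaning": meaning, "method": method,
               "host": parts.hostname, "victim_id": victim, "build": q["b"][0], "version": q["v"][0]}
    # Optional fields a responder cares about: stage (ss/sf), completion flag (f),
    # and which embedded RSA key was used (k) when the C&C could not be reached.
    for param, label in (("ss", "stage"), ("sf", "stage"), ("f", "finished"), ("k", "key_number")):
        if param in q:
            finding[label] = q[param][0]
    return finding


def scan_log(lines):
    """Run classify_request over captured request lines; return findings in order."""
    findings = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        f = classify_request(m.group("method"), m.group("url"))
        if f:
            f["timestamp"] = m.group("ts")
            findings.append(f)
    return findings


# Constructed sample capture: placeholder .onion hosts, made-up ids and timestamps.
SAMPLE_CAPTURE = [
    "2015-08-17T10:01:02Z GET http://c2placeholderaaaaaaa.onion/reg.php?i=043C17E72A1E91C6AE29&b=2&v=1&ss=1",
    "2015-08-17T10:09:45Z GET http://c2placeholderaaaaaaa.onion/prog.php?i=043C17E72A1E91C6AE29&b=2&v=1&ss=2&c=1500&f=1",
    "2015-08-17T10:10:00Z POST http://c2placeholderaaaaaaa.onion/sys.php?i=043C17E72A1E91C6AE29&b=2&v=1&ss=2&c=1500&k=37&si=BASE64PLACEHOLDER",
    "2015-08-17T10:10:30Z GET http://c2placeholderaaaaaaa.onion/cmd.php?i=043C17E72A1E91C6AE29&b=2&v=1",
    "2015-08-17T10:12:11Z GET http://c2placeholderbbbbbbb.onion/task.php?n=0A1B2C3D4E5F60718293&b=1&v=1&p=1.0",
    "2015-08-17T10:30:00Z POST http://c2placeholderbbbbbbb.onion/rep.php?n=0A1B2C3D4E5F60718293&b=1&v=1&rep=%7B%7D",
    "2015-08-17T10:31:00Z GET http://update.example.com/reg.php?i=1&b=2&v=3",   # not .onion: ignored
    "2015-08-17T10:32:00Z GET http://c2placeholderaaaaaaa.onion/index.php?i=1",  # no b/v: ignored
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_CAPTURE):
        print(f["timestamp"], f["family"], f["endpoint"], f["meaning"], f["victim_id"])
```

A cmd.php hit after a Shade reg.php/prog.php sequence is the signal that the downloader stage has started, which is the reason the page insists on a full scan rather than just removing the encryptor.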

In the case of Trojan-Ransom.Win32.Shade, all the already traditional advice on countering ransomware is relevant. Detailed Instructions can be found at:
https://support.kaspersky.com/12015#block2
https://support.kaspersky.com/viruses/common/10952

If the computer has already been affected by this Trojan, it is extremely important to carry out a full scan and treatment with an antivirus product, as Trojan-Ransom.Win32.Shade downloads and installs malware from several different families, listed at the beginning of this article, into a compromised system.

Appendix

In preparing the article, the following samples were studied:

Verdict MD5
Trojan-Ransom.Win32.Shade.ub
Trojan-Ransom.Win32.Shade.ui
Trojan.Win32.CMSBrute.a

Ransomware viruses are computer programs which first encrypt your files and then demand money for the ability to decrypt them. Ransomware viruses have become a real epidemic. The Internet is full of requests for help decrypting files. Most ransomware viruses are very similar to each other. They stealthily enter your computer and then encrypt your files. The main differences between them are believed to be in the encryption algorithm and the amount of the demanded ransom.

Keep in mind that by paying the ransom you have no guarantee that your files will be successfully decrypted. You are simply supporting the criminal business of cybercriminals. You can never be sure that they will send you the secret key needed to decrypt them. For this reason, never try to contact the criminals or pay a ransom. In addition, ransomware can be distributed via P2P torrent networks, where users download cracked versions of software. For these reasons, you should be careful when downloading files from unverified sources, as well as when opening files sent from an unknown email address.

Desktop wallpaper on a PC infected with the .better_call_saul ransomware virus.

Most of these viruses appeared quite recently; .better_call_saul appeared around February. Currently, the .better_call_saul virus is quite aggressively distributed in Russia and other post-Soviet countries. Most users get infected with the .better_call_saul virus when they click on links in emails. Criminals also spread this virus through spam mailings, where infected files are attached to emails. Hacked websites are the third most common .better_call_saul infection vector. After successfully infiltrating the system, this ransomware encrypts various files stored on your hard drives. For encryption, the virus uses the RSA-3072 algorithm.

Please note that this virus adds a .better_call_saul extension to the end of the name of each encrypted file. In addition, it changes the look of the desktop (changes the wallpaper) and creates a README.txt file in each folder containing encrypted files. The README.txt text file and the desktop wallpaper both contain a message that the files are encrypted and that the victim must pay a ransom in order to recover them. In the instructions, the victim is encouraged to contact the cybercriminals by writing to the specified email address and sending a special code. After that, the victim supposedly receives further instructions.

The cybercriminals then demand a payment of 14-15 thousand rubles to a specified QIWI wallet. If the ransom is not paid within 48 hours, the key used to decrypt the files, which is stored on servers controlled by the criminals, will be deleted. Keep in mind that without this key it is impossible to decrypt your files. Unfortunately, at this moment there are no tools capable of decrypting files encoded by the .better_call_saul virus. One way to solve this problem is to restore the system or files from a backup. Some other options for dealing with this virus are outlined below.

Remove the .better_call_saul ransomware with an automatic cleaner

This is an extremely effective method of dealing with malware in general and ransomware in particular. Using a proven security suite guarantees thorough detection of any viral components and their complete removal with one click. Please note that we are talking about two different processes: removing the infection and restoring the files on your PC. However, the threat certainly needs to be removed, as there is information that other computer Trojans are introduced with its help.

  1. After launching the software, click the Start Computer Scan (Start scan) button.
  2. The installed software will provide a report on the threats detected during the scan. To remove all found threats, select the Fix Threats (Remove threats) option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the .better_call_saul ransomware locks files using a strong encryption algorithm, so the encrypted data cannot be restored with a wave of a magic wand, unless you count paying an unheard-of ransom. But some methods can really become a lifesaver and help you recover important data. You can familiarize yourself with them below.

Automatic file recovery software

A very unusual circumstance is known. This infection destroys the source files in their unencrypted form; the extortionate encryption process thus targets copies of them. This gives deleted-file recovery tools a chance to restore the originals, even where the deletion was claimed to be reliable. It is strongly recommended to resort to the file recovery procedure; its effectiveness is beyond doubt.

Volume Shadow Copies

The approach is based on the Windows file backup procedure, which is repeated at every restore point. An important condition for this method to work: System Restore must have been activated prior to the infection. However, any changes made to a file after the restore point will not be reflected in the restored version of the file.

Backup

This is the best of all the non-ransom methods. If data was backed up to an external server before the ransomware attacked your computer, then to restore the encrypted files you simply need to open the appropriate interface, select the necessary files and start the recovery from the backup. Before performing the operation, you need to make sure that the ransomware has been completely removed.

Check for residual .better_call_saul ransomware components

Manual cleaning risks missing pieces of the ransomware that evade removal in the form of stealthy operating-system objects or registry entries. To eliminate the risk of individual malicious elements being left behind, scan your computer with a reliable security software package that specializes in malware.

, VIDEO, MUSIC and other personal files to .NO_MORE_RANSOM, and the original name is changed to a random combination of letters and numbers. As a result, most files of the most important formats (.PDF, .DOC, .DOCX, .XLS, .XLSX, .JPG, .ZIP) no longer open. 1C accounting does not work. Here's what it looks like:

The technical support of Kaspersky Lab, Dr.Web and other well-known companies that develop anti-virus software, in response to users' requests to decrypt data, reports that it is impossible to do so in a reasonable time.


But do not rush to despair!

The fact is that, having penetrated your computer, the malicious program uses completely legal GPG encryption software and the popular RSA-1024 encryption algorithm as its tool. Since this utility is used in many places and is not a virus in itself, antiviruses let it through and do not block its work. A public and private key pair is generated to encrypt the files. The private key is sent to the attackers' server, while the public key remains on the user's computer. Both keys are required to decrypt the files! The attackers carefully overwrite the private key on the affected computer. But this is not always the case. Over more than three years of impeccable work, Dr.SHIFRO specialists have studied thousands of variations of malware activity, and perhaps even in a seemingly hopeless situation we will be able to offer a solution that allows you to get your data back.

In this video you can see the real operation of the decryptor on the computer of one of our clients:


To analyze the possibility of decryption, send 2 samples of encrypted files: one text file (doc, docx, odt, txt or rtf up to 100 KB) and one graphic file (jpg, png, bmp, tif or pdf up to 3 MB). You also need to send the note file left by the intruders. After examining the files, we will give you an estimate of the cost. Files can be sent by email to [email protected] or via the file upload form on the site (orange button).

COMMENTS (2)

Got the NCOV virus. After searching the Internet for a decryption method, we found this site. The specialist quickly and in detail explained what needed to be done. As a guarantee, 5 test files were decrypted. They announced the cost, and after payment everything was decrypted within a few hours, even though not only the computer but also a network drive had been encrypted. Thank you very much for your help!

Good day! I recently had a similar situation with the NCOV virus, which did not have time to encrypt all the disks, because after some time I opened the folder with the photos, saw an empty envelope and a file name made of a different set of letters and numbers, and immediately downloaded and launched a free utility to remove Trojans. The virus came in the mail: there was a convincing email, which I opened, and I ran the attachment. There are 4 very large hard drives (terabytes) installed on the computer. I contacted various companies, of which the Internet is full and which offer their services, but even with successful decryption all the files would end up in a separate folder and everything would be mixed up. Nobody gives a guarantee of 100% decryption. There were appeals to Kaspersky Lab, and even there they did not help me. Then I decided to apply here. I sent three test photos and after a while I received a response with them fully decrypted. In the email correspondence, I was offered either remote work or a home visit. I decided that it would be at home. We agreed on the date and time of the specialist's arrival. The amount for the decoder was agreed right away in the correspondence, and after a successful decryption we signed an agreement on the performance of the work and I made the payment according to the agreement. It took a very long time to decrypt the files, as some of the videos were large. After the full decryption, I made sure that all my files were in their original form and had the correct file extension. The hard drive volumes became as they were before they were infected, since during the infection the disks were almost completely full. As for those who write about scammers and so on, I do not agree with this. This is written either by competitors out of anger that nothing works out for them, or by people who are offended by something. In my case, everything turned out fine, and my fears are in the past.
I saw my old family photos again, which I took a long time ago, and the family videos that I edited myself. I want to say thanks to dr.Shifro and personally to Igor Nikolaevich, who helped me recover all my data. Thank you very much and good luck! All that is written is my personal opinion, and you decide who to contact.

The first samples of malware that encrypt files and then demand money for decryption appeared a very long time ago. Suffice it to recall Trojan.Xorist with its primitive XOR-based encryption algorithm, or Trojan.ArchiveLock, written in PureBasic, which used ordinary WinRAR for encryption and Sysinternals SDelete to delete the original files, and demanded as much as five thousand dollars for decryption. However, it was CryptoLocker that started a bad trend among virus writers: using the latest achievements in cryptography in the form of very strong encryption algorithms. Today we examine several ransomware Trojans that appeared after (or at the same time as) CryptoLocker's much-publicized march across the Internet.

WARNING

If you want to follow our example and examine a sample of an encrypting locker, be careful. Even when using a virtual machine, you can inadvertently encrypt files in the shared folders of the host system.

Some statistics

From the point of view of their creators, ransomware Trojans are real money. It is much easier and cheaper to organize the spamming of infected emails and a service for accepting payments from people who value the family photos that suddenly turned out to be encrypted than, for example, to diligently build and develop a botnet (which then has to be put to some use) or to collect data from infected machines, given that the collected data must also be monetized somehow.


Therefore, this type of cyber extortion continues to flourish and bring a lot of money to the organizers of this criminal business. For example, according to Kaspersky Lab experts, in 2014 more than seven million attacks were recorded using ransomware Trojans of various families.
