
The virus encrypted and renamed the files. How to decrypt files encrypted by a virus

Recently there has been a surge in the activity of a new generation of malicious programs. They appeared quite a long time ago (6 to 8 years ago), but the pace of their deployment has peaked right now. More and more often you see that a virus has encrypted the files.

It is already known that these are not just primitive malicious programs that, for example, block the computer (causing a blue screen), but serious programs aimed, as a rule, at damaging accounting data. They encrypt every file within reach, including 1C accounting data and docx, xlsx, jpg, doc, xls, pdf and zip files.

The special danger of these viruses

It lies in the fact that an RSA key is used that is tied to the specific user's computer, so there is no universal decryptor. A virus activated on one computer may not work on another.

The danger is also that for more than a year now ready-made builders have been available on the Internet, allowing even so-called "kulhackers" (people who consider themselves hackers but have not learned programming) to produce this kind of virus.

At present, even more powerful modifications have appeared.

How the malware is delivered

The virus is sent deliberately, as a rule, to the company's accounting department. First, the e-mail addresses of HR and accounting departments are collected from databases such as hh.ru. Then the letters are sent out. Most often they contain a request for employment in a certain position. Attached to the letter is a résumé file, inside of which is a real document with an embedded OLE object (a pdf file carrying the virus).

Where accountants opened this document straight away, the following happened after a reboot: the virus renamed and encrypted the files and then deleted itself.

Such a letter is, as a rule, competently written and sent from a non-throwaway mailbox (the name matches the signature). The vacancy requested always matches the company's line of business, so that no suspicion arises.

Neither a licensed Kaspersky (antivirus program) nor VirusTotal (an online service for checking attachments for viruses) can protect the computer in this case. Occasionally some antivirus scanner reports that the attachment contains Gen:Variant.Zusy.71505.

How to avoid infection with this virus?

You should check every file received. Pay particular attention to Word documents that have an embedded pdf.
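One way to perform that check before opening a received document, as an added example that is not part of the original article: a .docx is a ZIP container, and an inserted OLE object (such as the pdf described above) is stored under word/embeddings/ and referenced from word/document.xml by an <o:OLEObject ProgID="..."> element. The fixtures, the ProgID value and the helper names are constructed for the example.

```python
import io
import re
import zipfile

# Constructed .docx fixtures (sample data, not a real résumé). A .docx is a ZIP
# container; an inserted OLE object lives under word/embeddings/ and is referenced
# from word/document.xml by an <o:OLEObject ProgID="..."> element.
CLEAN_DOCUMENT_XML = b'<w:document><w:body><w:p>Hello</w:p></w:body></w:document>'
OLE_DOCUMENT_XML = (
    b'<w:document><w:body><w:p><w:object>'
    b'<o:OLEObject Type="Embed" ProgID="AcroExch.Document.DC" r:id="rId5"/>'
    b'</w:object></w:p></w:body></w:document>'
)

def build_docx(document_xml: bytes, embeddings: dict) -> bytes:
    """Build a minimal .docx in memory from the constructed parts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", document_xml)
        for name, data in embeddings.items():
            zf.writestr("word/embeddings/" + name, data)
    return buf.getvalue()

def inspect_docx(docx_bytes: bytes) -> dict:
    """List embedded OLE parts and their ProgIDs without opening the file in Word."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        embedded = sorted(n for n in names if n.startswith("word/embeddings/"))
        prog_ids = []
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml").decode("utf-8", "replace")
            prog_ids = re.findall(r'<o:OLEObject\b[^>]*\bProgID="([^"]+)"', xml)
    return {"embedded": embedded, "prog_ids": prog_ids}

def needs_manual_review(docx_bytes: bytes) -> bool:
    """True when the document carries any embedded object; per the article, a
    résumé with an embedded pdf (Acrobat ProgIDs start with AcroExch) is the red flag."""
    report = inspect_docx(docx_bytes)
    return bool(report["embedded"]) or any(p.startswith("AcroExch") for p in report["prog_ids"])

if __name__ == "__main__":
    # The leading bytes are the OLE compound-file magic; the rest is filler.
    bad = build_docx(OLE_DOCUMENT_XML, {"oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 12})
    print(inspect_docx(bad), needs_manual_review(bad))
```

The same check works on a real file by passing the bytes read from disk; a document that reports any embedded part should be opened only in an isolated environment, as the article advises later.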

Variants of "infected" letters

There are many of them. The most common variants by which the virus came to encrypt the files are listed below. In all cases the following documents are sent by e-mail:

  1. Notification that proceedings have begun on a lawsuit filed against a specific company (the letter suggests checking the details by clicking on a link).
  2. A letter from the Supreme Arbitration Court of the Russian Federation about debt collection.
  3. A message from Sberbank about an increase in existing debt.
  4. Notification of a traffic violation.
  5. A letter from a collection agency indicating the maximum possible deferral of payment.

Notification of file encryption

It appears after infection in the root folder of drive C. Sometimes files such as WHAT_DEL.txt or CONTACT.txt are placed in every directory containing corrupted files. In them the user is told that his files have been encrypted using reliable, cryptographically strong algorithms. He is also warned that using third-party utilities is pointless, since it may damage the files beyond repair and make subsequent decryption impossible.

The notification recommends leaving the computer in its current state. It gives the period for which the key is kept (usually 2 days). An exact date is stated after which any requests will be ignored.

At the end an e-mail address is given. It also says that the user must state his ID and that any of the following actions may lead to the key being destroyed, namely:

  • Insults;
  • Requesting details without subsequent payment;
  • Threats.

How to decrypt files encrypted with a virus?

This kind of encryption is very strong: the file is given an extension such as perfect, nochance, etc. It simply cannot be cracked, but you can try to bring in a cryptanalyst and look for a loophole (in some situations Dr.Web will help).

There is one more way to recover virus-encrypted files, but it does not suit all viruses, and you will also need to obtain the original exe of this malicious program, which is not easy after it has self-destructed.

The virus's request to enter a special code is a minor check, since at that point the file already contains the decoder (so to speak, the code would not have to be obtained from the criminals). The essence of this method is writing no-op instructions into the virus (at the place where the entered code is compared). As a result, the malicious program itself starts decrypting the files and thereby restores them completely.

Each individual virus has its own encryption function, which means it cannot be decrypted by an external file (an exe file); alternatively, you can try to pick out the above function, for which you need to carry out all the operations through WinAPI.

The virus encrypted the files: what to do?

To perform the decryption procedure you will need to:

  1. Make a backup of the existing files. At the end of decryption everything will sort itself out.
  2. On the infected computer, start this malicious program, then wait for the window asking you to enter the code.
  3. Next, run Patcher.exe from the attached archive.
  4. Then enter the virus's process number and press Enter.
  5. The message "patched" appears, which means the comparison instructions have been overwritten.
  6. Next, enter any characters in the code entry field and click "OK".
  7. The virus starts decrypting the files, after which it deletes itself.

How to avoid data loss due to the malware in question?

It is worth knowing that when a virus has encrypted the files, the decryption process takes time. An important point is that the above malware contains an error that lets you save some of the files if you switch the computer off quickly (pull the plug from the outlet, turn off the power strip, remove the battery of a laptop) as soon as a large number of files with the previously mentioned extension appear.

Once again it should be emphasised that the main thing is to make backups constantly, but not to another folder and not to removable media plugged into the computer, because this variant of the virus reaches those places too. Backups should be saved to another computer, to a hard drive that is not permanently connected to the computer, and to the cloud.

All documents that arrive by mail from unknown persons (a résumé, a waybill, decisions of the Supreme Arbitration Court of the Russian Federation or the tax office, etc.) should be treated with suspicion. Do not open them on your computer (for this purpose you can set aside a netbook that holds no important data).

Malicious program *.paycrypt@gmail.com: how to fix it

When the above virus encrypts cbf, doc, jpg and other files, there are only three options:

  1. The simplest way to get rid of it is to delete all infected files (acceptable if the data is not particularly important).
  2. Contact an antivirus vendor's lab, for example Dr.Web. Send the developers several infected files together with the decryption key, which is on the computer as KEY.PRIVATE.
  3. The most expensive way. It involves paying the amount the hackers demand for decrypting the infected files. Typically this service costs 200 to 500 US dollars. This is acceptable where the virus has encrypted the files of a large company through which a significant amount of information flows daily, and this malware can do tremendous harm in a matter of seconds. In that case payment is the fastest option for recovering the infected files.

Sometimes one more option is effective. If the virus (paycrypt@gmail_com or other malware) has encrypted the files, the system can be rolled back a few days.

RectorDecryptor decryption program

If the virus encrypts jpg, doc, cbf and other files, a special program can help. To use it, first go into startup and disable everything except the antivirus. Then restart the computer. Look through all the files and pick out suspicious ones. The field named "Command" indicates the location of each file (pay attention to applications without a signature: manufacturer - no data).

All suspicious files must be deleted, after which you will need to clear the browser caches and temporary folders (CCleaner is suitable for this).

To start decryption, download the above program. Then run it and click "Start Scan", indicating the changed files and their extension. In modern versions of the program you can simply select the infected file and click "Open". After that the files will be decrypted.

The utility then automatically checks all data on the computer, including files on attached network drives, and decrypts them. This recovery can take several hours (depending on the amount of work and the speed of the computer).

As a result, all damaged files are decrypted into the same directory where they were originally located. Finally, it only remains to delete all files with the suspicious extension, for which you can tick "Delete encrypted files after successful decryption" via the "Change scan parameters" button. However, it is better not to tick it, because if decryption fails the files may be deleted and will then have to be restored first.

So if the virus has encrypted doc, cbf, jpg and other files, do not rush to pay for the code. Perhaps it will not be needed.

Nuances of removing encrypted files

If you try to remove all corrupted files with a standard search and then delete them, the computer may hang and slow down. For this procedure you should therefore use the command line. After starting it, enter the following: del ":\*." /f /s.

Files such as "Read-me.txt" must also be deleted, for which you enter in the same command line: del ":\*." /f /s.
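Before running a blanket del over a drive, an analyst usually wants an inventory of what the ransomware touched: which files carry the extensions named above (perfect, nochance, paycrypt@gmail.com) and where the WHAT_DEL.txt, CONTACT.txt and Read-me.txt notes were dropped. The script below, added here as an example that is not part of the original article, does that walk and only deletes when explicitly confirmed, matching the article's warning about deleting before a successful decryption. The watch list, the sample directory tree and the function names are constructed for the example.

```python
import os
import tempfile
from collections import Counter

# Watch list built from the article: extensions the ransomware appends and the
# ransom-note file names it drops. Assumption: extend it for other families.
ENCRYPTED_SUFFIXES = (".perfect", ".nochance", ".paycrypt@gmail.com")
RANSOM_NOTE_NAMES = {"what_del.txt", "contact.txt", "read-me.txt"}

def triage(root: str) -> dict:
    """Walk `root` and inventory ransomware artifacts without touching them.
    Returns encrypted files, ransom notes and a per-directory count so the
    blast radius is known before anything is deleted or decrypted."""
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIXES):
                encrypted.append(path)
                per_dir[os.path.relpath(dirpath, root)] += 1
            elif name.lower() in RANSOM_NOTE_NAMES:
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "per_dir": dict(per_dir)}

def remove_encrypted(root: str, confirm: bool = False) -> int:
    """Delete the inventoried encrypted files only when explicitly confirmed;
    the default is a dry run that just reports how many files would go."""
    targets = triage(root)["encrypted"]
    if confirm:
        for path in targets:
            os.remove(path)
    return len(targets)

def build_sample_tree() -> str:
    """Constructed fixture mimicking an infected drive (sample data only)."""
    root = tempfile.mkdtemp(prefix="triage_")
    layout = {
        "Accounting/balance.xlsx.perfect": b"\x00" * 16,
        "Accounting/WHAT_DEL.txt": b"your files are encrypted",
        "Docs/resume.docx.nochance": b"\x00" * 16,
        "Docs/CONTACT.txt": b"write to the address below",
        "Docs/notes.txt": b"untouched file",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Run triage(build_sample_tree()) to see the report; on a real machine pass the drive root instead and keep confirm=False until decryption has succeeded.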

Thus, if the virus has renamed and encrypted the files, it is not worth immediately spending money on buying the key from the attackers; first try to sort out the problem yourself. It is better to invest in buying a special program for decrypting the corrupted files.

Finally, it is worth recalling that this article considered the question of how to decrypt files encrypted by a virus.

Copyright © 2018 en.atomiyme.com. Theme powered by WordPress.