
Encryptor virus: how to disinfect and decrypt files? Decrypting files after a cryptographic virus

Viruses as a computer threat no longer surprise anyone. But where earlier viruses affected the system as a whole, disrupting its operation, today, with the arrival of the encryptor virus, intruding threats target user data more than anything else. This is perhaps an even greater threat than applications that destroy Windows executables or spyware applets.

What is a cryptographic virus?

The code of such a self-replicating virus encrypts almost all user data with special cryptographic algorithms, while leaving the operating system's own files untouched.

At first, the logic behind the virus's behaviour was not clear to many. Everything became clear only when the hackers who created such applets began demanding money to restore the original structure of the files. Once the encryptor virus is in the system, its design does not allow the files to be decrypted. For that you need a special decoder: the code, password or algorithm required to restore the content you are looking for.

How the virus penetrates the system and how its code works

As a rule, it is quite difficult to "catch" such filth simply by browsing the Internet. The main distribution channel for the "contagion" is e-mail, at the level of the mail programs installed on a particular computer, such as Outlook, Thunderbird, The Bat, etc. Note at once: this does not apply to Internet mail servers, which have a sufficiently high degree of protection and where access to user data is possible only at the level of cloud storage.

A mail application on the computer itself is another matter. Here the field for the virus to act is wider than one can imagine. True, one reservation is in order here too: in most cases these viruses are aimed at large companies, from which money can be "extorted" for a decryption code. This is understandable: not only the local computers but also the servers of such companies store not just completely confidential information, but also files that exist, so to speak, in a single copy and must not be lost under any circumstances. Decrypting files after a cryptographic virus then becomes quite a problem.

Of course, an ordinary user can also suffer such an attack, but in most cases this is unlikely if one follows the simplest recommendations for opening attachments with unfamiliar extensions. Even if the mail client identifies an attachment with the extension .jpg as a standard graphic file, it must first be checked with the regular anti-virus scanner installed in the system.

If you do not, then opening it with a double click (the standard way) activates the code and starts the encryption process; after that, a virus such as Breaking_Bad not only cannot be removed, but the files cannot be recovered even after the threat has been eliminated.
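The "check the attachment before opening it" advice above can be partly automated on the mail gateway or the desktop. The following Python is an added example and not code from the article: it holds back attachments of the carrier types the article names (.scr screensavers, .js scripts, and a .jpg name over non-image content). The magic-byte values are the standard ones assumed here, and the sample attachments are constructed.

```python
from typing import Dict, List, Tuple

# Attachment types the article names as carriers: .scr (Windows screensaver,
# really an executable) and .js scripts; .exe added as the generic executable.
EXECUTABLE_EXTS = {".scr", ".js", ".exe"}
# Bytes a genuine file of that extension starts with (assumed standard values).
IMAGE_MAGIC: Dict[str, bytes] = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG"}
PE_MAGIC = b"MZ"  # DOS/PE header every Windows executable starts with


def split_extensions(name: str) -> List[str]:
    """Return every extension in a file name, lower-cased: 'scan.jpg.scr' -> ['.jpg', '.scr']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_attachment(name: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be held back before it is opened.
    An empty list means these checks found nothing suspicious."""
    reasons: List[str] = []
    exts = split_extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment type {last}")
        if len(exts) > 1:
            reasons.append(f"double extension: {last} hidden behind {exts[-2]}")
    # A .jpg that does not start with JPEG magic is not a picture, whatever the mail client shows.
    if last in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[last]):
        reasons.append(f"{last} name but content is not an image")
    if data.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        reasons.append("Windows executable header (MZ) under a non-executable name")
    return reasons


# Constructed sample attachments (name, first bytes); not real malware.
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("holiday_photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("contract_changes.scr", b"MZ\x90\x00\x03\x00"),
    ("waybill_copy.jpg", b"MZ\x90\x00\x03\x00"),
    ("scan.jpg.scr", b"MZ\x90\x00\x03\x00"),
    ("invoice.js", b"function run() {"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        verdict = triage_attachment(name, data)
        print(f"{name:22} {'HOLD' if verdict else 'ok  '} {'; '.join(verdict)}")
```

The checks complement, and do not replace, the anti-virus scan the article recommends: a held attachment goes to the scanner and to a human, never straight to a double click.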

The general consequences of infection by viruses of this type

As already mentioned, most viruses of this type enter the system via e-mail. Say a large registered organization receives a letter reading "We have changed the contract, scan attached" or "Your waybill for the shipment of goods (copy attached)". Naturally, an unsuspecting employee opens the file and ...

All user files, whether office documents, multimedia, specialized AutoCAD projects or any other archived data, are encrypted at once, and if the computer is on a local network, the virus can spread further and encrypt the data on other machines (this shows up immediately as the system "slowing down" and the programs or applications running at the time hanging).

When encryption finishes, the virus itself apparently sends a kind of report, after which the company may receive a message saying that such-and-such a threat has penetrated the system and that only such-and-such an organization can decrypt it. Usually this concerns paycrypt@gmail.com. Then comes a demand to pay for decryption services, together with an offer to send several files to the client's e-mail address, which is most often fictitious.

The harm done by the code

In case anyone still does not understand: decrypting files after a cryptographic virus is a very laborious process. Even if you do not "give in" to the intruders' demands and try to involve the official state bodies responsible for fighting and preventing computer crime, it usually comes to nothing.

Even if you delete all the files, perform a system restore and copy the original data back from removable media (if such a copy exists, of course), with the virus still active everything will simply be encrypted again. So do not delude yourself: when the same flash drive is inserted into the USB port, the user will not even notice the virus encrypting the data on it. Then you will certainly have no shortage of problems.

The first of the family

Now let us turn to the first cryptographic virus. At the time it appeared, nobody yet thought about how to disinfect the system and decrypt files after the executable code, enclosed in an e-mail attachment with an offer of acquaintance, had done its work. Awareness of the scale of the disaster came only with time.

That virus bore the romantic name "I Love You". The unsuspecting user opened an e-mail attachment and was left with multimedia files (graphics, video and audio) that could no longer be played at all. Back then, however, such actions looked merely destructive (damaging the user's media libraries), and nobody demanded money for it.

Newest modifications

As we can see, the evolution of the technology has become quite profitable, especially since many heads of large organizations immediately rush to pay for decryption, without considering that they may lose both the money and the information.

By the way, pay no attention to all those dubious posts on the Internet along the lines of "I paid the required amount, they sent me a code, everything was restored." Nonsense! All of that is written by the virus developers to attract potential, pardon the word, "suckers". And the sums demanded are quite serious by the standards of an ordinary user: from hundreds to several thousand or even tens of thousands of euros or dollars.

Now let us look at the newest viruses of this type, which were recorded relatively recently. They are all practically alike and belong not only to the category of encryptors but also to the group of so-called extortionware. In some cases they behave more "politely" (like paycrypt), appearing to send out official business proposals or messages claiming that someone is looking after the security of the user or the organization. With its message, such an encryptor virus simply misleads the user. If the user takes even the smallest step towards payment, that is it: the "scam" will be carried through in full.

XTBL Virus

The relatively recent XTBL virus can be counted as a classic encryptor. As a rule, it enters the system through e-mail messages with attachments in the form of files with the .scr extension, the standard extension for a Windows screensaver. The system and the user assume that everything is in order and open or save the attachment.

Alas, this has sad consequences: file names are converted into a string of characters and .xtbl is appended to the original extension, after which a message offering decryption in return for a stated amount (usually 5 thousand rubles) arrives at the target mail address.

CBF Virus

This type of virus is also a classic of the genre. It appears in the system after an e-mail attachment is opened and then renames the user's files, appending an extension such as .nochance or .perfect.

Unfortunately, it is not possible to analyze the contents of this encryptor's code, even at the stage when it first appears in the system, because once it has finished its work it deletes itself. Even a tool that many consider universal, such as RectorDecryptor, does not help. Again, the user receives a letter demanding payment, for which two days are given.

Breaking_Bad Virus

This threat works in the same way, but in its standard variant renames files by appending the extension .breaking_bad.

It does not stop there. Unlike the previous viruses, this one can also use a second extension, .Heisenberg, so it is not always possible to find all the infected files. Breaking_Bad is therefore quite a serious encryptor threat. Incidentally, there are cases where even a licensed Kaspersky Endpoint Security 10 package has missed this type of threat.
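The renaming behaviour described for XTBL, CBF and Breaking_Bad gives an incident responder something to search for after the fact. The Python below is an added example, not code from the article: it sweeps a file listing for the appended markers the article names (.xtbl, .nochance, .perfect, .breaking_bad, .Heisenberg), reports every marker seen per family so that a .Heisenberg file is not missed by a sweep that only knew .breaking_bad, and flags files whose original name was also replaced by an opaque string. The "opaque name" pattern and the directory listing are constructed assumptions; the scan inventories damage and recovers nothing.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Extensions the article reports these families appending after the file's
# original extension. Matching is case-insensitive (.Heisenberg vs .heisenberg).
FAMILY_MARKERS: Dict[str, str] = {
    ".xtbl": "XTBL",
    ".nochance": "CBF",
    ".perfect": "CBF",
    ".breaking_bad": "Breaking_Bad",
    ".heisenberg": "Breaking_Bad",
}
# XTBL also replaces the base name with an opaque run of characters
# (assumed shape: 16+ characters from a base64-like alphabet, no spaces).
OPAQUE_STEM = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def classify(path: str) -> Optional[Dict[str, str]]:
    """Return family, marker and the name before the marker, or None if no marker matches."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]  # works for Windows and POSIX paths
    for marker, family in FAMILY_MARKERS.items():
        if base.lower().endswith(marker):
            return {"family": family, "marker": marker, "original_name": base[: -len(marker)]}
    return None


def scan_listing(paths: Iterable[str]) -> Dict[str, object]:
    """Group hits by family, record every marker seen per family, and list
    files whose original name was destroyed as well as encrypted."""
    hits: Dict[str, List[str]] = defaultdict(list)
    markers: Dict[str, set] = defaultdict(set)
    unrecoverable: List[str] = []
    for path in paths:
        found = classify(path)
        if found is None:
            continue
        hits[found["family"]].append(path)
        markers[found["family"]].add(found["marker"])
        stem = found["original_name"].rsplit(".", 1)[0]  # name without its real extension
        if OPAQUE_STEM.match(stem):
            unrecoverable.append(path)
    return {"hits": dict(hits), "markers": {f: sorted(m) for f, m in markers.items()},
            "unrecoverable": unrecoverable}


# Constructed directory listing, not taken from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\ivan\Documents\AbCdEf0123456789XyZ=.docx.xtbl",
    r"\\fileserver\share\report.xlsx.breaking_bad",
    r"\\fileserver\share\drawing.dwg.Heisenberg",
    r"\\fileserver\share\photo.jpg.nochance",
    r"\\fileserver\share\notes.txt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```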

Virus paycrypt@gmail.com

Here is one more, perhaps the most serious, threat, aimed mostly at large commercial organizations. As a rule, a letter arrives at some department, apparently containing changes to a supply agreement or even a bill of lading. The attachment may be an ordinary .jpg file (an image), but more often it is an executable .js script (Java applet).

How can a cryptographic virus of this type be decoded? Judging by the fact that it uses some unknown RSA-1024 algorithm, not in any way. Going by the name, one can assume that this is a 1024-bit encryption system. But, as anyone may remember, today 256-bit AES is considered the most advanced.

Encryptor virus: how to disinfect and decrypt files using antivirus software

To date, no solution has been found for decrypting threats of this type. Even such masters of antivirus protection as Kaspersky, Dr.Web and Eset cannot find the key to the problem once an encryptor virus has taken over the system. How, then, are files to be cured? In most cases the suggestion is to send a request through the official site of the antivirus developer (and, by the way, only if that developer's licensed software is installed in the system).

To do this you need to attach several encrypted files together with their "healthy" originals, if any exist. By and large, few people keep copies of their data, so the lack of them only aggravates an already unpleasant situation.

Possible ways to identify and eliminate threats manually

Yes, a scan with an ordinary antivirus detects such threats and even removes them from the system. But what about the information?

Some try to use decryption programs such as the already mentioned RectorDecryptor utility (RakhniDecryptor). Note at once: this does not help, and in the case of the Breaking_Bad virus it can only do great harm. Here is why.

The fact is that the people who create such viruses try to protect themselves and to teach others a lesson. When a decryption utility is used, the virus can respond by making the entire system "crash", with complete destruction of all the data stored on the hard disks or in logical partitions. This is, so to speak, a demonstration lesson for the edification of all those who do not want to pay. All that remains is to rely on the official anti-virus laboratories.

Drastic measures

If things are really bad, however, you will have to sacrifice the information. To get rid of the threat completely, you need to format the entire hard drive, including all logical partitions, and then reinstall the operating system.

Unfortunately, there is no other way out. Even rolling the system back to a saved restore point will not help: the virus may disappear, but the files will remain encrypted.

Instead of an afterword

In conclusion, it should be noted that the situation is as follows: the encryptor virus penetrates the system, does its dirty work, and cannot be cured by any known method. Antivirus protection was not ready for this type of threat. It goes without saying that a virus can be detected after it has acted, or deleted. But the encrypted information will remain inaccessible. So I would like to hope that the best minds of the anti-virus companies will find a solution, although, judging by the encryption algorithms, it will be very hard to do. Recall the Enigma cipher machine used by the German navy during the Second World War: the best cryptographers could not solve the problem of decrypting its messages until they got hold of the device itself. The same goes here.

Copyright © 2018 en.atomiyme.com. Theme powered by WordPress.