How to decrypt files encrypted by a virus: the virus encrypted the files and renamed them. How to decrypt them, and how to avoid data loss due to this malware

Hello everyone, today I’ll tell you how to decrypt files after a virus infection in Windows. One of the most problematic kinds of malware today is a Trojan, or virus, that encrypts files on the user's drive. Some of these files can be decrypted, others cannot be decrypted yet. In this article I will describe possible courses of action in both situations.

There are several modifications of this virus, but the general principle is the same: after installing itself on your computer, it encrypts your documents, images and other potentially important files and changes their extension, after which you receive a message that all your files have been encrypted and that to decrypt them you must send a certain amount of money to the attacker.

Files on the computer are encrypted with the .xtbl extension

One of the latest variants of the ransomware virus encrypts files, replacing them with files with the extension .xtbl and a name consisting of a random set of characters.

At the same time, a text file readme.txt is placed on the computer with approximately the following content: “Your files have been encrypted. To decrypt them, you need to send the code to the email address [email protected], [email protected] or [email protected]. Next you will receive all the necessary instructions. Attempts to decrypt files yourself will lead to irretrievable loss of information” (mail address and text may differ).

Unfortunately, there is no way to decrypt .xtbl at the moment (as soon as it becomes available, the instructions will be updated). Some users who had really important information on their computer report on antivirus forums that they sent the authors of the virus 5,000 rubles or other required amount and received a decryptor, but this is very risky: you may not receive anything.

What to do if the files were encrypted with .xtbl? My recommendations are as follows (they differ from those on many other thematic sites, which, for example, recommend immediately disconnecting the computer from the power supply or not removing the virus; in my opinion this is unnecessary, and under some circumstances may even be harmful, but it is up to you to decide):

  1. If you know how, interrupt the encryption process by ending the corresponding processes in Task Manager and disconnecting the computer from the Internet (an Internet connection may be a precondition for the encryption).
  2. Remember or write down the code that the attackers require you to send to their email address (just not in a text file on the computer, in case it gets encrypted too).
  3. Remove the file-encrypting virus using Malwarebytes Anti-Malware, a trial version of Kaspersky Internet Security or Dr.Web CureIt! (all of these tools do a good job of this). I advise using the first and second products from the list one after the other (however, if you already have an antivirus installed, installing the second one on top of it is undesirable, as it can lead to problems with the computer).
  4. Wait for a decryptor to appear from one of the antivirus companies. Kaspersky Lab is at the forefront here.
  5. You can also send a sample encrypted file and the required code to [email protected]; if you have an unencrypted copy of the same file, send that too. In theory, this could speed up the appearance of a decryptor.

What not to do:

  • Rename encrypted files, change their extension, or delete them if they are important to you.

This is probably all I can say about encrypted files with the .xtbl extension at the moment.

Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni

These Trojans encrypt files and append extensions from this list:

  • .locked
  • .crypto
  • .kraken
  • .AES256 (not necessarily this Trojan, there are others that install the same extension).
  • .codercsu@gmail_com
  • .oshit
  • And others.

To decrypt files after these viruses have run, Kaspersky provides the free RakhniDecryptor utility on its official page http://support.kaspersky.ru/viruses/disinfection/10556.

That page also has detailed instructions for using this utility to restore encrypted files; just in case, I would untick the option “Delete encrypted files after successful decryption” (although I think everything will be fine with that option enabled too).

If you have a Dr.Web antivirus license, you can use this company's free decryption service at http://support.drweb.com/new/free_unlocker/.

Other ransomware variants

Less common, but also encountered, are the following Trojans that encrypt files and demand money for decryption. The links provided contain not only utilities for getting your files back, but also descriptions of the signs that help determine that you have this particular virus. In general, though, the best approach is to scan the system with Kaspersky anti-virus, find out the name of the Trojan according to this company's classification, and then look for a utility by that name.

  • Trojan-Ransom.Win32.Rector - the free RectorDecryptor utility and instructions for its use are available here: http://support.kaspersky.ru/viruses/disinfection/4264
  • Trojan-Ransom.Win32.Xorist is a similar Trojan that displays a window asking you to send a paid SMS or make contact by email to receive decryption instructions. Instructions for restoring encrypted files and the XoristDecryptor utility are available on the page http://support.kaspersky.ru/viruses/disinfection/2911
  • Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Fury - RannohDecryptor utility: http://support.kaspersky.ru/viruses/disinfection/8547
  • Trojan.Encoder.858 (xtbl), Trojan.Encoder.741 and others with the same name but different numbers (as detected by Dr.Web antivirus or the CureIt utility) - try searching the Internet by the Trojan's name. For some of them there are decryption utilities from Dr.Web; if you were unable to find the utility but have a Dr.Web license, you can use the official page http://support.drweb.com/new/free_unlocker/
  • CryptoLocker - to decrypt files after CryptoLocker has run, you can use the site http://decryptcryptolocker.com; after you submit a sample file, you will receive a key and a utility to recover your files.

And from the latest news: Kaspersky Lab, together with law enforcement officers from the Netherlands, developed Ransomware Decryptor (http://noransom.kaspersky.com) to decrypt files after CoinVault, but this ransomware has not yet been seen in our region.

By the way, if it suddenly turns out that you have something to add (because I may not have time to monitor what is happening with the decryption methods), let me know in the comments, this information will be useful to other users who are faced with a problem.

Let us remind you: Trojans of the Trojan.Encoder family are malicious programs that encrypt files on a computer’s hard drive and demand money for decrypting them. Files such as *.mp3, *.doc, *.docx, *.pdf, *.jpg, *.rar and so on may be encrypted.
I have not personally encountered the entire family of this virus, but, as practice shows, the method of infection, disinfection and decryption is approximately the same for all of them:
1. the victim is infected through a spam email with an attachment (less often by other means of infection),
2. the virus is recognized and removed (by now) by almost any antivirus with fresh databases,
3. files are decrypted by searching for the keys of the ciphers used.
For example, Trojan.Encoder.225 uses RC4 (modified) + DES encryption, and Trojan.Encoder.263 uses Blowfish in CTR mode. In my personal experience these viruses are currently 99% decryptable.

But not everything is so smooth. Some encryption viruses require months of continuous decryption (Trojan.Encoder.102), while others (Trojan.Encoder.283) cannot be correctly decrypted even by specialists from Doctor Web, which, in fact, plays a key role in this article.

Now, in order.

At the beginning of August 2013, clients contacted me with the problem of files encrypted by the Trojan.Encoder.225 virus. At that time the virus was new, nobody knew anything, and there were 2-3 relevant Google links on the Internet. After a lengthy search on the Internet, it turned out that the only organization (that I found) dealing with the problem of decrypting files after this virus is the Doctor Web company. Namely: it gives recommendations, helps when you contact technical support, develops its own decryptors, etc.

A negative digression.

And, taking this opportunity, I would like to point out two fat minuses of Kaspersky Lab. When you contact their technical support, they brush you off with “we are working on this issue, we will notify you of the results by mail.” And the other downside is that I never received a response to my request. After 4 months. Damn the reaction time. And here I am striving for the standard “no more than one hour from submission of the request.”
Shame on you, Comrade Evgeniy Kaspersky, General Director of Kaspersky Lab. And a good half of the companies I look after “sit” on it. Well, okay, the licenses expire in January-March 2014. Is it worth discussing whether I will renew them? ;)

I can picture the faces of the “specialists” from “simpler” companies, so to speak, NOT the giants of the antivirus industry. They probably just “huddled in a corner” and “cried quietly.”
Although, to be honest, absolutely everyone screwed up completely. The antivirus, in principle, should not have allowed this virus onto the computer at all. Especially considering modern technology. And “they”, the GIANTS of the anti-VIRUS industry, supposedly have everything covered: “heuristic analysis”, “preemptive system”, “proactive protection”...

WHERE WERE ALL THESE SUPER-SYSTEMS WHEN THE HR DEPARTMENT WORKER OPENED A “MALICIOUS” LETTER WITH THE SUBJECT “RESUME”???
What was the employee supposed to think?
If YOU cannot protect us, then why do we need YOU at all?

And everything would be fine with Doctor Web, but to get help you must, of course, have a license for one of their software products. When contacting technical support (hereinafter referred to as TS), you must provide the Dr.Web serial number and not forget to select “request for treatment” in the “Request Category:” line, or simply send them an encrypted file for the laboratory. I’ll say right away that the so-called “magazine keys” for Dr.Web, which are posted in batches on the Internet, are not suitable, since they do not confirm the purchase of any software product, and are weeded out by TS specialists in no time. It’s easier to buy the “cheapest” license. Because if you take on decryption, this license will pay for itself a million times over. Especially if the folder with the photos “Egypt 2012” existed in a single copy...

Attempt No. 1

So, having bought a “license for 2 PCs for a year” for an n-amount of money, contacting TS and providing some files, I received a link to the decryption utility te225decrypt.exe version 1.3.0.0. Anticipating success, I launch the utility (you need to point it to one of the encrypted *.doc files). The utility begins the key search, mercilessly loading the old processor E5300 DualCore, 2600 MHz (overclocked to 3.46 GHz) / 8192 MB DDR2-800, HDD 160Gb Western Digital to 90-100%.
Here, in parallel with me, a colleague on a PC with a Core i5 2500k (overclocked to 4.5 GHz) / 16 GB RAM 1600 / Intel SSD joins in the work (this is for the comparison of time spent at the end of the article).
After 6 days, the utility reported that 7277 files had been decrypted. But the happiness did not last long. All files were decrypted “crookedly”. That is, for example, Microsoft Office documents open, but with various errors: “The Word application detected content in the *.docx document that could not be read” or “The *.docx file cannot be opened due to errors in its content.” *.jpg files also open either with an error, or 95% of the image turns out to be a faded black or light green background. For *.rar files: “Unexpected end of archive”.
Overall, a complete failure.

Attempt No. 2

We write to TS about the results. They ask us to provide a couple of files. A day later they again provide a link to the te225decrypt.exe utility, but version 1.3.2.0. Well, let's launch it, there was no alternative then anyway. About 6 days pass and the utility ends with the error “Unable to select encryption parameters.” In total, 13 days “down the drain.”
But we don’t give up, we have important documents from our *stupid* client without basic backups.

Attempt No. 3

We write to TS about the results. They ask us to provide a couple of files. And, as you may have guessed, a day later they provide a link to the same te225decrypt.exe utility, but version 1.4.2.0. Well, let's launch it, there was no alternative, and none has appeared either from Kaspersky Lab, or from ESET NOD32, or from other manufacturers of anti-virus solutions. And now, after 5 days 3 hours 14 minutes (123.5 hours), the utility reports that the files have been decrypted (for the colleague on the Core i5, decryption took only 21 hours 10 minutes).
Well, I think, here goes. And lo and behold: complete success! All files are decrypted correctly. Everything opens, closes, displays, edits and saves properly.

Everyone is happy, THE END.

“Where is the story about the Trojan.Encoder.263 virus?”, you ask. It was on the next PC, under the table... Everything was simpler there: we write to the Doctor Web TS, get the te263decrypt.exe utility, launch it, wait 6.5 days, and voila! Everything is ready. To summarize, I can give some advice from the Doctor Web forum in my own edition:

What to do if you are infected with a ransomware virus:
- send an encrypted .doc file to the Dr.Web virus laboratory, or via the “Submit suspicious file” form.
- Wait for a response from a Dr.Web employee and then follow their instructions.

What NOT to do:
- change the extension of encrypted files; otherwise, even with a successfully found key, the utility simply will not “see” the files that need to be decrypted.
- use, on your own and without consulting specialists, any programs for decrypting/recovering data.

Attention, having a server free from other tasks, I offer my free services for decrypting YOUR data. Server core i7-3770K with overclocking to *certain frequencies*, 16GB of RAM and SSD Vertex 4.
For all active users of Habr, the use of my resources will be FREE!!!

Write to me in a personal message or through other contacts. I already know this topic inside out. So I’m not too lazy to leave the server decrypting overnight.
This virus is the “scourge” of our time, and taking “loot” from comrades-in-arms is not humane. Although, if someone “throws” a couple of bucks into my Yandex.Money account 410011278501419, I won’t mind. But this is not at all necessary. Get in touch. I process requests in my free time.

New information!

Starting from December 8, 2013, a new virus from the same Trojan.Encoder series began to spread, classified by Doctor Web as Trojan.Encoder.263, but with RSA encryption. As of today (12/20/2013) this variant cannot be decrypted, since it uses a very strong encryption method.

I recommend to everyone who has suffered from this virus:
1. Using the built-in Windows search, find all files containing the .perfect extension and copy them to external media.
2. Copy the CONTACT.txt file as well.
3. Place this external media “on the shelf”.
4. Wait for the decryptor utility to appear.
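The steps above (together with the earlier advice not to rename, re-extension or delete encrypted files, and to keep a copy on external media) can be done by hand with Windows search, but on a machine with thousands of files a small script is less error-prone. The following is an added example written for this article, not code from the original author or from any antivirus vendor. It assumes a Python 3 interpreter and that the Trojan appended one suffix to every file it touched (here .perfect; the folder names and the suffix in the demo are constructed). It lists the encrypted files, counts them per folder to size the damage, copies them together with the ransom note to a destination folder (for instance an external drive) keeping their original names and relative paths, and records a SHA-256 per file so the copy can be re-verified before and after any decryptor is tried.

```python
"""Preserve and triage files left behind by a file-encrypting Trojan.

Added example; this is not code from the original article or from any
antivirus vendor. It assumes the ransomware appended a suffix such as
.perfect, .xtbl or .crypted000007 to every file it touched and left a
ransom note (readme.txt / CONTACT.txt) next to them. Directory and file
names used in the demo below are constructed for illustration.
"""
import hashlib
import json
import shutil
from collections import Counter
from pathlib import Path


def ransomware_suffix(name):
    """Return the last extension of a file name, lower-cased, without the dot.

    For a file renamed by the Trojan this is the appended ransomware
    extension: 'Agreement.doc.amba' -> 'amba', 'ab12cd.xtbl' -> 'xtbl'.
    """
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_encrypted(root, suffix):
    """Recursively list files under root whose last extension is `suffix`."""
    root, suffix = Path(root), suffix.lstrip(".").lower()
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and ransomware_suffix(p.name) == suffix)


def scope_by_folder(files, root):
    """Count encrypted files per folder (relative to root) to size the damage."""
    root = Path(root)
    return dict(Counter(p.parent.relative_to(root).as_posix() for p in files))


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(root, suffix, dest, note_names=("readme.txt", "CONTACT.txt")):
    """Copy every encrypted file and ransom note from root into dest.

    Relative paths and original names are kept (renaming would break a
    future decryptor), copy2 preserves timestamps that help date the
    infection, and manifest.json records a SHA-256 per file so that the
    copy can be checked later. Returns the manifest {relative_path: hash}.
    """
    root, dest = Path(root), Path(dest)
    notes = {n.lower() for n in note_names}
    wanted = find_encrypted(root, suffix) + [
        p for p in root.rglob("*") if p.is_file() and p.name.lower() in notes]
    manifest = {}
    for src in wanted:
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        manifest[rel.as_posix()] = sha256_file(target)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(dest):
    """Re-hash the preserved copy; return relative paths that are missing or changed.

    Run this before and after any decryption attempt: an empty list means
    the evidence copy is still exactly what was collected.
    """
    dest = Path(dest)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [rel for rel, digest in sorted(manifest.items())
            if not (dest / rel).is_file() or sha256_file(dest / rel) != digest]


if __name__ == "__main__":
    # Constructed demo: stage a fake infected tree in a temporary directory.
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "Documents").mkdir()
    (root / "Documents" / "Agreement.doc.perfect").write_bytes(b"ciphertext-1")
    (root / "CONTACT.txt").write_text("constructed ransom note")
    dest = Path(tempfile.mkdtemp())
    files = find_encrypted(root, ".perfect")
    print(scope_by_folder(files, root))
    print(preserve(root, "perfect", dest))
    print(verify_manifest(dest))
```

On a real machine, point `preserve` at the user's data folders (Documents, Desktop, Pictures, mapped network shares) rather than the whole system drive, with the destination on a drive the Trojan did not touch; keep that copy untouched and work only on further copies of it when a decryptor finally appears.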

What NOT to do:
There is no need to mess with criminals. This is silly. In more than 50% of cases, after “payment” of approximately 5000 rubles, you will receive NOTHING. No money, no decryptor.
To be fair, it is worth noting that there are those “lucky” people on the Internet who received their files back by decryption for “loot.” But you shouldn't trust these people. If I were a virus writer, the first thing I would do would be to spread information like “I paid and they sent me a decoder!!!”
Behind these “lucky ones” there may be the same attackers.

Well... let's wish good luck to other antivirus companies in creating a utility for decrypting files after the Trojan.Encoder group of viruses.

Special thanks to comrade v.martyanov from the Doctor Web forum for the work done on creating decryption utilities.

Fighting new virus threats - ransomware

We recently wrote about the fact that new threats are spreading on the Internet - ransomware viruses or, more extensively, file-encrypting viruses; you can read about them in more detail on our website, at this link.

In this topic we will tell you how you can get back data encrypted by a virus; for this we will use two decryptors, from the Kaspersky and Doctor Web antivirus companies, as these are the most effective methods for recovering encrypted information.

1. Download utilities for decrypting files from the links: Kaspersky and Dr.WEB

Or decryptors for a specific type of encrypted files that are .

2. First, we will try to decrypt the files using a program from Kaspersky:

2.1. Launch the Kaspersky decryptor program. If it asks for some action, for example permission to launch, allow it; if it asks to update, update it, as this will increase the chances of recovering the encrypted data.

2.2. In the file decryption program window that appears, we see several buttons. Configure advanced settings and start scanning.

2.3. If necessary, select additional options and indicate where to search for encrypted files and whether to delete them after decryption. I do not recommend choosing the delete option, because files are not always decrypted correctly!

2.4. We launch the scan and wait for our virus-encrypted data to be decrypted.

3. If the first method did not work, let's try to decrypt the files using the program from Dr.Web.

3.1. After you have downloaded the decryption application, put it, for example, in the root of drive “C:”, so that the file “te102decrypt.exe” is available at “c:\te102decrypt.exe”.

3.2. Now open the command line (Start - Search - type “CMD” without quotes - run it by pressing Enter).

3.3. To start decrypting files, enter the command “c:\te102decrypt.exe -k 86 -e (encryptor code)”. The encryptor code is the extension added to the end of the files, for example “[email protected] _45jhj”; write it without quotes and parentheses, preserving the spaces. You should get something like c:\te102decrypt.exe -k 86 -e [email protected] _45jhj

3.4. Press Enter and wait for the encrypted files to be decrypted. In some cases several copies of a decrypted file are created; try to open them, keep the copy that opens normally, and the rest can be deleted.

Download other file decryptors:

Attention: Be sure to save a copy of the encrypted files on an external drive or another PC. The decryptors presented below may not decrypt files, but only corrupt them!

It is best to run the decryptor on a virtual machine or on a specially prepared computer, having first downloaded several files onto them.

The decryptors presented below work as follows. For example, your files are encrypted with the amba encryptor and look like “Agreement.doc.amba” or “Account.xls.amba”; then download the decryptor for amba files and just run it; it will find all files with this extension and decrypt them. But I repeat: protect yourself and first make a copy of the encrypted files, otherwise you may lose your incorrectly decrypted data forever!

If you do not want to take risks, then send several files to us, after contacting us using the feedback form, we will launch the decryptor on a specially prepared computer, isolated from the Internet.

The presented files were checked with the latest version of Kaspersky antivirus and with the latest database updates.

About a week or two ago, another creation of modern virus writers appeared on the Internet, which encrypts all of the user’s files. Once again I will consider the question of how to disinfect a computer after the CRYPTED000007 ransomware virus and recover the encrypted files. In this case, nothing new or unique has appeared, just a modification of the previous version.

Guaranteed decryption of files after a ransomware virus - dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is not fundamentally different from its predecessors. It works almost exactly the same way. But there are still several nuances that distinguish it. I'll tell you about everything in order.

It arrives, like its counterparts, by mail. Social engineering techniques are used to ensure that the user becomes interested in the letter and opens it. In my case, the letter talked about some kind of court and important information about the case in the attachment. After launching the attachment, the user opens a Word document with an extract from the Moscow Arbitration Court.

In parallel with opening the document, file encryption starts. An information message from the Windows User Account Control system begins to constantly pop up.

If you agree to the prompt, the backup copies of files held in Windows shadow copies will be deleted and restoring the information will be very difficult. Obviously, you must not agree to this prompt under any circumstances. In this encryptor, these requests pop up constantly, one after another, and do not stop, forcing the user to agree and delete the backup copies. This is the main difference from previous modifications of encryptors. I have never encountered non-stop requests to delete shadow copies before. Usually, after 5-10 prompts they stopped.

I will immediately give a recommendation for the future. It is very common for people to disable User Account Control warnings. There is no need to do this. This mechanism can really help in resisting viruses. The second obvious piece of advice is not to work under a computer administrator account all the time unless there is an objective need for it. In that case, the virus will not have the opportunity to do much harm. You will have a better chance of resisting it.

But even if you have always answered negatively to the ransomware’s requests, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files with the same content on your desktop.

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decrypt on your own will lead to nothing but the irrevocable loss of information. If you still want to try, then make backup copies of the files first, otherwise, in the event of a change, decryption will become impossible under any circumstances. If you have not received a reply at the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways: 1) Download and install Tor Browser using the link: https://www.torproject.org/download/download-easy.html.en In the Tor Browser address bar, enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Mailing address may change. I also came across the following addresses:

Addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are encrypted, immediately turn off your computer. This must be done to interrupt the encryption process both on the local computer and on network drives. An encryption virus can encrypt all information it can reach, including on network drives. But if there is a large amount of information there, it will take it considerable time. Sometimes, even in a couple of hours, the ransomware did not manage to encrypt everything on a network drive of approximately 100 gigabytes.

Next you need to think carefully about how to act. If you need information on your computer at any cost and you do not have backup copies, then it is better at this moment to turn to specialists. Not necessarily for money in some companies. You just need a person who is well versed in information systems. It is necessary to assess the scale of the disaster, remove the virus, and collect all available information on the situation in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate the process of decrypting or restoring files. In the worst case, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and has finished its activity, all useful files will be encrypted and renamed with the extension .crypted000007. Moreover, not only the file extension is replaced, but also the file name, so you won’t know exactly what files you had if you don’t remember. It will look something like this.

In such a situation, it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in different folders. This was done specifically to confuse people and encourage them to pay for file decryption.

And if your network folders were encrypted and there are no full backups, then this can completely stop the work of the entire organization. It will take you a while to figure out what was ultimately lost in order to begin restoration.

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect the computer and remove the virus in order to prevent further encryption if it has not yet finished. I want to draw your attention right away to the fact that once you yourself start performing actions on your computer, the chances of decrypting the data decrease. If you need to recover the files at any cost, do not touch your computer but contact professionals immediately. Below I will talk about them, provide a link to their site and describe how they work.

In the meantime, we will continue to disinfect the computer and remove the virus on our own. Traditionally, ransomware is easily removed from a computer, since the virus does not have the task of remaining on the computer at any cost. After completely encrypting the files, it is even more profitable for it to delete itself and disappear, so that it is harder to investigate the incident and decrypt the files.

It is difficult to describe manual removal of a virus, although I have tried to do this before, but I see that most often it is pointless. File names and virus placement paths are constantly changing. What I saw is no longer relevant in a week or two. Typically, viruses are sent by mail in waves, and each time there is a new modification that is not yet detected by antiviruses. Universal tools that check startup and detect suspicious activity in system folders help.

To remove the CRYPTED000007 virus, you can use the following programs:

  1. Kaspersky Virus Removal Tool - a utility from Kaspersky http://www.kaspersky.ru/antivirus-removal-tool.
  2. Dr.Web CureIt! - a similar product from Doctor Web http://free.drweb.ru/cureit.
  3. If the first two utilities do not help, try MALWAREBYTES 3.0 - https://ru.malwarebytes.com.

Most likely, one of these products will clear your computer of the CRYPTED000007 ransomware. If it suddenly happens that they do not help, try removing the virus manually. I gave an example of the removal method and you can see it there. Briefly, step by step, you need to act like this:

  1. We look at the list of processes, after adding several additional columns to the task manager.
  2. We find the virus process, open the folder in which it sits and delete it.
  3. We clear the mention of the virus process by file name in the registry.
  4. We reboot and make sure that the CRYPTED000007 virus is not in the list of running processes.

Where to download the decryptor CRYPTED000007

The question of a simple and reliable decryptor comes up first when it comes to a ransomware virus. The first thing I recommend is to use the service https://www.nomoreransom.org. Perhaps you will be lucky and they will have a decryptor for your version of the CRYPTED000007 encryptor. I’ll say right away that your chances are not great, but it doesn't hurt to try. On the main page click Yes:

Then upload a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also see the list of decryptors for download on a separate page - https://www.nomoreransom.org/decryption-tools.html. Maybe there's something useful there. When the virus is completely fresh, there is little chance of this happening, but over time, something may appear. There are examples when decryptors for some modifications of encryptors appeared on the network. And these examples are on the specified page.

I don’t know where else you could find a decryptor. It is unlikely that one actually exists, taking into account how modern encryptors work. Only the authors of the virus can have a fully working decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The technical implementation of encryption does not allow decrypting files without a key or a decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I don't have that information. We can only try to recover files using improvised methods. These include:

  • The Windows shadow copies tool.
  • Deleted data recovery programs.

First, let's check if we have shadow copies enabled. This tool works by default in Windows 7 and higher, unless you manually disable it. To check, open the computer properties and go to the system protection section.

If during infection you did not confirm the UAC request to delete files in shadow copies, then some data should remain there. I talked about this request in more detail at the beginning of the story, when I talked about how the virus works.
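A quick way to see what is still there before installing anything: the built-in command vssadmin list shadows, run from an elevated command prompt, prints every shadow copy with its creation time. The script below is an added example written for this article, not the article's own code and not part of ShadowExplorer. It assumes Python 3 (on the affected machine, or on any machine for the offline sample) and parses that output into records, keeps only the copies created before the infection started (a copy taken afterwards already contains encrypted files), and, as a detection aid for the UAC prompt described above, recognises the command lines commonly used by ransomware to delete shadow copies. The sample output, GUIDs and times embedded in it are constructed.

```python
"""Inventory the Windows shadow copies that may still hold pre-infection
versions of encrypted files, and recognise the commands that destroy them.
Added example, not code from the original article or from ShadowExplorer;
it parses the output of the built-in Windows command `vssadmin list shadows`
and, offline, a constructed sample of that output (GUIDs and times made up).
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the format vssadmin prints (some informational lines omitted).
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1a2b3c4d-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 11/20/2016 8:05:12 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{11111111-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {1a2b3c4d-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 1/10/2017 7:30:00 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (D:)\\?\Volume{22222222-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Contents of shadow copy set ID: {1a2b3c4d-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 1/15/2017 10:23:45 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000003}
         Original Volume: (C:)\\?\Volume{11111111-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

# vssadmin prints the creation time in the system locale; US and Russian formats covered.
_TIME_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%d.%m.%Y %H:%M:%S")
_SET_RE = re.compile(r"Contents of shadow copy set ID:\s*(\{[0-9a-fA-F-]+\})")
_TIME_RE = re.compile(r"at creation time:\s*(.+?)\s*$")
_VOL_RE = re.compile(r"Original Volume:\s*\(([A-Za-z]:)\)")
_DEV_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
# Command lines commonly used to wipe shadow copies (what the elevated UAC request runs).
_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


@dataclass
class ShadowCopy:
    set_id: str
    created: "datetime | None"   # None when the locale's time format is unknown
    original_volume: str         # drive letter, e.g. 'C:'
    device: str                  # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


def parse_created(text):
    """Parse a vssadmin creation time; return None if the format is not recognised."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    return None


def parse_vssadmin(text):
    """Turn `vssadmin list shadows` output into ShadowCopy records, in listed order."""
    copies, set_id, created, volume = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _SET_RE.search(line)):
            set_id = m.group(1)
        elif (m := _TIME_RE.search(line)):
            created = parse_created(m.group(1))
        elif (m := _VOL_RE.search(line)):
            volume = m.group(1)
        elif (m := _DEV_RE.search(line)):
            copies.append(ShadowCopy(set_id, created, volume, m.group(1)))
    return copies


def copies_before(copies, infection_started):
    """Copies taken before the infection, newest first; later or undated copies are dropped."""
    usable = [c for c in copies if c.created and c.created < infection_started]
    return sorted(usable, key=lambda c: c.created, reverse=True)


def is_shadow_copy_deletion(command_line):
    """True if a process command line is one of the usual shadow-copy deletion commands."""
    return bool(_DELETE_RE.search(command_line))


if __name__ == "__main__":
    if sys.platform == "win32":   # on a live Windows host, read the real inventory
        text = subprocess.run(["vssadmin", "list", "shadows"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_VSSADMIN_OUTPUT
    for c in copies_before(parse_vssadmin(text), datetime(2017, 1, 15, 9, 0, 0)):
        print(c.created, c.original_volume, c.device)
```

The infection time to pass to `copies_before` comes from the timestamps of the ransom note or the first renamed files; the devices it prints are the snapshots worth opening in ShadowExplorer. `is_shadow_copy_deletion` is meant for checking process-creation records (Windows event 4688 or Sysmon event 1 command lines) collected during the incident.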

To easily restore files from shadow copies, I suggest using a free program for this - ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of files and the root of drive C will open. In the upper left corner, you can select a backup copy if you have several of them. Check different copies for the required files. Compare by date for the most recent version. In my example below, I found 2 files on my desktop from three months ago when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and specified the folder where to restore them.

You can restore folders immediately using the same principle. If you had shadow copies working and did not delete them, you have a good chance of recovering all, or almost all, files encrypted by the virus. Perhaps some of them will be an older version than we would like, but nevertheless, it is better than nothing.
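The same check and restore can be done without a third-party tool. The script below is an added example, not code from the article or from ShadowExplorer: it lists the shadow copies that exist for a drive via CIM, exposes the newest one through a directory symlink (the usual trick, since the copy is only reachable by its device path), and copies a file or folder out of it. It must be run from an elevated PowerShell prompt; the relative path and the destination in the usage call are placeholders.

```powershell
# Added example (not the article's code): enumerate Volume Shadow Copies and
# restore one file or folder from the newest copy of a drive using only
# built-in tools (CIM + mklink). Run from an elevated PowerShell prompt.

function Get-ShadowCopy {
    param([string]$DriveLetter = 'C:')
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{GUID}\ form,
    # which is how a shadow copy is matched to a drive letter
    $volumeId = (Get-CimInstance -ClassName Win32_Volume |
                 Where-Object DriveLetter -eq $DriveLetter).DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object VolumeName -eq $volumeId |
        Sort-Object InstallDate -Descending        # newest copy first
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)] $ShadowCopy,            # one object returned by Get-ShadowCopy
        [Parameter(Mandatory)] [string]$RelativePath,  # path inside the volume, e.g. Users\me\Desktop\report.docx
        [Parameter(Mandatory)] [string]$Destination    # restore target, preferably on another disk
    )
    # A shadow copy is only reachable through \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
    # a directory symlink pointing at it makes it browsable like a normal folder
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    cmd /c mklink /d "$link" "$($ShadowCopy.DeviceObject)\" | Out-Null   # trailing backslash is required
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "Not present in the shadow copy from $($ShadowCopy.InstallDate): $RelativePath"
        }
        New-Item -ItemType Directory -Force -Path $Destination | Out-Null
        Copy-Item -LiteralPath $source -Destination $Destination -Recurse -Force
        # Show what was restored and the version date it carries
        Get-ChildItem -LiteralPath $Destination -Recurse -File | Select-Object FullName, LastWriteTime
    }
    finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link, never the shadow copy itself
    }
}

# Usage (placeholders): inspect the available copies, then restore from the newest one
$copies = Get-ShadowCopy -DriveLetter 'C:'
if (-not $copies) {
    Write-Warning 'No shadow copies on C: - System Protection may be off or the copies were deleted.'
    return
}
$copies | Format-Table InstallDate, ID, DeviceObject -AutoSize
Restore-FromShadowCopy -ShadowCopy $copies[0] `
                       -RelativePath 'Users\Public\Documents\report.docx' `
                       -Destination  'D:\restored'
```

If `Get-ShadowCopy` returns nothing, you are in the situation described next, and only deleted-file recovery remains. Pick an older entry from `$copies` when the newest one already contains the encrypted version of a file.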

If for some reason you do not have shadow copies of your files, your only chance to get at least something from the encrypted files is to restore them using deleted file recovery tools. To do this, I suggest using the free program Photorec.

Launch the program and select the disk on which you want to search for files. The graphical version is started by running qphotorec_win.exe. You must select a folder where the found files will be placed; it is better if this folder is not on the same drive you are searching, so connect a flash drive or an external hard drive for it.

The search process will take a long time. At the end you will see statistics. Now you can go to the folder you specified and see what was found there. There will most likely be a lot of files, and most of them will either be damaged or be useless system files. Nevertheless, some useful files can be found in this list. There are no guarantees here: what you find is what you get. Images are usually recovered best.

If the result does not satisfy you, then there are also programs for recovering deleted files. Below is a list of programs that I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, eset nod32 and others in the fight against the Filecoder.ED encryptor

Popular antiviruses detect the ransomware CRYPTED000007 as Filecoder.ED, sometimes followed by a further designation. I looked through the major antivirus forums and didn't see anything useful there. Unfortunately, as usual, antivirus software turned out to be unprepared for the invasion of a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. Nevertheless, I recommend using them. If you are lucky and receive a ransomware email not in the first wave of infections, but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers. A new version of ransomware is released, but antiviruses do not respond to it. As soon as a certain amount of material for research on a new virus accumulates, antivirus software releases an update and begins to respond to it.

I don’t understand what prevents antiviruses from responding immediately to any encryption process in the system. Perhaps there is some technical nuance on this topic that does not allow us to adequately respond and prevent encryption of user files. It seems to me that it would be possible to at least display a warning about the fact that someone is encrypting your files, and suggest stopping the process.

Where to go for guaranteed decryption

I had the opportunity to meet one company that actually decrypts data after the work of various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment only after full decryption and your verification. Here is an approximate scheme of work:

  1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
  2. Launches the decryptor and decrypts all files.
  3. You make sure that all files are opened and sign the certificate of delivery/acceptance of completed work.
  4. Payment is made solely upon successful decryption results.

I'll be honest, I don't know how they do it, but you don't risk anything: payment is made only after the decryptor has been demonstrated. Please write a review about your experience with this company.

Methods of protection against the CRYPTED000007 virus

How to protect yourself from ransomware and avoid material and moral damage? There are some simple and effective tips:

  1. Backup! Back up all important data. And not just a backup, but a backup to which there is no constant access; otherwise the virus can encrypt both your documents and the backup copies.
  2. A licensed antivirus. Although it does not provide a 100% guarantee, it increases the chances of avoiding encryption. Antiviruses are most often not ready for new versions of an encryptor, but after 3-4 days they begin to respond. This increases your chances of avoiding infection if you were not in the first wave of distribution of a new modification of the ransomware.
  3. Do not open suspicious attachments in mail. There is nothing to comment on here. All the ransomware known to me reached users via e-mail, and every time new tricks are invented to deceive the victim.
  4. Do not thoughtlessly open links sent to you by friends via social networks or instant messengers. Viruses sometimes spread this way too.
  5. Enable the display of file extensions in Windows. How to do this is easy to find on the Internet. This will let you notice the extension of the virus file; most often it will be .exe, .vbs or .scr. In everyday work with documents you are unlikely to come across such extensions.
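Point 5 can be applied and checked from PowerShell. The script below is an added example, not the article's code: it turns on extension display through the Explorer registry value that controls it, and it scans a folder for files whose visible name hides an executable extension (the "resume.pdf.exe" pattern that extension hiding conceals). The list of executable extensions beyond .exe, .vbs and .scr is my addition, and the Downloads folder is just a default.

```powershell
# Added example (not the article's code): show file extensions in Explorer and
# look for files that carry a disguised second extension, e.g. "invoice.pdf.exe".

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-ExtensionDisplay {
    # HideFileExt = 1 is the Windows default (extensions hidden); 0 shows them
    (Get-ItemProperty -Path $advanced -Name HideFileExt).HideFileExt -eq 0
}

function Enable-ExtensionDisplay {
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value when it starts, so restart it to apply the change;
    # on most systems the shell restarts itself, otherwise start it again
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

function Find-DisguisedExecutables {
    param([string]$Folder = "$env:USERPROFILE\Downloads")
    # .exe, .vbs and .scr are named in the article; the rest are my additions (assumption)
    $dangerous = '.exe', '.scr', '.vbs', '.js', '.bat', '.cmd', '.com', '.pif'
    Get-ChildItem -LiteralPath $Folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $dangerous -contains $_.Extension.ToLowerInvariant() -and
            # strip the real extension and see whether a "document" extension remains
            [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($_.Name)) -ne ''
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage
if (-not (Test-ExtensionDisplay)) { Enable-ExtensionDisplay }
Find-DisguisedExecutables | Format-Table -AutoSize
```

A hit from `Find-DisguisedExecutables` is not proof of malware, only a file that was named to look like a document; it is exactly the kind of attachment the article says not to open.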

I tried to supplement what I have already written before in every article about the ransomware virus. In the meantime, I say goodbye. I would be glad to receive useful comments on the article and the CRYPTED000007 ransomware virus in general.

Video about file decryption and recovery

Here is an example of a previous modification of the virus, but the video is completely relevant for CRYPTED000007.

Recently, there has been a surge in activity of a new generation of malicious computer programs. They appeared quite a long time ago (6 - 8 years ago), but the pace of their implementation has reached its maximum right now. Increasingly, you may encounter the fact that a virus has encrypted files.

It is already known that these are not just primitive malware (for example, something that causes a blue screen) but serious programs aimed at damaging, as a rule, accounting data. They encrypt every file within reach, including 1C accounting data and docx, xlsx, jpg, doc, xls, pdf and zip files.

The particular danger of the viruses in question

It lies in the fact that an RSA key is used which is tied to a specific user's computer, which is why no universal decryptor exists. A decryptor that works on one computer may not work on another.

The danger also lies in the fact that for more than a year ready-made builder programs have been posted on the Internet, allowing even "hackers" (people who consider themselves hackers but have never studied programming) to produce this kind of virus.

Currently, more powerful modifications have appeared.

Method of introducing these malware

The virus is sent purposefully, usually to a company's accounting department. First, the e-mail addresses of HR and accounting departments are collected from databases such as hh.ru. Then letters are sent out, most often containing an application for a certain position. Attached to such a letter is a resume, a real document with an embedded OLE object (a pdf file carrying the virus).

In situations where accounting employees immediately launched this document, after a reboot the following happened: the virus renamed and encrypted the files, and then self-destructed.

This kind of letter, as a rule, is adequately written and sent from a non-spam mailbox (the name matches the signature). A vacancy is always requested based on the company’s core activities, which is why suspicions do not arise.

Neither a licensed Kaspersky (antivirus program) nor VirusTotal (an online service for checking attachments for viruses) can secure the computer in this case. Occasionally some antivirus programs, when scanning, report that the attachment contains Gen:Variant.Zusy.71505.

How to avoid infection with this virus?

Every received file should be checked. Pay particular attention to Word documents with an embedded pdf.

Options for “infected” emails

There are quite a lot of them. The most common pretexts under which the file-encrypting virus was delivered are listed below. In all cases the following documents are sent by e-mail:

  1. Notification regarding the start of the process of reviewing a lawsuit filed against a specific company (the letter asks you to check the data by clicking on the specified link).
  2. Letter from the Supreme Arbitration Court of the Russian Federation on debt collection.
  3. Message from Sberbank regarding the increase in existing debt.
  4. Notification of recording a traffic violation.
  5. A letter from the Collection Agency indicating the maximum possible deferment of payment.

File encryption notice

After infection, the notice appears in the root folder of drive C. Sometimes files like WHAT_DO.txt or CONTACT.txt are placed in every directory containing damaged files. There the user is informed that his files have been encrypted using reliable cryptographic algorithms. He is also warned against using third-party utilities, as this can permanently damage the files, which in turn would make it impossible to decrypt them later.

The notice recommends leaving your computer in the same state. It indicates the storage time for the provided key (usually 2 days). An exact date is specified after which any kind of requests will be ignored.

An e-mail address is given at the end. The notice also states that the user must provide their ID, and that any of the following actions can lead to the destruction of the key, namely:

How to decrypt files encrypted by a virus?

This type of encryption is very powerful: the file is assigned an extension such as perfect, nochance, etc. It is simply impossible to crack, but you can try to use cryptanalysts and find a loophole (Dr. WEB will help in some situations).

There is another way to recover files encrypted by a virus, but it does not work for all viruses, and you will also need to remove the original exe along with this malicious program, which is quite difficult to do after self-destruction.

The virus's request to enter a special code is only a trivial check, since at this point the file already contains the decryptor (the code from the attackers, so to speak, will not be required). The essence of this method is to insert empty instructions into the virus at the very place where the entered code is compared. The result is that the malicious program itself starts decrypting the files and thereby restores them completely.

Each individual virus has its own encryption function, which is why its files cannot be decrypted with a third-party executable (an exe file); alternatively, you can try to locate that function, for which all actions must be carried out using the WinAPI.

files: what to do?

To carry out the decryption procedure you will need:

How to avoid data loss due to the malware in question?

It is worth knowing that in a situation where a virus has encrypted files, the decryption process will take time. An important point is that the above-mentioned malware has a bug that allows you to save some files if you turn off the computer quickly (pull the plug out of the socket, switch off the power strip, remove the battery in the case of a laptop) as soon as a large number of files with the extension mentioned above appear.
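The observation above, and the earlier wish (in the section on Kaspersky and ESET) for at least a warning that something is encrypting your files, can be turned into a simple monitor. The script below is an added example, not code from the article or from any antivirus vendor: it watches a folder tree and raises an alert when many files acquire one of the watched extensions within a short window, which is the moment the article says to pull the plug. The extensions are the ones named on this page; the folder, threshold and window are my assumptions, and the response is deliberately limited to an alert.

```powershell
# Added example (not the article's code): a "mass rename" monitor that alerts when
# many files get a ransomware extension within a short time window.

$WatchPath     = "$env:USERPROFILE\Documents"                    # assumption: watch the user's documents
$Extensions    = @('.xtbl', '.crypted000007', '.perfect', '.nochance')  # extensions named in the article
$Threshold     = 20                                              # renames within the window that count as an outbreak (assumption)
$WindowSeconds = 10

# Shared state handed to the handler via -MessageData (event actions run in their own scope)
$state = @{
    Extensions = $Extensions
    Threshold  = $Threshold
    Window     = [timespan]::FromSeconds($WindowSeconds)
    Hits       = New-Object System.Collections.ArrayList   # timestamps of recent matching events
    Alerted    = $false
}

$handler = {
    $s    = $Event.MessageData
    $path = $Event.SourceEventArgs.FullPath               # for Renamed events this is the new name
    $ext  = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
    if ($s.Extensions -notcontains $ext) { return }

    $now = Get-Date
    [void]$s.Hits.Add($now)
    # Sliding window: forget matches older than $WindowSeconds
    while ($s.Hits.Count -gt 0 -and ($now - $s.Hits[0]) -gt $s.Window) { $s.Hits.RemoveAt(0) }

    if ($s.Hits.Count -ge $s.Threshold) {
        if (-not $s.Alerted) {
            $s.Alerted = $true
            Write-Host ("ALERT {0:HH:mm:ss}: {1} files renamed to {2} within {3}s, last one: {4}" -f `
                $now, $s.Hits.Count, $ext, $s.Window.TotalSeconds, $path) -ForegroundColor Red
            [console]::Beep(1000, 500)
            # A real response (e.g. Stop-Computer -Force, as the article suggests) would go here;
            # it is intentionally not automated in this example.
        }
    }
    else { $s.Alerted = $false }
}

$watcher = New-Object System.IO.FileSystemWatcher $WatchPath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName'
$watcher.InternalBufferSize = 64KB     # maximum; gives headroom during a burst of renames

# An encryptor may rename in place (Renamed) or write a new file and delete the old one (Created)
$subscriptions = foreach ($name in 'Renamed', 'Created') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -Action $handler -MessageData $state
}
$watcher.EnableRaisingEvents = $true

Write-Host "Watching $WatchPath for $($Extensions -join ', ') (Ctrl+C to stop)"
try   { while ($true) { Start-Sleep -Seconds 1 } }
finally {
    $watcher.EnableRaisingEvents = $false
    $subscriptions | ForEach-Object {
        Unregister-Event -SourceIdentifier $_.Name
        Remove-Job -Id $_.Id -Force -ErrorAction SilentlyContinue
    }
    $watcher.Dispose()
}
```

Twenty renames in ten seconds is far above what a person does by hand but well below what an encryptor produces, so the threshold is forgiving; tune it to the folder you watch. The monitor cannot stop encryption that has already started, it only shortens the time before someone reacts, which is exactly the window the bug described above gives you.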

Once again, it should be emphasized that the main thing is to create backups constantly, but not in another folder and not on removable media that stays inserted in the computer, since this modification of the virus will reach those places too. Backups are worth keeping on another computer, on a hard drive that is not permanently connected to the computer, and in the cloud.

You should be suspicious of all documents that arrive by mail from unknown persons (in the form of a resume, invoice, Resolution from the Supreme Arbitration Court of the Russian Federation or the tax office, etc.). There is no need to run them on your computer (for these purposes, you can select a netbook that does not contain important data).

Malicious program * [email protected]: solutions

In a situation where the above virus has encrypted cbf, doc, jpg and other files, there are only three ways the situation can develop:

  1. The easiest way to get rid of it is to delete all infected files (this is acceptable unless the data is particularly important).
  2. Go to the laboratory of an antivirus program, for example, Dr. WEB. Be sure to send several infected files to the developers along with the decryption key, located on the computer as KEY.PRIVATE.
  3. The most expensive way. It involves paying the amount requested by hackers for decrypting infected files. As a rule, the cost of this service is between 200 and 500 US dollars. This is acceptable in a situation where a virus has encrypted the files of a large company in which there is a significant flow of information every day, and this malicious program can cause colossal harm in a matter of seconds. In this regard, payment is the fastest option for recovering infected files.

Sometimes an additional option turns out to be effective. Where a virus has encrypted files (paycrypt@gmail_com or other malware), rolling the system back to its state of a few days earlier can help.

Decryption program RectorDecryptor

If the virus has encrypted jpg, doc, cbf and other files, a special program can help. First you need to open the list of startup items and disable everything except the antivirus, then restart the computer. Look through all the entries and mark the suspicious ones. The field called "Command" shows the location of each file (pay attention to applications that have no signature: manufacturer - no data).

All suspicious files must be deleted, after which you will need to clear browser caches and temporary folders (CCleaner is suitable for this).
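The "manufacturer - no data" check above can be done systematically. The script below is an added example, not the article's code: it reads the same autostart entries through the Win32_StartupCommand CIM class, works out the executable behind each "Command" value, and checks its Authenticode signature, so unsigned or missing binaries float to the top. It is read-only; deleting anything remains a manual decision. The extension list used to pick the executable out of a command line is my assumption.

```powershell
# Added example (not the article's code): audit autostart entries and flag those
# whose executable is unsigned, has an invalid signature, or does not exist.
# Read-only: nothing is disabled or deleted.

function Get-ExecutablePath {
    param([string]$Command)
    # Startup commands look like  "C:\path\app.exe" /arg   or   C:\path\app.exe /arg   or   %ProgramFiles%\app.exe
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($Command -match '^\s*(\S+\.(exe|com|scr|bat|cmd|vbs|js))') { $Matches[1] }   # assumption: common launchable extensions
           else { $Command.Trim() }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-StartupAudit {
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $exe       = Get-ExecutablePath $_.Command
        $status    = 'FileNotFound'
        $publisher = $null
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, UnknownError, ...
            if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name       = $_.Name
            Location   = $_.Location     # registry key or Startup folder the entry lives in
            User       = $_.User
            Path       = $exe
            Command    = $_.Command
            Signature  = $status
            Publisher  = $publisher
            Suspicious = ($status -ne 'Valid')
        }
    }
}

# Usage: suspicious entries first. A valid signature is not a clean bill of health either:
# signed system binaries such as rundll32.exe or wscript.exe can be launched with a malicious
# argument, so read the Command column for those as well.
Get-StartupAudit |
    Sort-Object Suspicious, Name -Descending |
    Format-Table Name, Signature, Publisher, Path, Command -AutoSize -Wrap
```

An unsigned entry is not automatically malware (plenty of legitimate small tools ship unsigned), but it is the entry to investigate first, and a recently created unsigned file in a user-writable folder such as AppData or Temp is the classic picture the article describes.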

To start decrypting, you need to download the above program. Then run it and click the “Start scan” button, indicating the changed files and their extension. In modern versions of this program, you can only specify the infected file itself and click the “Open” button. After this, the files will be decrypted.

Subsequently, the utility automatically scans all computer data, including files located on the attached network drive, and decrypts them. This recovery process may take several hours (depending on the amount of work and the speed of the computer).

As a result, everything is decrypted into the same directory where the files were originally located. Finally, all that remains is to delete the files with the suspicious extension; for this you can tick the "Delete encrypted files after successful decryption" option after first clicking the "Change scan parameters" button. However, it is better not to tick it, because if decryption of some files fails they may be deleted, and you would then have to recover them first.

So, if a virus has encrypted doc, cbf, jpg and other files, you should not rush to pay for the code. It may not be needed.

Nuances of deleting encrypted files

When you try to remove all the damaged files through a standard search followed by deletion, the computer may freeze and slow down. For this procedure it is therefore worth using the command line. After launching it, enter the following: del "<drive>:\*.<extension of the infected files>" /f /s.

Files such as "Read-me.txt" must also be deleted; for this, in the same command line, enter: del "<drive>:\*.<file name>" /f /s.
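The two del commands above delete without looking. The script below is an added example, not the article's code: it first inventories the encrypted files and ransom notes (writing a CSV you can keep as a record of what was hit, when, and where), and only deletes when asked to, with PowerShell's -WhatIf and -Confirm available because the earlier section warns that files must not be removed until decryption has been verified. The default extension and note names are taken from this page; the report path is a placeholder.

```powershell
# Added example (not the article's code): inventory encrypted files and ransom notes
# before deleting anything; deletion only happens with -Delete and honours -WhatIf/-Confirm.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $Root      = 'C:\',
    [string]   $Extension = '.xtbl',                                              # extension the encryptor appended
    [string[]] $NoteNames = @('README.txt', 'WHAT_DO.txt', 'CONTACT.txt', 'Read-me.txt'),  # note names mentioned on this page
    [string]   $Report    = "$env:USERPROFILE\Desktop\encrypted-inventory.csv",  # placeholder
    [switch]   $Delete
)

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $Extension -or $NoteNames -icontains $_.Name }

# Record what was found before anything is touched
$files |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'Kind'; e = { if ($_.Extension -ieq $Extension) { 'encrypted' } else { 'ransom-note' } } } |
    Export-Csv -NoTypeInformation -Path $Report

$encrypted = @($files | Where-Object Extension -ieq $Extension)
$notes     = $files.Count - $encrypted.Count
$span      = $encrypted | Measure-Object LastWriteTime -Minimum -Maximum
"{0} encrypted files and {1} ransom notes under {2}; encryption ran from {3} to {4}" -f `
    $encrypted.Count, $notes, $Root, $span.Minimum, $span.Maximum
"Most affected directories:"
$files | Group-Object DirectoryName | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Deletion: only on request, and only after decryption has been verified (see the article).
# Run with  -Delete -WhatIf  to see what would be removed without removing it.
if ($Delete) {
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

The first and last LastWriteTime of the encrypted files tell you roughly when the encryptor started and stopped, which is the time range to look at in the mail client and the antivirus log when working out how it got in.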

Thus, it can be noted that if the virus has renamed and encrypted files, you should not immediately spend money on purchasing a key from attackers; you should first try to figure out the problem yourself. It is better to invest money in purchasing a special program for decrypting damaged files.

Finally, it is worth recalling that this article discussed the question of how to decrypt files encrypted by a virus.
