NO_MORE_RANSOM - how to decrypt encrypted files? Better_call_saul decryptor: how to decrypt virus-infected files RSA 3072 decryption without a key

A family of ransomware Trojans that encrypt files and add the extensions “.xtbl” and “.ytbl” to them, appeared at the end of 2014 – beginning of 2015 and quite quickly took a stable position among the three most common encryptors in Russia (along with and). According to the Kaspersky Lab classification, this threat received the verdict Trojan-Ransom.Win32.Shade. The “author’s” name of this ransomware is unknown; other antivirus companies detect it under the names Trojan.Encoder.858, Ransom:Win32/Troldesh.

There is virtually no evolution of the Trojan: only the format of the encrypted file name, C&C addresses, and the set of RSA keys.

We know of two main ways to deliver this malware to a victim’s computer: spam mailings and exploit kits (in particular, Nuclear EK).

In the first case, the victim receives a letter containing an executable malicious file. The system becomes infected after an attempt to open the attachment. When Trojan-Ransom.Win32.Shade was distributed, the following file names were used:

• doc_dlea podpisi.com
• doc_dlea podpisi.rar
• documenti_589965465_documenti.com
• documenti_589965465_documenti.rar
• documenti_589965465_doc.scr
• doc_dlea podpisi.rar
• not verified 308853.scr
• documenti dlea podpisi 08/05/2015.scr.exe
• akt sverki za 17082015.scr

Note that the file name changes with each distribution wave, and possible options are not limited to those listed above.

The second method of distribution (exploit kit) is more dangerous because infection occurs without user interaction when the victim visits a compromised website. This could be either an attacker’s website or a completely legal, but hacked resource. Most often, the user does not know that the site poses any danger. Malicious code on a website exploits a vulnerability in the browser or its plugins, after which the target Trojan is installed into the system in stealth mode. In this case, unlike a spam email, the victim is not even required to run the executable file.

Once Trojan-Ransom.Win32.Shade has entered the system, it connects to the C&C located in Tor networks, reports an infection and requests an RSA-3072 public key, which it subsequently uses to encrypt files (we’ll look at how exactly below). If suddenly the connection could not be established, the malware selects one of the 100 public keys contained in its body just for such a case.

The Trojan then proceeds to encrypt the files. When searching for encryption objects, it uses the static list of extensions shown in the screenshot.

When encryption is complete, a frightening picture is installed on the desktop:

The malware leaves ransom demands in the files README1.txt, ..., README10.txt. Their contents always have the same form:

However, unlike most other ransomware, Trojan-Ransom.Win32.Shade does not stop there. It does not terminate its process, but starts an endless loop in which it requests a list of malware addresses from C&C, and then downloads and installs this software on the system - this functionality is typical for downloader bots. We have identified cases of downloading representatives of the following families:

• Trojan.Win32.CMSBrute (we will talk about it in more detail below).
• Trojan.Win32.Muref
• Trojan.Win32.Kovter
• Trojan-Downloader.Win32.Zemot

Download and wait cycle code:

In this regard, it is very important to conduct a full anti-virus scan of your computer if the Shade ransomware (or the results of its work - files with the extensions .xtbl, .ytbl) is detected. If treatment is not carried out, there is a high probability that the system will remain infected with several different malware downloaded by this ransomware.

Common features of the Shade family of Trojans

• Each sample contains the address of one C&C server; in total, the addresses of 10 C&C servers were found in different samples, 8 of which are currently active. All servers are located on the Tor network.
• Before installing your wallpaper, it saves the old wallpaper in the registry.
• Typically packaged with UPX and an additional packer, it is 1817 KB in size when unpacked.
• On the infected computer, it creates 10 identical files README1.txt, ... README10.txt with ransom demands in Russian and English.
• To encrypt the contents of each file and the name of each file, a unique 256-bit AES key is generated, encryption is carried out in CBC mode with a zero seed vector.
• Contains 100 RSA-3072 public keys with a public exponent of 65537 (in total, 300 different public keys were discovered in different samples).
• It has the functionality of downloading and running malware.

Cryptographic scheme

Generating the id of an infected computer

1. The Trojan obtains the computer name (comp_name) using the GetComputerName API function and the number of processors (num_cpu) using the GetSystemInfo API function;
2. based serial number system volume calculates a 32-bit constant and converts to a hex string (vol_const);
3. receives information about the OS version (os_version), separated by the “;” character (for example, “5;1;2600;1;Service Pack 3”);
4. generates the string comp_name num_cpu vol_const os_version;
5. calculates MD5 from this string;
6. converts an MD5 hash to a hex string and takes the first 20 characters from it. The resulting result is used as the computer id.

Getting Key Data

After generating the id, an attempt is made to connect to the C&C server located in the Tor network, send it the computer id and receive a public RSA key in response. If unsuccessful, one of the 100 public RSA keys hardwired into the Trojan is selected.

File encryption

The AES-256 algorithm in CBC mode is used to encrypt files. For each file encrypted, two random 256-bit AES keys are generated: one is used to encrypt the file content, the second is used to encrypt the file name. These keys are placed in the key_data service structure, which itself is encrypted with the selected RSA key (occupies 384 bytes after encryption) and is placed at the end of the encrypted file:

In C language syntax this structure can be written as follows:

The Trojan tries to rename the encoded file, choosing the result of the calculation as the new name Base64(AES_encrypt(original filename)).xtbl(For example, ArSxrr+acw970LFQw.xtbl), and if unsuccessful, simply appends the .ytbl extension to the original file name. In later versions, the id of the infected computer was added before the .xtbl extension, for example: ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl.

The body of the Trojan contains the address of one C&C server. The servers themselves are located on the Tor network, and communication with them is carried out using a Tor client statically linked to the Trojan.

Requesting a new RSA public key:
GET http:// .onion/reg.php?i= ID&b= build&v= version&ss= stage
ID– identifier of the infected computer;
build– identifier of a specific malware sample;
version– version of the malware, versions 1 and 2 were encountered;
stage indicates the encryption stage - a request for a new RSA public key or a message about the completion of file encryption.

Error message:
GET http:// .onion/err.php?i= ID&b= build&v= version&err= error
error– base64-encoded message about an error that occurred during encryption.

Summary of the current stage of the ransomware's work:
GET http:// .onion/prog.php?i= ID&b= build&v= version&ss= stage&c= count&f= finish
count– current number of encrypted files;
finish– encryption end flag.

System information:
POST http:// .onion/sys.php?i= ID&b= build&v= version&ss= stage&c= count&k= key_number&si= info
key_number– number of the selected RSA key (in case the key was not received from the server, but was selected from those contained in the body of the malware);
info– information received from the infected computer:

• Computer name
• Username
• IP address
• Computer domain
• List of logical drives
• Windows OS version
• List of installed software

1. Request a list of URLs from which you want to download and run additional malware:
   GET http:// .onion/cmd.php?i= ID&b= build&v= version

Ransomware distribution

affiliate program

The code that users are asked to email to attackers may look like ID|0 in case the public key was obtained from the C&C server, or ID|key_number|build|version if one of the RSA public keys with the number key_number. ID denotes the identifier of the infected computer, and two numbers build And version denote the ID of a specific sample and the ransomware version, respectively.

When analyzing malware samples, we discovered various combinations of build values, email addresses for connecting users with attackers, and C&C addresses. Different meanings build correspond to different mailing addresses, while the same C&C can serve several different samples:

We recorded the distribution of different samples of two versions of the ransomware. Moreover, each specific sample of the same version of the malware corresponded to a unique build-email combination (ID of a specific sample and address for contacting attackers).

Although no partnership announcements were found, based on this data we can assume that the Trojan is distributed and the ransom accepted through affiliate network. It is likely that the sample IDs (build value) and different email addresses correspond to different distribution partners of this malware.

Geography

The most common cases of infection with this Trojan are in Russia, Ukraine and Germany. According to KSN, the distribution geography of Trojan-Ransom.Win32.Shade is as follows.

Downloadable malware: website password brute force Trojan

Among the malicious programs that Trojan-Ransom.Win32.Shade downloads is a Trojan that brute-forces passwords for websites. In terms of its internal organization, the brute forcer is very similar to the ransomware itself - most likely, it is a project of the same authors. The downloaded malware received the verdict Trojan.Win32.CMSBrute.

Common features of the CMSBrute family

• Written in C++ using STL and its own classes.
• Statically linked to the Tor client.
• Uses boost (threads), curl, OpenSSL libraries.
• Each sample contains the address of one C&C server; in total, the addresses of three C&C servers were found in different samples. All C&Cs are located on the Tor network, they are different from the addresses found in the Trojan-Ransom.Win32.Shade samples.
• All strings (along with the names of imported functions) are encrypted with the AES algorithm, decrypted when the program starts, after which the import table is dynamically filled.
• Typically packaged UPX, unpacked size is 2080-2083 KB.
• Copies itself to one of the directories on drive C with the name csrss.exe.
• Downloads additional dll plugins. Plugins contain code to define installed system content management (CMS) on the attacked website, searching for the admin panel and selecting passwords. Plugins were found that support sites based on Joomla, WordPress and DataLife Engine.

Communication with the command server

Each Trojan.Win32.CMSBrute sample contains the address of one C&C server. The servers are located on the Tor network, and communication with them is carried out using a Tor client statically linked to the Trojan.

The sample sends the following requests to the C&C server:

Registering a new bot:
GET http:// .onion/reg.php?n= ID&b= build&v= version&sf= stage
ID– identifier of the infected computer; calculated using an algorithm slightly different from that in the Shade encryptor;
build– identifier of a specific malware sample; was only met build 1;
version– malware version; only version 1 was encountered;
stage– stage of the Trojan’s work.

Request to obtain URLs for downloading or updating plugin dlls
GET http:// .onion/upd.php?n= ID&b= build&v= version&p= plugins

Request for a task to determine the CMS on the site and check logins and passwords:
GET http:// .onion/task.php?n= ID&b= build&v= version&p= plugins
plugins– versions of installed dll plugins.
The response from the server comes in json format and contains the addresses of the attacked sites and a dictionary for guessing passwords.

Sending a brute force report:
POST http:// .onion/rep.php?n= ID&b= build&v= version&rep= report
report– a json string containing a report on CMS found on the website and selected logins and passwords from the admin panel.

In the case of Trojan-Ransom.Win32.Shade, all the now traditional advice on countering ransomware is relevant. Detailed instructions can be found at:
https://support.kaspersky.ru/12015#block2
https://support.kaspersky.ru/viruses/common/10952

If your computer has already been affected by this Trojan, it is extremely important to conduct a full scan and treatment with an antivirus product, because Trojan-Ransom.Win32.Shade downloads and installs malware from several different families listed at the beginning of the article into the compromised system.

Application

When preparing this article, the following samples were examined:

Last week I caught such a nasty thing. A Trojan that encrypted all files with extensions psd, xlsx, docx, png, jpg, rar, zip and many others. I’ll tell you in more detail what happened and what to do to reduce the likelihood of contracting such a virus.

For convenience, here is a table of contents for the article.

Trojan encryptor. How it was.

As usual

Typically, Trojans that encrypt your files work according to the following principle. You receive or download a file from someone. It looks like a normal file, perhaps even a normal manufacturer is registered and there is digital signature. When you launch it, at first glance nothing happens. The installer window does not open, nothing... but in the background this Trojan downloader opens a so-called backdoor. And the ransomware Trojan begins to jump through the created hole in the protection of your PC.

Then the ransomware comes into play. It encrypts certain types of data with a special algorithm. Most often this Word documents, Excel, 1C Database and so on. Most often it remains on the desktop Text Document with a description of what this virus did and how to recover files. Most likely you will be asked to write to email to the attacker and send a certain amount for data recovery. It is unlikely that you will be able to recover the data yourself. For this you need a decoder. But even here it’s not so simple. There is not much information on data recovery on the Internet, and Trojans of this type are developing much faster than a cure for them is being created.

How was it for me

For me, everything happened much more interesting. I sat and worked at my laptop. The Internet was connected, but I did not use it. Worked in third party program. I didn’t receive any letters, and I didn’t install or launch any files. I literally left for about 20 minutes. I come back and see this picture:

Well, of course, anti-virus scanning was not launched) But in general, this is the case. I have changed my desktop screensaver and have a text document open. The document contains the following content:

Your computer has been attacked by a dangerous virus.

All your information (documents, databases, archives, backups, etc. files) were merged with hard drives and encrypted using the most secure algorithm in the world, RSA-4096.

Recovering files is only possible using...

(read the full text, if interested, on the screenshot.)

It was suggested to write by mail [email protected] to get the decoder. Of course, it was assumed that for a certain amount.

To be honest, I was simply defeated. Such a shock. All the work, all the projects and files that were important to me were there. Website layouts. In a panic, I launched an antivirus scan. Honestly, I don't know why. Purely out of panic.

A few words about my system and its condition. This is Windows 8.1 with all the latest updates. Eset Antivirus Antivirus 8. All clients remote access were disabled at the time of Trojan penetration. However, AmmyAdmin and TeamViewer are installed. RDP (Remote Desktop) is disabled. Firewall - standard Windows Firewall. Except the Firewall was disabled 🙁 (epic fail)

I went online to study the problem. And here is the most interesting thing.

How to recover encrypted files

This question worried me very much. I started scouring the internet. Lots of forums. Everywhere a Trojan is described that operates according to a different, older algorithm. And it is not always possible to eliminate the consequences of its action. It is not always possible to decrypt files. There is an option to write to DrWeb support. But if you do not have a license for their antivirus, then they will not help you.

Kaspersky also has utilities for decrypting encrypted files. Here is a link to the download page for these utilities: support.kaspersky.ru/viruses/sms

After a hopeless check with these utilities, I wrote to the Kaspersky Virus Analysis Center. They responded and took the files for analysis. But one thing became clear.

How not to catch a ransomware Trojan.

If you have already received a virus from an email hacker [email protected] , then you can safely throw a farewell party for your files. It will not be possible to revive them. So make a backup copy of the killed files (maybe in the future they will make a cure and you can restore the lost data), reinstall Windows and learn how to minimize the likelihood of such a Trojan getting to you. After scouring the Internet, reading a bunch of smart advice and from my own experience, I come up with the following safety points:

1. Update your system. Before installing the latest Windows updates, read what they are about and why. How these updates affected the system. Updates from Microsoft are not always super useful. But don't run it. Keep the system updated.
2. Firewall. Do not disable the firewall or better yet install a normal firewall. Although the standard FW from MicroSoft is not a fountain, it is better than nothing. It’s even better if you install a normal firewall. I have already set ESET Smart Security.
3. Remote access. Don't hold open programs remote access, such as Team Viewer, Ammy Admin, Radmin and others. Who knows, maybe they have already found a hole in them! Moreover, I never advise allowing everyone access to the remote desktop. How to disable Remote Decktop is not difficult to find on the Internet.
4. Password. Set a password for your user. It may not be a complicated password, but it is. And make Windows always ask for your permission when starting programs. This is somewhat less convenient, but much safer. This setting is done in Windows Security Center.
5. Backups. This is something that will not save you from Trojan penetration, but will be very helpful if you lose files. Merge copies of important files to the cloud, to flash drives, removable hard disks, DVD...anywhere. Provide storage important information not just locally on your computer.

By observing these simple rules You can reduce the likelihood of a malicious virus entering your computer and make your life much easier if you lose valuable files.

About a week or two ago, another hack from modern virus makers appeared on the Internet, which encrypts all the user’s files. Once again I will consider the question of how to cure a computer after a ransomware virus encrypted000007 and recover encrypted files. In this case, nothing new or unique has appeared, just a modification of the previous version.

Guaranteed decryption files after the ransomware virus - dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is no fundamentally different from its predecessors. It works almost exactly the same way. But still there are several nuances that distinguish it. I'll tell you about everything in order.

It arrives, like its analogues, by mail. Social engineering techniques are used to ensure that the user becomes interested in the letter and opens it. In my case, the letter talked about some kind of court and important information about the case in the attachment. After launching the attachment, the user opens a Word document with an extract from arbitration court Moscow.

In parallel with opening the document, file encryption starts. An information message from the Windows User Account Control system begins to constantly pop up.

If you agree with the proposal, then back up files in shadow copies of Windows will be deleted and recovery of information will be very difficult. It is obvious that you cannot agree with the proposal under any circumstances. In this encryptor, these requests pop up constantly, one after another and do not stop, forcing the user to agree and delete the backup copies. This is the main difference from previous modifications of encryptors. I have never encountered requests to delete shadow copies without stopping. Usually, after 5-10 offers they stopped.

I will immediately give a recommendation for the future. It is very common for people to disable User Account Control warnings. There is no need to do this. This mechanism can really help in resisting viruses. The second obvious piece of advice is to not constantly work under account computer administrator, unless there is an objective need for it. In this case, the virus will not have the opportunity to do much harm. You will have a better chance of resisting him.

But even if you have always answered negatively to the ransomware’s requests, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files with the same content on your desktop.

Your files have been encrypted. To decrypt ux, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decipher on your own will not lead to anything other than an irrevocable number of information. If you still want to try, then make backup copies of the files first, otherwise, in the event of a change, decryption will become impossible under any circumstances. If you have not received notification at the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways: 1) Download and install Tor Browser using the link: https://www.torproject.org/download/download-easy.html.en In the address space Tor Browser enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http:/ /cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Mailing address may change. I also came across the following addresses:

• [email protected]
• [email protected]

Addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are encrypted, immediately turn off your computer. This must be done to interrupt the encryption process as in local computer, and on network drives. An encryption virus can encrypt all information it can reach, including on network drives. But if there is a large amount of information there, then it will take him considerable time. Sometimes, even in a couple of hours, the ransomware did not have time to encrypt everything on a network drive with a capacity of approximately 100 gigabytes.

Next you need to think carefully about how to act. If you need information on your computer at any cost and you do not have backup copies, then it is better at this moment to turn to specialists. Not necessarily for money to some companies. You just need someone who is good at information systems. It is necessary to assess the scale of the disaster, remove the virus, and collect all available information on the situation in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate the process of decrypting or restoring files. In the worst case, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and has finished its activity, all useful files will be encrypted, renamed from extension.crypted000007. Moreover, not only the file extension will be replaced, but also the file name, so you won’t know exactly what kind of files you had if you don’t remember. It will look something like this.

In such a situation, it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in different folders. This was done specifically to confuse people and encourage them to pay for file decryption.

What if your network folders were encrypted or not? full backups, then this can completely stop the work of the entire organization. It will take you a while to figure out what was ultimately lost in order to begin restoration.

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect a computer and how to remove a virus from it in order to prevent further encryption if it has not yet been completed. I would like to immediately draw your attention to the fact that after you yourself begin to perform some actions with your computer, the chances of decrypting the data decrease. If you need to recover files at any cost, do not touch your computer, but immediately contact professionals. Below I will talk about them and provide a link to the site and describe how they work.

In the meantime, we will continue to independently treat the computer and remove the virus. Traditionally, ransomware is easily removed from a computer, since the virus does not have the task of remaining on the computer at any cost. After completely encrypting the files, it is even more profitable for him to delete himself and disappear, so that it is more difficult to investigate the incident and decrypt the files.

Describe manual removal virus is difficult, although I tried to do this before, but I see that most often it is pointless. File names and virus placement paths are constantly changing. What I saw is no longer relevant in a week or two. Typically, viruses are sent via goes to the mail in waves and each time there is a new modification that is not yet detected by antiviruses. Universal tools that check autostart and detect suspicious activity in system folders.

To remove the CRYPTED000007 virus, you can use the following programs:

1. Kaspersky Virus Removal Tool - a utility from Kaspersky http://www.kaspersky.ru/antivirus-removal-tool.
2. Dr.Web CureIt! - a similar product from other web http://free.drweb.ru/cureit.
3. If the first two utilities do not help, try MALWAREBYTES 3.0 - https://ru.malwarebytes.com.

Most likely, one of these products will clear your computer of the CRYPTED000007 ransomware. If it suddenly happens that they do not help, try removing the virus manually. I gave an example of the removal method and you can see it there. Briefly, step by step, you need to act like this:

1. We look at the list of processes, after adding several additional columns to the task manager.
2. We find the virus process, open the folder in which it sits and delete it.
3. We clear the mention of the virus process by file name in the registry.
4. We reboot and make sure that the CRYPTED000007 virus is not in the list of running processes.

Where to download the decryptor CRYPTED000007

The question of a simple and reliable decryptor comes up first when it comes to a ransomware virus. The first thing I recommend is to use the service https://www.nomoreransom.org. What if you are lucky and they have a decryptor for your version of the CRYPTED000007 encryptor. I’ll say right away that you don’t have many chances, but trying is not torture. On home page click Yes:

Then download a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also see the list of decryptors for downloading on separate page- https://www.nomoreransom.org/decryption-tools.html. Maybe there's something useful there. When the virus is completely fresh, there is little chance of this happening, but over time, something may appear. There are examples when decryptors for some modifications of encryptors appeared on the Internet. And these examples are on the specified page.

I don’t know where else you can find a decoder. It is unlikely that it will actually exist, taking into account the peculiarities of the work of modern encryptors. Only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The technical implementation of encryption does not allow decrypting files without a key or a decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I don't have that information. We can only try to recover files using improvised methods. These include:

• Tool shadow copies windows.
• Deleted data recovery programs

First, let's check if we have shadow copies enabled. This tool works by default in Windows 7 and higher, unless you manually disable it. To check, open the computer properties and go to the system protection section.

If during infection you did not confirm the UAC request to delete files in shadow copies, then some data should remain there. I spoke in more detail about this request at the beginning of the story, when I talked about the work of the virus.

To easily restore files from shadow copies, I suggest using free program for this purpose - ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of files and the root of drive C will open. In the upper left corner, you can select a backup copy if you have several of them. Check different copies for availability necessary files. Compare by dates, where more latest version. In my example below, I found 2 files on my desktop from three months ago when they were last edited.

I was able to recover these files. To do this, I selected them, clicked right click mouse, selected Export and indicated the folder where to restore them.

You can restore folders immediately using the same principle. If you had shadow copies working and did not delete them, you have a good chance of recovering all, or almost all, files encrypted by the virus. Perhaps some of them will be more old version, than we would like, but nevertheless, it is better than nothing.

If for some reason you do not have shadow copies of your files, your only chance to get at least something from the encrypted files is to restore them using recovery tools deleted files. To do this, I suggest using the free program Photorec.

Launch the program and select the disk on which you will restore files. Launch graphic version program executes file qphotorec_win.exe. You must select a folder where the found files will be placed. It is better if this folder is not located on the same drive where we are searching. Connect a flash drive or external hard disk for this.

The search process will take a long time. At the end you will see statistics. Now you can go to the previously specified folder and see what is found there. There will most likely be a lot of files and most of them will either be damaged or they will be some kind of system and useless files. But nevertheless, in this list you can find some useful files. There are no guarantees here, what you find is what you will find. Images are usually restored best.

If the result does not satisfy you, then there are also programs for recovering deleted files. Below is a list of programs that I usually use when I need to restore maximum amount files:

• R.saver
• Starus File Recovery
• JPEG Recovery Pro
• Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, eset nod32 and others in the fight against the Filecoder.ED encryptor

Popular antiviruses detect the ransomware CRYPTED000007 as Filecoder.ED and then there may be some other designation. I looked through the major antivirus forums and didn't see anything useful there. Unfortunately, as usual, antivirus software turned out to be unprepared for the invasion of a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. Nevertheless, I recommend using them. If you are lucky and receive a ransomware email not in the first wave of infections, but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers. It turns out a new version ransomware, antiviruses do not respond to it. As soon as a certain amount of material for research on a new virus accumulates, antivirus software releases an update and begins to respond to it.

I don’t understand what prevents antiviruses from responding immediately to any encryption process in the system. Perhaps there is some technical nuance on this topic, which does not allow you to adequately respond and prevent encryption of user files. It seems to me that it would be possible to at least display a warning about the fact that someone is encrypting your files, and offer to stop the process.

Where to go for guaranteed decryption

I happened to meet one company that actually decrypts data after the work of various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment only after full decryption and your verification. Here is an approximate scheme of work:

1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
2. Launches the decryptor and decrypts all files.
3. You make sure that all files are opened and sign the certificate of delivery/acceptance of completed work.
4. Payment is made solely upon successful decryption results.

I'll be honest, I don't know how they do it, but you don't risk anything. Payment only after demonstration of the decoder's operation. Please write a review about your experience with this company.

Methods of protection against the CRYPTED000007 virus

How to protect yourself from ransomware and do without material and moral damage? There are some simple and effective tips:

1. Backup! Backup of all important data. And not just a backup, but a backup to which there is no permanent access. Otherwise, the virus can infect both your documents and backup copies.
2. Licensed antivirus. Although they do not provide a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the encryptor, but after 3-4 days they begin to respond. This increases your chances of avoiding infection if you were not included in the first wave of distribution of a new modification of the ransomware.
3. Do not open suspicious attachments in mail. There is nothing to comment here. All ransomware known to me reached users via email. Moreover, every time new tricks are invented to deceive the victim.
4. Do not thoughtlessly open links sent to you from your friends via social media or messengers. This is also how viruses sometimes spread.
5. Turn on windows display file extensions. How to do this is easy to find on the Internet. This will allow you to notice the file extension on the virus. Most often it will be .exe, .vbs, .src. In your everyday work with documents, you are unlikely to come across such file extensions.

I tried to supplement what I have already written before in every article about the ransomware virus. In the meantime, I say goodbye. I would be glad to receive useful comments on the article and the CRYPTED000007 ransomware virus in general.

Video about file decryption and recovery

Here is an example of a previous modification of the virus, but the video is completely relevant for CRYPTED000007.

, VIDEO, MUSIC and other personal files on .NO_MORE_RANSOM, and changes the original name to a random combination of letters and numbers. However, most files of the most important formats .PDF, .DOC, .DOCX, .XLS, .XLSX, .JPG, .ZIP don't open. Accounting 1C does not work. This is what it looks like:

Technical support from Kaspersky Lab, Dr.Web and other well-known companies developing anti-virus software, in response to user requests to decrypt data, reports that it is impossible to do this in an acceptable time.

But don't rush to despair!

The fact is that, having penetrated your computer, the malicious program uses as a tool completely legal GPG encryption software and the popular encryption algorithm - RSA-1024. Since this utility is used in many places and is not a virus in itself, antivirus programs allow it to pass through and do not block its operation. A public and private key is generated to encrypt files. Private key is sent to the attackers' server and remains open on the user's computer. Both keys are required to decrypt files! The attackers carefully overwrite the private key on the affected computer. But this doesn't always happen. For more than three years of history of impeccable work, specialists Dr.SHIFRO We have studied thousands of variations in the activities of malware, and perhaps even in a seemingly hopeless situation, we will be able to offer a solution that will allow you to get your data back.

In this video you can watch the real operation of the decryptor on the computer of one of our clients:

To analyze the possibility of decryption, send 2 samples of encrypted files: one text (doc, docx, odt, txt or rtf up to 100 KB in size), the second graphic (jpg, png, bmp, tif or pdf size up to 3 MB). You also need a note file from the attackers. After examining the files, we will give you an estimate of the cost. Files can be sent by email [email protected] or use the file submission form on the website (orange button).

COMMENTS (2)

Got the NCOV virus. After searching the Internet for a decryption method, we found this site. The specialist quickly and thoroughly described what needed to be done. To guarantee, 5 test files were decrypted. They announced the cost and after payment everything was deciphered within a few hours. Although not only the computer was encrypted, but also network drive. Thank you very much for your help!

Good day! I recently had a similar situation with the NCOV virus, which did not have time to encrypt all disks, because... after some time I opened the folder with the photo and saw an empty envelope and a file name from a different set of letters and numbers and immediately downloaded and launched free utility to remove Trojans. The virus arrived in the mail and there was a convincing letter that I opened and launched the attachment. The computer has 4 very large hard drives (terabytes). I contacted various companies, which are full on the Internet and which offer their services, but even with successful decryption, all files will be in separate folder and everything is mixed up. No one gives a guarantee of 100% decryption. I contacted Kaspersky Lab and even there they didn’t help me..html# so I decided to contact. I sent three test photos and after a while received a response with a complete transcript of them. In the mail correspondence I was offered either remotely or at home. I decided to do it at home. We decided on the date and time of the specialist’s arrival. Immediately in the correspondence, the amount for the decoder was agreed upon and after successful decryption, we signed an agreement on the work and I made payment according to the agreement. Decrypting the files took a very long time, since some videos were big size. After complete decryption, I made sure that all my files returned to their original form and the correct file extension. The capacity of the hard drives became the same as before they were infected, since during infection the drives were almost completely full. Those who write about scammers, etc., I do not agree with this. This is written either by competitors out of anger, that they are not succeeding, or by people who are offended by something. In my case, everything turned out great, my fears are in the past. I again saw my old family photographs that I had taken from long ago and family videos that I had edited myself. I would like to express my gratitude to the dr.Shifro company and personally to Igor Nikolaevich, who helped me restore all my data. Thank you very much and good luck! Everything that is written is my personal opinion, and you decide who to contact.

Ransomware viruses are computer programs, which first encrypt your files and then demand money for the opportunity to decrypt them. Ransomware viruses have become a real epidemic. The Internet is filled with requests for help decrypting files. Most ransomware viruses are very similar to each other. They sneak into your computer and then encrypt your files. The main differences between them are believed to be the encryption algorithm and the amount of the required ransom.

Keep in mind that by paying the ransom, you have no guarantee that your files will be successfully decrypted. You are simply supporting the criminal business of cybercriminals. You can never be sure that they will send you the secret key used to decrypt them. For this reason, never try to contact the criminals or pay a ransom. In addition, ransomware viruses can spread through P2P torrent networks, where users download hacked versions software. For these reasons, you should be careful when downloading files from unverified sources, as well as when opening files sent from an unknown email recipient.

Desktop wallpaper on a PC infected with ransomware.better_call_saul

Most of these viruses appeared quite recently; .better_call_saul appeared around February. Currently, the.better_call_saul virus is quite aggressively distributed in Russia and other post-Soviet countries. Most users get infected with the .better_call_saul virus when they click on links in emails. Criminals will also spread this virus through spam mailings with infected files attached to emails. Hacked websites are the third most common method of infection with ransomware.better_call_saul. After successfully penetrating the system, this ransomware encrypts various files, stored on your hard drives. For encryption, the virus uses the RSA-3072 algorithm.

Please note that this virus adds the .better_call_saul extension to the end of the name of each encrypted file. In addition, it changes the appearance of the desktop (changes the wallpaper) and creates a README.txt file in each folder containing encrypted files. README.txt text file and also the desktop wallpaper contains a message that the files are encrypted and that in order to restore them, the victim must pay a ransom. In the instructions, the victim is advised to contact the cybercriminals by writing to the specified email address, and send special code. After this, the victim should supposedly receive further instructions.

Cybercriminals then demand to pay 14-15 thousand rubles to a special QIWI wallet. If the ransom is not paid within 48 hours, then the key used to decrypt the files and stored on servers controlled by the criminals will be deleted. Keep in mind that without this key it is impossible to decrypt your files. Unfortunately, on this moment There are no tools capable of decrypting files encoded by the .better_call_saul virus. One way to solve this problem is to restore the system or files from backup copy. Some other options to combat this virus are outlined below.

Remove ransomware.better_call_saul with automatic cleaner

Exclusively effective method working with malware in general and ransomware in particular. The use of a proven protective complex guarantees thorough detection of any viral components, their complete removal with one click. Note, we're talking about about two different processes: uninstalling the infection and restoring files on your PC. However, the threat certainly needs to be removed, since there is information about the introduction of other computer Trojans using it.

1. . After starting the software, click the button Start Computer Scan(Start scanning).
2. The installed software will provide a report on the threats detected during scanning. To remove all detected threats, select the option Fix Threats(Eliminate threats). The malware in question will be completely removed.

Restore access to encrypted files

As noted, the .better_call_saul ransomware locks files using a strong encryption algorithm, so that encrypted data cannot be restored with a wave of a magic wand - short of paying an unheard-of ransom amount. But some methods can really be a lifesaver that will help you recover important data. Below you can familiarize yourself with them.

Program automatic recovery files

A very unusual circumstance is known. This infection erases the original files in unencrypted form. The encryption process for extortion purposes thus targets copies of them. This provides an opportunity for such software how to restore erased objects, even if the reliability of their removal is guaranteed. It is highly recommended to resort to the file recovery procedure; its effectiveness is beyond doubt.

Shadow copies of volumes

The approach is based on the Windows procedure Reserve copy files, which is repeated at each recovery point. Important working conditions this method: The “System Restore” function must be activated before infection. However, any changes to the file made after the restore point will not appear in the restored version of the file.

Backup

This is the best among all non-ransom methods. If the procedure for backing up data to an external server was used before the ransomware attack on your computer, to restore encrypted files you simply need to enter the appropriate interface, select necessary files and start the data recovery mechanism from the backup. Before performing the operation, you must make sure that the ransomware is completely removed.

Check for possible presence of residual ransomware components.better_call_saul

Cleaning in manual mode fraught with omission individual fragments ransomware that can escape removal in the form of hidden objects operating system or registry items. To eliminate the risk of partial retention of individual malicious elements, scan your computer using a reliable security software. software package, specializing in malware.