Who has been hit by the encrypter virus. The encrypter virus: how to remove it and restore encrypted files. Common consequences of infection by all viruses of this type

For decades, cybercriminals have successfully exploited shortcomings and vulnerabilities in the World Wide Web. In recent years, however, there has been a clear increase both in the number of attacks and in their sophistication: attackers are becoming more dangerous, and malicious programs spread at a pace never seen before.

Introduction

This article is about ransomware programs, which made an unprecedented leap in 2017 and caused damage to thousands of organizations around the world. In Australia, for example, attacks by ransomware such as WannaCry and NotPetya raised concern even at the government level.

Summing up the "successes" of ransomware this year, we review the 10 most dangerous families, those that did the greatest damage to organizations. Let us hope that by next year we will have learned the lessons and will not let such a problem into our networks.

NotPetya

The attack by this ransomware began through the Ukrainian accounting software M.E.Doc, which replaced 1C after 1C was banned in Ukraine. In just a few days, NotPetya infected hundreds of thousands of computers in more than 100 countries. This malware is a variant of the older Petya ransomware; the difference is that the NotPetya attacks used the same exploit as the WannaCry attacks.

As it spread, NotPetya affected several organizations in Australia, for example the Cadbury chocolate factory in Tasmania, which had to shut down its entire IT system temporarily. It also managed to penetrate the world's largest container shipping company, Maersk, which reportedly lost 300 million dollars in revenue.

WannaCry

This notorious ransomware practically took over the whole world. Its attacks used the infamous EternalBlue exploit, which exploits a vulnerability in the Microsoft Server Message Block (SMB) protocol.

WannaCry infected victims in 150 countries and more than 200,000 machines on the first day alone. We have written about this notorious malware separately.

Locky

Locky was the most widespread ransomware of 2016 and remained active in 2017. New Locky variants, named Diablo and Lukitus, appeared this year, using the same attack vector (phishing) to deliver their exploits.

It was Locky that stood behind the scandal around fraudulent emails impersonating Australia Post. According to the Australian Competition and Consumer Commission, citizens lost more than 80,000 dollars to this scam.

Crysis

This specimen distinguished itself by spreading through the Remote Desktop Protocol (RDP). RDP is one of the most popular ways of spreading ransomware, since through it cybercriminals can compromise the machines that control entire organizations.

Crysis victims were forced to pay from $455 to $1,022 to restore their files.

Nemucod

Nemucod spreads through a phishing email that looks like an invoice for transport services. This ransomware downloads malicious files hosted on hacked websites.

In its use of phishing emails, Nemucod is second only to Locky.

Jaff

Jaff is similar to Locky and uses similar methods. This ransomware is not notable for original distribution or file-encryption methods; on the contrary, it combines the most successful existing practices.

Its operators demanded up to $3,700 for access to the encrypted files.

Spora

To distribute this ransomware, cybercriminals hack legitimate sites and add JavaScript code to them. A user who lands on such a site sees a pop-up warning offering to update the Chrome browser in order to continue viewing the site. After downloading the so-called Chrome font pack, the user is infected with Spora.

Cerber

One of the many attack vectors Cerber uses is called RaaS (Ransomware-as-a-Service). Under this scheme, other attackers are paid to distribute the Trojan in exchange for a percentage of the money received. Thanks to this "service", the cybercriminals build the ransomware and then supply other attackers with the tools to distribute it.

Cryptomix

This is one of the few ransomware families that has no payment portal of any kind available on the dark web. Affected users must wait until the cybercriminals email them instructions.

Cryptomix victims were users in 29 countries; they were forced to pay up to $3,000.

Jigsaw

Another piece of malware on the list that began its activity in 2016. Jigsaw inserts an image of the clown from the "Saw" film series into spam emails. As soon as the user clicks the image, the ransomware not only encrypts files but also deletes them if the user delays too long in paying the ransom, which is $150.

Conclusions

As we can see, modern threats use increasingly sophisticated exploits against well-protected networks. Although raised awareness among employees helps cope with the consequences of infections, enterprises need to go beyond basic cybersecurity standards to protect themselves. Defending against modern threats requires proactive approaches that use real-time analysis built on machine learning, including an understanding of the behavior and context of threats.

The virus continues its depressing march across the network, infecting computers and encrypting important data. How do you protect yourself from the encrypter and protect Windows from the ransomware? Are there patches, and have patches been released to decrypt and clean files?

The new encrypter virus of 2017, Wanna Cry, continues to infect corporate and private PCs. Damage from the virus attack has reached 1 billion dollars. In 2 weeks the encrypter virus infected at least 300 thousand computers, despite warnings and security measures.

The 2017 encrypter virus can, as a rule, be "picked up" on seemingly the most harmless sites, such as banking servers with user access. Once on the victim's hard drive, the encrypter "settles" in the System32 system folder. From there the program immediately turns off the antivirus and adds itself to autorun; after each reboot the encryption program starts from the registry and begins its dirty work. The encrypter then downloads similar copies of programs such as Ransom and Trojan. Self-replication of the encrypter is also common. This process can be short, or it can take weeks, until the victim notices and removes the infection.

The encrypter is often disguised as an ordinary picture or text file, but the essence is always the same: it is an executable file with the extension .exe, .drv or .xvd, and sometimes a .dll library. Most often the file looks quite harmless, for example "document.doc" or "picture.jpg", where the visible extension is written by hand and the true file type is hidden.
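The disguise described above can be checked for mechanically. The following PowerShell script is an added example, not code from the article: it walks a folder and reports files that either carry a hidden second extension ("invoice.pdf.exe") or whose content begins with the Windows executable "MZ" header even though the name claims a document or image. The function names, the sample files it creates in a temp folder, and the extension lists are constructed for the demonstration; the HideFileExt registry value it reads is the real Explorer setting that hides known extensions.

```powershell
# Added example (not from the article): flag files whose visible name looks like a
# document or image but whose content is a Windows executable (PE "MZ" header), and
# files carrying a hidden second extension such as "invoice.pdf.exe".
# Sample files are constructed in a temp directory purely for demonstration.

function Test-HideFileExtEnabled {
    # Explorer's "Hide extensions for known file types" makes "invoice.pdf.exe" appear as
    # "invoice.pdf". Value 1 = extensions hidden (the risky setting), 0 = shown.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.HideFileExt -eq 1)
}

function Find-DisguisedExecutable {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Extensions the article names as the real type behind the "picture" or "document".
    $execExt = @('.exe', '.scr', '.dll', '.drv', '.xvd')
    # Extensions a user expects to be harmless data (assumed list).
    $dataExt = @('.doc', '.docx', '.pdf', '.jpg', '.jpeg', '.png', '.txt', '.xls', '.xlsx')

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $f = $_
        $reasons = @()

        # 1. Double extension: "picture.jpg.exe" -> inner ".jpg", outer ".exe".
        $inner = [System.IO.Path]::GetExtension($f.BaseName).ToLowerInvariant()
        if ($execExt -contains $f.Extension.ToLowerInvariant() -and $dataExt -contains $inner) {
            $reasons += "double extension $inner$($f.Extension)"
        }

        # 2. Content check: a PE file starts with the bytes 'M' 'Z' whatever its name says.
        if ($f.Length -ge 2) {
            $fs = [System.IO.File]::OpenRead($f.FullName)
            try {
                $buf = New-Object byte[] 2
                $null = $fs.Read($buf, 0, 2)
            } finally { $fs.Dispose() }
            if ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A -and
                $dataExt -contains $f.Extension.ToLowerInvariant()) {
                $reasons += "PE header behind a $($f.Extension) name"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ File = $f.FullName; Reason = ($reasons -join '; ') }
        }
    }
}

# --- Demonstration on constructed sample files ---
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'disguise-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
[System.IO.File]::WriteAllText("$dir\notes.txt", 'plain text, harmless')
[System.IO.File]::WriteAllBytes("$dir\picture.jpg", [byte[]](0xFF, 0xD8, 0xFF, 0xE0))    # genuine JPEG magic
[System.IO.File]::WriteAllBytes("$dir\document.doc", [byte[]](0x4D, 0x5A, 0x90, 0x00))   # PE bytes under a .doc name
[System.IO.File]::WriteAllBytes("$dir\invoice.pdf.exe", [byte[]](0x4D, 0x5A, 0x90, 0x00)) # hidden second extension

Find-DisguisedExecutable -Path $dir | Format-Table -AutoSize
if (Test-HideFileExtEnabled) {
    Write-Warning 'Explorer is hiding known extensions: "invoice.pdf.exe" is shown as "invoice.pdf".'
}
```

Of the four constructed files only document.doc and invoice.pdf.exe are reported; the content check is the one that matters, because an attacker controls the name but cannot remove the MZ header from a program that must still run.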

After encryption completes, in place of the familiar files the user sees a set of "random" characters in the name and in the contents, and the extension changes to something completely unfamiliar: .no_more_ransom, .xdata and others.

The 2017 encrypter virus Wanna Cry: how to protect yourself. Note at once that Wanna Cry is rather a collective term for all encrypting and extorting viruses, since lately it has infected computers most often. So this is about protection against the RansomWare encrypters, of which there is a great number: Breaking Bad, no_more_ransom, xData, Xtbl, Wanna Cry.

How to protect Windows from the encrypter: EternalBlue attacks through the SMB protocol port.

Protecting Windows from the encrypter in 2017, the basic rules:

  • Windows Update, and a timely move to a licensed OS (note: the XP version no longer receives updates)
  • updating antivirus databases and firewalls as soon as updates are available
  • extreme care when downloading any files (cute "cat pictures" can turn into the loss of all your data)
  • backing up important information to removable media.

Encrypter virus 2017: how to clean and decrypt files.

If you are hoping for antivirus software, you can forget about a decryptor for a while. The laboratories of Kaspersky, Dr.Web, Avast! and other antivirus vendors have no solution yet for treating infected files. At the moment the virus can be removed with an antivirus, but there is still no algorithm to return everything "to how it was".

Some try to use the RectorDecryptor utility, but it will not help: a decryption algorithm for the new viruses has not yet been developed. It is also completely unknown how the virus behaves if it is not deleted after such programs are applied. Often this can turn into erasure of all files, as a lesson from the virus authors to those who do not want to pay the attackers.

At the moment the most effective way to get lost data back is to contact the technical support of the vendor of the antivirus you use. To do this, send an email or use the feedback form on the vendor's website. Be sure to attach an encrypted file and, if you have one, a copy of the original. This will help the programmers compile a decryption algorithm. Unfortunately, for many the virus attack comes as a complete surprise and there are no copies, which at times complicates the situation.

Radical methods of treating Windows for the encrypter. Unfortunately, sometimes you have to resort to fully formatting the hard drive, which entails a complete reinstall of the OS. Many people would rather restore the system, but this is not a way out: even if a "rollback" gets rid of the virus, the files will still remain encrypted.

A wave of WannaCry (other names: Wana Decrypt0r, Wana Decryptor, WanaCrypt0r) has swept around the world; it encrypts documents on the computer and extorts 300-600 USD to decrypt them. How do you find out whether the computer is infected? What should you do to avoid becoming a victim? And what should you do to clean it?

After installing the updates, the computer will need to be restarted.

How to cure the Wana Decrypt0r encrypter virus?

When the antivirus utility detects the virus, it will either delete it immediately or ask you whether to treat it or not. The answer is: treat.

How to restore files encrypted by Wana Decryptor?

We cannot say anything comforting at the moment. No file decryption tool has been created yet. For now it only remains to wait until a decryptor is developed.

According to computer security expert Brian Krebs, at the moment the criminals have received only 26,000 USD, that is, only about 58 people have agreed to pay the ransom to the extortionists. Whether they got their documents back, nobody knows.

How to stop the spread of the virus across the network?

In the case of WannaCry, the solution can be to block port 445 on the firewall, the port through which the infection spreads.
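The port block just mentioned can be applied and verified with the Windows firewall cmdlets. The script below is an added example, not the article's own instructions; the rule name and function names are assumptions made here, and the optional SMBv1 switch goes one step beyond the article by turning off the protocol version that EternalBlue targets.

```powershell
# Added example (not from the article): block inbound TCP 445 (SMB) with the Windows
# firewall, the port the article says WannaCry spreads through, and verify the rule.
# Run from an elevated PowerShell session. The rule name is an assumption for this example.

$RuleName = 'Block inbound SMB 445 (WannaCry mitigation)'

function Block-InboundSmb {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also disable SMBv1 on the server side; EternalBlue exploits SMBv1 specifically.
        [switch]$DisableSmb1
    )
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "create firewall rule '$RuleName'")) {
        if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
            Write-Verbose 'Rule already exists; leaving it unchanged.'
        } else {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
    if ($DisableSmb1 -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

function Test-InboundSmbBlocked {
    # Returns $true when any enabled inbound Block rule covers TCP port 445.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '445')) { return $true }
    }
    return $false
}

# Usage: dry-run first, then apply, then confirm.
Block-InboundSmb -WhatIf
Block-InboundSmb -DisableSmb1
if (Test-InboundSmbBlocked) {
    Write-Host 'Inbound SMB (TCP 445) is blocked.'
} else {
    Write-Warning 'No enabled inbound block rule for TCP 445 was found.'
}
```

Two practical points: Windows Firewall gives Block rules precedence over Allow rules, so this rule wins over any existing file-sharing exception, and blocking 445 on a machine that serves file shares stops that sharing, which is the intended trade-off while the network is being patched.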

Modern technologies allow hackers to constantly improve their methods of defrauding ordinary users. As a rule, malicious software that penetrates the computer is used for this purpose. Encrypting viruses are especially dangerous. The threat is that the virus spreads very quickly, encrypting files (the user is simply unable to open a single document). And while infecting is quite simple, decrypting the data is much harder.

What to do if a virus has encrypted the files on the computer

Nobody, not even users with powerful antivirus software, is insured against an encrypter attack. File-encrypting Trojans come in many code variants that an antivirus may not have signatures for. Hackers even manage to attack large companies that have not taken care to protect their information properly. So, having "caught" an encrypter program online, you need to take a number of measures.

The main signs of infection are slow operation of the computer and changed document names (you can notice this on the desktop).

  1. Restart the computer to interrupt the encryption. When it turns on, do not confirm the launch of unknown programs.
  2. Run the antivirus if it has not itself been attacked by the encrypter.
  3. In some cases, copies will help restore the information. To find them, open the "Properties" of the encrypted document. This method works with data encrypted with the .vault extension, according to information on the portal.
  4. Download the latest version of a utility for fighting encrypter viruses. The most effective ones are offered by Kaspersky Lab.

Encrypter viruses in 2016: examples

When dealing with any virus attack it is important to understand that the code changes very often and is supplemented with new protection against antiviruses. Of course, protection programs need some time, as the developer does not update the database instantly. We have selected the most dangerous encrypter viruses of recent times.

Ishtar Ransomware

Ishtar is an encrypter that extorts money from the user. The virus was seen in the autumn of 2016 and infected a huge number of users in Russia and a number of other countries. It spreads via email mailings that carry attached documents (installers, documents, etc.). Files on a computer infected with the Ishtar encrypter get "ISHTAR" added to their names. The process creates a text document indicating where to obtain the password. The attackers demand from 3,000 to 15,000 rubles for it.

The danger of the Ishtar virus is that today there is no decryptor that could help users. Companies developing antivirus software need time to decipher the whole code. For now you can only isolate important information (if it is of particular value) on a separate medium and wait for the release of a utility capable of decrypting the documents. Reinstalling the operating system is recommended.

Neitrino

The Neitrino encrypter appeared in public in 2015. In its attack principle it is similar to other viruses of this category. It changes the names of folders and files by adding "Neitrino" or "Neutrino". The virus is hard to decrypt: not all antivirus companies take it on, citing its very complex code. Some users may be helped by restoring a shadow copy. To do this, right-click the encrypted document, go to Properties, the Previous Versions tab, and click Restore. It will not be superfluous to use the free utility from Kaspersky Lab.
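The "Previous Versions" tab described above reads from Volume Shadow Copies. When the Explorer dialog is unusable, or many files must be recovered at once, the same snapshots can be reached from PowerShell. The script below is an added example and not part of the article: it lists the shadow copies of a volume, exposes a chosen snapshot as a folder through a directory symlink, and copies files out of it. Function names, the mount path and the folder names in the usage lines are assumptions; Win32_ShadowCopy and Win32_Volume are the real WMI classes. As the article notes for several families, this only works if the virus has not deleted the copies.

```powershell
# Added example (not from the article): enumerate Volume Shadow Copies and copy files
# out of a snapshot taken before the encryption. Run from an elevated session.
# Function names, mount point and sample paths are assumptions for this example.

function Get-ShadowCopyList {
    param([string]$DriveLetter = 'C')
    # Win32_Volume maps "C:" to the \\?\Volume{GUID}\ name that Win32_ShadowCopy reports.
    $vol = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq "${DriveLetter}:" }
    if (-not $vol) { throw "Volume ${DriveLetter}: not found" }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending |          # newest snapshot first
        Select-Object ID, InstallDate, DeviceObject
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        [string]$MountPoint = 'C:\shadow_restore'      # assumed location for the symlink
    )
    if (Test-Path $MountPoint) { throw "$MountPoint already exists" }
    # mklink needs the trailing backslash on the device object; a directory symlink
    # makes the read-only snapshot browsable like an ordinary folder.
    cmd.exe /c "mklink /d `"$MountPoint`" `"$DeviceObject\`"" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'mklink failed (is the session elevated?)' }
    return $MountPoint
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$RelativePath,   # e.g. Users\alice\Documents
        [Parameter(Mandatory)][string]$Destination
    )
    $src = Join-Path $MountPoint $RelativePath
    if (-not (Test-Path $src)) { throw "$src is not present in this snapshot" }
    # Copy to a fresh location; do not overwrite the encrypted originals until the
    # recovered files have been opened and checked.
    Copy-Item -Path $src -Destination $Destination -Recurse -Force
}

function Dismount-ShadowCopy {
    param([Parameter(Mandatory)][string]$MountPoint)
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    cmd.exe /c "rmdir `"$MountPoint`"" | Out-Null
}

# Usage (paths are examples):
# $copies = Get-ShadowCopyList -DriveLetter C
# $copies | Format-Table -AutoSize
# $mp = Mount-ShadowCopy -DeviceObject $copies[0].DeviceObject
# Restore-FromShadow -MountPoint $mp -RelativePath 'Users\alice\Documents' -Destination 'D:\recovered'
# Dismount-ShadowCopy -MountPoint $mp
```

Pick the newest snapshot whose InstallDate precedes the first renamed files, and copy to a separate drive: writing back onto the infected volume can both overwrite evidence and be re-encrypted if the malware is still running.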

Wallet or .wallet

The Wallet virus appeared at the end of 2016. During infection it changes the file name to "name..wallet" or similar. Like most encrypter viruses, it enters the system through attachments in emails sent by intruders. Since the threat appeared quite recently, antivirus programs do not notice it. After encryption it creates a document in which the fraudster gives an email address for contact. Currently antivirus developers are working on deciphering the code of the [Email Protected] encrypter virus. Attacked users can only wait. If the data is important, it is recommended to save it to an external drive and wipe the system.

Enigma

The Enigma encrypter virus began infecting the computers of Russian users at the end of April 2016. It uses the AES-RSA encryption model found in most ransomware viruses. The virus enters the computer via a script that the user starts himself by opening files from a suspicious email. There is still no universal tool for fighting the Enigma encrypter. Users with a licensed antivirus can ask for help on the developer's official website. A small "loophole" has also been found: Windows UAC. If the user clicks "No" in the window that appears during infection, he will later be able to restore information from shadow copies.

Granit

The new Granit encrypter virus appeared in the autumn of 2016. Infection follows this script: the user starts an installer that infects and encrypts all data on the PC as well as on connected drives. Fighting the virus is difficult. Special utilities from Kaspersky can be used to remove it, but the code has not yet been decrypted. Restoring previous versions of the data may help. In addition, a specialist with a lot of experience may be able to decrypt it, but the service is expensive.

Tyson

It was seen recently. It is an extension of the already-known no_more_ransom encrypter, which you can read about on our site. It enters personal computers via email. A lot of corporate PCs have been attacked. The virus creates a text document with unlocking instructions, offering to pay a "ransom". The Tyson encrypter appeared recently, so there is no unlock key yet. The only way to restore information is to return to previous versions, if the virus has not deleted them. You can of course take a chance and transfer money to the account specified by the attackers, but there is no guarantee you will receive a password.

Spora

In early 2017 a number of users fell victim to the new Spora encrypter. In its principle of operation it is not very different from its fellows, but it boasts more professional execution: the instructions for obtaining a password are better written, and the website looks nicer. The Spora encrypter virus is written in C and uses a combination of RSA and AES to encrypt the victim's data. Attacks usually targeted computers on which the 1C accounting program is actively used. The virus, hiding under the guise of a simple invoice in .pdf format, tricks company employees into running it. No cure has been found yet.

1C.Drop.1

This encrypter virus for 1C appeared in the summer of 2016, disrupting the work of many accounting departments. It was designed specifically for computers using 1C software. Reaching the PC through a file in an email, it offers the owner an update to the program. Whatever the user clicks, the virus starts encryption. Dr.Web experts are working on decryption tools but have not found one yet. It has a similarly complex code that can exist in several modifications. The only protection against 1C.Drop.1 is user vigilance and regular archiving of important documents.

da_vinci_code

A new encrypter with an unusual name. The virus appeared in the spring of 2016. It differs from its predecessors by improved code and a robust encryption mode. da_vinci_code infects a computer through an executable application (attached, as a rule, to an email) that the user starts himself. The da_vinci_code encrypter (Da Vinci Code) copies its body to the system directory and the registry, ensuring automatic start when Windows boots. A unique ID is assigned to each victim's computer (it helps in obtaining the password). Decrypting the data is practically impossible. You can pay the intruders, but no one guarantees the password.

[Email Protected] / [Email Protected]

Two email addresses that often accompanied encrypter viruses in 2016. They serve for communication between the victim and the attacker. The addresses are attached to the most varied types of viruses: da_vinci_code, no_more_ransom and so on. It is strongly not recommended to communicate with the fraudsters or to transfer money to them. In most cases users are left without passwords, which only shows the intruders that their encrypters work and bring income.

Breaking Bad

It appeared in early 2015 but spread actively only a year later. The infection principle is identical to other encrypters: running a file from an email, then data encryption. Ordinary antiviruses, as a rule, do not notice the Breaking Bad virus. Some of its code cannot bypass Windows UAC, so the user has the opportunity to restore previous versions of documents. Not a single antivirus software company has yet introduced a decryptor.

Xtbl

A very common encrypter that has caused trouble for many users. Once on the PC, the virus changes the file extensions to .xtbl in a matter of minutes. A document is created in which the attacker extorts money. Some varieties of the Xtbl virus cannot destroy the files needed to restore the system, which allows you to get important documents back. The virus itself can be removed by many programs, but the documents are very hard to decrypt. If you own a licensed antivirus, use technical support, attaching samples of infected data.

Kukaracha

The Kukaracha encrypter was seen in December 2016. The virus with the interesting name hides user files with the RSA-2048 algorithm, which is characterized by high strength. Kaspersky antivirus designated it as Trojan-Ransom.Win32.Scatter.lb. Kukaracha can be removed from the computer so that the infection does not spread to other documents. However, infected files are practically impossible to decrypt today (a very strong algorithm).

How an encrypter virus works

There is a huge number of encrypters, but they all work on a similar principle.

  1. Entering the personal computer. As a rule, via a file attached to an email. The user himself starts the installation by opening the document.
  2. File infection. Practically all file types are subjected to encryption (depending on the virus). A text document is created containing contacts for communicating with the intruders.
  3. That is all. The user cannot access a single document.
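Stage 2 is the one a defender can still catch in progress: the article's sign of infection is documents changing their names, and the families above rename files to extensions such as .no_more_ransom, .xdata, .wallet and .xtbl. The script below is an added example and not part of the article: it takes a list of file-rename events and raises an alert when more than a threshold of them land on such extensions inside a short window, which distinguishes an encrypter from a user renaming one file. The event list is constructed for the demonstration; the function name, threshold and extension list are assumptions, and on a live system the same function would be fed by file-audit log entries or a FileSystemWatcher.

```powershell
# Added example (not from the article): detect the "file infection" stage by spotting a
# burst of files renamed to extensions the article associates with encrypters.
# The events below are constructed for the demonstration; names and thresholds are assumed.

$SuspiciousExtensions = @('.no_more_ransom', '.xdata', '.wallet', '.xtbl',
                          '.da_vinci_code', '.breaking_bad', '.vault')

function Find-EncryptionBurst {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with Time (DateTime) and Path (string)
        [int]$Threshold = 5,                       # renames inside one window needed to alert
        [int]$WindowSeconds = 10
    )
    # Keep only renames whose new extension is on the watch list, oldest first.
    $hits = @($Events |
        Where-Object { $SuspiciousExtensions -contains [System.IO.Path]::GetExtension($_.Path).ToLowerInvariant() } |
        Sort-Object Time)

    $alerts = @()
    for ($i = 0; $i -lt $hits.Count; $i++) {
        $windowEnd = $hits[$i].Time.AddSeconds($WindowSeconds)
        $inWindow = @($hits[$i..($hits.Count - 1)] | Where-Object { $_.Time -le $windowEnd })
        if ($inWindow.Count -ge $Threshold) {
            $alerts += [pscustomobject]@{
                Start      = $hits[$i].Time
                Count      = $inWindow.Count
                Extensions = ($inWindow | ForEach-Object { [System.IO.Path]::GetExtension($_.Path) } |
                              Sort-Object -Unique) -join ','
                Sample     = $inWindow[0].Path
            }
            break   # one alert per burst is enough to trigger a response
        }
    }
    return $alerts
}

# --- Constructed rename events: one harmless save, then an encryption burst ---
$t0 = Get-Date '2017-05-12 09:00:00'
$SampleEvents = @(
    [pscustomobject]@{ Time = $t0;                Path = 'C:\Users\alice\Documents\budget_v2.xlsx' }
    [pscustomobject]@{ Time = $t0.AddSeconds(30); Path = 'C:\Users\alice\Documents\report.docx.xtbl' }
    [pscustomobject]@{ Time = $t0.AddSeconds(31); Path = 'C:\Users\alice\Pictures\photo1.jpg.xtbl' }
    [pscustomobject]@{ Time = $t0.AddSeconds(31); Path = 'C:\Users\alice\Pictures\photo2.jpg.xtbl' }
    [pscustomobject]@{ Time = $t0.AddSeconds(33); Path = 'C:\Users\alice\Documents\contract.pdf.xtbl' }
    [pscustomobject]@{ Time = $t0.AddSeconds(34); Path = 'C:\Users\alice\Documents\notes.txt.xtbl' }
    [pscustomobject]@{ Time = $t0.AddSeconds(36); Path = 'C:\Users\alice\Desktop\thesis.docx.xtbl' }
)

$alerts = Find-EncryptionBurst -Events $SampleEvents
if ($alerts) {
    $alerts | Format-Table -AutoSize
    # The article's first response step: interrupt the encryption. Isolating the host
    # from the network at this point also protects shared drives.
    Write-Warning 'Encryption burst detected: disconnect the machine and stop the process.'
}
```

On the constructed events, budget_v2.xlsx is ignored and the six .xtbl renames within a few seconds produce a single alert. The threshold and window are deliberately tunable: a short window with a modest count catches an encrypter early, while a single rename never fires.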

Countermeasures from popular laboratories

The spread of encrypters, recognized as the most dangerous threat to user data, has become an impetus for many antivirus laboratories. Each popular company provides its users with programs that help fight encrypters. In addition, many of them help decrypt protected documents.

Kaspersky and encrypter viruses

One of the most famous antivirus laboratories in Russia and the world offers today the most effective means of fighting ransomware viruses. The first barrier to an encrypter virus will be Kaspersky Endpoint Security 10 with the latest updates. The antivirus simply will not let the threat onto the computer (although it may not stop new versions). To decrypt information, the developer offers several free utilities: XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They help find the virus and pick the password.

Dr.Web and encrypters

This laboratory recommends using its antivirus program, whose main feature is backing up files. The storage with document copies is, moreover, protected from unauthorized access by attackers. Owners of a licensed Dr.Web product can get help from technical support. True, even experienced professionals cannot always cope with this type of threat.

ESET NOD32 and encrypters

This company did not stand aside either, providing its users with good protection against virus penetration of the computer. In addition, the laboratory recently released a free utility with up-to-date databases, ESET Crysis Decryptor. The developers state that it will help in the fight even with the newest encrypters.