Recently there has been a surge of activity from a new generation of malicious software. Such programs appeared quite a long time ago (6 - 8 years ago), but the pace of their deployment has peaked now. Increasingly, users are faced with a virus that has encrypted their files.
It is already known that these are not just primitive malicious programs that, for example, block the computer (causing a blue screen), but serious programs designed to damage data, usually accounting data. They encrypt all the files within reach, including 1C data, docx, xlsx, jpg, doc, xls, pdf and zip files.
The particular danger of these viruses
The danger is that an RSA key is used that is tied to a particular user's computer, which is why there is no universal decoder (decryptor). A virus that is active on one computer may not work on another.
A further danger is that for more than a year ready-made builder programs (Builder) have been available on the Internet, allowing such a virus to be developed even by would-be hackers (individuals who consider themselves hackers but have not learned programming).
Currently, more powerful modifications exist.
How the malware is introduced
The virus is mailed out in a targeted way, as a rule to a company's accounting department. First, the e-mail addresses of personnel and accounting departments are collected from databases such as hh.ru. Then the e-mails are sent. They most often contain a request to be considered for a certain position. Attached to such a letter is a résumé file, inside which is a real document with an embedded OLE object (a pdf file with the virus).
In cases where accounting staff opened the document right away, the following occurred after a reboot: the virus renamed and encrypted the files, and then destroyed itself.
Such a letter is usually competently written and sent from a non-spam mailbox (the name matches the signature). The position requested always matches the company's line of business, which is why no suspicion arises.
Neither a licensed "Kaspersky" (antivirus software) nor "Virus Total" (an online service that scans attachments for viruses) can protect the computer in this case. Occasionally, some antivirus programs report when scanning that the attachment is Gen:Variant.Zusy.71505.
How to avoid infection with the virus?
Every received file should be checked. Particular attention should be paid to Word documents that have an embedded pdf.
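The check described above can be automated. The following Python code is an added example, not part of the original article: it lists the objects embedded in a Word attachment (docx or legacy doc) and flags those that contain PDF data. The function names, the size cap and the sample document are assumptions constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
OBJECT_POOL = "ObjectPool".encode("utf-16-le")  # storage holding embeddings in legacy .doc
MAX_PART = 50 * 1024 * 1024                     # assumed cap: do not inflate huge zip entries

def inspect_attachment(data):
    """Return findings about embedded objects in a Word attachment (docx or doc)."""
    findings = []
    if data.startswith(OLE_MAGIC):              # legacy binary .doc
        if OBJECT_POOL in data:                 # heuristic: directory entry name is present
            findings.append({"part": "ObjectPool", "is_ole": True,
                             "contains_pdf": b"%PDF-" in data})
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings                         # not a Word container at all
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            if not name.lower().startswith("word/embeddings/") or info.is_dir():
                continue
            if info.file_size > MAX_PART:       # too large to read: report, do not unpack
                findings.append({"part": name, "is_ole": None, "contains_pdf": None})
                continue
            blob = z.read(info)
            findings.append({"part": name, "is_ole": blob.startswith(OLE_MAGIC),
                             "contains_pdf": b"%PDF-" in blob})
    return findings

def needs_manual_review(data):
    """True when the attachment carries any embedded object."""
    return bool(inspect_attachment(data))

def make_sample_docx(with_embedding):
    """Build a constructed, minimal docx-like zip in memory (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_embedding:
            z.writestr("word/embeddings/oleObject1.bin",
                       OLE_MAGIC + b"\x00" * 504 + b"%PDF-1.4 constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, inspect_attachment(make_sample_docx(flag)))
```

The byte search is a heuristic: a flagged attachment should be opened only on an isolated machine, and an empty result does not prove the file is safe.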
Variants of "infected" messages
There are quite a lot of them. The most common variants of mailings carrying the file-encrypting virus are shown below. In all cases, the following documents arrive by e-mail:
- A notification that review of a lawsuit filed against a specific company has begun (the letter invites the recipient to check the data by clicking on a link).
- A letter from the Supreme Arbitration Court about recovery of a debt.
- A message from Sberbank about an increase in existing debt.
- A notice that a traffic violation has been recorded.
- A letter from a collection agency stating the maximum possible deferral of payment.
Notice of file encryption
It appears after infection in the root folder of drive C. Sometimes text files such as ChTO_DELAT.txt or CONTACT.txt are placed in every directory that contains damaged files. In them the user is informed that the files have been encrypted using reliable cryptographic algorithms. The user is also warned against using third-party utilities, as this may permanently damage the files, which in turn would make subsequent decryption impossible.
The notice recommends leaving the computer in its current state. It states how long the provided key will be stored (generally 2 days) and gives the exact date after which any requests will be ignored.
An e-mail address is provided at the end. The notice also states that the user must specify their ID and that any of the following actions may result in the destruction of the key, namely:
- request details without further payment;
How to decrypt files encrypted by a virus?
This kind of encryption is very strong: the file is given an extension such as perfect, nochance and so forth. Cracking it is simply impossible, but you can try to involve cryptanalysts and look for a loophole (in some situations Dr. WEB can help).
There is one more way to restore files encrypted by a virus, but it does not suit all viruses; besides, it requires extracting the original exe of the malware, which is not easy to do after it has destroyed itself.
The virus's request to enter a special code is a minor check, because at this point the file already contains the decoder (the code from the attackers is, so to speak, not needed). The essence of this method is to write an empty instruction into the virus (at the very place where the entered code is compared). As a result, the malicious program itself runs the decryption of the files, and they are thereby fully restored.
Each virus has its own special encryption function, which is why decrypting with a third-party executable (a file in exe format) will not work; alternatively, you can try to pick out the above function, for which all operations must be carried out via WinAPI.
A virus has encrypted files: what to do?
The decryption procedure requires the following:
- Make a backup (a backup copy of the existing files). After decryption, everything removes itself.
- On the (victim's) computer, run the malicious program, then wait for a window that asks for the code to be entered.
- Next, run the file Patcher.exe from the attached archive.
- The next step is to enter the virus's number, then press "Enter".
- The message «patched» appears, which means the compare instructions have been overwritten.
- Then type any characters into the code entry field and click "OK".
- The virus begins decrypting the files, after which it removes itself.
How to avoid losing data to the malware in question?
It is worth knowing that when a virus has encrypted files, decrypting them will take time. An important point in the user's favor is that the above-mentioned malware contains a bug that lets you save some of the files if you quickly cut power to the computer (pull the plug out of the socket, switch off the power strip, remove the battery in the case of a laptop) as soon as a large number of files with the previously mentioned extension appear.
Once again it should be emphasized that the main thing is to make backups constantly, but not to another folder and not to removable media left inserted in the computer, since this modification of the virus will reach those places too. Backups should be kept on another computer, on a hard drive that is not permanently attached to the computer, and in the cloud.
Treat with suspicion all documents that arrive by mail from unknown people (in the form of a résumé, an invoice, a resolution of the SAC or the tax office, etc.). Do not open them on your computer (for this purpose you can set aside a netbook that does not contain sensitive data).
Malware *[email protected]: remedies
When the above virus encrypts cbf, doc, jpg and other files, there are only three possible courses of action:
- The easiest way to get rid of it is to delete all infected files (this is acceptable if the data is not very important).
- Use the laboratory of an antivirus program, for example, Dr.WEB. Be sure to send the developers several infected files together with the decryption key, which is located on the computer as KEY.PRIVATE.
- The most expensive way. It involves paying the hackers the requested amount for decrypting the infected files. Typically, the cost of this service is in the range of 200 - 500 US dollars. This is acceptable in a situation where the virus has encrypted the files of a large company that handles a significant flow of information every day, and where this malicious program can cause enormous harm in seconds. For this reason, payment is the fastest option for recovering the infected files.
Sometimes an additional option is also effective. When a virus has encrypted files (paycrypt@gmail_com or other malicious software), rolling the system back to a few days earlier can help.
The RectorDecryptor decryption program
If the virus has encrypted jpg, doc, cbf and similar files, a special program can help. To use it, first go to the startup list and disable everything except the antivirus. Next, restart the computer. Review all the files and single out the suspicious ones. The field named "Command" shows the location of a specific file (pay attention to applications that have no signature: manufacturer - no data).
All suspicious files should be deleted, after which the browser caches and temporary folders need to be cleaned (the program CCleaner is suitable for this).
To start the decryption, download the above program. Then run it and click "Start Scan", specifying the modified files and their extension. In modern versions of the program, you can specify just the infected file itself and click "Open." After that, the files are decrypted.
Subsequently, the utility automatically scans all computer data, including files on mapped network drives, and decrypts them. This recovery process can take several hours (depending on the workload and the speed of your computer).
As a result, all the corrupted files will be decrypted into the same directory where they were originally located. At the end, all that remains is to delete all files with the suspicious extension; for this you can tick the option "Delete encrypted files after successful decoding", having first clicked "Change scan settings". However, it is better not to tick it, since if decryption fails the files may be deleted, and you would then have to restore them first.
So, if a virus has encrypted doc, cbf, jpg and similar files, do not rush to pay for the code. It may not be needed.
Nuances of deleting encrypted files
When you try to remove all the damaged files through a standard search followed by deletion, the computer may start to freeze and slow down. For this reason, the command line should be used for this procedure. After launching it, type the following: del "<drive>:\*.<extension of the infected file>" /f /s
Be sure to also delete files such as "Read-menya.txt", for which you type in the same command line: del "<drive>:\<filename>" /f /s
Thus, if a virus has renamed and encrypted your files, do not immediately spend money on buying the key from the attackers; first try to sort out the problem yourself. It is better to invest in purchasing a special program for decrypting the corrupted files.
Finally, it is worth recalling that this article has addressed the question of how to decrypt files encrypted by a virus.