
Crypted000007 virus: how to decrypt files and remove the extortionist. About the Windows update against the WannaCry encrypter virus. How to decrypt and restore files after the Crypted000007 virus

This instruction is not intended for technical specialists, so:

  1. definitions of some terms are simplified;
  2. technical details are not covered;
  3. system protection methods are not covered (installing updates, configuring security software, etc.).
I wrote this instruction to help sysadmins who want to teach the basics of cyber hygiene to employees of their company who are far from IT (accounting, HR, sales, etc.).

Glossary

Software - a program or set of programs used to control a computer.

Encryption - conversion of data into a form that cannot be read without the encryption key.

Encryption key - the secret information used to encrypt and decrypt files.

Decryptor - a program that implements the decryption algorithm.

Algorithm - a set of instructions describing the sequence of actions a performer takes to achieve some result.

Mail attachment - a file attached to an email.

Extension (file name extension) - a sequence of characters appended to the file name to identify the file type (for example *.doc, *.jpg). The file type determines which program opens the file: a file with the extension *.doc opens in MS Word, a *.jpg file opens in an image viewer, and so on.

Link (more precisely, hyperlink) - a part of a web page or document that refers to another element (command, text, heading, note, image) in the same document or to another object (file, directory, application) located on the local disk or on the network.

Text file - a computer file containing text data.

Archiving - compression, i.e. reducing the size of a file.

Backup copy - a file or group of files created as a result of backing up information.

Backup - the process of creating a copy of data on a storage medium (hard disk, flash drive, etc.) so that the data can be restored to its original or a new location in case of damage or destruction.

Domain (domain name) - a name that allows Internet hosts and the network resources on them (web sites, mail servers, other services) to be addressed in a human-friendly form. For example, instead of 172.217.18.131 one types google.com.ua, where ua, com and google are domains of different levels.


What is an encrypter virus?

An encrypter virus (hereinafter: encrypter) is malicious software that encrypts the user's files and demands a ransom to decrypt them. Most often it encrypts popular file types: MS Office documents and spreadsheets (docx, xlsx), images (jpeg, png, tif), video files (avi, mpeg, mkv, etc.), PDF documents and the like, as well as database files: 1C (1cd, dbf), Access (mdb). System files and programs are usually not encrypted, so that Windows keeps working and the user is able to contact the extortionist. In rare cases the whole disk is encrypted, and then Windows does not boot at all.

What is the danger of such viruses?

In the overwhelming majority of cases the files cannot be decrypted on your own, because extremely strong encryption algorithms are used. In very rare cases the files can be decrypted if the infection was an already known virus for which antivirus vendors have released a decryptor, but even then recovery of the information is not guaranteed 100%. Sometimes the virus has a flaw in its code that makes decryption impossible in principle, even for the author of the malware.

In the overwhelming majority of cases, after encrypting, the encrypter deletes the original files using special wiping routines, which rules out their recovery with undelete tools.

Another dangerous feature of viruses of this kind is that they are quite often "invisible" to antiviruses: the algorithms used for encryption are also used in many legitimate programs (for example, client-bank software), so many encrypters are not recognized by antiviruses as malicious.

Ways of infection

Most often infection occurs through mail attachments. The user receives an email from a sender known to them, or one disguised as an organization (tax office, bank). The email may ask to reconcile accounts, confirm payment of an invoice, review loan debt at the bank, or something similar. In other words, the content is chosen so that it is sure to interest or alarm the user and prompt them to open the attachment with the virus. Most often it looks like an archive containing a file with the extension *.js, *.scr, *.exe, *.hta, *.vbs, *.cmd or *.bat. After such a file is started, immediately or after a while, the files on the PC start being encrypted. The infected file can also be sent to the user through one of the instant messaging programs (Skype, Viber, etc.).

Quite often infection happens after installing cracked software or after following an infected link on a site or in the body of an email.

Keep in mind that very often, having infected one PC on the network, the virus spreads to other machines using vulnerabilities in Windows and/or in installed programs.

Signs of infection

  1. Very often, after the file attached to the email is started, there is high hard-disk activity and the processor is loaded to 100%, i.e. the computer starts to "slow down".
  2. Some time after the virus starts, the PC suddenly reboots (in most cases).
  3. After the reboot a text file opens which reports that the user's files are encrypted and gives contacts for communication (email). Sometimes, instead of a file opening, the desktop wallpaper is replaced with the ransom demand.
  4. Most user files (documents, photos, databases) acquire a different extension (for example *.breaking_bad, *.better_call_saul, *.vault, *.neutrino, *.xtbl, etc.) or are renamed completely, and no program can open them even if the extension is changed back. Sometimes the whole hard disk is encrypted; in that case Windows does not load at all and the ransom message is shown almost immediately after the PC is switched on.
  5. Sometimes all user files are placed into a password-protected archive. This happens when the attacker gets into the PC and archives and deletes the files manually, i.e. starting the malicious file from the mail attachment does not encrypt the user's files automatically but installs software that lets the attacker secretly connect to the PC over the Internet.

Sample ransom note (image)

What to do if the infection has already happened?

  1. If the encryption process began in your presence (the PC "slows down" badly, a text file with the ransom message opened, files started to disappear and encrypted copies started to appear in their place), IMMEDIATELY cut power to the computer by pulling the power cord or holding the power button for 5 seconds. This may save part of the information. Do not reboot the PC! Only shut it down!
  2. If the encryption has already completed, under no circumstances try to remove the infection yourself, or delete or rename the encrypted files or the files created by the encrypter.

In both cases, report the incident to the system administrator immediately.


IMPORTANT!!!

Do not try to negotiate with the attacker on your own through the contacts they provide! At best it is useless, at worst it can increase the ransom demanded for decryption.

How to prevent infection or reduce its consequences to a minimum?

  1. Do not open suspicious emails, especially ones with attachments (how to recognize such emails is described below).
  2. Do not follow suspicious links on sites or in emails.
  3. Do not download or install programs from untrusted sources (sites with cracked software, torrent trackers).
  4. Always make backup copies of important files. The best option is to store the backups on another medium not connected to the PC (flash drive, external disk, DVD) or in the cloud (for example, Yandex.Disk; note that a cloud folder synchronized to the PC uploads the encrypted copies too, so it only helps if the service keeps previous versions of files). The virus often also encrypts archive files (ZIP, RAR, 7Z), so storing backups on the same PC where the originals are is pointless.

How to recognize a malicious email?

1. The subject and content of the email are unrelated to your job. For example, an office manager receives an email about a tax audit, an invoice or a CV.

2. The email contains information unrelated to our country, region or the company's field of activity. For example, a demand to repay a debt to a bank registered in the Russian Federation.

3. A malicious email is often presented as a supposed reply to some email of yours: its subject starts with "Re:". For example, "Re: Invoice for payment", although you know for sure that you never wrote to that address.

4. The email supposedly comes from a well-known company, but the sender's address contains meaningless sequences of letters, words and numbers, or foreign domains that have nothing to do with the official addresses of the company mentioned in the text of the email.

5. The "To" field contains an unknown name (not your mailbox), a set of incoherent characters, or duplicates the sender's mailbox.

6. The text of the email, under various pretexts, asks the recipient to provide or confirm personal or work information, download a file or follow a link, while stressing urgency or threatening sanctions if the instructions in the email are not followed.

7. The archive attached to the email contains files with the extension *.js, *.scr, *.exe, *.hta, *.vbs, *.cmd, *.bat or *.iso. Masking of a malicious extension is also used very often: in the file name "Accounts receivable.doc.js", *.doc is a fake extension that has no function, and *.js is the real extension of the malicious file.

8. If the email came from a known sender, but the writing style and literacy are very different, that is also a reason to be alert, as is uncharacteristic content, for example a request from a client to pay an invoice. In that case it is better to contact the sender through another channel (phone, Skype), since it is likely that their PC has been hacked or infected.
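The checklist above can be turned into an automatic first-pass triage for a mail gateway or a helpdesk queue. The script below is an added example, not code from the original article: it parses a raw message with Python's standard email module and reports which checklist points it trips (fake "Re:" with no In-Reply-To, our mailbox missing from To: or To: duplicating the sender, urgency wording, executable or double-extension attachments, looking one level inside ZIP archives). As a proxy for point 4 it compares the Reply-To domain with the From domain, since "official addresses mentioned in the text" cannot be known in general. The extension lists, the urgency phrases and both sample messages are constructed for the example; the two messages are not real phishing or real correspondence.

```python
import io
import re
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage

# File types that run code when double-clicked on Windows: the checklist's list (point 7).
EXECUTABLE_EXTENSIONS = {"js", "scr", "exe", "hta", "vbs", "cmd", "bat", "iso"}
# Document-like extensions attackers put in front of the real one ("x.doc.js"); assumed list.
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt"}
# Urgency/threat wording from point 6; a constructed list, extend it for your language.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be blocked", "penalty")


def _domain(addr_spec: str) -> str:
    return addr_spec.rsplit("@", 1)[-1].lower()


def _addr_specs(msg, header: str) -> list:
    """Bare mailbox addresses in a header, lower-cased (empty list if absent)."""
    hdr = msg.get(header)
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr else []


def risky_filename(name: str):
    """Explain why an attachment name is dangerous, or return None if it is not."""
    tokens = name.lower().split(".")
    if len(tokens) < 2 or tokens[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    if len(tokens) >= 3 and tokens[-2] in DOCUMENT_EXTENSIONS:
        return f"{name}: executable .{tokens[-1]} masked as .{tokens[-2]} (point 7)"
    return f"{name}: executable attachment .{tokens[-1]} (point 7)"


def iter_attachment_names(msg):
    """Attachment names, listing one level inside ZIP archives (nested zips are not opened)."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        yield name
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                    for inner in zf.namelist():
                        yield f"{name}:{inner}"  # ':' cannot occur in a Windows file name
            except zipfile.BadZipFile:
                continue  # not a readable archive; the .zip name itself was already yielded


def triage_message(raw: str, our_mailbox: str) -> list:
    """Return the checklist points an RFC 822 message trips (empty list = nothing found)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    if re.match(r"\s*re:", subject, re.IGNORECASE) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("subject claims a reply ('Re:') but no In-Reply-To/References header (point 3)")
    senders, recipients = _addr_specs(msg, "From"), _addr_specs(msg, "To")
    if our_mailbox.lower() not in recipients:
        findings.append("our mailbox is not in To: (point 5)")
    if any(s in recipients for s in senders):
        findings.append("To: duplicates the sender's mailbox (point 5)")
    reply_to = _addr_specs(msg, "Reply-To")
    if senders and reply_to and _domain(reply_to[0]) != _domain(senders[0]):
        findings.append("Reply-To domain differs from From domain (point 4)")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(f"urgency/threat wording: {', '.join(hits)} (point 6)")
    for name in iter_attachment_names(msg):
        reason = risky_filename(name)
        if reason:
            findings.append(reason)
    return findings


def build_phishing_sample() -> str:
    """Constructed message reproducing the checklist's red flags; not a real email."""
    msg = EmailMessage()
    msg["From"] = "Tax Service <n0tice-8827@mail-tax-gov.example>"
    msg["To"] = "n0tice-8827@mail-tax-gov.example"  # our mailbox absent, sender duplicated
    msg["Reply-To"] = "docs@reply-desk.example"      # replies go to another domain
    msg["Subject"] = "Re: Invoice for payment"       # fake reply: no In-Reply-To header
    msg.set_content("Please confirm the payment urgently within 24 hours,\n"
                    "otherwise your account will be blocked. The invoice is attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Accounts receivable.doc.js", "WScript.Echo('harmless placeholder');")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_string()


def build_benign_sample() -> str:
    """Constructed ordinary internal email with a document attached."""
    msg = EmailMessage()
    msg["From"] = "Colleague <colleague@company.example>"
    msg["To"] = "me@company.example"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today's meeting are attached.")
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="octet-stream", filename="notes.docx")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage_message(build_phishing_sample(), "me@company.example"):
        print("-", finding)
```

A hit on any single point is a reason to hold the message for a human, not proof of malice; points 1, 2 and 8 need knowledge of the recipient's job and the sender's usual style and are left to the reader.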


Examples of malicious emails (image)


WannaCry encrypter virus: what to do?

A wave of the WannaCry encrypter (other names: Wana Decrypt0r, Wana Decryptor, WanaCrypt0r) has swept the world; it encrypts documents on the computer and extorts 300-600 USD to decrypt them. How do you find out whether your computer is infected? What should you do to avoid becoming a victim? And what should you do to get cured?

Is the computer infected with the Wana Decryptor encrypter virus?


After installing the updates the computer must be rebooted; after that the encrypter can no longer get in.

How to cure the Wana Decrypt0r encrypter virus?

When the antivirus utility detects the virus, it will either delete it immediately or ask you whether to disinfect. The answer is: disinfect.

How to restore files encrypted by Wana Decryptor?

Nothing comforting can be said at the moment. No file decryption tool has been created so far; all that remains is to wait until a decrypter is developed.

According to computer security expert Brian Krebs, at the time of writing the criminals had received only about 26,000 USD, i.e. only about 58 people agreed to pay the extortionists' ransom. Whether they got their documents back, nobody knows.



About a week or two ago, the next creation of modern virus writers appeared on the network; it encrypts all user files. Once again I will describe how to cure a computer after the Crypted000007 encrypter virus and restore the encrypted files. Nothing new or unique has appeared here; it is simply a modification of the previous version.

Guaranteed file decryption after an encrypter virus: DR-SHIFRO.RU. The details of the work and the scheme of interaction with the customer are given below in the article or on the site in the "Operations" section.

Description of the Crypted000007 encrypter virus

The Crypted000007 encrypter does not differ in principle from its predecessors. It acts almost one to one like them, but there are several nuances that set it apart. I will describe everything in order.

It arrives, like its analogues, by mail. Social engineering techniques are used so that the user is sure to be interested in the email and opens it. In my case the email was about some court case and important information about the case in the attachment. After the attachment is launched, the user sees a Word document open with an extract from the Moscow Arbitration Court.

In parallel with the opening of the document, file encryption starts, and an information message from User Account Control (UAC) begins to pop up constantly.

If you agree to the request, the backup copies of files in Windows shadow copies will be deleted and recovery of the information will become very difficult. Obviously, under no circumstances agree. In this encrypter these requests pop up constantly, one after another, without stopping, forcing the user to agree and delete the backup copies. This is the main difference from previous modifications of encrypters. I had never before come across requests to remove shadow copies that go on without stopping; usually they stopped after 5-10 attempts.

I will give a recommendation for the future right away. Very often people disable UAC warnings. Do not do this: this mechanism can really help in confronting viruses. The second obvious piece of advice is not to work under a computer administrator account all the time if there is no objective need. In that case the virus will not be able to do much harm, and you will have more chances to withstand it.

But even if you answered all the encrypter's requests negatively, all your data is already encrypted. After the encryption process is over, you will see a picture on the desktop.

At the same time, there will be many text files with the same content on the desktop.

The note is given first in Russian and then in English; the English text reads:

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [Email Protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways:
1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

The mailing address may vary; I have come across other addresses too. The addresses are updated constantly, so yours may be completely different.

Once you have found that the files are being encrypted, turn off the computer immediately. This is needed to interrupt the encryption process both on the local computer and on network drives. The encrypter virus can encrypt all the information it can reach, including on network drives, but if there is a large amount of data it needs considerable time for that. In one case, in a couple of hours the encrypter did not manage to encrypt about 100 gigabytes on a network disk.

Next you need to think carefully about how to act. If you absolutely need the information on the computer and have no backups, it is better to turn to specialists at this point. Not necessarily paid ones from some company; you just need a person who is well versed in information systems. It is necessary to assess the scale of the disaster, remove the virus, and collect all available information about the situation to understand how to act further.

Wrong actions at this stage can significantly complicate the process of decrypting or recovering the files; in the worst case they can make it impossible. So do not rush, be careful and consistent.

How the Crypted000007 extortion virus encrypts files

After the virus has started and finished its work, all useful files will be encrypted and renamed with the extension .crypted000007. Not only the extension but also the file name is replaced, so you cannot tell exactly which files you had unless you remember them. It looks roughly like the picture below.

In such a situation it is difficult to assess the scale of the tragedy, because you cannot fully remember what you had in different folders. This is done deliberately to confuse the person and encourage them to pay for decryption.

And if network folders have been encrypted too and there are no complete backups, this can stop the work of the whole organization: you will not immediately understand what has ultimately been lost in order to start recovery.
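Assessing the scale is easier with an inventory than by memory. The script below is an added example, not code from the original article: it walks a directory tree and buckets every file as encrypted (carries one of the ransom extensions mentioned on this page), suspect (random-looking content with no recognisable file header, which also catches files the encrypter or the user renamed back to their original extension) or intact, and counts affected files per folder. The entropy threshold and the list of container formats are assumptions; the sample tree it builds is constructed test data, not files from a real infection.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Extensions this page names as appended by encrypters.
RANSOM_EXTENSIONS = {".crypted000007", ".breaking_bad", ".better_call_saul",
                     ".vault", ".neutrino", ".xtbl"}
# Leading bytes of formats that are legitimately high-entropy because they are compressed.
# Assumed list; extend it for formats common in your environment.
CONTAINER_MAGIC = {b"PK\x03\x04": "zip/docx/xlsx", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg",
                   b"%PDF": "pdf", b"Rar!": "rar", b"7z\xbc\xaf": "7z"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cutoff (8.0 is perfectly random)
SAMPLE_BYTES = 65536      # how much of each file to examine
MIN_SAMPLE = 256          # tiny files give unreliable entropy figures


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """'encrypted', 'suspect' or 'intact', followed by the reason."""
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return "encrypted ransom extension"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    for magic, fmt in CONTAINER_MAGIC.items():
        if head.startswith(magic):
            return f"intact known {fmt} header"
    if len(head) >= MIN_SAMPLE and shannon_entropy(head) > ENTROPY_THRESHOLD:
        # Random-looking bytes with no recognisable header: encrypted content,
        # even if the name and extension look normal.
        return "suspect high entropy without a known header"
    return "intact"


def triage_tree(root) -> dict:
    """Walk root, bucket every file, and count affected files per folder."""
    root = Path(root)
    report = {"encrypted": [], "suspect": [], "intact": [], "per_folder": Counter()}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        verdict = classify_file(p).split(" ", 1)[0]
        rel = p.relative_to(root)
        report[verdict].append(rel.as_posix())
        if verdict != "intact":
            report["per_folder"][rel.parent.as_posix()] += 1
    return report


def build_sample_tree(root) -> None:
    """Constructed test data: one plain text, one docx-like container, one file renamed
    by the encrypter, one file encrypted in place with its name kept."""
    root = Path(root)
    (root / "Documents").mkdir()
    (root / "Photos").mkdir()
    random_like = bytes(range(256)) * 16  # entropy exactly 8.0 bits/byte
    (root / "Documents" / "notes.txt").write_bytes(b"Quarterly report, draft 3.\n" * 200)
    (root / "Documents" / "report.docx").write_bytes(b"PK\x03\x04" + random_like)
    (root / "Documents" / "aGVsbG8=.crypted000007").write_bytes(random_like)
    (root / "Photos" / "photo.jpg").write_bytes(random_like)


def demo_report() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    r = demo_report()
    print("encrypted:", r["encrypted"])
    print("suspect  :", r["suspect"])
    print("affected per folder:", dict(r["per_folder"]))
```

Run it against the read-only mounted disk or the network share before touching anything else; the per-folder counts tell you where the encrypter got to (and, by comparing with backup listings, what is missing) without relying on anyone's memory of the folder contents.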

How to treat the computer and remove the Crypted000007 extortionist

The Crypted000007 virus is already on your computer. The first and most important question is how to cure the computer and remove the virus from it to prevent further encryption if it has not finished yet. Note straight away that once you start performing any actions on your computer yourself, the chances of decrypting the data decrease. If you absolutely need to restore the files, do not touch the computer but contact professionals immediately. Below I will tell about them, give a link to their site and describe how they work.

In the meantime, let us continue treating the computer ourselves and removing the virus. Traditionally, encrypters are easy to remove from the computer, since the virus has no reason to stay on it. After the files are fully encrypted, it is even more profitable for it to delete itself and disappear, so that it is harder to investigate the incident and decrypt the files.

Describing manual removal of the virus is difficult; I tried to do it before, but I see that it is usually pointless. The file names and the location of the virus change constantly; what I saw is no longer relevant a week or two later. Viruses are usually sent out by mail in waves, and each time there is a new modification not yet detected by antivirus. Universal tools that check autorun entries and detect suspicious activity in system folders help.

To remove the Crypted000007 virus you can use the following programs:

  1. Kaspersky Virus Removal Tool, a utility from Kaspersky: http://www.kaspersky.ru/antivirus-removal-tool.
  2. Dr.Web CureIt!, a similar product from Dr.Web: http://free.drweb.ru/cureit.
  3. If the first two utilities do not help, try Malwarebytes 3.0: https://ru.malwarebytes.com.

Most likely one of these products will clean the Crypted000007 encrypter from the computer. If it turns out they do not help, try removing the virus manually. I described removal techniques in earlier articles; you can look there. In brief, you need to act like this:

  1. Look at the process list in Task Manager after adding a few extra columns (on the Details tab: Image path name and Command line).
  2. Find the virus process, open the folder it sits in and delete it.
  3. Clean the references to the virus by its file name from the registry.
  4. Reboot and make sure that the Crypted000007 virus is not in the list of running processes.

Where to download a Crypted000007 decryptor

The question of a simple and reliable decryptor comes up first of all when it comes to an encrypter virus. The first thing I advise is to use the service https://www.nomoreransom.org; perhaps there is a decryptor for your version of the Crypted000007 encrypter. I will say right away that the chances are not great, but it costs nothing to try. On the main page click Yes:

Then upload a couple of encrypted files and click GO! Find out:

At the time of writing, there was no suitable decryptor on the site.

Perhaps you will be luckier. You can also look through the list of decryptors available for download on a separate page: https://www.nomoreransom.org/decryption-tools.html. There may be something useful there. While the virus is completely fresh the chances are small, but over time a decryptor may appear; there are examples of decryptors appearing on the network for some modifications of encrypters, and those examples are on the page mentioned.

Where else to find a decryptor, I do not know. It is unlikely that one will actually exist, considering how modern encrypters work: a full-fledged decryptor can only come from the authors of the virus.

How to decrypt and restore files after the Crypted000007 virus

What to do when the Crypted000007 virus has encrypted your files? The technical implementation of the encryption does not allow files to be decrypted without the key or a decryptor, which only the author of the encrypter has. Maybe there is some way to get it, but I have no such information. All that remains is to try to restore the files by the appropriate means. These are:

  • The Windows shadow copy tool.
  • Deleted data recovery programs.

To begin with, check whether shadow copies are enabled. This tool works by default in Windows 7 and later unless it was disabled manually. To check, open the computer's properties and go to the System Protection section.

If you did not confirm the UAC request during the infection to delete the files in the shadow copies, some data should remain there. I told more about this request at the beginning of the story, when I described the work of the virus.

For convenient recovery of files from shadow copies I suggest the free program ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of the files and the root of drive C will open. In the upper left corner you can select a backup if you have several. Check different copies for the presence of the files you need, comparing by date which version is more recent. In my example below I found two files on the desktop from three months ago, when they were last edited.

I managed to restore these files: I selected them, right-clicked, chose Export and specified the folder to restore them to.

You can restore a whole folder the same way. If shadow copies were working and you did not delete them, you have good chances of restoring all or almost all files encrypted by the virus. Some of them may be an older version than you would like, but that is still better than nothing.

If for some reason you have no shadow copies of the files, the only remaining chance to get at least something back from the encrypted files is to recover them using deleted-file recovery tools. For this I suggest the free program PhotoRec.

Run the program and select the disk on which you will recover files. The graphical version of the program is started by the file qphotorec_win.exe. You must select the folder where the found files will be placed. It is better if this folder is not on the same disk we are searching; connect a USB flash drive or an external hard drive for this.

The search process takes a long time. At the end you will see statistics. Now you can go to the folder you specified and look at what was found there. There will most likely be a lot of files, and most of them will be either damaged or some useless system files; nevertheless you may find some useful files in this list. There is no guarantee that you will find what you need. Images are usually recovered best.

If the result does not satisfy you, there are other programs for recovering deleted files. Below is a list of programs I usually use when I need to recover the maximum number of files:

  • R.Saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These are not free, so I will not give links. If you really want, you can find them on the Internet.

The whole file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Filecoder.ED encrypter

Popular antiviruses identify the Crypted000007 encrypter as Filecoder.ED, and there may be other designations. I looked through the forums of the major antiviruses and saw nothing useful there. Unfortunately, as usual, the antiviruses were not ready for the invasion of the new wave of encrypters. Here is a message from the Kaspersky forum.

Antiviruses traditionally miss new modifications of encrypting trojans. Nevertheless, I recommend using them. If you are lucky and receive the encrypter by mail not in the first wave of infection but a little later, there is a chance the antivirus will help you. They are all one step behind the intruders: a new version of the extortionist appears and the antiviruses do not react to it; as soon as enough material has been accumulated to study the new virus, they release an update and start reacting.

What prevents antiviruses from reacting immediately to any encryption process in the system is not clear to me. Perhaps there is some technical nuance that does not allow them to react adequately and prevent encryption of user files. It seems to me that at the very least they could display a warning that someone is encrypting your files and offer to stop the process.

Where to get guaranteed decryption

I happened to get acquainted with a company that really decrypts data after various encrypter viruses, including Crypted000007. Their address is http://www.dr-shifro.ru. Payment is only after full decryption and your verification. Here is an approximate scheme of work:

  1. The company's specialist comes to your office or home and signs a contract with you that fixes the cost of the work.
  2. Runs the decryptor and decrypts all files.
  3. You make sure that all files open and sign an acceptance certificate for the work performed.
  4. Payment is made exclusively on the fact of successful decryption.

Frankly, I do not know how they do it, but you risk nothing: payment is only after the decryptor has been shown to work. Please write a review about your experience with this company.

Methods of protection from the Crypted000007 virus

How to protect yourself from the encrypter and avoid material and moral damage? There are several simple and effective tips:

  1. Backup! Back up all important data, and not just any backup but one to which there is no permanent access; otherwise the virus can infect both your documents and the backup copies.
  2. A licensed antivirus. Although they do not give a 100% guarantee, the chances of avoiding encryption increase. They are most often not ready for a new version of the encrypter, but after 3-4 days they start reacting, which improves your chances if you did not get caught in the first wave of a new modification.
  3. Do not open suspicious attachments in mail. There is nothing to add: all the encrypters I know of reached users by mail, and each time new tricks are invented to fool the victim.
  4. Do not thoughtlessly open links sent to you by acquaintances through social networks or messengers; viruses are sometimes spread that way too.
  5. Turn on the display of file extensions in Windows (in Explorer: View > File name extensions on Windows 8/10, or Folder Options > View > uncheck "Hide extensions for known file types" on older versions). This lets you notice the extension of the virus file; most often it will be .exe, .vbs or .scr. In everyday work with documents you hardly ever come across such extensions.

I tried to add to what I had already written in earlier articles about encrypter viruses. For now, goodbye. I will be glad to receive useful comments on the article and on the Crypted000007 encrypter in general.

Video of decryption and file recovery

This example shows the previous modification of the virus, but the video is fully relevant to Crypted000007.

Modern technology lets hackers constantly improve their methods of defrauding ordinary users. As a rule, malicious software that penetrates the computer is used for this, and encrypting viruses are particularly dangerous. The threat is that the virus spreads very quickly and encrypts files (the user simply cannot open a single document); and while getting infected is quite simple, decrypting the data is much harder.

What to do if a virus has encrypted the files on the computer

No one, not even users with powerful antivirus software, is insured against an encrypter attack. File-encrypting trojans come in various code variants that the antivirus may not handle; hackers even manage to attack large companies that did not take care of the necessary protection of their information. So, having "caught" an encrypter online, it is necessary to take a number of measures.

The main signs of infection are slow operation of the computer and changed names of documents (noticeable on the desktop).

  1. Restart the computer to interrupt the encryption. When turning it on, do not confirm the launch of unknown programs.
  2. Run the antivirus if it has not itself been attacked by the encrypter.
  3. Shadow copies can help restore information in some cases. To find them, open the "Properties" of the encrypted document (the Previous Versions tab). This method works with data encrypted with the .vault extension, as reported on the portal.
  4. Download the latest version of a utility for fighting encrypter viruses. The most effective ones are offered by Kaspersky Lab.

Encrypter viruses in 2016: examples

When dealing with any virus attack, it is important to understand that the code changes very often and is supplemented with new protection against antiviruses. Of course, protection programs need some time while the developer updates the database. We have selected the most dangerous encrypter viruses of recent times.

Ishtar Ransomware

Ishtar is an encryptor that extorts money from the user. The virus was seen in the fall of 2016 and infected a huge number of users from Russia and a number of other countries. It spreads through email mailings with attached files (installers, documents, etc.). Files infected by the Ishtar encryptor receive the prefix "ISHTAR" in their name. The process creates a text document indicating where to obtain the password. The attackers demand from 3,000 to 15,000 rubles for it.

The danger of the Ishtar virus is that today there is no decryptor that would help users. Companies creating antivirus software need time to decipher the entire code. For now you can only isolate important information (if it is of particular value) on a separate medium and wait for the release of a utility capable of decrypting the documents. It is recommended to reinstall the operating system.

Neitrino

The Neitrino encryptor appeared on the public Internet in 2015. Its principle of attack is similar to other viruses of this category. It changes the names of folders and files by adding "Neitrino" or "Neutrino". Decrypting the virus is difficult; not all antivirus companies take it on, citing a very complex code. Restoring a shadow copy may help some users. To do this, right-click the encrypted document, go to Properties, the Previous Versions tab, and click Restore. It will not be superfluous to use the free utility from Kaspersky Lab.
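The shadow-copy recovery described here and in step 3 of the "What to do" list above, as an added PowerShell example that is not part of the original article. The "Previous Versions" tab reads from the same Volume Shadow Copy snapshots that Win32_ShadowCopy lists, so the block enumerates them, reports whether any survive (ransomware often deletes them before encrypting), and copies one file out of a chosen snapshot. It assumes an elevated PowerShell on Windows 8/10 with System Protection enabled for the volume; the device path and document path in the usage comment are placeholders.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell on
# Windows 8/10 where System Protection is enabled for the volume.

function Get-ShadowCopySummary {
    # One object per snapshot: when it was taken and the device path that
    # Explorer's "Previous Versions" tab reads from.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object -Property InstallDate |
        Select-Object -Property ID, InstallDate, VolumeName, DeviceObject
}

function Test-ShadowCopyHealth {
    # An empty list on a volume that had System Protection enabled is itself a
    # warning sign: deleting snapshots before encrypting is common ransomware behaviour.
    $vss    = Get-Service -Name VSS
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
    [pscustomobject]@{
        VssServiceStatus = $vss.Status
        ShadowCopyCount  = $copies.Count
        OldestSnapshot   = ($copies | Select-Object -First 1).InstallDate
        NewestSnapshot   = ($copies | Select-Object -Last 1).InstallDate
    }
}

function Restore-FileFromShadowCopy {
    param(
        # DeviceObject from Get-ShadowCopySummary, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [Parameter(Mandatory)][string]$DeviceObject,
        # Path of the file inside that volume, e.g. Users\alice\Documents\report.docx
        [Parameter(Mandatory)][string]$RelativePath,
        [Parameter(Mandatory)][string]$Destination
    )
    # A snapshot's contents are only reachable through a directory symbolic link;
    # mklink requires the trailing backslash after the device path.
    $link = Join-Path $env:TEMP ('shadow_' + [guid]::NewGuid().ToString('N'))
    cmd.exe /c mklink /d "$link" "$DeviceObject\" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "File not present in this snapshot: $RelativePath"
        }
        # Copy out to a clean location; the encrypted original stays untouched as evidence.
        Copy-Item -LiteralPath $source -Destination $Destination
        Get-Item -LiteralPath $Destination
    } finally {
        # rmdir removes the link only, never the snapshot it points to
        cmd.exe /c rmdir "$link" | Out-Null
    }
}

# Usage: check that snapshots survived, pick the newest one taken before the
# infection, and pull a document from it (placeholder paths).
Test-ShadowCopyHealth
Get-ShadowCopySummary | Format-Table -AutoSize
# Restore-FileFromShadowCopy -DeviceObject '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3' `
#     -RelativePath 'Users\alice\Documents\report.docx' -Destination 'D:\recovered\report.docx'
```

Compare NewestSnapshot with the modification time of the encrypted files before restoring: a snapshot taken after the encryption started contains the encrypted copies, not the originals, which is why the functions keep the timestamps visible rather than just picking the latest snapshot automatically.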

Wallet or .wallet

The Wallet virus appeared at the end of 2016. During infection it changes file names to "name..wallet" or similar. Like most encrypting viruses, it enters the system through attachments in emails sent by intruders. Since the threat appeared quite recently, antivirus programs do not notice it. After encryption it creates a document in which the fraudster indicates an email address for contact. Currently antivirus developers are working on deciphering the code of the [Email Protected] encryptor virus; attacked users can only wait. If the data is important, it is recommended to save it to an external drive and clean the system.

Enigma

The Enigma encrypting virus began infecting the computers of Russian users at the end of April 2016. It uses the AES-RSA encryption model found in most extortion viruses. The virus enters the computer through a script that the user starts by opening files from a suspicious email. There is still no universal tool against Enigma encryption. Users with a licensed antivirus can ask for help on the developer's official website. A small "loophole" was also found: Windows UAC. If the user clicks "No" in the window that appears during infection, they will subsequently be able to restore information from shadow copies.

Granit

The new Granit encrypting virus appeared in the autumn of 2016. Infection follows this script: the user starts an installer that infects and encrypts all the data on the PC as well as on connected drives. Fighting the virus is difficult. To remove it you can use special utilities from Kaspersky, but they have not been able to decipher the code. Restoring previous versions of the data may help. In addition, a specialist with a lot of experience can decrypt it, but the service is expensive.

Tyson

It was seen recently. It is an extension of the already known No_more_ransom encryptor, which you can read about on our site. It enters personal computers from email. Many corporate PCs have been attacked. The virus creates a text document with unlocking instructions, offering to pay a "ransom". The Tyson encryptor appeared recently, so there is no unlock key yet. The only way to restore information is to return previous versions, if the virus has not deleted them. You can, of course, take a chance and transfer money to the account specified by the attackers, but there is no guarantee that you will receive a password.

Spora

In early 2017 a number of users fell victim to the new Spora encryptor. In its principle of operation it differs little from its fellows, but it boasts more professional execution: the instructions for getting the password are better written, and the website looks better. The Spora encrypting virus is written in C and uses a combination of RSA and AES to encrypt the victim's data. The attacks usually targeted computers on which the 1C accounting program is actively used. The virus, disguised as a simple invoice in .pdf format, tricks company employees into running it. No cure has yet been found.

1C.Drop.1

This encrypting virus for 1C appeared in the summer of 2016, disrupting the work of many accounting departments. It was designed specifically for computers using 1C software. Arriving on the PC through a file in an email, it offers the owner to update the program. Whichever button the user clicks, the virus will start encrypting. Dr.Web experts are working on decryption tools, but none have been found yet. This is due to the complex code, which may exist in several modifications. The only protection against 1C.Drop.1 is user vigilance and regular archiving of important documents.

da_vinci_code

A new encryptor with an unusual name. The virus appeared in the spring of 2016. It differs from its predecessors by improved code and a strong encryption mode. da_vinci_code infects a computer through an executable application (attached, as a rule, to an email) which the user starts independently. The Da Vinci Code encryptor copies its body to the system directory and the registry, ensuring automatic start when Windows boots. A unique ID is assigned to each victim's computer (it helps to obtain the password). It is almost impossible to decrypt the data. You can pay the intruders, but no one guarantees the password.

[Email Protected] / [Email Protected]

Two email addresses that often accompanied encrypting viruses in 2016. They serve for communication between the victim and the attacker. The addresses are attached to the most varied types of viruses: da_vinci_code, no_more_ransom and so on. It is strongly recommended not to communicate with the fraudsters, let alone transfer money to them. In most cases users are left without passwords, and paying shows the intruders that their encryptors work and bring income.

Breaking Bad

It appeared in early 2015 but only spread actively a year later. The principle of infection is identical to other encryptors: launching a file from an email, then data encryption. Ordinary antiviruses, as a rule, do not notice the Breaking Bad virus. Some variants of the code cannot bypass Windows UAC, so the user has the opportunity to restore previous versions of documents. No antivirus software company has yet released a decryptor.

Xtbl

A very common encryptor which has caused trouble for many users. Once on the PC, the virus changes the extension of files to .xtbl in a matter of minutes. It creates a document in which the attacker extorts money. Some varieties of the XTBL virus cannot destroy the files used for system restore, which allows you to return important documents. The virus itself can be removed by many programs, but decrypting the documents is very difficult. If you own a licensed antivirus, use technical support, attaching samples of infected data.

Kukaracha

The Kukaracha encryptor was seen in December 2016. The virus with the interesting name hides user files with the RSA-2048 algorithm, which is characterised by high resistance. Kaspersky antivirus designated it as Trojan-ransom.win32.scatter.lb. Kukaracha can be removed from the computer so that other documents are not subjected to infection. However, infected files are today almost impossible to decrypt (a very powerful algorithm).

How an encrypting virus works

There are a huge number of encryptors, but they all work on a similar principle.

  1. Entering the personal computer. As a rule, through a file attached to an email. The user starts the installation themselves by opening the document.
  2. File infection. Practically all file types are subjected to encryption (depending on the virus). A text document is created with contacts for communicating with the intruders.
  3. That's it. The user cannot get access to any document.
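Step 2 leaves two traces on disk that a defender can look for without any antivirus: renamed documents (the extension patterns of the families described above) and the small text document with the intruders' contacts. The following scan is an added PowerShell example, not code from the original article. It assumes Windows PowerShell 5.1 or later; the extension list is taken from the families described on this page, the ransom-note keyword match is my own heuristic, and the demonstration folder and file names are constructed.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1 or later.
# Extension list: families described on this page. Note keywords: my own heuristic.

function Find-RansomwareIndicators {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$KnownExtensions = @('.crypted000007', '.xtbl', '.wallet', '.da_vinci_code', '.no_more_ransom', '.vault'),
        [int]$NoteMaxKB = 16
    )
    foreach ($f in Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue) {
        $ext = $f.Extension.ToLowerInvariant()
        $reason = $null
        if ($ext -in $KnownExtensions) {
            $reason = "known ransomware extension '$ext'"
        } elseif ($f.BaseName -match '\.(docx?|xlsx?|pdf|jpe?g|1cd)$') {
            # "report.docx.<anything>": the document extension is buried under a new one,
            # which is how most families above rename what they encrypt
            $reason = "document extension hidden under '$ext'"
        } elseif ($ext -in @('.txt', '.html', '.hta') -and $f.Length -le ($NoteMaxKB * 1KB)) {
            # Step 2: a small text document with contacts and payment demands
            $text = Get-Content -LiteralPath $f.FullName -Raw -ErrorAction SilentlyContinue
            if ($text -match '(?i)decrypt|bitcoin|ransom|your files') {
                $reason = 'possible ransom note'
            }
        }
        if ($reason) {
            [pscustomobject]@{
                Path     = $f.FullName
                Modified = $f.LastWriteTime
                Reason   = $reason
            }
        }
    }
}

function Get-IndicatorSummary {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @(Find-RansomwareIndicators -Path $Path)
    [pscustomobject]@{
        Hits        = $hits.Count
        ByReason    = ($hits | Group-Object Reason | ForEach-Object { "$($_.Name): $($_.Count)" }) -join '; '
        # Earliest modified hit is roughly when the encryption started; useful when
        # choosing a shadow copy or backup to restore from
        FirstChange = ($hits | Sort-Object Modified | Select-Object -First 1).Modified
        Folders     = @($hits | ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique).Count
    }
}

# Constructed demonstration data in a temp folder. Nothing here is encrypted;
# the names and the note text alone trigger the checks.
$demo = Join-Path $env:TEMP 'ransomware_demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'report.docx.xtbl', 'balance.xlsx.crypted000007', 'photo.jpg', 'notes.txt' |
    ForEach-Object { Set-Content -LiteralPath (Join-Path $demo $_) -Value 'sample' }
Set-Content -LiteralPath (Join-Path $demo 'HOW_TO_RESTORE.txt') `
    -Value 'Your files are encrypted. To decrypt them write to the address below.'
Find-RansomwareIndicators -Path $demo | Format-Table -AutoSize
Get-IndicatorSummary -Path $demo
```

On the demonstration folder the scan reports three hits: the two renamed documents by their known extensions and the constructed note by its keywords, while photo.jpg and notes.txt pass. Point it at a user profile or a file share with the extensions of the family actually seen, and treat the Folders count as the spread of the infection rather than the Hits count, since one family encrypts thousands of files but usually walks them directory by directory.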

Tools from popular laboratories for fighting encryptors

The spread of encryptors, recognised as the most dangerous threat to user data, has become an impetus for many antivirus laboratories. Each popular company provides its users with programs to help fight encryptors. In addition, many of them help decrypt the protected documents.

Kaspersky and encrypting viruses

One of the most famous antivirus laboratories in Russia and the world today offers the most effective means to combat extortion viruses. The first barrier against an encrypting virus will be Kaspersky Endpoint Security 10 with the latest updates. The antivirus simply will not let the threat onto the computer (though it may not stop new versions). To decrypt information the developer provides several free utilities: XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They help find the virus and recover the password.

Dr.Web and encryptors

This laboratory recommends using its antivirus program, whose main feature is a reserved copy of files: a storage with copies of documents, additionally protected from unauthorised access by attackers. Owners of a licensed Dr.Web product can get assistance from technical support. True, even experienced professionals cannot always withstand this type of threat.

ESET NOD32 and encryptors

This company has not stood aside either, providing its users with good protection against the penetration of viruses onto the computer. In addition, the laboratory recently released a free utility with up-to-date databases, ESET Crysis Decryptor. The developers declare that it will help even against the newest encryptors.

On April 12, 2017, information appeared about the rapid spread around the world of an encrypting virus called WannaCry, which can be translated as "I want to cry". Users have questions about the Windows update against the WannaCry virus.

On the computer screen the virus looks like this:

Figure: the WannaCry virus that encrypts everything

The virus encrypts all files on the computer and demands a ransom of $300 or $600 to a Bitcoin wallet for allegedly decrypting the computer. Computers in 150 countries were infected, with Russia the most affected.

MegaFon, Russian Railways, the Ministry of Internal Affairs, the Ministry of Health and other organisations came up close against this virus. Among the victims there are also ordinary Internet users.

Everyone is almost equal before the virus. The difference is perhaps that in companies the virus spreads across the entire local network inside the organisation and instantly infects the maximum possible number of computers.

The WannaCry virus encrypts files on computers running Windows. In March 2017 Microsoft released the MS17-010 update for various versions of Windows: XP, Vista, 7, 8, 10.

It turns out that those who have Windows configured for automatic updates are outside the risk zone for the virus, because the update was received in a timely manner and could prevent it. I would not claim that this is really so.

Fig. 3. Message when installing the update KB4012212

After installation, update KB4012212 required restarting the laptop, which I did not really like, because it is unknown how that may end, but where is a user to go? However, the reboot went fine. So we live quietly until the next virus attack, and that such attacks will come, alas, there is no doubt.

In any case, it is important to have somewhere to restore the operating system and its files from.
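Whether the MS17-010 update actually landed, and whether automatic updates are really working, can be checked from PowerShell rather than assumed. The following is an added example, not code from the original article. It assumes Windows PowerShell 5.1 run as an administrator; the KB numbers that deliver MS17-010 differ per Windows version, and the default list contains only the two the page names, KB4012212 and KB4012598, so pass the number for your own system if it is different.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1,
# run as an administrator for complete results.

function Test-Ms17010Installed {
    param(
        # KB numbers delivering MS17-010 differ per Windows version; these two are the
        # ones this page names. Pass the right one for your system.
        [string[]]$KnownKB = @('KB4012212', 'KB4012598')
    )
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -in $KnownKB })
    [pscustomobject]@{
        Patched     = $installed.Count -gt 0
        Matched     = ($installed.HotFixID -join ', ')
        InstalledOn = ($installed | Select-Object -First 1).InstalledOn
    }
}

function Get-UpdateHealth {
    # "Configured for automatic updates" only helps if the service runs and updates
    # have actually landed recently; both are visible without opening Settings.
    $wu     = Get-Service -Name wuauserv
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    [pscustomobject]@{
        OSVersion       = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        UpdateService   = "$($wu.Status) ($($wu.StartType))"
        LatestHotFix    = $latest.HotFixID
        LatestInstalled = $latest.InstalledOn
        DaysSinceUpdate = if ($latest.InstalledOn) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
    }
}

Test-Ms17010Installed
Get-UpdateHealth
```

A Patched = False result on an OS whose KB is in the list means the update was never applied, which is exactly the state the page warns about; on Windows 10 the fix arrived inside a cumulative update with a different KB number, so a False there means only that you need to pass the correct number, not that the machine is unpatched.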

Windows 8 update against WannaCry

For a laptop with licensed Windows 8, update KB 4012598 was installed, for