The .cbf virus (ransomware): how to decrypt. The .cbf extension

Since 2014, several new varieties of cryptographic viruses have appeared on the Web, similar to their ancestor, a virus called I Love You. Unfortunately, files encrypted by the CBF ransomware virus cannot be decrypted even with the methods offered by leading anti-virus developers. However, there are still some recommendations for recovering encrypted information.

CBF virus: birds of a feather

To date, at least three ransomware viruses of this kind are known: the CBF virus and the XTBL and VAULT viruses. They behave almost identically: after encrypting important files and documents, they offer to sell a code that can decrypt the data (as a rule, after a message appears on the screen, an e-mail arrives demanding payment for decryption services).

Alas, naive users hurry to pay the requested sum or even send samples of infected files to the attackers. But for many companies this information is confidential, and once sent it becomes public.

What is the risk of a virus entering a computer system or network?

In most cases the virus enters the system through messages received by e-mail, less often through visits to dubious web pages.

Not every anti-virus package, even the most powerful, can detect the threat when it appears. Moreover, at an early stage it is not detected even by portable utilities such as Dr.Web CureIt!. Since the virus is self-copying, over time it spreads its tentacles through the entire system.

Among the first symptoms are an excessive load on the CPU and unauthorized use of RAM. If you open Task Manager at this point, you can see a process called Build.exe. In the main administrative directory or the current user's folder, an x86 program files section is created; it holds a RarLab folder containing the files Build.exe, checkdata.dif and winrar.tmp. In addition, the Build file appears on the Desktop. Then pictures containing porn, or links to sites with erotic content, may appear in the browser used for surfing the Web.

This is followed by infection. Typically, office application files such as Microsoft Excel, Access and Word documents are renamed. Problems can also arise with databases in .db and .dbf formats (most often "1C: Accounting"). The .cbf extension is added to the original extension, and such files can no longer be read (opened), since the CBF ransomware virus itself cannot decrypt the infected objects (it simply is not able to). What should be done in this case?

CBF ransomware virus: how to remove it, and is it worth it?

First, you need to clearly understand that you must act as carefully as possible here. If the virus is detected by any software, do not delete it! Instead, move the threat to quarantine, a feature present in almost all applications of this type.

Deleting or cleaning only removes the main executable components; the encrypted information remains unreadable. From quarantine, however, the file can be sent for analysis to the online laboratory of the vendor of the installed antivirus. But this does not always work.

What to do in the simplest case?

So, the .cbf extension has already been added to the files. Depending on how long the virus has been active, several situations may occur: either the files are simply encrypted, or Windows login is blocked (even the Desktop is unavailable).

Let us state it up front: transferring any money is out of the question. To begin with, it is better to use another computer to search the online databases that hold most of the known unlock codes (at the very least, the Unlocker section on the official Dr.Web website). True, there is no guarantee that such codes will fit. You will have to treat the system yourself.

System Restore

Decrypting a CBF virus (or rather, the consequences of its effect on files) will not work in any standard way, because it uses a 1024-bit encryption algorithm. For those who do not know, the 256-bit AES system is what is current today. You can try to restore the original data through Windows System Restore.

If logging in is possible, you can find this section in Control Panel and roll back to the restore point preceding the infection. If Windows login is blocked by a message demanding a money transfer, you can try forcibly rebooting the computer or laptop several times, until the system is "ripe" for automatic recovery. You can also try a recovery disk, or work from the command line and completely overwrite the boot sectors, although there is little chance of success. This only works in the early stages, when the CBF ransomware virus has just entered the system or network.

Restore previous file versions

If the system rollback does not help, use the feature for restoring previous versions of files that is built into Windows itself.

To do this, open the properties of the selected disk or partition in Explorer and go to the Previous Versions tab. Again, you will need to select a restore point, then open it and copy the necessary files to another location. In many cases this method is more effective.

Use of decoders

Among the methods proposed by the developers of anti-virus software, you can try to remove the CBF virus extension using special decoder applications (but only official ones, not decoders of unknown origin).

However, note right away that they only work if an official version of the anti-virus scanner is installed with the corresponding license key. Otherwise you can only do harm: the virus will simply be deleted, after which there will not even be a way to contact the attackers, and you will have to reinstall the entire system.

What should not be done in any case?

As is already clear, the CBF ransomware virus cannot decrypt the files it has infected. It is also worth noting the actions that are categorically not recommended. The most important points:

  • using decoders when a “cracked” version of the antivirus is installed;
  • renaming infected files to change the extension;
  • clearing the browser cache and history before sending suspicious files for analysis to the antivirus software developer;
  • reinstalling the OS without formatting disks or logical partitions;
  • sending money and files for decryption to unknown or suspicious sources, for example, to e-mail addresses like iizomer@aol.com with some other postscript.

In general, you need to clearly understand that decrypting files after the CBF ransomware virus on your own simply will not work. It is better to turn to the official sites of anti-virus laboratories such as Kaspersky, where you can submit problem files for analysis in a special section, or send a quarantined file directly from the program.

However (all developers agree on this), it is better to attach the original to the infected file if one exists, say, as a copy on some removable media. In that case decryption becomes much simpler, although there is no guarantee that the files the user needs will be restored.
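A read-only triage sketch tying together the symptoms listed earlier (the RarLab folder with Build.exe, checkdata.dif and winrar.tmp) and the advice above to pair each infected file with a clean original. It is an added example, not code from the article or from any anti-virus vendor; it assumes infected files are named `<original name>.cbf`, and the directory layout in `demo()` is constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# File names come from the article; the matching rules are assumptions.
ARTIFACTS = {"build.exe", "checkdata.dif", "winrar.tmp"}

def find_dropper_dirs(root):
    """Return RarLab folders that hold all three files the article names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if Path(dirpath).name.lower() == "rarlab" and ARTIFACTS <= names:
            hits.append(Path(dirpath))
    return hits

def pair_with_backup(infected_root, backup_root):
    """Match each *.cbf file to a same-named clean copy; read-only, no renames."""
    backup = {}
    for p in sorted(Path(backup_root).rglob("*")):
        if p.is_file():
            backup.setdefault(p.name.lower(), p)
    pairs, unmatched = [], []
    for enc in sorted(Path(infected_root).rglob("*.cbf")):
        # Assumed naming: "<original name>.cbf", e.g. report.xls.cbf
        clean = backup.get(enc.name[:-4].lower())
        if clean:
            pairs.append((enc, clean))
        else:
            unmatched.append(enc)
    return pairs, unmatched

def demo():
    """Run both checks on a constructed sample tree (not real malware data)."""
    with tempfile.TemporaryDirectory() as tmp:
        pc, usb = Path(tmp) / "pc", Path(tmp) / "usb"
        rar, docs = pc / "Program Files (x86)" / "RarLab", pc / "Documents"
        for d in (rar, docs, usb):
            d.mkdir(parents=True)
        for name in ("Build.exe", "checkdata.dif", "winrar.tmp"):
            (rar / name).write_bytes(b"")
        (docs / "report.xls.cbf").write_bytes(b"\x00" * 16)
        (docs / "base.dbf.cbf").write_bytes(b"\x00" * 16)
        (usb / "report.xls").write_bytes(b"clean copy")
        pairs, unmatched = pair_with_backup(pc, usb)
        names = [(e.name, c.name) for e, c in pairs]
        return len(find_dropper_dirs(pc)), names, [u.name for u in unmatched]
```

The script only lists paths, so it respects the warnings above against deleting the threat or renaming infected files.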

As a rule, and most user reviews confirm this, the support service stays silent for a very long time, and if it does decrypt data, this applies only to single files. And what is to be done with arrays of tens or hundreds of gigabytes? It is simply unrealistic to send such a volume even with the help of special "cloud" services. But let's hope that the developers will still find a cure for infected files and a way to counter the penetration of threats of this type into computer systems and networks.

Source: https://habr.com/ru/post/C21470/

