At the end of 2016, the world was hit by a far from trivial Trojan, called NO_MORE_RANSOM, that encrypts user documents and multimedia content. How to decrypt files after exposure to this threat is discussed below. However, every affected user should be warned right away that there is no single method. This is due both to the use of one of the most advanced encryption algorithms and to how deeply the virus penetrates a computer system or even a local network (although it was not originally designed to spread over a network).
What is the NO_MORE_RANSOM virus and how does it work?
In general, the virus is classed with Trojans such as I Love You, which penetrate a computer system and encrypt user files (usually multimedia). However, whereas its ancestor did nothing more than encrypt, this virus borrows a great deal from the once notorious threat called DA_VINCI_COD and also adds ransomware functions.
After infection, most audio, video, graphics and office document files are given a long name with the extension NO_MORE_RANSOM that contains a complex password.
When you try to open them, a message appears stating that the files are encrypted and that you must pay a certain sum to decrypt them.
How does a threat penetrate the system?
Let us set aside for the moment the question of how to decrypt files of the above types after exposure to NO_MORE_RANSOM and turn to how the virus penetrates a computer system. Unfortunately, trivial as it sounds, an old and proven method is used: an e-mail with an attachment arrives in the mailbox, and when the user opens it, the malicious code runs.
As we can see, there is nothing original about this technique. However, the message may be disguised as meaningless text, or, on the contrary, in the case of large companies, as a change in the terms of a contract. Naturally, an ordinary clerk opens the attachment and then suffers a deplorable result. One of the most notable outbreaks was the encryption of databases of the popular 1C package, and that is a serious matter.
NO_MORE_RANSOM: how to decrypt documents?
Still, it is worth addressing the main question: surely everyone wants to know how to decrypt the files. The NO_MORE_RANSOM virus has its own sequence of actions. If the user tries to decrypt immediately after infection, it can still be done in some way. If the threat has firmly established itself in the system, unfortunately one cannot do without the help of specialists, and even they often turn out to be powerless.
If the threat was detected in time (not all documents have been encrypted yet), there is only one way: contact the support service of an antivirus company, send a couple of files that can no longer be opened, and, based on an analysis of the originals stored on removable media, try to recover the already infected documents, having first copied everything that can still be opened to the same flash drive (although there is no full guarantee that the virus has not penetrated those documents as well). After that, to be safe, the medium should be checked at least with an antivirus scanner (you never know).
Algorithm
Separately, it is worth mentioning that the virus uses the RSA-3072 algorithm for encryption, which, unlike the previously used RSA-2048 technology, is so complex that finding the right key, even if every antivirus laboratory worked on it, could take months or years. Thus, the question of how to decrypt NO_MORE_RANSOM will require a great deal of time. But what if you need to recover the information immediately? First of all, remove the virus itself.
Can the virus be removed, and how?
Actually, this is not difficult to do. Judging by the impudence of the virus's creators, the threat is not masked in the computer system; on the contrary, it is even advantageous for it to "remove itself" after finishing its work.
Nevertheless, the cause, the virus itself, should be neutralized first. The first step is to use portable security utilities such as KVRT, Malwarebytes, Dr.Web CureIt! and the like. Note that the programs used for the check must be portable (not installed on the hard drive and, ideally, run from removable media). If a threat is detected, it should be removed immediately.
If these actions do not help, you must first open the Task Manager and end all processes associated with the virus, sorting the entries by name (as a rule, this is the Runtime Broker process).
After ending the task, open the Registry Editor (regedit from the Run menu) and search for the name Client Server Runtime System (without quotes), then use Find Next to locate and delete all the entries found. Next, restart the computer and check in the Task Manager whether the process is still present.
In principle, the problem of decrypting after NO_MORE_RANSOM can be addressed by this method even at the infection stage. The probability of neutralizing the virus is, of course, small, but there is a chance.
How to decrypt files encrypted by NO_MORE_RANSOM: backups
But there is another technique that few people know about or even suspect. The operating system itself constantly creates its own shadow copies (for example, for recovery), or the user deliberately creates such images. As practice shows, the virus does not touch precisely these copies (its structure simply does not provide for this, although it cannot be ruled out).
Thus, the problem of how to decrypt NO_MORE_RANSOM comes down to using them. However, it is not recommended to use the standard Windows tools for this (and many users will not have access to the hidden copies at all). Instead, use the ShadowExplorer utility (it is portable).
To restore, simply run the program's executable, sort the information by date or partition, select the desired copy (a file, a folder, or the whole system), and use the Export item from the right-click context menu. Then select the directory where the copy should be saved and use the standard recovery process.
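The two practical steps above, spotting the renamed files early and choosing a shadow copy that predates the attack, can be scripted for triage. The following is an added example, not code from the original article or from any of the tools it names. It walks a directory for files carrying the NO_MORE_RANSOM extension, uses the earliest modification time among them as an estimate of when encryption began, and then parses `vssadmin list shadows` output to keep only the snapshots created before that moment. The sample file names, the sample vssadmin text and the en-US timestamp format are constructed assumptions; real renamed files carry a long generated name rather than the original name plus a suffix, and real vssadmin output should be checked against the parser before relying on it.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

ENCRYPTED_SUFFIX = ".NO_MORE_RANSOM"  # extension the article reports on renamed files


def find_encrypted(root):
    """Walk root and split files into (renamed_by_ransomware, still_intact)."""
    encrypted, intact = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.upper().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            else:
                intact.append(path)
    return encrypted, intact


def estimate_infection_time(encrypted):
    """Earliest modification time among renamed files. The ransomware wrote
    these, so any snapshot older than this moment predates the attack."""
    if not encrypted:
        return None
    return datetime.fromtimestamp(min(p.stat().st_mtime for p in encrypted))


def parse_shadow_list(text):
    """Parse `vssadmin list shadows` output into dicts. The line layout and
    the en-US timestamp format are assumptions; verify against real output."""
    copies, created = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if "creation time:" in line:
            stamp = line.split("creation time:", 1)[1].strip()
            created = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        elif line.startswith("Shadow Copy ID:"):
            copies.append({"id": line.split(":", 1)[1].strip(), "created": created})
        elif line.startswith("Shadow Copy Volume:") and copies:
            copies[-1]["device"] = line.split(":", 1)[1].strip()
    return copies


def usable_shadow_copies(copies, infection_time):
    """Snapshots taken before the infection estimate, newest first; a snapshot
    taken after it may already contain the renamed files."""
    candidates = [c for c in copies
                  if infection_time is None or c["created"] < infection_time]
    return sorted(candidates, key=lambda c: c["created"], reverse=True)


# Constructed sample in the shape vssadmin prints (GUIDs are placeholders).
SAMPLE_VSSADMIN = r"""
Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 1/10/2017 8:00:00 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 1/15/2017 6:30:00 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Contents of shadow copy set ID: {44444444-4444-4444-4444-444444444444}
   Contained 1 shadow copies at creation time: 1/16/2017 11:00:00 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000003}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""


def build_sample_tree():
    """Constructed directory: two renamed files and one untouched document,
    with modification times set so the infection lands on 16 Jan 2017, 09:00."""
    root = Path(tempfile.mkdtemp(prefix="nmr_triage_"))
    (root / "docs").mkdir()
    samples = {
        "docs/report.docx.NO_MORE_RANSOM": datetime(2017, 1, 16, 9, 0, 0),
        "docs/budget.xlsx.NO_MORE_RANSOM": datetime(2017, 1, 16, 9, 5, 0),
        "docs/notes.txt": datetime(2017, 1, 10, 12, 0, 0),
    }
    for rel, when in samples.items():
        path = root / rel
        path.write_bytes(b"constructed sample content")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    encrypted, intact = find_encrypted(root)
    infected_at = estimate_infection_time(encrypted)
    print(f"{len(encrypted)} renamed, {len(intact)} intact; infection estimate {infected_at}")
    for c in usable_shadow_copies(parse_shadow_list(SAMPLE_VSSADMIN), infected_at):
        print(f"restore candidate: {c['device']} created {c['created']}")
```

The intact list is what the article advises copying to removable media before anything else; the restore candidates are the snapshots worth opening in ShadowExplorer, newest first, while the snapshot taken after the infection estimate is deliberately excluded because it may already hold the renamed files.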
Third Party Utilities
Of course, many laboratories offer their own solutions to the problem of how to decrypt NO_MORE_RANSOM. For example, Kaspersky Lab recommends its own Kaspersky Decryptor software, available in two versions, Rakhni and Rector.
No less interesting are similar developments such as the NO_MORE_RANSOM decoder from Dr.Web. But it should be understood right away that using such programs is justified only when the threat is detected quickly, while not all files have yet been infected. If the virus has firmly established itself in the system (when encrypted files can no longer be compared with their unencrypted originals), such applications may be useless.
In summary
In fact, there is only one conclusion: this virus must be dealt with at the infection stage, when only the first files have been encrypted. In general, it is best not to open attachments in e-mail messages from questionable sources (this applies specifically to clients installed directly on the computer: Outlook, Outlook Express, etc.). In addition, if a company employee has a list of customer and partner addresses at his disposal, opening "stray" messages becomes completely inexpedient, since most of those contacts sign agreements on non-disclosure of trade secrets and on cybersecurity when hired.