The virus encrypted the files and renamed them. How to decrypt files encrypted with a virus

Recently there has been a surge in a new generation of malicious programs. They appeared quite a long time ago (6-8 years ago), but their spread has only now reached its peak. More and more often you may find that a virus has encrypted your files.

These are no longer primitive malware that merely locks the computer (for example, by producing a blue screen); they are serious programs aimed, as a rule, at damaging accounting data. They encrypt every file within reach, including 1C accounting data and docx, xlsx, jpg, doc, xls, pdf and zip files.

The particular danger of the viruses in question

It lies in the use of an RSA key tied to the specific user's computer, so there is no universal decoder (decryptor). What works on one infected computer may not work on another.

A further danger is that for more than a year ready-made builder programs have been circulating on the Internet, allowing even "kulhackers" (people who consider themselves hackers but have never studied programming) to produce this kind of virus.

More powerful variants have since appeared.


How the malware is delivered

The virus is distributed deliberately, as a rule to a company's accounting department. First, e-mail addresses of HR and accounting staff are harvested from databases such as hh.ru. Then the mailing begins. The letters most often contain an application for a particular position. A file with a résumé is attached; it is a genuine document with an embedded OLE object (a PDF file carrying the virus).

Where accounting staff opened this document right away, the following happened after a reboot: the virus renamed and encrypted the files and then deleted itself.

Such a letter is, as a rule, competently written and sent from a mailbox that is not on spam lists (the sender's name matches the signature). The position applied for always matches the company's core business, so nothing raises suspicion.

Neither a licensed Kaspersky (antivirus program) nor VirusTotal (an online service for checking attachments for viruses) protects the computer in this case. Occasionally a scan by some antivirus programs reports that the attachment contains Gen:Variant.Zusy.71505.


How to avoid infection with this virus?

Every file received should be checked. Pay particular attention to Word documents with embedded PDFs.

Variants of infected messages

There are many. The most common variants by which the virus came to encrypt files are listed below. In all cases the following documents arrive by e-mail:

  1. A notice that proceedings have begun on a lawsuit filed against a particular company (the letter suggests verifying the details by clicking the specified link).
  2. A letter from the Supreme Arbitration Court of the Russian Federation on debt collection.
  3. A message from Sberbank about an increase in existing debt.
  4. A notification of a recorded traffic violation.
  5. A letter from a collection agency stating the maximum possible deferral of payment.

File Encryption Notification

After infection it appears in the root folder of drive C. Sometimes files such as WHAT TO DO.txt and CONTACT.txt are placed in every directory alongside the damaged files. There the user is told that his files have been encrypted with strong cryptographic algorithms, and warned against using third-party utilities, since these can damage the files permanently and make subsequent decryption impossible.

The notification recommends leaving the computer untouched. It states how long the key will be kept (as a rule, 2 days) and gives an exact date after which any appeal will be ignored.

An e-mail address is given at the end. The note also states that the user must quote his ID and that any of the following will cause the key to be destroyed:

  • insults;
  • request details without further payment;
  • threats.

How to decrypt files encrypted with a virus?

This kind of encryption is very strong: the file is given an extension such as perfect, nochance, etc. Breaking it outright is simply impossible, but you can try bringing in a cryptanalyst to find a loophole (in some cases Dr. WEB will help).

There is another way to recover files encrypted by a virus, but it does not work for every virus, and you will need to recover the original exe of this malicious program, which is not easy after it has deleted itself.

The virus's demand to enter a special code is a trivial check, since the decoder is already contained in the file at this point (the code from the attackers, so to speak, is not needed). The essence of the method is to write empty instructions into the virus itself, at the very spot where the entered code is compared. As a result, the malicious program starts decrypting the files on its own and restores them completely.

Each individual virus has its own encryption function, which is why the files cannot be decrypted with a third-party executable (exe file); alternatively you can try to reconstruct that function, for which all the work must be done at the WinAPI level.


Virus encrypted files: what to do?

To carry out decryption, you need to:

  1. Make a backup of the existing files. When decryption finishes, everything is deleted automatically.
  2. On the infected computer, run this malicious program and wait until a window appears demanding the code.
  3. Run Patcher.exe from the attached archive.
  4. Enter the virus's process number and press Enter.
  5. The message "patched" appears, meaning the comparison instructions have been overwritten.
  6. Enter any characters in the code field and click OK.
  7. The virus starts decrypting the files and, when finished, deletes itself.

How to avoid data loss from the malware in question?

It is worth knowing that when the virus encrypts files, the encryption process takes time. An important point is that the malware in question has a flaw that lets you save some of the files if you power the computer off quickly (pull the plug, switch off the surge protector, or remove the battery of a laptop) as soon as many files with the extensions mentioned above begin to appear.

Once again, the main thing is regular backups, but not to another folder or to removable media plugged into the computer, since this variant of the virus reaches those too. Backups should go to another computer, to a hard drive that is not permanently connected, and to the cloud.

Treat with suspicion all documents that arrive by mail from unknown persons (a résumé, a waybill, a ruling of the Supreme Arbitration Court of the Russian Federation or the tax office, etc.). Do not open them on your main computer (for this purpose you can set aside a netbook holding no important data).


Malicious program *.paycrypt@gmail.com: solutions

When this virus has encrypted cbf, doc, jpg and other files, there are only three ways events can develop:

  1. The simplest is to delete all the infected files (acceptable only if the data is not particularly important).
  2. Contact the laboratory of an antivirus vendor, for example Dr. WEB. You must send the developers several infected files together with the decryption key stored on the computer as KEY.PRIVATE.
  3. The most expensive way: pay the amount the hackers demand for decrypting the infected files. As a rule, the cost of this service is 200 - 500 US dollars. This is acceptable when the virus has encrypted the files of a large company through which a significant flow of information passes daily and where this malware can cause enormous damage within seconds. In that case payment is the fastest way to recover the infected files.

Sometimes one more option works: if the virus (paycrypt@gmail_com or other malware) has encrypted the files, rolling the system back a few days may help.


The RectorDecryptor decryption program

If the virus has encrypted jpg, doc, cbf and other files, a special program can help. First go to the startup list and disable everything except the antivirus, then restart the computer. Review all the entries and mark the suspicious ones. The "Command" column shows where each file is located (pay attention to applications without a signature: manufacturer - no data).

Delete all the suspicious files, then clear the browser caches and temporary folders (CCleaner is suitable for this).

To start decryption, download the program named above. Run it and click the "Start Scan" button, indicating the changed files and their extension. In recent versions of this program you can simply specify the infected file itself and click "Open". After that the files are decrypted.

The utility then automatically checks all the data on the computer, including files on an attached network drive, and decrypts them. The recovery may take several hours (depending on the amount of work and the speed of the computer).

As a result, all damaged files are decrypted into the same directory where they were originally located. Finally, all that remains is to delete the files with the suspicious extension, for which you can tick the option "Delete encrypted files after successful decryption" via the "Change scan settings" button. However, it is better not to enable it, because if decryption fails the files may be deleted and will then have to be restored first.

So if the virus has encrypted doc, cbf, jpg and other files, do not rush to pay for the code. It may turn out not to be needed.

The nuances of deleting encrypted files

When you try to remove all the damaged files using the standard search and deletion, the computer may freeze and slow down. For this procedure it is therefore better to use the command line. After starting it, enter: del "<drive>:\*.<extension of the infected file>" /f /s

Be sure to delete files such as "Read me.txt" too, with the same command line: del "<drive>:\*.<file name>" /f /s
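As an added example that is not part of the original article, the Python script below covers two passages: inventorying the traces described in the notification section (the note files, KEY.PRIVATE and files carrying the appended extensions) and the recursive deletion that the del ... /f /s commands above perform, with a dry run before anything is removed. The indicator names are the ones the article mentions; the function names and the sample directory tree are my own constructions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Indicators named in the article: extensions the malware appends, note and key files.
ENCRYPTED_EXTS = {".perfect", ".nochance", ".cbf"}
NOTE_NAMES = {"what to do.txt", "contact.txt", "read me.txt"}
KEY_FILE = "key.private"


def inventory(root):
    """Count encrypted files per extension and list ransom notes / KEY.PRIVATE copies."""
    found = {"encrypted": {}, "notes": [], "keys": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, ext = path.name.lower(), path.suffix.lower()
        if name in NOTE_NAMES:
            found["notes"].append(str(path))
        elif name == KEY_FILE:
            found["keys"].append(str(path))
        elif ext in ENCRYPTED_EXTS:
            found["encrypted"][ext] = found["encrypted"].get(ext, 0) + 1
    return found


def delete_by_extension(root, ext, dry_run=True):
    """Same effect as `del "<drive>:\\*.<ext>" /f /s`: remove every file with that
    extension below root. /f is mimicked by clearing the read-only bit first.
    With dry_run=True nothing is removed; only the paths that would be are returned."""
    targets = [p for p in Path(root).rglob("*" + ext) if p.is_file()]
    if not dry_run:
        for p in targets:
            os.chmod(p, stat.S_IREAD | stat.S_IWRITE)
            p.unlink()
    return [str(p) for p in targets]


def build_sample_tree():
    """Constructed sample data: three 'encrypted' files, two notes, one key file."""
    root = Path(tempfile.mkdtemp())
    (root / "acct").mkdir()
    for rel in ("report.xlsx.perfect", "acct/ledger.doc.perfect", "acct/scan.jpg.cbf"):
        (root / rel).write_bytes(b"\x00ciphertext")
    (root / "WHAT TO DO.txt").write_text("your files are encrypted")
    (root / "acct" / "CONTACT.txt").write_text("write to us")
    (root / "KEY.PRIVATE").write_bytes(b"keyblob")
    os.chmod(root / "acct" / "scan.jpg.cbf", stat.S_IREAD)  # read-only, as /f would handle
    return root
```

Run inventory() first and delete_by_extension() with the default dry run before passing dry_run=False, so that the backup recommended by the article exists before anything is removed.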

Thus, if the virus has renamed and encrypted the files, do not immediately spend money buying the key from the attackers; first try to deal with the problem yourself. It is better to invest in buying a special program for decrypting damaged files.

In conclusion, recall that this article addressed the question of how to decrypt files encrypted by a virus.

Source: https://habr.com/ru/post/C34701/
