Viruses as such, as a computer threat, surprise no one today. But where they used to act on the system as a whole, disrupting its operation, today, with the appearance of a variety known as the encryptor virus, the actions of a threat that has penetrated the system are aimed mainly at user data. It is arguably an even greater danger than destructive Windows executables or spyware applets.
What is an encryption virus?
The code of such a self-copying virus encrypts almost all user data with special cryptographic algorithms, while leaving the operating system's own files untouched.
At first, the logic behind the virus's behaviour was not clear to many. It became clear only when the hackers who wrote such applets began demanding money to restore the original file structure. The cryptographic virus that has penetrated the system does not itself allow the files to be decrypted; by its very design, that requires a separate decoder, that is, a code, password or algorithm needed to restore the desired content.
How the virus penetrates the system and how its code operates
As a rule, "picking up" such nasty things while browsing the Internet is rather difficult. The main channel for spreading the "infection" is e-mail, at the level of mail programs installed on a specific computer such as Outlook, Thunderbird, The Bat and so on. Note straight away that this does not apply to web-mail servers: they have a fairly high level of protection, and user data there is reachable only at the level of cloud storage.
An application on a local computer is another matter. Here the field of action for viruses is so wide it is hard to imagine. One reservation is in order, though: in most cases these viruses target large companies, from which money can be "extracted" for the decryption code. That is understandable, because not only the local computers but also the servers of such companies hold not just confidential information but also files that exist, so to speak, in a single copy and must not be lost under any circumstances. Decrypting the files after the ransomware virus then becomes a serious problem.
Of course, an ordinary user can also be hit by such an attack, but in most cases this is unlikely if you follow the simplest recommendations for opening attachments of an unknown type. Even if the mail client shows an attachment with the .jpg extension as a standard image file, it must first be checked with the standard anti-virus scanner installed on the system.
If this is not done, a double-click to open it (the standard method) activates the code and the encryption process begins; after that the same Breaking_Bad (encryption virus) will not only be impossible to delete, but it will also be impossible to recover the files even after the threat has been removed.
General consequences of infection by viruses of this type
As already mentioned, most viruses of this type enter the system through e-mail. Say a large organization receives a letter with content such as "We have changed the contract, the scan is attached" or "An invoice for the shipment of goods has been sent to you (copy attached)", sent to a specific registered mailbox. Naturally, an unsuspecting employee opens the file and...
All user files at the level of office documents, multimedia, specialized AutoCAD projects and other archive data are encrypted almost instantly, and if the computer is on a local network the virus can spread further, encrypting data on other machines (this becomes noticeable immediately as the system "brakes" and running programs or applications freeze).
At the end of the encryption process the virus itself apparently sends a kind of report, after which the company may receive a message that such-and-such a threat has entered the system and that only such-and-such an organization can decrypt it. This usually refers to the paycrypt@gmail.com virus. Then comes the demand to pay for decryption services, with a proposal to send several files to the "client's" e-mail address, which is often fictitious.
The harm done by the code
If anyone still does not understand: decrypting files after an encryptor virus is a very laborious process. Even if you do not give in to the attackers' demands and instead turn to the official government agencies that combat and prevent computer crime, usually nothing good comes of it.
If you delete all the files, restore the system and even copy the original data back from removable media (if such a copy exists, of course), everything will be encrypted again as soon as the virus is activated. So there is no point in deceiving yourself, especially since when the same flash drive is inserted into a USB port the user will not even notice the virus encrypting the data on it as well. And then there will be no end of problems.
The first of the family
Now let us turn to the first ransomware virus. At the time it appeared, no one had thought about how to cure the system and decrypt files after exposure to executable code enclosed in an e-mail attachment with a dating offer. Awareness of the scale of the disaster came only with time.
That virus had the romantic name "I Love You". An unsuspecting user opened the attachment in the electronic message and ended up with multimedia files (graphics, video and audio) that could no longer be played back. Back then, though, such actions looked merely destructive (harming users' media libraries), and no one demanded money for them.
The latest modifications
As you can see, the evolution of the technique has become quite profitable, especially considering that many heads of large organizations immediately rush to pay for decryption, without thinking that they may lose both the money and the information.
By the way, do not believe all those "dubious" posts on the Internet saying "I paid the required amount, they sent me a code, everything was restored." Nonsense! All of this is written by the virus developers themselves to attract potential, sorry, "suckers". And by the standards of an ordinary user the sums demanded are quite serious: from hundreds to several thousand or tens of thousands of euros or dollars.
Now let us look at the latest varieties of viruses of this type, recorded relatively recently. They are all much alike and belong not only to the category of encryptors but also to the group of so-called ransomware. In some cases they behave more "correctly" (like paycrypt), seemingly sending official business offers or messages saying that someone cares about the security of the user or organization. With its message, such a cryptographic virus simply misleads the user. If the user takes even the smallest step towards payment, that is it: the "scam" is complete.
XTBL virus
The relatively recently appeared XTBL virus can be considered a classic version of ransomware. As a rule, it enters the system through e-mail messages carrying attachments with the .scr extension, which is the standard for a Windows screensaver. The system and the user think everything is in order and open or save the attachment.
Alas, this leads to sad consequences: file names are converted into a jumble of characters and .xtbl is appended to the original extension, after which a message is sent to the specified e-mail address about the possibility of decryption after payment of the stated amount (usually 5 thousand rubles).
CBF virus
This type of virus also belongs to the classics of the genre. It appears on the system after an e-mail attachment is opened and then renames user files, appending an extension such as .nochance or .perfect.
Unfortunately, "decrypting" this type of ransomware virus in the sense of analysing the contents of its code is not possible even at the stage of its appearance on the system, because after completing its actions it deletes itself. Even a tool like RectorDecryptor, which many consider universal, does not help. Once again, the user receives a letter demanding payment, with a deadline of two days.
Breaking_Bad virus
This type of threat works in the same way, but renames files in the standard manner, appending .breaking_bad to the extension.
It does not end there. Unlike the previous viruses, this one can also create another extension, .Heisenberg, so it is not always possible to find all the infected files. Breaking_Bad (ransomware virus) is therefore a rather serious threat. Incidentally, there have been cases where even a licensed Kaspersky Endpoint Security 10 package has missed this type of threat.
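The article has now named every suffix these families append (.xtbl, .nochance, .perfect, .breaking_bad and .Heisenberg) and warned that the second Breaking_Bad suffix makes affected files easy to overlook. The following helper is an added example, not code from the article or from any antivirus vendor: it walks a directory tree, matches those suffixes case-insensitively, and returns per-suffix counts plus each affected path with the name it had before the suffix was appended, which is the list a responder needs before deciding what to restore. The sample directory tree it builds is constructed for the demonstration. It inventories only and decrypts nothing.

```python
"""Inventory of files renamed by an encryptor (added example; not the article's code)."""
import os
import tempfile
from collections import Counter
from typing import List, Optional, Tuple

# Suffixes named in the article, stored lowercase so .Heisenberg and
# .heisenberg both match.
RANSOM_SUFFIXES = {".xtbl", ".nochance", ".perfect", ".breaking_bad", ".heisenberg"}


def ransom_suffix(filename: str) -> Optional[str]:
    """The appended ransomware suffix (lowercased) if the name carries one, else None."""
    ext = os.path.splitext(filename)[1].lower()
    return ext if ext in RANSOM_SUFFIXES else None


def original_name(filename: str) -> str:
    """Strip one appended suffix. XTBL also scrambles the base name, so for it
    the result is the scrambled name rather than the user's original."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in RANSOM_SUFFIXES else filename


def inventory(top: str) -> Tuple[Counter, List[Tuple[str, str]]]:
    """Walk `top`; return (per-suffix counts, [(affected path, name before suffix)])."""
    counts: Counter = Counter()
    hits: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(top):
        for name in files:
            suffix = ransom_suffix(name)
            if suffix is None:
                continue
            counts[suffix] += 1
            hits.append((os.path.join(dirpath, name), original_name(name)))
    hits.sort()
    return counts, hits


def build_sample_tree() -> str:
    """Create a constructed directory tree mixing affected and untouched files."""
    top = tempfile.mkdtemp(prefix="ransom_inventory_")
    names = [
        "docs/contract.docx.xtbl",
        "docs/budget.xlsx.Heisenberg",   # mixed case, as the article spells it
        "docs/plan.dwg.breaking_bad",
        "media/photo.jpg.nochance",
        "media/song.mp3.perfect",
        "media/untouched.mp4",
        "readme.txt",
    ]
    for rel in names:
        path = os.path.join(top, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample bytes")
    return top


if __name__ == "__main__":
    root = build_sample_tree()
    counts, hits = inventory(root)
    print("affected files per suffix:", dict(counts))
    for path, before in hits:
        print(f"{path}  (was: {before})")
```

Running the inventory from a clean boot medium against a mounted copy of the disk, rather than on the still-infected system, avoids the re-encryption on reconnection that the article warns about.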
The paycrypt@gmail.com virus
Here is another, perhaps the most serious, threat, aimed mainly at large commercial organizations. As a rule, a letter arrives in some department containing what appear to be changes to a supply agreement, or simply an invoice. The attachment may contain an ordinary .jpg file (an image, supposedly), but more often it contains an executable .js script (Java applet).
How can an encryption virus of this type be decrypted? Judging by the fact that some unknown RSA-1024 algorithm is used there, it cannot. From the name we can assume this is a 1024-bit encryption system. But, if anyone remembers, today 256-bit AES is considered the most advanced.
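The article's recurring advice is to check an attachment before opening it, even one the mail client shows as a .jpg, and it names .scr screensavers and .js scripts as the carriers used by the XTBL and paycrypt mailings. The helper below is an added example, not code from the article: it applies two cheap checks a mail gateway or a cautious user can run before a full antivirus scan, the extension chain of the file name against a deny-list of directly executable types, and the leading bytes of the content against the signature the extension promises. The deny-list, the document-extension list and the sample attachments are assumptions constructed for this example (the article only names .jpg, .scr and .js).

```python
"""Attachment triage before opening (added example; not code from the article)."""
from typing import List, Tuple

# Assumed deny-list: the types the article names (.scr, .js) plus other
# common Windows types that run on double-click.
EXECUTABLE_EXTENSIONS = {".scr", ".js", ".jse", ".exe", ".vbs", ".bat", ".cmd", ".wsf"}

# Document-looking types placed in front of a real extension ("invoice.jpg.js");
# constructed list for this example.
DOCUMENT_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Leading bytes (magic numbers) of the formats this example can verify.
SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}


def extension_chain(name: str) -> List[str]:
    """All extensions of a file name, lowercased: 'invoice.jpg.js' -> ['.jpg', '.js']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(name: str, head: bytes) -> Tuple[str, List[str]]:
    """Return ('block' | 'suspicious' | 'ok', reasons) for one attachment.

    name: the file name the mail client displays
    head: the first bytes of the attachment content
    """
    reasons: List[str] = []
    chain = extension_chain(name)
    final = chain[-1] if chain else ""

    # 1. Windows acts on the last extension, whatever comes before it.
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append("executable type " + final)
    # 2. A document-looking extension followed by another one is a disguise.
    if any(ext in DOCUMENT_EXTENSIONS for ext in chain[:-1]):
        reasons.append("double extension " + "".join(chain))
    # 3. The content may be a Windows executable regardless of its name.
    if head.startswith(b"MZ"):
        reasons.append("content is a Windows executable (MZ header)")
    # 4. A claimed image or PDF without its signature is not what it says.
    if final in SIGNATURES and not head.startswith(SIGNATURES[final]):
        reasons.append("content does not match the " + final + " signature")

    if final in EXECUTABLE_EXTENSIONS or head.startswith(b"MZ"):
        return "block", reasons
    if reasons:
        return "suspicious", reasons
    return "ok", reasons


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG header, a script behind a .jpg name,
    # a screensaver, an executable renamed to .jpg, and a genuine PDF.
    samples = [
        ("contract_scan.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("invoice.jpg.js", b"var x = 1;"),
        ("screensaver.scr", b"MZ\x90\x00\x03\x00"),
        ("photo.jpg", b"MZ\x90\x00"),
        ("report.pdf", b"%PDF-1.4\n"),
    ]
    for sample_name, sample_head in samples:
        verdict, why = triage(sample_name, sample_head)
        print(f"{sample_name:20} {verdict:10} {'; '.join(why)}")
```

A "suspicious" verdict (a double extension or a signature mismatch on its own) is the case the article describes: a file that looks like an image but should go to the antivirus scanner before anyone double-clicks it.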
Cryptographic virus: how to cure the system and decrypt files with antivirus software
To date, no solutions have been found for decrypting threats of this type. Even such masters of anti-virus protection as Kaspersky, Dr. Web and Eset cannot find the key to the problem once a cryptographic virus has infected the system. How are the files to be cured? In most cases it is suggested that you send a request to the official site of the antivirus developer (and, by the way, only if the system runs licensed software from that developer).
In that case you need to attach several encrypted files, as well as their "healthy" originals if you have any. By and large, few people keep copies of their data, so the absence of copies only makes an already unpleasant situation worse.
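Since the antivirus laboratories ask for encrypted samples together with their "healthy" originals, it helps to be able to prove which backup copies are still untouched. The code below is an added example, not from the article or from any vendor: it records a SHA-256 manifest of a clean copy and later checks the same location against it, reporting which files are intact (hash unchanged), changed in place, missing, or newly appeared. The `demo()` scenario is constructed, with one file overwritten and renamed with the .xtbl suffix the article describes, one overwritten in place and one untouched.

```python
"""Hash manifest for verifiable originals (added example; not the article's code)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 hex digest of a file, read in chunks so large media files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(top: str) -> Dict[str, str]:
    """Map every file under `top` (relative path, '/' separators) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(top):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, top).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(top: str, manifest: Dict[str, str]) -> Tuple[List[str], List[str], List[str], List[str]]:
    """Compare `top` with an earlier manifest; return (intact, changed, missing, new)."""
    current = build_manifest(top)
    intact = sorted(p for p in manifest if current.get(p) == manifest[p])
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    new = sorted(p for p in current if p not in manifest)
    return intact, changed, missing, new


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Constructed scenario: take a manifest while clean, then check the aftermath."""
    top = tempfile.mkdtemp(prefix="manifest_demo_")
    originals = {
        "contract.docx": b"original contract text",
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "notes.txt": b"plain notes",
    }
    for name, data in originals.items():
        with open(os.path.join(top, name), "wb") as fh:
            fh.write(data)
    manifest = build_manifest(top)  # taken while everything is still healthy

    # Constructed aftermath: contract.docx replaced by an unreadable
    # contract.docx.xtbl, photo.jpg overwritten in place, notes.txt untouched.
    with open(os.path.join(top, "contract.docx.xtbl"), "wb") as fh:
        fh.write(b"unreadable bytes")
    os.remove(os.path.join(top, "contract.docx"))
    with open(os.path.join(top, "photo.jpg"), "wb") as fh:
        fh.write(b"unreadable bytes")
    return verify_manifest(top, manifest)


if __name__ == "__main__":
    for label, paths in zip(("intact", "changed", "missing", "new"), demo()):
        print(f"{label:8} {paths}")
```

The manifest itself must live on media that is disconnected after it is written; the article's point about a flash drive being encrypted as soon as it is plugged into the infected machine applies to the manifest just as much as to the backup.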
Possible ways to identify and remove a threat manually
Yes, a scan with a conventional antivirus identifies threats and even removes them from the system. But what about the information?
Some try to use decoders such as the already mentioned RectorDecryptor (RakhniDecryptor) utility. Let us say at once: this will not help. And in the case of the Breaking_Bad virus it can only do harm. Here is why.
The fact is that the people who create such viruses try to protect themselves and to teach others a lesson. When decryption utilities are used, the virus can react in such a way that the entire system crashes, with complete destruction of all data stored on the hard drives or logical partitions. This is, so to speak, a demonstrative lesson for all those unwilling to pay. One can only hope for the official anti-virus laboratories.
Drastic measures
However, if things are really bad, you will have to sacrifice the information. To get rid of the threat completely, you need to format the entire hard drive, including virtual partitions, and then reinstall the "OS".
Unfortunately, there is no other way. Even rolling the system back to a saved restore point will not help: the virus may disappear, but the files will remain encrypted.
In place of an afterword
In conclusion, the situation is as follows: a cryptographic virus penetrates the system, does its dirty work and cannot be cured by any known means. Antivirus protection was not ready for this type of threat. Naturally, the virus can be detected or removed after the fact, but the encrypted information will remain in an unusable form. So I want to hope that the best minds of the antivirus companies will still find a solution, although judging by the encryption algorithms this will be very hard to do. Just recall the Enigma cipher machine of the German navy during World War II: the best cryptographers could not solve the problem of decrypting its messages until they had the device in their hands. The same applies here.