Decrypt the file. Your files have been encrypted - what to do? What to do if all important data is encrypted

Typically, malicious programs aim to gain control over a computer, recruit it into a botnet, or steal personal data. An inattentive user may not notice for a long time that the system is infected. Ransomware, in particular xtbl, works in a completely different way: it makes user files unusable by encrypting them with a strong algorithm and demands a large sum from the owner for the ability to recover the information.

Cause of the problem: xtbl virus

The xtbl ransomware virus got its name from the fact that user documents encrypted by it receive the .xtbl extension. Ordinary encoders leave the key in the file body so that a universal decoder program can restore the information to its original form. This virus serves a different purpose, so instead of a key the screen shows an offer to pay a certain amount to anonymous account details.

How the xtbl virus works

The virus enters the computer through e-mail messages with infected attachments that look like office application files. Once the user opens the attachment, the malware starts searching for photos, keys, videos, documents and so on, and then, using a custom complex algorithm (hybrid encryption), turns them into .xtbl files.

The virus uses system folders to store its files.

The virus adds itself to the startup list. To do this, it adds entries to the following Windows registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run;
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
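The Run and RunOnce keys above are the first place to check for a persisted ransomware process. The script below is an added example, not part of the original article: it parses a "reg export" of those two keys (a constructed sample is embedded; the random-looking entry and the Temp-resident csrss.exe are made up for the example) and flags entries that start from a user-writable folder under a generated name or under the name of a Windows system binary.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` of the two autorun keys the article names.
# (reg export writes UTF-16LE; decode it to str before parsing.) The random-looking
# value and the Temp-resident "csrss.exe" are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"sjd7gy2Hjdl"="C:\\Users\\alice\\AppData\\Roaming\\sjd7gy2Hjdl.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Client Server Runtime Process"="C:\\Users\\alice\\AppData\\Local\\Temp\\csrss.exe"
'''

AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Folders an ordinary user can write to; legitimate installers usually go to Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Windows system binaries whose names malware likes to borrow; they never live in Temp.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}

# "Name"="data" lines; data may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {key_path: [(value_name, data), ...]} for the string values of a .reg export."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current and (m := _VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            keys[current].append((name, data))
    return keys


def executable_path(command: str) -> str:
    """Pull the program path out of a Run value: "C:\\x.exe" /arg, or a bare path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|scr|bat|cmd|vbs|js|dll))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def looks_random(name: str) -> bool:
    """Crude test for generated names like sjd7gy2HjdlVnsjds: long, digits mixed in, few vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or not letters:
        return False
    has_digits = any(c.isdigit() for c in name)
    vowel_ratio = sum(c.lower() in "aeiouy" for c in letters) / len(letters)
    return has_digits or vowel_ratio < 0.25


def find_suspicious_autoruns(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for autorun entries that deserve a closer look."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in AUTORUN_KEYS:
            continue
        for name, command in values:
            path = executable_path(command)
            low = path.lower()
            in_user_dir = any(marker in low for marker in USER_WRITABLE)
            basename = low.rsplit("\\", 1)[-1]
            if in_user_dir and basename in SYSTEM_NAMES:
                findings.append((key, name, f"system binary name {basename} started from {path}"))
            elif in_user_dir and looks_random(basename.rsplit(".", 1)[0]):
                findings.append((key, name, f"random-looking executable in user-writable path: {path}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_suspicious_autoruns(SAMPLE_REG):
        print(f"{key}\\{name}: {reason}")
```

OneDrive also lives under AppData but keeps a readable name, so the path alone is not used as a verdict; combine the location with the name heuristics, as the script does.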

The infected computer runs stably and the system does not crash, but one or two small applications with meaningless names are always present in RAM, and the folders with the user's working files take on a strange appearance.

Instead of the usual desktop wallpaper, a message appears on the screen:

Your files have been encrypted. To decrypt them, you need to send the code to the email address: [email protected](the code follows). You will then receive further instructions. Independent attempts to decrypt files will lead to their complete destruction.

The same text is contained in a generated file named How to decrypt your files.txt. The e-mail address, the code and the requested amount may vary.

Quite often some scammers profit from the work of others: the e-wallet number of a second group is inserted into the body of the virus, although that group has no way to decrypt the files. A gullible user who sends the money therefore gets nothing in return.

Why you shouldn't pay ransomware

Agreeing to cooperate with extortionists is wrong not only on moral grounds; it is also unreasonable from a practical point of view.

  • Fraud. There is no guarantee that the attackers can decrypt your files at all. A single allegedly decrypted photograph returned to you is not evidence either: it may simply be the original, stolen before encryption. The money paid will be wasted.
  • Repeat attacks. By confirming your willingness to pay, you become a more desirable target for a repeat attack. Next time your files may have a different extension and a different message may appear on the desktop, but the money will go to the same people.
  • Confidentiality. While the files are encrypted, they remain on your computer. Having come to terms with the "honest villains", you will have to send them all your personal information, because the scheme does not provide for obtaining a key and decrypting on your own, only for sending the files to the decoder.
  • Computer infection. Your computer is still infected, so decrypting the files is not a complete solution to the problem.
    How to protect your system from a virus

    Universal rules for protecting against malware and minimizing damage will help in this case too.

  • Beware of casual contacts. Do not open e-mails from unknown senders, including advertisements and bonus offers. If you must, save the attachment to disk first and check it with an antivirus before reading it.
  • Use protection. Antivirus vendors constantly add to their libraries of malicious code, so an up-to-date antivirus will not let most viruses onto your computer.
  • Separate privileges. The virus does far more harm if it gets in through an administrator account. It is better to work under an ordinary user account, which drastically reduces the chances of infection.
  • Create backups. Copy important information regularly to external media stored separately from the computer. Also remember to create Windows restore points.
    Is it possible to recover encrypted information

    Good news: data recovery is possible. Bad news: you cannot do it on your own. The reason is the nature of the encryption algorithm: finding the key requires far more resources and accumulated knowledge than an ordinary user has. Fortunately, antivirus developers treat every malicious program as a matter of honor, so even if they cannot deal with your ransomware right now, they will most likely find a solution in a month or two. You will have to be patient.

    Because specialists have to be involved, the way you handle an infected computer changes. As a general rule, the fewer changes the better. Antivirus companies work out a cure from the characteristic features of a malicious program, so infected files are an important source of information for them. They should be removed only after the main problem has been solved.

    The second rule is to interrupt the virus at any cost. It may not have spoiled all the information yet, and traces of the ransomware may remain in RAM that help identify it. Therefore, immediately unplug a desktop from the mains, and turn off a laptop by holding down the power button. This time the standard "careful" shutdown procedure, which lets all processes finish correctly, is not an option, since one of those processes is the encryption of your information.

    Recovering encrypted files

    If you managed to turn off your computer

    If you managed to turn off the computer before the encryption finished, do not turn it on again yourself. Take the "patient" straight to the specialists: interrupted encryption significantly increases the chances of saving personal files. There you can also check your storage media in safe mode and create backups. The virus itself will most likely be a known one, so the treatment will be successful.

    If encryption is complete

    Unfortunately, the chance of successfully interrupting the encryption process is very small. Usually the virus has time to encode the files and remove unnecessary traces from the computer. Now you have two problems: Windows is still infected, and your personal files have turned into meaningless sequences of characters. Solving the second problem requires the help of antivirus software vendors.

    Dr.Web

    Dr.Web Laboratory provides its decryption services free of charge only to owners of commercial licenses. In other words, if you are not their client yet, but want to restore your files, you will have to buy the program. Given the current situation, this is the right investment.

    The next step is to go to the manufacturer's website and fill out the entry form.

    If unencrypted copies of some of the encrypted files have been saved on external media, sending them along will greatly help the decryption specialists.

    Kaspersky

    Kaspersky Lab has developed its own decryption utility called RectorDecryptor, which can be downloaded to a computer from the company's official website.

    There is a separate version of the utility for each operating system, including Windows 7. After downloading and launching it, press the "Start check" button.

    Decryption may take a while if the virus is relatively new. In this case the company usually sends a notification. Sometimes decryption can take several months.

    Other services

    Services with similar functions keep appearing, which shows the demand for decryption. The procedure is the same: go to the site (for example, https://decryptcryptolocker.com/), register and send an encrypted file.

    Decoder programs

    There are many "universal decoders" (paid ones, of course) on the net, but their usefulness is questionable. If a decoder is written by the authors of the virus themselves it will work, but the same program will be useless against another malicious application. In addition, specialists who deal with viruses regularly already have a complete set of the necessary utilities, so they most likely have every working program. Buying such a decoder is likely to be a waste of money.

    How to decrypt files using Kaspersky Lab - video

    Self-service information recovery

    If for some reason it is impossible to contact third-party specialists, you can try to recover the information on your own. Be warned that if the attempt fails, the files may be lost permanently.

    Recovering deleted files

    After encryption, the virus deletes the original files. However, for some time Windows 7 keeps deleted information in so-called shadow copies.

    ShadowExplorer

    ShadowExplorer is a utility designed to recover files from their shadow copies.

  • To install, go to the developer's site and download the archive. After unpacking it, the executable is stored in the ShadowExplorerPortable folder under the same name, and a shortcut for quick launch appears on the desktop.
  • The remaining actions are intuitive. Launch the program and, in the upper left pane, select the disk where the data was stored and the date the shadow copy was created. You need the most recent date.
  • Now find the folder that contained the working files and right-click on it. In the context menu that opens, select Export, then specify the path to save the recovered files. The program will find all available shadow copies in this folder and export them to the destination.

    PhotoRec

    The free PhotoRec utility works in the same way, but in batch mode.

  • Download the archive from the developer's site and unpack it to disk. The executable file is named QPhotoRec_Win.
  • After launching the application, a dialog box shows a list of all available disk devices. Select the one where the encrypted files were stored and specify the path to save the recovered copies.

    For storage it is better to use an external medium, such as a USB stick, since every write to the disk risks erasing shadow copies.

  • With the desired directories selected, press the File Formats button.
  • The drop-down list shows the file types the application can restore. By default every one is checked, but to speed up the work you can clear the unnecessary checkboxes, leaving only the types of files being restored. When you have finished, press the OK button.
  • Once the selection is complete, the Search button becomes available. Click it. Recovery is a time-consuming process, so be patient.
  • When the process has completed, press the Quit button and exit the program.
  • The recovered files are located in the directory specified earlier, sorted into folders named recup_dir.1, recup_dir.2, recup_dir.3 and so on. Go through them one by one and restore the original file names.
    Virus removal

    Since the virus got onto the computer, the installed security software did not cope with its task. You can try third-party help.

    Important! Removing the virus cures the computer but does not restore the encrypted files. In addition, installing new software can damage or erase some of the shadow copies needed to restore them, so it is better to install applications on other drives.

    Kaspersky Virus Removal Tool

    A free program from a well-known developer of antivirus software, which can be downloaded from the Kaspersky Lab website. Once launched, Kaspersky Virus Removal Tool immediately prompts you to start scanning.

    After pressing the large on-screen button "Start Scan", the program starts scanning your computer.

    It remains to wait until the end of the scan and delete the found uninvited guests.

    Malwarebytes Anti-malware

    Another antivirus developer that provides a free version of its scanner. The procedure is the same:

  • Download the Malwarebytes Anti-malware installer from the manufacturer's official page, then run it, answering the questions and clicking "Next".
  • The main window will offer to update the program immediately (a useful step that refreshes the virus databases). After that, start the scan by clicking the corresponding button.
  • Malwarebytes Anti-malware scans the system in stages, displaying interim results.
  • Found viruses, including ransomware, are shown in the final window. Get rid of them by pressing the "Delete Selected" button.

    To remove some malicious applications correctly, Malwarebytes Anti-malware will offer to reboot the system; you must agree to this. After Windows restarts, the antivirus will continue cleaning.

    What not to do

    The XTBL virus, like other ransomware, damages both the system and user information. Therefore, to reduce the potential damage, take the following precautions:

    1. Do not wait for the encryption to end. If files are being encrypted before your very eyes, do not wait for it to finish and do not try to stop the process with software. Unplug the computer immediately and call a service technician.
    2. Do not try to remove the virus yourself if you can trust professionals.
    3. Do not reinstall the system until the end of treatment. The virus will safely infect the new system as well.
    4. Do not rename encrypted files. This will only complicate the work of the decoder.
    5. Do not try to read infected files on another computer until the virus is removed. This can spread the infection.
    6. Don't pay extortionists. It is useless and encourages virus creators and scammers.
    7. Don't forget about prevention. Installing antivirus, regular backups, and creating restore points will significantly reduce the potential damage from malware.

    Curing a computer infected with a ransomware virus is a long and not always successful procedure. Therefore, it is so important to observe precautions when obtaining information from the network and working with unverified external media.

    Good day to all, my dear friends and readers of my blog. Today's topic will be rather sad, because it concerns viruses. I'll tell you about a case that happened not so long ago at my work. An employee called me in the department with an agitated voice: "Dima, the virus has encrypted the files on the computer, what do I do now?" I realized that things were getting hot, and in the end I went to see her.

    Yes. Everything turned out to be sad. Most of the files on the computer were infected, or rather encrypted: Office documents, PDF files, 1C databases and many others. In short, it was a complete disaster. Probably only archives, applications and text documents were not affected (well, and a lot more). All of these files had their extension changed, and their names were changed to something like sjd7gy2HjdlVnsjds.
    Also, several identical README.txt documents appeared on the desktop and in the folders. They honestly say that your computer is infected and that you should not take any action, delete anything or run antivirus checks, otherwise the files will not be returned.
    The file also says that these nice people will be able to restore everything as it was. To do this, you need to send the key from the document to their e-mail, after which you will receive the necessary instructions. They do not state the price, but in practice it turns out that the cost of getting everything back is something like 20,000 rubles.

    Is your data worth that money? Are you ready to pay to get rid of the ransomware? I doubt it. What then is to be done? We'll talk about that later. In the meantime, let's take everything in order.

    Where does it come from

    Where does this nasty ransomware virus come from? It is very simple. People pick it up via e-mail. As a rule, this virus penetrates organizations and corporate mailboxes, although not only them. At first glance you do not take it for junk, since it does not come in the form of spam but from a real, serious organization; for example, we received a letter from the Rostelecom provider from their official mail.

    The letter was completely ordinary, something like "New tariff plans for legal entities". Inside was a PDF file. And when you open that file, you open Pandora's box. All important files are encrypted and, in simple words, turn into "bricks". And antiviruses don't catch this crap right away.

    What I did and what didn't work

    Naturally, none of us wanted to pay 20 thousand for this, since the information was not worth that much, and besides, contacting scammers was not an option at all. And besides, it is not a fact that for this amount everything would be unblocked for you.

    I ran the Dr.Web CureIt utility and it found a virus, but there was little use in that, since even after removing the virus the files remained encrypted. Removing the virus turned out to be easy, but coping with the consequences is much more difficult. I went to the Doctor Web and Kaspersky forums, found the topic I needed there, and also learned that neither of them can help with decryption. Everything was very strongly encrypted.

    On the other hand, search engines began to return results that some companies decrypt files on a paid basis. Well, that interested me, especially since the company turned out to be a real, existing one. On their website they offered to decrypt five files for free to show their abilities. So I sent them the 5 files that were most important in my opinion.
    After some time I received a reply that they had managed to decrypt everything and that they would charge me 22 thousand for complete decryption. And they did not want to give the files to me. So I immediately assumed that they were most likely working in tandem with the scammers. Well, of course, they were sent to hell.

    • using the programs "Recuva" and "RStudio"
    • running various utilities
    • well, to calm myself down, I could not help but try (although I knew perfectly well that it would not help) something just plain stupid. Nonsense, of course)

    None of this worked for me. But I still found a way out. Of course, if you suddenly find yourself in such a situation, first look at what extension the encrypted files have. Then go to http://support.kaspersky.com/viruses/disinfection/10556 and see which extensions are listed. If your extension is on the list, use that utility.
    But in all 3 cases that I saw with this ransomware, none of these utilities helped. Specifically, I met the "Da Vinci code" and "VAULT" viruses... In the first case both the name and the extension changed, and in the second only the extension. In general, there is a whole bunch of such ransomware. I have heard of such bastards as xtbl, no more ransom, better call saul and many others.

    What helped

    Have you ever heard of shadow copies? So, when a restore point is created, shadow copies of your files are automatically created. And if something happened to your files, then you can always return them to the moment when the restore point was created. One great program for recovering files from shadow copies will help us with this.

    To start, download and install the "Shadow Explorer" program. If the latest version is buggy for you (it happens), install the previous one.

    Open Shadow Explorer. As we can see, the main part of the program looks like Explorer, i.e. files and folders. Now pay attention to the top left corner. There we see the local drive letter and a date. This date means that all the files shown for drive C are as of that moment. Mine shows November 30th. This means that the last restore point was created on November 30th.
    If we click on the drop-down list of dates, we will see which other dates we still have shadow copies for. And if we click on the drop-down list of local drives and select, for example, drive D, we will see the date for which we have current files. But points are not created automatically for drive D, so this must be set up in the settings. It is very easy to do.
    As you can see, while for drive C I have a fairly recent date, for drive D the last point was created almost a year ago. Well, then we go step by step:

    That's it. Now all that remains is to wait for the export to complete. Then go to the folder you chose and check all the files to see that they open and work. Everything is awesome).
    I know that the Internet offers various other methods, utilities and so on, but I will not write about them, because I have already encountered this problem for the third time, and not once has anything but shadow copies helped me out. Although maybe I'm just not so lucky).

    But unfortunately, the last time we managed to recover only those files that were on drive C, since by default points were created only for drive C. Accordingly, there were no shadow copies for drive D. Of course, you also need to remember what restore points can lead to, so keep an eye on that too.

    And in order for shadow copies to be created for other hard drives, you need for them too.

    Prophylaxis

    In order to prevent problems with recovery, you need to do prophylaxis. To do this, you need to adhere to the following rules.

    By the way, once this virus encrypted files on a USB flash drive, where our key certificates for digital signature were stored. So be very careful with flash drives as well.

    Best regards, Dmitry Kostin.

    There is a wide variety of malicious programs. Among them, there are extremely nasty ransomware viruses that, once on a computer, begin to encrypt user files. In some cases, there is a good chance of decrypting your files, but sometimes it doesn't work. We will consider all the necessary actions, both for the first and for the second case, in cases where.

    These viruses may differ slightly, but in general they always act the same way:

    • they install themselves on the computer;
    • they encrypt all files that may be of any value (documents, photographs);
    • when the user tries to open these files, they demand that a certain amount be deposited to the attacker's wallet or account, otherwise access to the content will never be restored.

    Virus encrypted files in xtbl

    Currently a virus has become quite widespread that encrypts files, changes their extension to .xtbl and replaces their names with completely random characters.

    In addition, a special file with instructions, readme.txt, is created in a conspicuous place. In it, the attacker confronts the user with the fact that all his important data has been encrypted and is no longer easy to open, adding that to return everything to its previous state he must perform certain actions related to transferring money to the fraudster (usually, before that, a certain code must be sent to one of the suggested e-mail addresses). Often such messages are supplemented with a postscript that if you try to decrypt the files yourself, you risk losing them forever.

    Unfortunately, at the moment no one has officially been able to decrypt .xtbl; if a working method appears, we will definitely report it in this article. Among users there are those who have had this virus, paid the fraudsters the required amount and received the decryption of their documents in return. But this is an extremely risky step, because among cybercriminals there are also those who do not bother with the promised decryption, and in the end the money is down the drain.

    What do you do then, you ask? We offer some tips that will help you get all your data back without being led on by scammers and giving them your money. So here is what needs to be done:

    1. If you know how to work in the Task Manager, interrupt the file encryption immediately by stopping the suspicious process. At the same time, disconnect the computer from the Internet: many ransomware programs need a network connection.
    2. Take a piece of paper and write down the code that you are asked to send to the attackers by e-mail (a piece of paper, because a file you write it to may also become unreadable).
    3. Use Malwarebytes Antimalware, a trial Kaspersky IS or CureIt to remove the malware. For greater reliability it is better to use all of the proposed tools one after another. Note that Kaspersky Anti-Virus cannot be installed if the system already has another main antivirus, otherwise software conflicts may arise; all the other utilities can be used in any situation.
    4. Wait until one of the antivirus companies develops a working decryptor for such files. Kaspersky Lab is the most effective at this.
    5. Additionally, you can send to [email protected] a copy of an encrypted file together with the required code and, if you have it, the same file in its original form. This may speed up the development of a decryption method.

    Under no circumstances should you:

    • rename these documents;
    • change their extension;
    • delete the files.

    These Trojans also encrypt users' files and then extort money from them. The encrypted files can have the following extensions:

    • .locked
    • .crypto
    • .kraken
    • .AES256 (not necessarily this Trojan, there are others that install the same extension).
    • [email protected] _com
    • .oshit
    • Other.
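Before contacting a decryption service it helps to know exactly which files are affected, which extension they carry, whether their original names survived (Contract.doc.amba keeps it, sjd7gy2HjdlVnsjds.xtbl does not) and when the first file was encrypted, because a shadow copy is only useful if it was created before that moment. The Python script below is an added example, not the article's own code: it builds a constructed sample folder tree using the extensions and note file names listed on this page and inventories it read-only, never renaming, moving or deleting anything.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Extensions named on this page (xtbl, the Rakhni family, the amba example) and the
# note file names it quotes. Extend these sets from your own incident, not from guesswork.
RANSOM_EXTENSIONS = {".xtbl", ".locked", ".crypto", ".kraken", ".aes256", ".oshit", ".amba"}
NOTE_FILENAMES = {"how to decrypt your files.txt", "readme.txt"}
NOTE_MARKERS = ("your files have been encrypted", "to decrypt them")


def original_name(filename: str) -> Optional[str]:
    """Contract.doc.amba -> Contract.doc (name kept); sjd7gy2HjdlVnsjds.xtbl -> None (name lost)."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in RANSOM_EXTENSIONS:
        return None
    inner = os.path.splitext(stem)[1]
    return stem if inner else None


def is_ransom_note(path: str) -> bool:
    """Known note names, or a small .txt whose text carries the ransom wording."""
    name = os.path.basename(path).lower()
    if name in NOTE_FILENAMES:
        return True
    if not name.endswith(".txt") or os.path.getsize(path) > 64 * 1024:
        return False
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read(4096).lower()
    return all(marker in text for marker in NOTE_MARKERS)


def triage(root: str) -> Dict:
    """Read-only inventory of a folder tree: it never renames, moves or deletes anything."""
    encrypted: List[Dict] = []
    notes: List[str] = []
    by_ext: Counter = Counter()
    total = 0
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            total += 1
            if is_ransom_note(full):
                notes.append(full)
                continue
            ext = os.path.splitext(fn)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                by_ext[ext] += 1
                encrypted.append({"path": full, "ext": ext, "original_name": original_name(fn),
                                  "mtime": os.path.getmtime(full)})
    mtimes = [e["mtime"] for e in encrypted]
    return {
        "total_files": total,
        "encrypted": sorted(encrypted, key=lambda e: e["path"]),
        "notes": sorted(notes),
        "by_extension": dict(by_ext),
        "share_encrypted": len(encrypted) / total if total else 0.0,
        # A shadow copy can only help if it was created BEFORE this moment.
        "first_encrypted_at": datetime.fromtimestamp(min(mtimes)) if mtimes else None,
        "last_encrypted_at": datetime.fromtimestamp(max(mtimes)) if mtimes else None,
    }


def make_sample_case() -> str:
    """Constructed folder tree imitating the article's examples; returns its root directory."""
    root = tempfile.mkdtemp(prefix="xtbl_triage_")
    files = {
        "docs/Contract.doc.amba": b"\x8a\x12garbage",
        "docs/Account.xls.amba": b"\x01\xff\x33",
        "docs/notes.txt": b"shopping list: milk, bread",
        "photos/sjd7gy2HjdlVnsjds.xtbl": b"\x00\x9c\x41",
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0 still a jpeg",
        "How to decrypt your files.txt": b"Your files have been encrypted. To decrypt them, send the code to ...",
        "archive.zip": b"PK\x03\x04 untouched",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = triage(make_sample_case())
    print(f"{len(report['encrypted'])} of {report['total_files']} files encrypted "
          f"({report['share_encrypted']:.0%}), by extension: {report['by_extension']}")
    print("ransom notes:", report["notes"])
    print("first encrypted file written at:", report["first_encrypted_at"])
    for e in report["encrypted"]:
        print(f"  {e['path']}  original name: {e['original_name'] or 'unknown (name replaced)'}")
```

Point triage() at the real folder tree (ideally a read-only mounted copy) and hand the report, not the files, to the support form; the original names it recovers are exactly the ones the article tells you not to write back by renaming.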

    Fortunately, a dedicated decryption utility has already been created: RakhniDecryptor. You can download it from the official website.

    On the same site you can read instructions that show in detail and clearly how to use the utility to decrypt all the files the Trojan has worked on. In principle, for greater reliability, it is worth unchecking the option that deletes encrypted files. But most likely the developers did their best when creating the utility and nothing threatens data integrity.

    Those who use licensed Dr.Web anti-virus have free access to decryption from the developers http://support.drweb.com/new/free_unlocker/.

    Other types of ransomware viruses

    Sometimes you can come across other viruses that encrypt important files and demand payment for returning everything to its original form. We offer a short list of utilities for dealing with the consequences of the most common viruses. There you can also familiarize yourself with the main signs by which a particular Trojan can be recognized.

    In addition, a good approach is to scan your PC with Kaspersky Anti-Virus, which will detect the uninvited guest and give it a name. Using this name you can then search for a decoder for it.

    • Trojan-Ransom.Win32.Rector: a typical ransomware encryptor that requires you to send an SMS or perform other actions of this kind; we take the decryptor from this link.
    • Trojan-Ransom.Win32.Xorist: a variation of the previous Trojan; you can get a decoder with a manual for its use.
    • Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Fury: there is also a special utility for these, see the link.
    • Trojan.Encoder858, Trojan.Encoder.741: these can be detected by the CureIt utility. They have similar names, but the numbers at the end may differ. Look for the decoder by the name of the virus or, if you use licensed Dr.Web, use a special resource.
    • CryptoLocker: to get your files back, visit this site and use it to generate a special program to recover your documents.

    Recently Kaspersky Lab, in cooperation with colleagues from the Netherlands, created a decryptor that allows you to recover files after the CoinVault virus has worked on them.

    In the comments, you can share your methods of decrypting files, because this information will be useful to other users who may encounter such malicious software.

    Fight against new virus threats - ransomware

    We recently wrote that new threats are spreading on the network: ransomware viruses, or, more broadly, viruses that encrypt files; you can read more about them on our website at this link.

    In this topic we will tell you how to recover data encrypted by a virus. For this we will use two decryptors, from the Kaspersky and Doctor Web antivirus vendors; these are the most effective ways of recovering encrypted information.

    1. Download the utilities for decrypting files from the links: Kaspersky and Dr.WEB

    Or decryptors for the specific type of encrypted files that are located.

    2. First, we will try to decrypt files using a program from Kaspersky:

    2.1. Launch the Kaspersky decryptor. If it asks for some action, such as launch permission, allow it; if it asks for an update, update it; this will increase the chances of recovering the encrypted data.

    2.2. In the decryptor window that appears, we see several buttons. Configure the additional parameters and start the scan.

    2.3. If you need to, select the additional parameters and specify where to search for encrypted files. There is also an option to delete files after decryption; I do not advise selecting it, since files are not always decrypted correctly!

    2.4. Start the scan and wait for the decryption of our data encrypted by the virus.

    3. If the first method didn't work, we try to decrypt the files using the program from Dr.WEB.

    3.1. After you have downloaded the decryption application, put it, for example, in the root of drive "C:", so that the file "te102decrypt.exe" is available at "c:\te102decrypt.exe".

    3.2. Now open the command line (Start - Search - type "CMD" without quotes - run it by pressing Enter).

    3.3. To start decrypting files, enter the command "c:\te102decrypt.exe -k 86 -e (ransomware code)". The ransomware code is the extension appended to the end of the file, for example "[email protected] _45jhj"; type it without quotes and brackets, observing the spaces. You should get something like c:\te102decrypt.exe -k 86 -e [email protected] _45jhj

    3.4. Press Enter and wait for the encrypted files to be decrypted. In some cases several copies of the decrypted files are created; try to open them, save the copy that opens normally, and delete the rest.

    Download the rest of the file decoders:

    Attention: be sure to save a copy of the encrypted files to external media or another PC. The decryptors presented below may not decrypt the files but only spoil them!

    It is best to run the decryptor on a virtual machine or on a specially prepared computer, having first copied a few files to it.

    The decoders presented below work as follows. For example, your files are encrypted by the amba ransomware and look like "Contract.doc.amba" or "Account.xls.amba"; then we download the decryptor for amba files and simply run it; it will find all files with this extension and decrypt them. But again, protect yourself and back up the encrypted files beforehand, otherwise you may lose your incorrectly decrypted data forever!

    If you do not want to take the risk, send us a few files after first contacting us via the feedback form, and we will run the decoder on a specially prepared computer isolated from the Internet.

    The files presented were checked by the latest version of Kaspersky Anti-Virus and with the latest database updates.

    The fact that the Internet is full of viruses surprises no one today. Many users, to put it mildly, turn a blind eye to the effect such threats have on their systems or personal data, right up until a ransomware virus settles in the system. Most ordinary users do not know how to disinfect the system and decrypt the data stored on the hard drive, so this group ends up giving in to the attackers' demands. Let's see what you can do if such a threat is detected, or to prevent it from entering the system in the first place.

    What is a ransomware virus?

    This type of threat uses standard and non-standard file encryption algorithms that completely alter the files' content and block access to them. For example, after the virus has done its work it is absolutely impossible to open an encrypted text file for reading or editing, or to play multimedia content (graphics, video or audio). Even the standard operations for copying or moving objects are not available.

    The core of the virus is the component that encrypts data in such a way that it is not always possible to restore the original state even after the threat has been removed from the system. Usually such malicious programs create copies of themselves and settle very deeply in the system, so a file-encrypting virus can sometimes be impossible to remove completely. By uninstalling the main program or deleting the main body of the virus, the user does not get rid of the threat's effects, let alone restore the encrypted information.

    How does the threat get into the system?

    As a rule, threats of this type mostly target large commercial organizations and penetrate computers through mail programs when an employee opens an allegedly attached document in an e-mail, which is, say, an addendum to some cooperation agreement or a plan for the supply of goods (commercial offers with attachments from dubious sources are the first path for the virus).

    The trouble is that a ransomware virus on a machine with access to a local network is able to spread there too, creating copies of itself not only in the network environment but also on the administrator's terminal, if it lacks the necessary protection in the form of antivirus software or a firewall.

    Sometimes such threats also penetrate the computers of ordinary users, who, by and large, are of no interest to cybercriminals. This happens when installing programs downloaded from dubious Internet resources. Many users ignore the warnings of the antivirus system when starting the download, and during installation they pay no attention to the offers to install additional software, toolbars or browser plug-ins, and then bitterly regret it.

    Varieties of viruses and a little history

    Basically, threats of this type, in particular the most dangerous No_more_ransom ransomware virus, are classified not only as tools for encrypting data or blocking access to it. In fact, all such malicious applications are classified as ransomware: cybercriminals demand a certain sum of money to decrypt the information, counting on the fact that this cannot be done without the original program. This is partly true.

    But if you dig into history, you will notice that one of the very first viruses of this type, although it made no monetary demands, was the infamous I Love You applet, which completely encrypted multimedia files (mainly music tracks) on user systems. Decrypting files after that ransomware virus turned out to be impossible at the time. Today this threat can be dealt with in an elementary way.

    But the development of the viruses themselves and of the encryption algorithms they use does not stand still. There is no shortage of them: XTBL, CBF, Breaking_Bad, [email protected], and a bunch of other nasty things.

    Technique for influencing user files

    And if until recently most attacks were carried out using RSA-1024 algorithms based on AES encryption with the same bit length, the same No_more_ransom ransomware virus today comes in several variants that use encryption keys based on RSA-2048 and even RSA-3072.

    Decryption problems for the algorithms used

    The trouble is that modern decryption systems are powerless against such a threat. Decrypting files after a ransomware virus based on AES256 is still somewhat supported, but with higher key bit lengths almost all developers just shrug their shoulders. This, by the way, has been officially confirmed by specialists from Kaspersky Lab and Eset.

    In the most primitive scenario, a user who contacts the support service is asked to send an encrypted file and its original for comparison and further analysis to determine the encryption algorithm and recovery methods. But, as a rule, in most cases this does not work. On the other hand, the ransomware virus is believed to be able to decrypt the files itself, provided the victim agrees to the attackers' terms and pays a certain sum of money. However, putting the question that way raises legitimate doubts. Here is why.

    Ransomware virus: how to disinfect and decrypt files, and can it be done at all?

    After the payment is made, the hackers supposedly activate decryption via remote access to their virus, which sits in the system, or via an additional applet if the virus body has been removed. This looks more than doubtful.

    I would also like to note that the Internet is full of fake posts claiming that the required amount was paid and the data was successfully restored. This is all a lie! And really, where is the guarantee that after payment the ransomware virus in the system will not be activated again? The psychology of the attackers is not hard to understand: if you pay once, you will pay again. And when it comes to particularly important information such as specific commercial, scientific or military developments, the owners of such information are ready to pay as much as necessary so that the files remain intact and safe.

    The first remedy to eliminate the threat

    Such is the nature of a ransomware virus. How do you disinfect and decrypt files after exposure to the threat? Essentially, there is no way without the right tools at hand, and even those do not always help. But you can try.

    Let's assume that a ransomware virus has appeared on the system. How do you disinfect the infected files? First, perform an in-depth system scan without relying on S.M.A.R.T. technology, which detects threats only when the boot sectors and system files are damaged.

    It is advisable not to use the already installed standard scanner, which has already missed the threat, but to use portable utilities. The best option is to boot from Kaspersky Rescue Disk, which starts even before the operating system loads.

    But this is only half the battle, since this way you only get rid of the virus itself. Decrypting the files will be more difficult. But more on that later.

    There is another category that ransomware viruses fall into. How to decrypt the information will be discussed separately; for now, note that they can exist completely openly in the system in the form of officially installed programs and applications (the impudence of the attackers knows no bounds, since the threat does not even try to disguise itself).

    In this case, use the Programs and Features section, where standard uninstallation is performed. Bear in mind, however, that the standard Windows uninstaller does not delete all program files completely. In particular, the ransomware virus is able to create its own folders in the system root directories (usually these are Csrss directories containing an executable of the same name, csrss.exe). Windows, System32 or user directories (Users on the system drive) are chosen as the main location.

    In addition, the No_more_ransom ransomware virus writes its own keys to the registry as what looks like a link to the official system service Client Server Runtime Subsystem, which misleads many, since that service is responsible for interaction between client and server software. The key itself is located in the Run folder, which can be reached through the HKLM branch. Obviously, such keys will have to be deleted manually.

    To make this easier, you can use utilities like IObit Uninstaller, which search for leftover files and registry keys automatically (but only if the virus is visible on the system as an installed application). But that is the simplest part.
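    A defender-side check for the persistence described above, as an added example that is not from the original article: it lists the entries in the HKLM and HKCU Run/RunOnce keys, flags any whose name or command refers to csrss or Client Server Runtime Subsystem, and looks for Csrss folders in the locations the text names (Windows, System32, user profiles). The genuine csrss.exe is started by the session manager at boot, never from a Run key, so any such autorun entry merits review; the script assumes only built-in PowerShell cmdlets and is run from an elevated prompt.

```powershell
# Added example (not from the original article): audit the autorun keys and
# folder locations named in the text for csrss-lookalike persistence.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        # Executable path: the quoted token if present, otherwise the first token
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd.Trim() -split '\s+')[0] }
        # The real csrss.exe is launched by smss.exe, never via Run/RunOnce,
        # so any autorun entry referring to it is suspect regardless of its path.
        if ($name -match '(?i)csrss|client\s*server\s*runtime' -or
            $exe  -match '(?i)csrss\.exe$') {
            $findings += [pscustomobject]@{
                Type     = 'RegistryAutorun'
                Location = "$key\$name"
                Command  = $cmd
                Exists   = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

# Folders named Csrss in the directories the text lists: Windows, System32, user profiles
$dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
$dirs += @(Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
           ForEach-Object { $_.FullName })
foreach ($d in $dirs) {
    $candidate = Join-Path $d 'Csrss'
    if (Test-Path -LiteralPath $candidate -PathType Container) {
        $findings += [pscustomobject]@{
            Type     = 'Folder'
            Location = $candidate
            Command  = ''
            Exists   = (Test-Path -LiteralPath (Join-Path $candidate 'csrss.exe'))
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No csrss-style autorun entries or folders found.' }
```

    Each finding is reported rather than deleted, so the operator can back up the referenced file for analysis before removing the key or folder.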

    Solutions offered by anti-virus software developers

    It is believed that ransomware decryption can be done using special utilities, although if you are dealing with technologies using a 2048- or 3072-bit key, you should not rely on them (besides, many of them delete files after decryption, and then the restored files disappear through the fault of a virus body that was not removed beforehand).

    Nevertheless, you can try. Of all the programs, RectorDecryptor and ShadowExplorer are worth highlighting. It is believed that nothing better has been created so far. But the problem is also that when you use a decryptor, there is no guarantee that the files being repaired will not be deleted. That is, if you do not get rid of the virus first, any attempt at decryption is doomed to failure.

    Besides deleting the encrypted information, the outcome can be fatal in another way: the entire system may become inoperable. In addition, a modern ransomware virus is capable of affecting not only data stored on the computer's hard drive but also files in cloud storage, and there are no solutions for restoring that information. Moreover, as it turned out, many services take insufficiently effective protection measures (for example the OneDrive built into Windows 10, which is exposed directly from the operating system).

    A radical solution to the problem

    As is already clear, most modern methods do not give a positive result against such viruses. Of course, if there is an original of the damaged file, it can be sent for examination to an antivirus laboratory. True, there are also very serious doubts that an ordinary user will keep backup copies of data, which, when stored on a hard disk, can also be exposed to malicious code. And copying information to removable media to avoid trouble is something users hardly do at all.

    Thus, for a radical solution to the problem, the conclusion suggests itself: complete formatting of the hard drive and all logical partitions, with deletion of the information. So what to do? You will have to sacrifice the data if you do not want the virus or a copy it has saved to be activated in the system again.

    For this, you should not use the tools of Windows itself (I mean formatting the logical partitions, since access will be refused when you try to format the system disk). It is better to boot from optical media such as a LiveCD or an installation distribution, for example one created using the Media Creation Tool for Windows 10.

    Before formatting, provided the virus has been removed from the system, you can try to restore the integrity of system components via the command line (sfc /scannow), but this will have no effect in terms of decrypting and unlocking data. Therefore, format c: is the only correct possible solution, whether you like it or not. This is the only way to completely get rid of this type of threat. Alas, there is no other way! Even treatment with the standard tools offered by most antivirus packages is powerless.

    Instead of an afterword

    By way of conclusion, we can only say that today there is no single universal solution for eliminating the consequences of such threats (sad, but a fact, confirmed by the majority of antivirus developers and specialists in the field of cryptography).

    It remains unclear how the emergence of algorithms based on 1024-, 2048- and 3072-bit encryption slipped past those directly involved in developing and implementing such technologies. After all, the AES256 algorithm is considered the most promising and most secure today. Note: 256! As it turns out, this system is not adequate against modern viruses. What can we say then about attempts to decrypt their keys?

    Be that as it may, it is quite easy to avoid letting a threat into the system. In the simplest case, scan all incoming messages with attachments in Outlook, Thunderbird and other mail clients with an antivirus immediately upon receipt, and under no circumstances open attachments until the scan is complete. You should also carefully read the offers to install additional software when installing some programs (they are usually written in very small print or disguised as standard add-ons, like updating Flash Player or something similar). It is better to update media components through the official sites. This is the only way to at least somewhat prevent such threats from penetrating your own system. The consequences can be completely unpredictable, considering that viruses of this type spread instantly across the local network. For a company, such a turn of events can turn into a real collapse of everything it does.

    Finally, the system administrator should not sit idle. In such a situation it is better to rule out software-only protection: the firewall should not be a software one but a hardware appliance (of course, with accompanying software on board). And it goes without saying that it is not worth skimping on the purchase of antivirus packages either. It is better to buy a licensed package than to install primitive programs that supposedly provide real-time protection only by the developer's word.

    And if a threat has already entered the system, the sequence of actions should be: remove the virus body itself, and only then attempt to decrypt the damaged data. Ideally, do a full format (mind you, not a quick format that only clears the file table, but a full format, preferably with restoring or replacing the existing file system, boot sectors and records).