Crusis (Dharma) virus: how to decrypt files and remove the ransomware. The virus encrypted the files and renamed them. How to decrypt files encrypted by a virus, and how to remove a file-encrypting virus.

And every year more and more new ones appear, and they get more and more interesting. The most widespread virus recently is Trojan-Ransom.Win32.Rector, which encrypts all your files (*.mp3, *.doc, *.docx, *.iso, *.pdf, *.jpg, *.rar and so on). The problem is that decrypting such files is extremely difficult and time-consuming; depending on the type of encryption, decryption can take weeks, months or even years. In my opinion, this virus is at the moment the apogee of danger among viruses. It is especially dangerous for home computers and laptops, since most home users do not back up their data, and once the files are encrypted they lose everything. For organizations this virus is less dangerous, because they keep backup copies of important data and in case of infection simply restore them, naturally after removing the virus. I have encountered this virus several times; I will describe how it happened and what it led to.

The first time I encountered a virus that encrypts files was in early 2014. An administrator from another city contacted me and told me the most unpleasant news: all files on the file server were encrypted! The infection happened in the most elementary way: the accounting department received an e-mail with the attachment "Act of something there.pdf.exe"; as you understand, they opened this EXE file and the process began. It encrypted all personal files on the computer and moved on to the file server (it was mapped as a network drive). The administrator and I started digging for information on the Internet; at that time there was no solution. Everyone wrote that such a virus existed, that nobody knew how to treat it, that the files could not be decrypted, and that perhaps sending the files to Kaspersky, Dr.Web or Nod32 would help. You can only send them if you use their (licensed) antivirus products. We sent the files to Dr.Web and Nod32; the result was zero. I don't remember what Dr.Web said, and Nod32 was completely silent; I never got any response from them. In general, everything was sad and we never found a solution; we restored some of the files from backup.

The second story happened just the other day (mid-October 2014): I received a call from an organization asking me to solve a problem with a virus; as you understand, all the files on the computer were encrypted. Here is an example of what it looked like.

As you can see, the extension *.AES256 was appended to each file. In each folder there was a file "Attention_open-me.txt" containing contact details.

When you tried to open these files, a window opened with contacts for reaching the virus authors to pay for decryption. Of course, I do not recommend contacting them or paying for the code, since you will only support them financially, and it is not at all certain that you will receive the decryption key.

The infection occurred during installation of a program downloaded from the Internet. The most surprising thing was that when they noticed the files had changed (icons and extensions were different), they did nothing and kept working, while the ransomware kept encrypting files.

Attention!!! If you notice that files on your computer are being encrypted (icons change, extensions change), immediately turn off the computer/laptop and look for a solution from another device (another computer, a phone, a tablet) or contact IT specialists. The longer the computer stays on, the more files get encrypted.

In general, I already wanted to refuse to help them, but I decided to search the Internet in case a solution to this problem had appeared. As a result I read a lot of information that it cannot be decrypted, that you need to send the files to antivirus companies (Kaspersky, Dr.Web or Nod32); thanks for the experience.
And then I came across a utility from Kaspersky, RectorDecryptor. And lo and behold, the files were decrypted. But first things first.

The first step is to stop the ransomware. Do not count on antivirus to find it: the installed Dr.Web found nothing. First of all I went to the startup list and disabled all startup entries (except the antivirus). Rebooted the computer. Then I started looking at what kind of files were in startup.

As you can see, the "Command" field shows where the file is located. Pay special attention to applications without a signature (Manufacturer: no data): these need to be removed. In the end I found and deleted the malware along with the files I could not account for. After that I cleared the temporary folders and browser caches; for this it is best to use CCleaner.
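The check described above (walk the startup list, look at the "Command" column, treat unsigned entries as suspects) can be done in one pass from PowerShell. The script below is an added example, not part of the original article: it reads the Run/RunOnce keys for the machine and the current user plus both Startup folders, resolves each entry to the executable it launches, queries its Authenticode signature, and lists the unsigned ones that live in user-writable locations first. The key list and folder paths are assumptions for a standard Windows install; the script only reports and deletes nothing.

```powershell
# Added example (not from the article): enumerate autostart entries and check signatures.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Get-ExecutableFromCommand {
    # "C:\x\app.exe" /arg, C:\x\app.exe /arg or %APPDATA%\x\app.exe  ->  C:\x\app.exe
    # For rundll32.exe/cmd.exe loaders this yields the (signed) host binary; the payload
    # is then in the arguments, which is why the Command column is kept in the report.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($expanded, '^(.+?\.(exe|com|scr|dll|bat|cmd|vbs|js|ps1))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

function Resolve-StartupItem {
    # .lnk shortcuts in the Startup folders point elsewhere; follow them to the target.
    param([System.IO.FileInfo]$File)
    if ($File.Extension -ieq '.lnk') {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($File.FullName).TargetPath
        if ($target) { return $target }
    }
    return $File.FullName
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PSPath, PSProvider, ... are provider metadata
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}
foreach ($folder in $startupFolders) {
    foreach ($f in (Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue)) {
        $entries += [pscustomobject]@{ Source = $folder; Name = $f.Name; Command = (Resolve-StartupItem $f) }
    }
}

$report = foreach ($e in $entries) {
    $exe = Get-ExecutableFromCommand -Command $e.Command
    $sig = $null
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
    }
    [pscustomobject]@{
        Name      = $e.Name
        Path      = $exe
        Signature = if ($sig) { [string]$sig.Status } else { 'FileMissing' }   # Valid / NotSigned / ...
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Source    = $e.Source
        Command   = $e.Command
    }
}

$report | Sort-Object Signature, Path | Format-Table Name, Signature, Signer, Path -AutoSize

# Look at these first: not validly signed AND living where a normal user can write
# (profile, AppData, Temp, ProgramData), which is where a dropped "Act.pdf.exe" lands.
$userWritable = '(?i)^(' + [regex]::Escape($env:USERPROFILE) + '|' + [regex]::Escape($env:ProgramData) + ')'
$report | Where-Object { $_.Signature -ne 'Valid' -and $_.Path -match $userWritable } |
    Format-List Name, Path, Signature, Command
```

A "NotSigned" entry under %APPDATA% is not automatically malware (plenty of legitimate updaters are unsigned), so compare the path and file date against what the user actually installed before deleting anything; a missing file ("FileMissing") with a strange name is also worth noting, because a self-deleting encryptor leaves exactly that kind of dangling Run entry.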

Then I started decrypting the files. For this I downloaded the decryption program RectorDecryptor, launched it and saw the utility's rather ascetic interface.

I clicked “Start scanning” and indicated the extension that all changed files had.

And pointed it to an encrypted file. In newer versions of RectorDecryptor you can simply specify the encrypted file. Click the "Open" button.

Tada-a-a-am!!! A miracle happened and the file was decrypted.

After this the utility automatically checks all files on the computer plus the files on the connected network drive and decrypts them. Decryption may take several hours (depending on the number of encrypted files and the speed of the computer).

As a result, all encrypted files were successfully decrypted into the same directory where they were originally located.

All that remains is to delete all files with the .AES256 extension. This could be done by ticking "Delete encrypted files after successful decryption" under "Change scan parameters" in the RectorDecryptor window.

But remember that it is better not to tick this box: if decryption goes wrong, the encrypted files will already have been deleted, and to try decrypting them again you will first have to restore them.

When I tried to delete all the encrypted files using the standard search-and-delete, I ran into freezes and an extremely slow computer.

Therefore it is best to delete them from the command line: open it and type del "<drive>:\*.<encrypted file extension>" /f /s. In my case: del "d:\*.AES256" /f /s.

Do not forget to delete the "Attention_open-me.txt" files; for this use the command del "<drive>:\<file name>" /f /s, for example:
del "d:\Attention_open-me.txt" /f /s
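The blanket del "d:\*.AES256" /f /s above removes every encrypted copy whether or not its decrypted original actually came back, which is exactly the risk the earlier warning about the "Delete encrypted files" checkbox describes. The script below is an added example, not from the original article: it walks the tree and deletes "X.ext.AES256" only when a non-empty "X.ext" sits next to it, lists the rest so they can be fed to a newer decryptor later, and removes the ransom notes while keeping one copy (antivirus vendors and decryptors ask for it). The root path, the extension and the note name are parameters whose defaults match the article; the script name and the location of the kept note copy are assumptions. Run it with -WhatIf first.

```powershell
# Added example (not from the article): Remove-EncryptedCopies.ps1 (name assumed).
# Usage:  .\Remove-EncryptedCopies.ps1 -Root D:\ -WhatIf    then without -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Root,                      # e.g. D:\
    [string]$EncryptedExtension = '.AES256',                          # from the article
    [string]$RansomNote = 'Attention_open-me.txt',                    # from the article
    [string]$NoteCopy = (Join-Path $env:USERPROFILE 'ransom-note-copy.txt')   # assumed location
)

$removed = 0
$kept = New-Object System.Collections.Generic.List[string]

$files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($f in $files) {
    if ($f.Name.EndsWith($EncryptedExtension, [StringComparison]::OrdinalIgnoreCase)) {
        # "Report.docx.AES256" -> "Report.docx" in the same directory (RectorDecryptor
        # writes the decrypted file back to the original location under the original name).
        $originalPath = $f.FullName.Substring(0, $f.FullName.Length - $EncryptedExtension.Length)
        $original = Get-Item -LiteralPath $originalPath -ErrorAction SilentlyContinue
        if ($original -and $original.Length -gt 0) {
            if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete encrypted copy')) {
                Remove-Item -LiteralPath $f.FullName -Force
                $removed++
            }
        } else {
            $kept.Add($f.FullName)      # no decrypted counterpart: keep the ciphertext
        }
    }
    elseif ($f.Name -ieq $RansomNote) {
        if (-not (Test-Path -LiteralPath $NoteCopy)) {
            Copy-Item -LiteralPath $f.FullName -Destination $NoteCopy   # keep exactly one copy
        }
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete ransom note')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

[pscustomobject]@{
    EncryptedCopiesRemoved = $removed
    StillEncrypted         = $kept.Count
    RansomNoteCopy         = $NoteCopy
}
if ($kept.Count -gt 0) {
    Write-Warning "$($kept.Count) file(s) have no decrypted counterpart and were left in place:"
    $kept | ForEach-Object { Write-Warning "  $_" }
}
```

The size check matters: a decryptor that fails half-way can leave a zero-byte original behind, and a plain existence test would then delete the only copy of the data you still have.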

Thus the virus was defeated and the files restored. I want to warn you that this method will not help everyone. The point is that Kaspersky has collected in this utility all the known decryption keys (from files sent in by victims) and uses a brute-force approach to select a key and decrypt. That is, if your files were encrypted by a virus with an unknown key, this method will not help; you will have to send the encrypted files to the antivirus companies (Kaspersky, Dr.Web or Nod32) for decryption.

Ransomware virus: should you pay scammers or not?

That dark day has come. A file-encrypting virus had been actively working on one of the important work machines, after which all office, graphic and many other files received the extension crypted000007, which at the time of writing was impossible to decrypt.

Wallpaper also appeared on the desktop with the inscription "Your files are encrypted", and in the root of the local disks there were readme text documents with the scammer's contact details. Naturally, he wants a ransom for decryption.

Personally, I did not contact this asshole (or assholes), so as not to encourage such activity, but I know that the average price starts at $300 and up. So think for yourself what to do. But if very important files were encrypted, for example 1C databases, and there is no backup, then this is the collapse of your career.

Let me get ahead of myself and say that if you have any hope of decryption, then under no circumstances delete the ransom-demand file, and do nothing with the encrypted files (do not change names, extensions, etc.). But let us take everything in order.

Ransomware virus - what is it?

This is ransomware software which encrypts data on the computer with a very strong algorithm. Here is a rough analogy. Imagine that you set a Windows logon password several thousand characters long and forgot it. Agree, it is impossible to remember. How many lifetimes would it take to find it by manual search?

This is the case with ransomware, which uses legitimate cryptographic methods for illegal purposes. Such viruses, as a rule, use asymmetric encryption, which means that a key pair is used.

The data (or, more commonly, the symmetric key with which the files were actually encrypted) is encrypted with the public key, and it can only be decrypted with the private key, which only the scammer has. All keys are unique because they are generated separately for each computer.

That is why I said at the beginning of the article that you must not delete the readme.txt with the ransom demand in the root of the disk: it is there that the public key is indicated.

In my case, if you type the ransomware's e-mail address into a search engine, the true scale of the tragedy becomes clear. A lot of people got hurt.

Therefore I say again: under no circumstances modify the corrupted files. Otherwise you will lose even the slightest chance of restoring them in the future.

It is also not recommended to reinstall the operating system or clean temporary and system directories. In short, until all the circumstances are clarified, touch nothing, so as not to complicate your life. Although it would seem it can hardly get worse.

This infection most often gets onto the computer via e-mail with a hot subject like "Urgent, for the manager. Letter from the bank" and the like. The enemy lurks in an attachment that may look like an innocuous pdf or jpg file.

Once you launch it, nothing terrible happens at first glance. On a weak office PC the user may notice some "slowness". The virus, masquerading as a system process, is already doing its dirty work.

On Windows 7 and higher, when the pest is launched, the User Account Control window keeps appearing asking to allow changes. Of course, an inexperienced user agrees with everything, thereby signing his own death sentence.

Yes, in fact the virus is already blocking access to files, and when it has finished, the message "Your files are encrypted" appears on the desktop. In general, it's a bummer. Then the brutality begins.

How to cure a ransomware virus

From the above we can conclude: if the terrible inscription has not yet appeared on the desktop, but you have already seen the first files with incomprehensible long names made of a chaotic jumble of characters, immediately pull the computer's plug from the outlet.

That's right, crudely and uncompromisingly. This way you stop the malware's algorithm and can save at least something. Unfortunately, in my case the employee did not know this and lost everything. Damn it...

The icing on the cake for me was that this virus easily encrypts everything connected to the PC: removable media and network drives with write access. That is where the backups were.

Now about the treatment. The first thing to understand is that the virus can be cured, but the files will remain encrypted. Perhaps forever. The treatment process itself is not complicated.

To do this, connect the hard drive to another computer and scan it with utilities such as Kaspersky Virus Removal Tool. To be safe, use two in turn. If you don't want to carry an infected disk to another computer, boot from a Live CD.

As a rule, such antivirus solutions find and remove the encryptor without problems. But sometimes they find nothing, because the virus, having done its job, may remove itself from the system. It is such a nasty thing that it covers all its traces and makes itself hard to study.

I foresee the question: why didn't the antivirus stop the unwanted software from getting onto the computer in the first place? Then there would be no problem. In my opinion, at the moment antiviruses are losing the battle with encryptors, and that is very sad.

Moreover, as I already said, such malware operates on the basis of legitimate cryptographic methods. That is, from a purely technical point of view, what it does looks like legitimate encryption. This is what makes it hard to identify.

New modifications are constantly being released, and they get into antivirus databases only after infections have already occurred. So, alas, in this case there can be no 100% protection, only vigilant behaviour when working on the PC; more on that later.

How to decrypt files after a virus

It all depends on the specific case. As written above, modifications of the encrypting virus can be anything, and depending on the modification, the encrypted files get different extensions.

The good news is that for many versions of the infection the antivirus companies have already produced decryptors. The leader in the Russian-language market is Kaspersky Lab. For this purpose the following resource has been created:

There, in the search bar, enter the extension or the e-mail from the ransom note, click "Search" and see whether there is a saving utility for you.

If you're lucky, download the program from the list and run it. The description of some decryptors says that the computer must have Internet access so the tool can perform an extended search for keys in the online database.

Otherwise everything is simple. Select a specific file or a whole disk and start scanning. If you enable "Delete crypted files", all encrypted files will be deleted after decryption. Oh, I wouldn't be in such a hurry; look at the result first.

For some types of virus the program may ask for two versions of a file: the original and the encrypted one. If you don't have the first, it's a lost cause.

Also, users of licensed Kaspersky Lab products can ask for help with decryption on the official forum. But after looking through it for my extension (crypted000007), I realized there was no help there. The same goes for Dr.Web.

There is another similar project, this time international. According to information on the Internet it is supported by the leading antivirus vendors. Here is its address:

Perhaps that is true, but the site did not work correctly. On the home page you are offered to upload two encrypted files plus the ransom note, after which the system answers whether a decryptor is available or not.

But instead there is a redirect to the language-selection section, and that's it. So you can go to the "Decryptor Utilities" section yourself and try to find the program you need.

This is not very convenient, because the short description of the available software does not clearly state the supported extensions of encrypted files. For that you need to read the detailed instructions for each decryptor.

While writing this article I found a similar service that works properly on the same principle. It will help you determine the name of the threat and offer a "magic pill" if there is one. There is a translator button in the top right corner of the site for convenience.

What to do? To pay or not to pay

If you have read this far, your files are still securely encrypted. And the question arises: what next? Indeed, when extremely important files are encrypted, even the work of a large enterprise can be paralysed, not to mention small businesses.

First, you can follow the scammer's instructions and pay the ransom. But Kaspersky Lab statistics show that every fifth enterprise never received the decryption key after paying.

This can happen for various reasons. For example, the virus might have been used not by its creators, who hold the private key, but by fraudulent intermediaries.

They simply modified the malware, putting their own contacts into the ransom note, but they do not have the second key. They took the money and left. And you are still stewing.

I won't lie, I don't know all the technical nuances myself. But in any case, by paying the extortionists you motivate them to continue such activity. After all, since it works and brings money, why not.

But on the Internet I found at least two companies promising to help with this problem and even to decrypt files with the crypted000007 extension. With great trepidation I contacted one of them.

To be honest, the guys didn't help me, because they said straight away that they had no decryptor, but they could try to recover about 30% of the original files that the virus deleted, using low-level scanning.

I thought about it and declined. But thanks to them for not playing games, for taking the time and explaining everything soberly. Well, since they have no key, it means they don't deal with the scammers.

But there is another, more "interesting" company that gives a 100% guarantee of success. Its website is at this address:

I tried the specialized forums but could not find reviews from real clients. That is, everyone knows about it, but few have used it. A vicious circle.

These guys work on results, with no prepayment. Again, they guarantee decryption even of crypted000007. That means they have a key and a decryptor. Hence the question: where do they get this stuff from? Or am I missing something?

I don’t want to say anything bad, perhaps they are kind and fluffy, they work honestly and help people. Although technically this is simply impossible without a master key. In any case, something incriminating was found against them.

How to protect yourself from a ransomware virus

I will give a few basic rules that will help you stay safe and, if such malware does get in, reduce losses to a minimum. After all, I went through all this myself.

Make regular backups on removable media (isolated from the network). Without exaggeration, this is the most important thing.

Do not work under an account with administrator rights, to minimize losses in case of infection.

Watch closely who sends you incoming e-mail and the links dropped on social networks. No comment needed here.

Keep your antivirus up to date. It may save you, but that is not certain.

Be sure to enable files in Windows 7/10. We'll talk about this in detail in upcoming issues.

Do not disable User Account Control in Windows 7 and higher.

I, in turn, am left with office files completely encrypted by the virus. I will periodically check all the resources listed in the article, hoping one day to see a decryptor there. Perhaps luck will smile on me in this life, who knows.

It's one thing when a home user's files such as movies and music are encrypted. It's quite another to lose access to an enterprise's entire document flow for the last 5-7 years. It hurts, I know.

If the system is infected with malware from the Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX families, all files on the computer are encrypted as follows:

  • When infected with Trojan-Ransom.Win32.Rannoh, file names and extensions change according to the pattern locked-<original_name>.<4 random letters>.
  • When infected with Trojan-Ransom.Win32.Cryakl, the marker (CRYPTENDBLACKDC) is appended to the end of the file contents.
  • When infected with Trojan-Ransom.Win32.AutoIt, the extension changes according to the template <original_name>@<mail_domain>_.<character_set>.
    For example, [email protected] _.RZWDTDIC.
  • When infected with Trojan-Ransom.Win32.CryptXXX, the extension changes according to the patterns <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.

The RannohDecryptor utility is designed to decrypt files after infection with Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

How to cure the system

To cure an infected system:

  1. Download the RannohDecryptor.zip file.
  2. Run RannohDecryptor.exe on the infected machine.
  3. In the main window, click Start checking.
  4. Specify the paths to an encrypted file and to its unencrypted copy.
     If the file was encrypted by Trojan-Ransom.Win32.CryptXXX, specify the largest file you have: decryption will only be possible for files of equal or smaller size.
  5. Wait for the search and decryption of the encrypted files to finish.
  6. Restart the computer if asked.
  7. To delete the encrypted copies of the files after successful decryption, select Delete encrypted files after successful decryption.

If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the decrypted file in the old location with the extension .decryptedKLR.original_extension. If you chose Delete encrypted files after successful decryption, the decrypted file is saved under the original name.

By default the utility writes its report to the root of the system disk (the disk on which the OS is installed).

The report name has the form UtilityName.Version_Date_Time_log.txt

For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

On a system infected with Trojan-Ransom.Win32.CryptXXX the utility scans a limited set of file formats. If the user selects a file affected by CryptXXX v2, key recovery may take a long time; in that case the utility shows a warning.

Encryptors (cryptolockers) are a family of malware that, using various encryption algorithms, block user access to files on the computer (known examples: cbf, chipdale, just, foxmail inbox com, watnik91 aol com, etc.).

Typically the virus encrypts popular user file types: documents, spreadsheets, 1C databases, any data sets, photographs, etc. Decryption is offered for money: the creators demand a transfer of a certain sum, usually in bitcoins. And if the organization did not take proper measures to protect important information, paying the attackers may be the only way to restore the company's operations.

In most cases the virus spreads via e-mail disguised as ordinary letters: notifications from the tax office, acts and contracts, purchase information, etc. By downloading and opening such a file, the user unwittingly runs malicious code. The virus encrypts the needed files one after another and also deletes the originals using guaranteed-destruction methods (so that the user cannot recover recently deleted files with special tools).

Modern ransomware

Encryptors and other viruses that block user access to data are not a new problem in information security. The first versions appeared back in the 1990s, but they mostly used either "weak" encryption (unstable algorithms, small key sizes) or symmetric encryption (files of a large number of victims were encrypted with one key, and the key could also be recovered by studying the virus code), or even invented their own algorithms. Modern specimens do not have these shortcomings: attackers use hybrid encryption. File contents are encrypted very quickly with a symmetric algorithm, and the symmetric key is then encrypted with an asymmetric algorithm. This means that decrypting the files requires a key that only the attacker holds and that cannot be found in the program's code. For example, CryptoLocker uses RSA with a 2048-bit key combined with AES with a 256-bit key. These algorithms are currently considered cryptographically strong.
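The hybrid scheme just described, and the key-pair explanation in the "Ransomware virus - what is it?" section above, can be shown in a few dozen lines with the .NET crypto classes available from PowerShell. The block below is an added example, not code from the original articles: one RSA-2048 key pair per victim, a fresh random AES-256 key and IV per file, the AES key wrapped with the RSA public key and stored beside the ciphertext. It then demonstrates the point the articles make: with only the public key, the wrapped key cannot be opened. Everything stays in memory on constructed sample bytes; no file is touched, and the function names are ours.

```powershell
# Added example (not from the article): hybrid RSA-2048 + AES-256 as used by ransomware.
function New-VictimKeyPair {
    # Generated by the attacker. Only the public half ever reaches the victim's machine.
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.KeySize = 2048
    try {
        [pscustomobject]@{
            PublicKey  = $rsa.ExportParameters($false)   # modulus + exponent, ships with the malware
            PrivateKey = $rsa.ExportParameters($true)    # stays on the attacker's server
        }
    } finally { $rsa.Dispose() }
}

function Protect-Bytes {
    param([byte[]]$Plain, [System.Security.Cryptography.RSAParameters]$PublicKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()                 # per-file key and IV
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportParameters($PublicKey)
    # OAEP-SHA1 because it is the only OAEP variant the default provider of Windows
    # PowerShell 5.1 (RSACryptoServiceProvider) accepts; use OaepSHA256 on PowerShell 7.
    $wrapped = $rsa.Encrypt($aes.Key, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1)
    $blob = [pscustomobject]@{ WrappedKey = $wrapped; IV = $aes.IV; Ciphertext = $cipher }
    $aes.Dispose(); $rsa.Dispose()
    return $blob
}

function Unprotect-Bytes {
    param($Blob, [System.Security.Cryptography.RSAParameters]$Key)
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportParameters($Key)
    # Throws a CryptographicException when $Key holds only the public half.
    $aesKey = $rsa.Decrypt($Blob.WrappedKey, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1)
    $rsa.Dispose()
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $aesKey; $aes.IV = $Blob.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
    $aes.Dispose()
    return ,$plain
}

# --- demo on constructed data ---------------------------------------------------
$pair  = New-VictimKeyPair
$plain = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: contents of Contract.docx')
$blob  = Protect-Bytes -Plain $plain -PublicKey $pair.PublicKey

# What is left on the victim's disk: ciphertext, wrapped key, public key. Not enough:
try {
    Unprotect-Bytes -Blob $blob -Key $pair.PublicKey | Out-Null
    'unexpected: decrypted without the private key'
} catch {
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    "public key only -> $($ex.GetType().Name): the AES key cannot be unwrapped"
}

# With the private key, which only the attacker holds, it works:
[System.Text.Encoding]::UTF8.GetString((Unprotect-Bytes -Blob $blob -Key $pair.PrivateKey))
```

This also explains why the decryptors mentioned in these articles work at all: they succeed only where the authors of a particular family got this design wrong (a key reused across victims, a key recoverable from the sample, a weak wrapping step), which is why a tool for one family tells you nothing about another.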

The computer is infected with a virus. What to do?

Bear in mind that although ransomware uses modern encryption algorithms, it cannot encrypt all the files on a computer instantly. Encryption proceeds sequentially, and the speed depends on the size of the files being encrypted. So if you notice while working that your usual files and programs no longer open correctly, stop working immediately and turn the computer off. This way you can save some files from encryption.

Once you have run into the problem, the first thing to do is get rid of the virus itself. We will not dwell on this in detail; it is enough to try to clean the computer with antivirus programs or remove the virus manually. It is worth noting only that the virus often self-destructs once encryption is complete, which makes it harder to decrypt the files without turning to the attackers. In that case the antivirus may find nothing.

The main question is how to recover the encrypted data. Unfortunately, recovering files after ransomware is almost impossible; at least, nobody will guarantee full recovery of the data after a successful infection. Many antivirus vendors offer help with decryption: you send an encrypted file and additional information (the file with the attackers' contacts, the public key) through special forms on the vendors' websites. There is a small chance that a way to fight the particular virus has already been found and your files will be decrypted.

Try file-recovery utilities. It is possible the virus did not use guaranteed-destruction methods and some files can be recovered (this works especially with large files, for example files of several tens of gigabytes). There is also a chance to recover files from shadow copies: when System Restore is enabled, Windows creates volume snapshots that may contain the file contents as of the moment the restore point was created.
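The shadow-copy route above is worth checking before anything else is done to the disk. The script below is an added example, not from the original text: it lists the snapshots of a volume, exposes the newest one through a temporary directory symlink (snapshots live behind a \\?\GLOBALROOT device path that PowerShell's file provider does not understand, so mklink is the usual way to browse them) and copies one file out. The sample file path, the destination and the link location are assumptions; run it elevated. One caveat the page does not mention but that holds for many families: an encryptor that ran with administrator rights has often already deleted the shadow copies ("vssadmin delete shadows"), in which case the first step reports none.

```powershell
# Added example (not from the article): pull a file out of the newest shadow copy.
param(
    [string]$Volume = 'C:\',
    [string]$RelativePath = 'Users\ivanov\Documents\Contract.docx',   # assumed sample path inside the volume
    [string]$Destination = 'D:\recovered',                              # assumed
    [string]$MountPoint = 'C:\shadow'                                   # assumed temporary link
)

# 1. Which snapshots exist for this volume? Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID.
$volumeId = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending
if (-not $shadows) { throw "No shadow copies for $Volume (possibly deleted by the ransomware)." }
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# 2. Expose the newest snapshot as a directory and copy the file out.
$newest = $shadows | Select-Object -First 1
if (Test-Path -LiteralPath $MountPoint) { cmd.exe /c rmdir "$MountPoint" | Out-Null }
cmd.exe /c mklink /d "$MountPoint" "$($newest.DeviceObject)\" | Out-Null      # trailing backslash required
try {
    $src = Join-Path $MountPoint $RelativePath
    if (-not (Test-Path -LiteralPath $src)) {
        throw "$RelativePath is not present in the snapshot taken $($newest.InstallDate)"
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $Destination
    Get-Item (Join-Path $Destination (Split-Path $RelativePath -Leaf)) |
        Select-Object FullName, Length, LastWriteTime
} finally {
    cmd.exe /c rmdir "$MountPoint" | Out-Null     # removes the link only, never the snapshot
}
```

Check LastWriteTime of the copied file against the time the encryption started: a snapshot taken after the encryptor ran contains the encrypted version, so pick an older entry from the first table if the newest one is no good.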

If your data was encrypted in cloud services, contact support or study the capabilities of the service you use: in most cases services provide a rollback to previous versions of files, so they can be recovered.

What we strongly do not recommend is following the ransomware's lead and paying for decryption. There have been cases where people paid and did not receive the keys. Nobody guarantees that the attackers, having received the money, will actually send the key and that you will be able to restore the files.

How to protect yourself from a ransomware virus. Preventive measures

It is easier to prevent dangerous consequences than to correct them:

  • Use reliable antivirus tools and regularly update the antivirus databases. It sounds trivial, but it significantly reduces the chance of a virus successfully getting onto your computer.
  • Keep backup copies of your data.

This is best done with dedicated backup tools. Most cryptolockers can encrypt backups too, so it makes sense to keep backup copies on other computers (for example, on servers) or on detached media.

Restrict permissions to modify files in the backup folders, allowing only the appending of new data. Besides ransomware, backup systems neutralize many other data-loss threats. The spread of this virus once again shows the relevance and importance of such systems. Recovering data is far easier than decrypting it!

  • Limit the software environment in the domain.

Another effective measure is to restrict the launching of potentially dangerous file types, for example those with the extensions .js, .cmd, .bat, .vba, .ps1 and so on. This can be done centrally in the domain with AppLocker (in Enterprise editions) or with Software Restriction Policies (SRP). There are plenty of detailed guides on the web. In most cases users have no need for the script types listed above, and ransomware will have less chance of getting in.

  • Be careful.

Attentiveness is one of the most effective ways of preventing the threat. Be suspicious of every letter from unknown senders. Don't rush to open attachments; if in doubt, ask the administrator.
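For the AppLocker point in the list above, here is what the rule set actually looks like. This is an added example, not part of the original article: it builds the "Script" rule collection (the one AppLocker applies to .ps1, .bat, .cmd, .vbs and .js), tests it against a constructed attachment before enforcing, and then applies it locally; the same XML can be imported into a GPO for the whole domain. Rule GUIDs, rule names and the sample file are ours. It needs an elevated session and an edition that enforces AppLocker, as the list item notes.

```powershell
# Added example (not from the article): AppLocker script rules, tested before enforcement.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="7d8a0e60-0c1e-4e8a-9b2c-000000000001" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7d8a0e60-0c1e-4e8a-9b2c-000000000002" Name="Scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7d8a0e60-0c1e-4e8a-9b2c-000000000003" Name="Administrators: any script" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7d8a0e60-0c1e-4e8a-9b2c-000000000004" Name="Deny user-writable spot under Windows" Description="Deny beats Allow, so this closes %WINDIR%\Temp even for admins" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
# Anything not matched by an Allow rule is denied once the collection has rules, so scripts
# in Downloads, %APPDATA% or %TEMP% (where mail attachments land) never get a matching rule.

$policyPath = Join-Path $env:TEMP 'applocker-scripts.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Dry run against a typical attachment dropped into Downloads (constructed, harmless file).
$sample = Join-Path $env:USERPROFILE 'Downloads\Act_1234.pdf.js'
Set-Content -LiteralPath $sample -Value 'WScript.Echo("if you see this, the rule did not apply")'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize     # expected: Denied

# Enforce locally. AppLocker only works while the Application Identity service runs;
# on current builds sc.exe is the supported way to change its start type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Effective -Xml      # confirm the Script collection is present and Enabled
```

Run Test-AppLockerPolicy against the real paths your users need (line-of-business scripts, logon scripts) before switching EnforcementMode from "AuditOnly" to "Enabled" in a domain; an audit-only rollout shows up in the AppLocker event log without blocking anything, which is the safe way to find exceptions.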

Alexander Vlasov, senior engineer of the information security systems implementation department at SKB Kontur

Fighting new virus threats - ransomware

We recently wrote about new threats spreading on the Internet: ransomware viruses or, more broadly, file-encrypting viruses; you can read about them in more detail on our website at this link.

In this topic we will show how to get back data encrypted by a virus; for this we will use two decryptors, from the Kaspersky and Doctor Web antivirus vendors, which are the most effective ways of returning encrypted information.

1. Download utilities for decrypting files from the links: Kaspersky and Dr.WEB

Or decryptors for a specific type of encrypted files that are .

2. First, we will try to decrypt the files using a program from Kaspersky:

2.1. Launch the Kaspersky decryptor. If it asks for something, for example permission to run, allow it; if it asks to update, update it; this increases the chances of getting the encrypted data back.

2.2. In the program window for decrypting files we see several buttons: Change parameters and Start scan.

2.3. If necessary, select Change parameters and specify where to search for encrypted files and whether to delete them after decryption. I do not recommend choosing this option: files are not always decrypted correctly!

2.4. We launch the scan and wait for our virus-encrypted data to be decrypted.

3. If the first method did not work, let's try to decrypt the files with the program from Dr.WEB.

3.1. After downloading the decryptor, put it, for example, in the root of drive C:, so that the file te102decrypt.exe is available as c:\te102decrypt.exe

3.2. Now open the command line (Start, Search, type CMD without quotes and press Enter)

3.3. To start decryption, type the command c:\te102decrypt.exe -k 86 -e <encryptor code>. The encryptor code is the extension appended to the end of the files, for example " [email protected] _45jhj"; type it without quotes and brackets, keeping the spaces. You should get something like c:\te102decrypt.exe -k 86 -e [email protected] _45jhj

3.4. Press Enter and wait for the encrypted files to be decrypted. In some cases several copies of a decrypted file are created; try opening them, keep the copy that opens normally and delete the rest.

Download other file decryptors:

Attention: be sure to save a copy of the encrypted files on an external drive or another PC. The decryptors presented below may fail to decrypt files and only corrupt them!

It is best to run a decryptor on a virtual machine or on a specially prepared computer, after copying a few files onto it first.

The decryptors presented below work as follows. For example, your files are encrypted by the amba encryptor and look like "Agreement.doc.amba" or "Account.xls.amba"; then download the decryptor for amba files and simply run it: it will find all files with this extension and decrypt them. But I repeat, protect yourself and first make a copy of the encrypted files, otherwise you may lose incorrectly decrypted data forever!

If you do not want to take the risk, send us a few files after contacting us through the feedback form; we will run the decryptor on a specially prepared computer isolated from the Internet.

The files submitted were scanned with the latest version of Kaspersky antivirus with the latest database updates.

