Viruses as a computer threat no longer surprise anyone. But where earlier they affected the system as a whole, causing failures in its operation, today, with the advent of a variety such as the ransomware virus, the actions of the intruding threat concern user data more than anything else. This is perhaps an even greater threat than destructive Windows executables or spyware applets.
What is a ransomware virus?
The code itself, implemented as a self-replicating virus, encrypts almost all user data with special cryptographic algorithms, without touching the system files of the operating system.
At first, the logic behind the virus's behaviour was not entirely clear to many. Everything became clear only when the hackers who created such applets began to demand money for restoring the original file structure. At the same time, the ransomware virus itself, by its very nature, does not allow the files to be decrypted. For that you need a special decryptor: if you like, a code, password or algorithm required to restore the content you are looking for.
How the virus penetrates the system and how its code operates
As a rule, it is rather difficult to "catch" such filth simply by browsing the Internet. The main source of spread of the "infection" is e-mail, at the level of mail clients installed on a particular computer terminal, such as Outlook, Thunderbird, The Bat, etc. Web-based mail services are far less exposed, since there access to user data is possible only at the level of cloud storage.
An application on a computer terminal is another matter. Here the field for the virus's actions is so wide that it is hard to imagine. True, a reservation is due here too: in most cases, the viruses are aimed at large companies from which money can be "ripped off" for providing a decryption code. This is understandable, because not only local computer terminals but also the servers of such firms may store not only completely confidential information but also files that, so to speak, exist in a single copy and must not be destroyed under any circumstances. And then decrypting files after an encryption virus becomes quite problematic.
Of course, an ordinary user can also be subjected to such an attack, but in most cases this is unlikely if you follow the simplest recommendations for opening attachments with extensions of an unknown type. Even if the mail client identifies an attachment with a .jpg extension as a standard image, it should first be checked with the antivirus scanner installed on the system.
If this is not done, opening it with a double click (the standard method) will start the code, and the encryption process will begin, after which the same Breaking_Bad (the encryptor virus) will not only be impossible to delete, but the files will not be restored even after the threat is eliminated.
General consequences of penetration by all viruses of this type
As already mentioned, most viruses of this type enter the system through e-mail. Well, let's say that in a large organization a letter arrives at a specific registered e-mail address with content like "We have changed the contract; the scan is in the attachment" or "You have been sent an invoice for the shipment of goods (copy attached)". Naturally, an unsuspecting employee opens the file and...
All user files at the level of office documents, multimedia, specialized AutoCAD projects or any other archived data are instantly encrypted, and if the computer terminal is on a local network, the virus can be transmitted further, encrypting data on other machines (this becomes noticeable immediately through the "slowing down" of the system and the freezing of programs or currently running applications).
At the end of the encryption process, the virus itself apparently sends some kind of report, after which the company may receive a message that such-and-such a threat has penetrated the system and that only such-and-such an organization can decrypt it. This usually concerns the [email protected] virus. Next comes the demand to pay for decryption services, with an offer to send several files to the client's e-mail, most often a fictitious one.
Harm caused by the code
If anyone has not yet understood: decrypting files after a ransomware virus is a rather laborious process. Even if you do not give in to the attackers' demands and try to involve the official state bodies that combat and prevent computer crime, usually nothing good comes of it.
If you delete all files, restore the system and even copy the original data back from removable media (if such a copy exists, of course), everything will still be encrypted again when the virus is activated. So you should not delude yourself too much, especially since when you insert that same flash drive into a USB port, the user will not even notice how the virus encrypts the data on it. Then problems definitely cannot be avoided.
The firstborn of the family
Now let us turn our attention to the first encryption virus. At the time of its appearance, no one had yet thought about how to cure the system and decrypt files after exposure to the executable code contained in an e-mail attachment offering an acquaintance. Awareness of the scale of the disaster came only with time.
That virus had the romantic name ILOVEYOU. An unsuspecting user opened an attachment in an e-mail message and ended up with completely unplayable multimedia files (graphics, video and audio). Back then, however, such actions looked more like plain destruction (damaging the user's media library), and no one demanded money for it.
The newest modifications
As you can see, the evolution of the technology has become quite a profitable business, especially considering that many heads of large organizations immediately rush to pay for decryption, not realizing that they can lose both their money and their information.
By the way, do not pay attention to all those fake posts on the Internet saying "I paid the required amount, they sent me a code, everything was restored." Nonsense! All of this is written by the virus developers themselves to attract potential, excuse me, "suckers". And by the standards of an ordinary user the sums demanded are quite serious: from hundreds to several thousand or tens of thousands of euros or dollars.
Now let us look at the newest types of viruses of this kind, recorded relatively recently. They are all much alike and belong not only to the category of ransomware but also to the group of so-called extortionists. In some cases they act more subtly (like paycrypt), seemingly sending out official business proposals or messages that someone cares about the security of the user or organization. Such an encryption virus simply misleads the user with its message. If he takes even the slightest step towards paying, the scam will be carried out in full.
The relatively recent XTBL virus can be counted as a classic ransomware variant. Typically it enters the system through e-mail messages containing attachments in the form of files with the .scr extension, which is standard for Windows screensavers. The system and the user think everything is in order and allow the attachment to be viewed or saved.
Alas, this leads to sad consequences: file names are converted into a string of characters and .xtbl is appended to the main extension, after which a message arrives about the possibility of decryption once the specified amount (usually 5 thousand rubles) has been paid, via the indicated e-mail address.
The next type of virus also belongs to the classics of the genre. It appears in the system after opening e-mail attachments, and then renames user files, appending an extension like .nochance or .perfect.
Unfortunately, analyzing the code of this encryption virus in order to decrypt the files is not possible, even at the stage of its appearance in the system, because it self-destructs once it has finished its work. Even a tool that many consider universal, such as RectorDecryptor, does not help. Again, the user receives a letter demanding payment, with two days given to pay.
The Breaking_Bad threat works in the same way, but in its standard version it renames files by appending .breaking_bad to the extension.
It does not end there. Unlike previous viruses, this one can also create another extension, .Heisenberg, so it is not always possible to find all infected files. So Breaking_Bad (the encryption virus) is quite a serious threat. By the way, there are cases when even a licensed Kaspersky Endpoint Security 10 package has let this type of threat through.
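As an added example (not from the article, and not tied to any specific family's real behaviour), here is a defender-side Python script that looks for the footprint these families leave on disk: files renamed with the appended extensions listed above (.xtbl, .nochance, .perfect, .breaking_bad, .Heisenberg) and text files whose content has become random-looking. The extension list, the plaintext-format list and the entropy threshold are triage assumptions, and the sample tree it scans is constructed in code.

```python
import math
import os
import tempfile
from collections import Counter

# Appended extensions named in the article; compared case-insensitively (.Heisenberg).
RANSOM_EXTENSIONS = {".xtbl", ".nochance", ".perfect", ".breaking_bad", ".heisenberg"}
# Normally low-entropy text formats; compressed ones (.docx, .jpg, .zip) look random even intact.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".html", ".ini", ".sql"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0 (assumed cut-off)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root`; report renamed files and text files whose content looks encrypted."""
    findings = {"renamed": set(), "high_entropy": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                findings["renamed"].add(name)
            elif ext in PLAINTEXT_EXTENSIONS:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(sample_bytes)
                # Very short samples give unreliable entropy estimates; skip them.
                if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                    findings["high_entropy"].add(name)
    return findings

def demo() -> dict:
    """Constructed sample tree (not real malware output) exercising both checks."""
    samples = {
        "invoice.docx.xtbl": b"x" * 64,                           # renamed, XTBL style
        "contract.pdf.breaking_bad": b"x" * 64,                   # renamed, Breaking_Bad style
        "notes.txt": bytes(range(256)) * 16,                      # text name, random-looking body
        "readme.txt": b"Quarterly figures, plain text.\n" * 40,   # intact text, stays quiet
        "photo.jpg": bytes(range(256)) * 16,                      # compressed format, ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_tree(root)
```

Run against a real share, the renamed-file hits are the reliable signal; the entropy check is a secondary hint and is deliberately limited to formats that are normally plain text.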
The [email protected] virus
Here is another, perhaps the most serious, threat, directed mostly at large commercial organizations. As a rule, a letter arrives in some department containing supposed changes to a supply agreement, or even just an invoice. The attachment may contain what appears to be an ordinary .jpg file.
How to decrypt this type of encryption virus? Judging by the fact that some unknown RSA-1024 algorithm is used there, there is no way. Going by the name, we can assume it is a 1024-bit encryption system. But, if anyone remembers, today 256-bit AES is considered the most advanced.
Encryptor virus: how to cure the system and decrypt files with antivirus software
To date, no solutions have been found for decrypting threats of this type. Even such masters of antivirus protection as Kaspersky, Dr. Web and Eset cannot find the key to solving the problem once a ransomware virus has taken over the system. How to cure the files? In most cases it is suggested to send a request to the official website of the antivirus developer (and, by the way, only if the system has licensed software from that developer).
In this case, you need to attach several encrypted files as well as their "healthy" originals, if any. In general, by and large, few people keep copies of their data, so the absence of such copies only exacerbates an already unpleasant situation.
Possible ways to identify and eliminate the threat manually
Yes, a conventional antivirus scan detects such threats and even removes them from the system. But what to do with the information?
Some people try to use decryption programs like the RectorDecryptor (RakhniDecryptor) utility mentioned above. Let us say right away: this will not help. And in the case of the Breaking_Bad virus it can only do harm. Here is why.
The fact is that the people who create such viruses try to protect themselves and to teach others a lesson. When decryption utilities are used, the virus may react in such a way that the entire system crashes, with the complete destruction of all data stored on the hard drives or logical partitions. This is, so to speak, a demonstrative lesson for all those who do not want to pay. We can only hope for the official antivirus laboratories.
However, if things are really bad, you will have to sacrifice the information. To completely get rid of the threat, you need to format the entire hard drive, including virtual partitions, and then install the OS again.
Unfortunately, there is no other way out. Even rolling the system back to a specific saved restore point will not help. The virus may disappear, but the files will remain encrypted.
Instead of an afterword
In conclusion, it is worth noting that the situation is as follows: the ransomware virus penetrates the system, does its dirty work, and cannot be cured by any known means. Antivirus protection tools were not ready for this type of threat. It goes without saying that the virus can be detected and removed after the fact. But the encrypted information will remain in an unsightly form. So one would like to hope that the best minds of the antivirus companies will still find a solution, although, judging by the encryption algorithms, this will be very difficult. Recall at least the Enigma cipher machine used by the German navy in the Second World War. The best cryptographers could not solve the problem of decrypting its messages until they got their hands on the device itself. The same is the case here.