Experts suggested how to cope with the virus”ransomware”

Эксперты подсказали, как справиться с вирусами-"вымогателями"

How to regain access to the files.

Ransomware becoming increasingly popular among hackers. Such viruses block access to files on the computer and demand a ransom for the decryption code. However, there are 4 free programs that will allow you to recover your files and not to get hooked to hackers, reports the with reference to 24ТВ.

There are four free tool to remove the ransomware and decrypt files: Alcatraz Locker, CrySiS, Globe and NoobCrypt. These tools can help you remove the virus the Trojan and unlock files. Utilities are constantly updated with the development of these types of threats.

AlcatrazAlcatraz Locker – a ransomware that was first discovered in mid-November 2016. Files locked by it, have extension .Alcatraz. When they are encrypted, you receive this message, which is located in the file ransomed.html on the desktop of the infected computer.

Unlike most types of encoders, the program Alcatraz is not of the specified list of file extensions to which it is directed. In other words, the program encrypts all that can. To prevent damage to the operating system, Alcatraz Locker only encrypts the files in the directory% PROFILES% (usually C: Users).

Ransomware encrypts files using the built-in Windows functions (API encryption).

According to the cryptographer, the only way to get back your data is payment 0,3283 bitcoins (about $ 1100 at the time of writing). By the way, the existence of the 30-day limit, referred to in the message demanding money is another illusion: to decrypt their documents at any time, even after 30 days.

Sagum CrySiS (also known as JohnyCryptor and Virus-Encode) is known from September 2015. Uses strong encryption algorithms AES and RSA. Also, the peculiarity lies in the fact that it contains the list of file extensions that are not subject to blocking.

Locked files are as follows: .id . . .

Although the ID and email address changed quite often, there are only three different names of extensions that are still used today: .xtbl, .lock and .CrySiS.

As a result, the names of encrypted files might look так:[email protected],[email protected],.{[email protected]}.lock{[email protected]}.CrySiS

Once locked, these files, the ransomware message appears below that describes how to return access encrypted data.

GlobeДанная program that has been around since August 2016 written in Delphi and is usually Packed UPX. Some variants are also packaged using Nullsoft installer.

Unpacked binary program is a global interface settings, in which the author of the blackmailer can make some changes in its characteristics.

Since attackers can modify the program, we are faced with many different options for creating encrypted files with different extensions.

The virus locks the files using RC4 or BlowFish. When the ransomware is configured to encrypt the file names, it executes it using the same algorithm that was used against the file itself. Then the name is encrypted using its own implementation of Base64 encoding.

Usually, the ransomware creates a file called “Read Me Please.hta” or “How to restore files.hta” that is displayed after a user logs in to the system.

NoobCryptNoobCrypt that I opened in the summer of 2016, is written in C # and uses the encryption algorithm AES256. The program has a graphical interface that is displayed after blocking access to the files.

This screen with the ransom demand – a strange mix of messages. For example, it requires to pay a certain amount in New Zealand dollars (NZD), but the means offers to transfer the address in the Bitcoin system. At the same time, the text proudly States that the program “was created in Romania.” A strange combination.

To decrypt files, the program offers NoobCrypt “unlock code” that must be bought. Twitter me was published free keys to delete all known versions of the NoobCrypt. However, to determine which one to use, had to manually. Thanks to the tool to decrypt you will not have to guess what code you want to apply.

Share Button