The ransomware virus continues to spread. Where to go for guaranteed decryption

About a week or two ago another creation of the modern virus writers appeared on the Internet, one that encrypts all of the user’s files. Once again I will look at how to clean a computer after the CRYPTED000007 ransomware and how to recover the encrypted files. Nothing new or unique has appeared here; it is simply a modification of the previous version.

Guaranteed decryption of files after a ransomware virus - dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is not fundamentally different from its predecessors. It works almost exactly the same way, but there are a few details that set it apart. I will cover everything in order.

It arrives, like its counterparts, by email. Social engineering is used to make the user curious enough to open the message. In my case the email claimed to concern a court case, with important information about the case in the attachment. When the attachment is launched, the user is shown a Word document with an extract from the Moscow Arbitration Court.

While the document is being opened, file encryption starts, and a prompt from Windows User Account Control (UAC) begins to pop up over and over.

If you accept that prompt, the Windows shadow copies of your files will be deleted and recovering the data will become very difficult. Obviously you must not accept it under any circumstances. In this encryptor the prompts appear constantly, one after another, and do not stop, pressuring the user to agree and delete the shadow copies. This is the main difference from earlier modifications: I had never before seen the requests to delete shadow copies keep coming without end. Usually they stopped after 5-10 attempts.

Let me give a recommendation for the future right away. People very often disable User Account Control warnings. Do not do this. The mechanism genuinely helps in resisting viruses. The second obvious piece of advice is not to work under the computer administrator account all the time unless there is a real need for it. Then the virus will not have the opportunity to do much harm, and you will have a better chance of resisting it.

But even if you answered the ransomware’s prompts negatively every time, all your data is already encrypted. Once the encryption process finishes, a picture will appear on your desktop.

At the same time, there will be many text files with the same content on your desktop.

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decrypt on your own will lead to nothing but irrevocable loss of information. If you still want to try, make backup copies of the files first, otherwise, if they are changed, decryption will become impossible under any circumstances. If you have not received a reply at the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways:
1) Download and install Tor Browser using the link: https://www.torproject.org/download/download-easy.html.en In the Tor Browser address bar, enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load.
2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways:
1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Mailing address may change. I also came across the following addresses:

Addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are being encrypted, turn off the computer immediately. This interrupts the encryption process both on the local machine and on network drives. An encryptor will encrypt everything it can reach, network drives included, but if there is a large amount of data there it takes considerable time. In some cases the ransomware had not managed, even in a couple of hours, to encrypt everything on a network drive of roughly 100 gigabytes.

Next you need to think carefully about how to proceed. If you need the information on the computer at any cost and have no backups, this is the moment to turn to specialists. Not necessarily a paid company: you need a person who knows information systems well. The scale of the disaster has to be assessed, the virus removed, and all available information about the incident collected, in order to understand what to do next.

Incorrect actions at this stage can significantly complicate the process of decrypting or restoring files. In the worst case, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has run and finished its work, all useful files are encrypted and renamed with the extension .crypted000007. Not only the extension is replaced but the file name as well, so unless you remember, you will not know exactly which files you had. It looks something like this.

In such a situation, it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in different folders. This was done specifically to confuse people and encourage them to pay for file decryption.

And if your network folders were encrypted and there are no full backups, then this can completely stop the work of the entire organization. It will take you a while to figure out what was ultimately lost in order to begin restoration.

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect a computer and how to remove a virus from it in order to prevent further encryption if it has not yet been completed. I would like to immediately draw your attention to the fact that after you yourself begin to perform some actions with your computer, the chances of decrypting the data decrease. If you need to recover files at any cost, do not touch your computer, but immediately contact professionals. Below I will talk about them and provide a link to the site and describe how they work.

In the meantime, we will continue cleaning the computer and removing the virus on our own. Traditionally ransomware is easy to remove, since the virus has no need to stay on the computer at any cost. After the files are fully encrypted it is even more advantageous for it to delete itself and disappear, making it harder to investigate the incident and decrypt the files.

It is hard to describe how to remove the virus manually; I have tried before, but I see that most of the time it is pointless. File names and the paths where the virus is placed change constantly, and what I saw is no longer relevant a week or two later. Viruses are usually sent out by email in waves, and each time there is a new modification that antivirus software does not yet detect. What does help are general-purpose tools that check startup entries and detect suspicious activity in system folders.

To remove the CRYPTED000007 virus, you can use the following programs:

  1. Kaspersky Virus Removal Tool, a utility from Kaspersky: http://www.kaspersky.ru/antivirus-removal-tool.
  2. Dr.Web CureIt!, a similar product from Dr.Web: http://free.drweb.ru/cureit.
  3. If the first two utilities do not help, try Malwarebytes 3.0: https://ru.malwarebytes.com.

Most likely one of these products will clear the CRYPTED000007 ransomware from your computer. If it happens that none of them helps, try removing the virus manually. I gave an example of the removal method earlier, and you can look at it there. Briefly, step by step, you need to act like this:

  1. Look at the process list in Task Manager after adding several extra columns.
  2. Find the virus process, open the folder it sits in and delete it.
  3. Clear any mention of the virus process, by file name, from the registry.
  4. Reboot and make sure the CRYPTED000007 process is no longer in the list of running processes.
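The four manual steps above, as an added PowerShell example that is not part of the original article: a read-only triage pass that lists running processes started from user-writable folders (where a freshly launched mail attachment usually lands) and the Run/RunOnce autorun entries that would re-launch them after a reboot. It assumes PowerShell 3.0 or later on an elevated prompt; the folder patterns are my assumption, not something the article specifies.

```powershell
# Added example, not from the original article. Read-only: it lists, it does not delete.
# Run from an elevated PowerShell 3.0+ so that processes of all users are visible.

# Assumed "user-writable" locations worth a second look (wildcards cover every profile).
$suspectPatterns = @(
    "$env:SystemDrive\Users\*\AppData\*",
    "$env:SystemDrive\Users\*\Downloads\*",
    "$env:SystemDrive\Users\*\Desktop\*",
    "$env:ProgramData\*",
    "$env:windir\Temp\*"
)

function Get-SuspectProcess {
    # Every process that has an executable path matching one of the patterns above.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath } |
        Where-Object {
            $path = $_.ExecutablePath
            $suspectPatterns | Where-Object { $path -like $_ }
        } |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
}

function Get-AutorunEntry {
    # Run / RunOnce values for the current user and the machine: the simplest
    # persistence locations, and the "mention in the registry" step 3 refers to.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Registry values come back as properties; skip the provider's own PS* metadata.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

'--- processes running from user-writable folders ---'
Get-SuspectProcess | Format-Table ProcessId, Name, ExecutablePath -AutoSize

'--- autorun entries (Run / RunOnce) ---'
Get-AutorunEntry | Format-Table -AutoSize
```

Anything this prints is a lead, not a verdict: legitimate updaters and some installers also run from AppData or ProgramData, so check the publisher, file date and command line before removing a file or a registry value, and prefer the removal tools listed above for the actual cleanup.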

Where to download the decryptor CRYPTED000007

The first question that comes up with any ransomware is whether a simple, reliable decryptor exists. The first thing I recommend is the service https://www.nomoreransom.org. Perhaps you will be lucky and they already have a decryptor for your version of CRYPTED000007. I will say right away that your chances are slim, but there is no harm in trying. On the main page click Yes:

Then upload a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also see the list of decryptors for download on a separate page - https://www.nomoreransom.org/decryption-tools.html. Maybe there's something useful there. When the virus is completely fresh, there is little chance of this happening, but over time, something may appear. There are examples when decryptors for some modifications of encryptors appeared on the network. And these examples are on the specified page.

I do not know where else a decryptor could be found. Given how modern encryptors work, it is unlikely one actually exists: only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What can you do when the CRYPTED000007 virus has encrypted your files? The way the encryption is implemented does not allow decrypting files without a key or a decryptor, which only the author of the encryptor has. Perhaps there is some other way to obtain it, but I have no such information. All we can do is try to recover files by indirect means. These include:

  • Windows shadow copies (Volume Shadow Copy)
  • Deleted-file recovery programs

First, let's check if we have shadow copies enabled. This tool works by default in Windows 7 and higher, unless you manually disable it. To check, open the computer properties and go to the system protection section.

If during infection you did not confirm the UAC request to delete files in shadow copies, then some data should remain there. I talked about this request in more detail at the beginning of the story, when I talked about how the virus works.

To easily restore files from shadow copies, I suggest using a free program for this - ShadowExplorer. Download the archive, unpack the program and run it.

The most recent copy opens, showing the root of drive C. In the upper left corner you can select another copy if there are several. Check the different copies for the files you need and compare by date to find the most recent version. In my example below I found two files on my desktop from three months earlier, the last time they were edited.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and specified the folder where to restore them.

You can restore folders immediately using the same principle. If you had shadow copies working and did not delete them, you have a good chance of recovering all, or almost all, files encrypted by the virus. Perhaps some of them will be an older version than we would like, but nevertheless, it is better than nothing.
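The shadow-copy procedure above, together with the UAC advice from the start of the article, as an added PowerShell example that is not part of the original: it reports whether UAC is still on, whether the current session is elevated, lists the surviving shadow copies with their creation dates, and exposes the newest one as a folder so files can be copied out, which is what ShadowExplorer's Export does. It assumes PowerShell 3.0 or later on Windows 7 or newer, run from an elevated prompt (needed to enumerate Win32_ShadowCopy and to create the link); the mount path and the document path are placeholders.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell 3.0+.

# 1. Is UAC still on? EnableLUA = 1 means the prompts described earlier are shown at all.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($policy.EnableLUA -eq 1) { 'UAC: enabled' } else { 'UAC: disabled (re-enable it)' }

# 2. Is this session elevated? Everyday work should not be, so that a launched
#    attachment cannot delete shadow copies without a prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated session: $elevated"

# 3. Which shadow copies survive? Same information as 'vssadmin list shadows'.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    'No shadow copies found: fall back to a deleted-file recovery tool.'
    return
}
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# 4. Expose the newest copy as a folder (read-only view of the volume at that point in time).
#    mklink needs the trailing backslash after the device object path.
$latest = $shadows[0]
$mount  = 'C:\ShadowView'    # placeholder: any unused path
if (-not (Test-Path $mount)) {
    cmd /c mklink /d $mount "$($latest.DeviceObject)\" | Out-Null
}
"Shadow copy from $($latest.InstallDate) is browsable under $mount"

# 5. Recover a file by plain copy (constructed example path); repeat for folders with -Recurse.
# Copy-Item "$mount\Users\user\Documents\report.docx" -Destination 'D:\Recovered\'

# 6. When finished, remove only the link, not the shadow copy itself.
# cmd /c rmdir $mount
```

Compare the InstallDate column with the date the encryption started: the most useful copy is the newest one created before the infection, and older copies remain available under the same link if a file turns out to be missing from the latest one.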

If for some reason you have no shadow copies, your only chance of getting back at least something from the encrypted files is to restore them with a deleted-file recovery tool. For this I suggest the free program PhotoRec.

Launch the program and select the disk on which files should be recovered. The graphical version is started with the file qphotorec_win.exe. You must select a folder where the found files will be placed; it is better if this folder is not on the same drive being searched, so connect a flash drive or an external hard drive for it.

The search process will take a long time. At the end you will see statistics. Now you can go to the previously specified folder and see what is found there. There will most likely be a lot of files and most of them will either be damaged or they will be some kind of system and useless files. But nevertheless, some useful files can be found in this list. There are no guarantees here; what you find is what you will find. Images are usually restored best.

If the result does not satisfy you, then there are also programs for recovering deleted files. Below is a list of programs that I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Filecoder.ED encryptor

Popular antiviruses detect the ransomware CRYPTED000007 as Filecoder.ED and then there may be some other designation. I looked through the major antivirus forums and didn't see anything useful there. Unfortunately, as usual, antivirus software turned out to be unprepared for the invasion of a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. Nevertheless, I recommend using them. If you are lucky and receive a ransomware email not in the first wave of infections, but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers. A new version of ransomware is released, but antiviruses do not respond to it. As soon as a certain amount of material for research on a new virus accumulates, antivirus software releases an update and begins to respond to it.

I don’t understand what prevents antiviruses from responding immediately to any encryption process in the system. Perhaps there is some technical nuance on this topic that does not allow us to adequately respond and prevent encryption of user files. It seems to me that it would be possible to at least display a warning about the fact that someone is encrypting your files, and offer to stop the process.
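The kind of check the paragraph above wishes antivirus products would perform, as an added PowerShell example that is part of neither the original article nor any vendor's product: a simple behavioural heuristic run over a constructed, inline log of file-creation events (timestamp, event type, process image, target path). It flags a process that writes many .crypted000007 files within a short window, or that drops repeated copies of a ransom note. The log format, the process path and the note file name README_decrypt.txt are all my assumptions; in a real deployment the events would come from Sysmon file-create events or a file-system filter driver, which is not shown here.

```powershell
# Added example, not from the original article. Input: constructed file events, one per line,
# in the form  timestamp|event|process image|target path.
$log = @'
2017-03-01T10:00:01|FileCreate|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Users\user\Documents\~$letter.docx
2017-03-01T10:00:05|FileCreate|C:\Users\user\AppData\Local\Temp\court_case.exe|C:\Users\user\Documents\XkP2Rq.crypted000007
2017-03-01T10:00:06|FileCreate|C:\Users\user\AppData\Local\Temp\court_case.exe|C:\Users\user\Documents\mQ7vZa.crypted000007
2017-03-01T10:00:07|FileCreate|C:\Users\user\AppData\Local\Temp\court_case.exe|C:\Users\user\Desktop\README_decrypt.txt
2017-03-01T10:00:08|FileCreate|C:\Users\user\AppData\Local\Temp\court_case.exe|C:\Users\user\Pictures\R5tLw0.crypted000007
2017-03-01T10:00:09|FileCreate|C:\Users\user\AppData\Local\Temp\court_case.exe|C:\Users\user\Pictures\README_decrypt.txt
2017-03-01T10:00:11|FileCreate|C:\Users\user\AppData\Local\Temp\court_case.exe|C:\Users\user\Pictures\Ab91cD.crypted000007
2017-03-01T10:00:12|FileCreate|C:\Users\user\AppData\Local\Temp\court_case.exe|C:\Users\user\Documents\README_decrypt.txt
2017-03-01T10:00:14|FileCreate|C:\Users\user\AppData\Local\Temp\court_case.exe|C:\Users\user\Documents\zz0Qp1.crypted000007
2017-03-01T10:05:00|FileCreate|C:\Program Files\7-Zip\7z.exe|C:\Users\user\Downloads\photos.zip
'@

$ransomExt   = '.crypted000007'      # extension the article describes
$noteName    = 'README_decrypt.txt'  # assumed name of the dropped ransom note
$windowSec   = 60                    # how short a burst has to be
$renameLimit = 5                     # this many ransom-extension files inside the window
$noteLimit   = 3                     # this many identical notes from one process

# Parse the log into objects.
$events = foreach ($line in ($log -split "`r?`n")) {
    if (-not $line.Trim()) { continue }
    $f = $line.Split('|')
    [pscustomobject]@{ Time = [datetime]$f[0]; Type = $f[1]; Image = $f[2]; Path = $f[3] }
}

function Test-Burst {
    # True if at least $Limit events fall inside any $WindowSeconds-long sliding window.
    param([object[]]$Events, [int]$Limit, [int]$WindowSeconds)
    $sorted = @($Events | Sort-Object Time)
    for ($i = 0; $i -le $sorted.Count - $Limit; $i++) {
        $span = $sorted[$i + $Limit - 1].Time - $sorted[$i].Time
        if ($span.TotalSeconds -le $WindowSeconds) { return $true }
    }
    return $false
}

$alerts = foreach ($g in ($events | Where-Object Type -eq 'FileCreate' | Group-Object Image)) {
    $encrypted = @($g.Group | Where-Object { $_.Path.EndsWith($ransomExt, 'OrdinalIgnoreCase') })
    $notes     = @($g.Group | Where-Object { [IO.Path]::GetFileName($_.Path) -eq $noteName })
    if (Test-Burst -Events $encrypted -Limit $renameLimit -WindowSeconds $windowSec) {
        "ALERT (encryption burst): $($g.Name) wrote $($encrypted.Count) '$ransomExt' files within $windowSec s"
    }
    if ($notes.Count -ge $noteLimit) {
        "ALERT (ransom notes): $($g.Name) dropped $($notes.Count) copies of $noteName"
    }
}

if ($alerts) { $alerts } else { 'No ransomware-like behaviour in the sample.' }
```

On the sample above, only court_case.exe trips both rules; WINWORD.EXE and 7z.exe stay quiet. Keying on a known extension is what makes this cheap, and also why it lags a new variant just as signatures do; a version that generalises would look instead at the rate of writes to files the process did not create, or at the entropy of the written data, which is where the "technical nuance" the paragraph wonders about lies: those signals also fire on archivers, backup jobs and full-disk encryption tools, so a product has to tolerate false positives or ask the user.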

Where to go for guaranteed decryption

I happened to meet one company that actually decrypts data after the work of various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment only after full decryption and your verification. Here is an approximate scheme of work:

  1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
  2. Launches the decryptor and decrypts all files.
  3. You make sure that all files are opened and sign the delivery/acceptance certificate for completed work.
  4. Payment is made solely upon successful decryption results.

I will be honest, I do not know how they do it, but you risk nothing: payment only after the decryptor has been shown to work. Please write a review of your experience with this company.

Methods of protection against the CRYPTED000007 virus

How to protect yourself from ransomware and avoid material and moral damage? There are some simple and effective tips:

  1. Backup! Backup of all important data. And not just a backup, but a backup to which there is no constant access. Otherwise, the virus can infect both your documents and backup copies.
  2. Licensed antivirus. Although they do not provide a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the encryptor, but after 3-4 days they begin to respond. This increases your chances of avoiding infection if you were not included in the first wave of distribution of a new modification of the ransomware.
  3. Do not open suspicious attachments in mail. There is nothing to comment here. All ransomware known to me reached users via email. Moreover, every time new tricks are invented to deceive the victim.
  4. Do not thoughtlessly open links sent to you from your friends via social networks or instant messengers. This is also how viruses sometimes spread.
  5. Enable the display of file extensions in Windows. How to do this is easy to find on the Internet. It lets you notice the extension of the virus file, most often .exe, .vbs or .scr; in everyday work with documents you are unlikely to come across such extensions.

I tried to supplement what I have already written before in every article about the ransomware virus. In the meantime, I say goodbye. I would be glad to receive useful comments on the article and the CRYPTED000007 ransomware virus in general.

Video about file decryption and recovery

The video shows a previous modification of the virus, but it is fully relevant to CRYPTED000007.

  • More than 200,000 computers have already been infected!
  • The main targets of the attack were in the corporate sector, followed by telecommunications companies in Spain, Portugal, China and England.
  • The biggest blow was dealt to Russian users and companies, including Megafon, Russian Railways and, according to unconfirmed information, the Investigative Committee and the Ministry of Internal Affairs. Sberbank and the Ministry of Health also reported attacks on their systems.
  • For data decryption the attackers demand a ransom of 300 to 600 dollars in bitcoins (about 17,000-34,000 rubles).


[Figure: interactive infection map]
[Figure: ransom window]
[Figure: list of file extensions the virus encrypts]

Although the virus targets the corporate sector, the ordinary user is also not immune to WannaCry and to losing access to their files.

Instructions for protecting your computer and the data on it from infection:
  1. Install Kaspersky System Watcher, which has a built-in function to roll back changes made by an encryptor that managed to get past the security measures.
  2. Users of Kaspersky Lab antivirus software are advised to check that the “System Watcher” function is enabled.
  3. ESET NOD32 for Windows 10 offers a check for new available OS updates. If you took care of this in advance and had it enabled, all the necessary Windows updates will be installed and your system will be completely protected from this WannaCryptor virus and similar attacks.
  4. ESET NOD32 products also include detection of yet unknown threats, based on behavioural and heuristic technologies: if a virus behaves like a virus, it is most likely a virus. Since May 12 the ESET LiveGrid cloud technology has very successfully repelled all attacks by this virus, and did so even before the signature database was updated.
  5. ESET technologies also protect devices running the legacy systems Windows XP, Windows 8 and Windows Server 2003 (we recommend that you stop using these outdated systems). Because of the very high level of threat to these OSs, Microsoft decided to release updates for them. Download them.
  6. To minimise the risk to your PC, update your version of Windows 10 urgently: Start - Settings - Update and Security - Check for updates (on other versions: Start - All Programs - Windows Update - Search for Updates - Download and install).
  7. Install the official patch MS17-010 from Microsoft, which fixes the SMB server vulnerability through which the virus penetrates. This service is what the attack relies on.
  8. Make sure that all available security tools on your computer are running and working.
  9. Scan your entire system for viruses. If a detection named MEM:Trojan.Win64.EquationDrug.gen appears, reboot the system.
Once again, I recommend checking that the MS17-010 patches are installed.

Currently, specialists from Kaspersky Lab, ESET NOD32 and other antivirus products are actively working on writing a file decryption program that will help users of infected PCs to restore access to files.

A wave of a new encryption virus, WannaCry (also known as Wana Decrypt0r, Wana Decryptor, WanaCrypt0r), has swept across the world; it encrypts the documents on a computer and demands 300-600 USD to decrypt them. How can you tell whether your computer is infected? What should you do to avoid becoming a victim? And what can you do to recover?

After installing the updates, you will need to reboot your computer.

How to recover from the Wana Decrypt0r ransomware virus?

When the antivirus utility detects the virus, it will either remove it immediately or ask whether to disinfect it. Choose disinfect.

How to recover files encrypted by Wana Decryptor?

We can’t say anything reassuring at the moment. No file decryption tool has yet been created. For now, all that remains is to wait until the decryptor is developed.

According to Brian Krebs, a computer security expert, at the moment the criminals have received only 26,000 USD, that is, only about 58 people agreed to pay the ransom to the extortionists. No one knows whether they restored their documents.

How to stop the spread of a virus online?

In the case of WannaCry, the solution may be to block inbound port 445 (SMB), through which the infection spreads, on the firewall.
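The protective measures from this page (show file extensions in Explorer, confirm the MS17-010 fix, turn off SMBv1, block inbound 445) as an added PowerShell example that is not part of the original text: run from an elevated prompt on Windows 8 / Server 2012 or later, where the SMB and firewall cmdlets exist. The KB number for MS17-010 differs per Windows build and the page does not give one, so it is left as a placeholder to be filled in from the bulletin; the firewall rule name is my choice.

```powershell
# Added example, not from the original article. Run elevated; review each step before
# applying it to a server, since steps 3 and 4 affect file sharing.

# 1. Show file extensions in Explorer (HideFileExt = 0), so "invoice.pdf.exe" is visible
#    as an executable. Explorer picks the change up after a restart or sign-out.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
'Explorer: file extensions will be shown'

# 2. Is the MS17-010 fix installed? The KB id depends on the OS build: take it from the
#    MS17-010 bulletin and replace the placeholder below.
$ms17010Kb = 'KB<id-from-MS17-010-bulletin>'   # placeholder, not a real KB number
if (Get-HotFix -Id $ms17010Kb -ErrorAction SilentlyContinue) {
    "MS17-010: $ms17010Kb installed"
} else {
    "MS17-010: $ms17010Kb not found, run Windows Update"
}

# 3. SMBv1, the protocol version the EternalBlue exploit abuses, should be off unless
#    some legacy device still needs it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMBv1: disabled (a reboot may be needed)'
} else {
    'SMBv1: already disabled'
}

# 4. Block inbound TCP 445. Scoped to the Public profile here: on Domain/Private networks
#    file and printer sharing needs 445, so widen the rule only if that is acceptable.
$ruleName = 'Block inbound TCP 445 (SMB) - ransomware mitigation'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
    "Firewall: created rule '$ruleName'"
} else {
    "Firewall: rule '$ruleName' already exists"
}
```

Steps 3 and 4 address different things: disabling SMBv1 removes the vulnerable protocol version from the server side, while the 445 block stops any SMB connection from the chosen network profile at all, which is the blunter measure the paragraph above describes. On a domain workstation it is usually enough to patch and disable SMBv1 and leave 445 open to the internal network.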

For decades, cybercriminals have successfully exploited flaws and vulnerabilities on the World Wide Web. However, in recent years there has been a clear increase in the number of attacks, as well as an increase in their level - attackers are becoming more dangerous and malware is spreading at a rate never seen before.

Introduction

We're talking about ransomware, which took an incredible leap in 2017, causing damage to thousands of organizations around the world. For example, in Australia, ransomware attacks such as WannaCry and NotPetya even caused concern at the government level.

Summing up the “successes” of ransomware malware this year, we will look at the 10 most dangerous ones that caused the greatest damage to organizations. Let's hope that next year we will learn our lessons and prevent this type of problem from entering our networks.

NotPetya

The attack of this ransomware began with the Ukrainian accounting program M.E.Doc, which replaced 1C, which was banned in Ukraine. In just a few days, NotPetya infected hundreds of thousands of computers in more than 100 countries. This malware is a variant of the older Petya ransomware, the only difference being that the NotPetya attacks used the same exploit as the WannaCry attacks.

As NotPetya spread, it affected several organisations in Australia, such as the Cadbury chocolate factory in Tasmania, which had to temporarily shut down its entire IT system. The ransomware also got into the world's largest container carrier, Maersk, which reportedly lost up to $300 million in revenue.

WannaCry

This ransomware, terrifying in its scale, practically took over the entire world. Its attacks used the infamous EternalBlue exploit, which targets a vulnerability in the Microsoft Server Message Block (SMB) protocol.

WannaCry infected victims in 150 countries, more than 200,000 machines on the first day alone. We have written about this sensational malware separately.

Locky

Locky was the most popular ransomware in 2016, but remained active in 2017. New variants of Locky, dubbed Diablo and Lukitus, emerged this year using the same attack vector (phishing) to launch exploits.

It was Locky that was behind the email fraud scandal at Australia Post. According to the Australian Competition and Consumer Commission, citizens lost more than $80,000 to this scam.

CrySis

This instance was distinguished by its masterful use of the Remote Desktop Protocol (RDP). RDP is one of the most popular methods for distributing ransomware because it allows cybercriminals to compromise machines that control entire organizations.

CrySis victims were forced to pay between $455 and $1,022 to recover their files.

Nemucod

Nemucod is distributed using a phishing email that looks like an invoice for transportation services. This ransomware downloads malicious files stored on hacked websites.

In terms of the use of phishing emails, Nemucod is second only to Locky.

Jaff

Jaff is similar to Locky and uses similar techniques. This ransomware is not notable for its original methods of spreading or encrypting files, but on the contrary, it combines the most successful practices.

The attackers behind it demanded up to $3,700 for access to encrypted files.

Spora

To spread this ransomware, cybercriminals compromise legitimate websites by adding JavaScript code to them. A user who lands on such a site is shown a pop-up prompting them to update their Chrome browser to continue browsing. After downloading the so-called Chrome Font Pack, the user is infected with Spora.

Cerber

One of the many attack vectors that Cerber uses is called RaaS (Ransomware-as-a-Service). According to this scheme, attackers offer to pay for the distribution of the Trojan, promising a percentage of the money received. Thanks to this “service,” cybercriminals send out ransomware and then provide other attackers with the tools to distribute it.

Cryptomix

This is one of the few ransomware that does not have a specific type of payment portal available within the dark web. Affected users must wait for the cybercriminals to email them instructions.

Users from 29 countries were victims of Cryptomix; they were forced to pay up to $3,000.

Jigsaw

Another entry in the list that began its activity in 2016. Jigsaw inserts an image of the clown from the Saw film series into spam emails. As soon as the user clicks on the image, the ransomware not only encrypts the files but also deletes them if the user is too late in paying the $150 ransom.

Conclusions

As we see, modern threats are using increasingly sophisticated exploits against well-protected networks. While increased awareness among employees can help manage the impact of infections, businesses need to go beyond basic cybersecurity standards to protect themselves. Defending against today's threats requires proactive approaches that leverage real-time analytics powered by a learning engine that includes understanding threat behavior and context.
