Dr.Web is a library of free utilities. Encryption Trojans

To be honest, today I did not expect to encounter, perhaps, one of the latest modifications of this virus. Not so long ago, I already wrote a little about him on my website - it's time to tell more :)

As I said before - Trojan.Encoder is a Trojan that encrypts user files. There are more and more varieties of this horror, and according to approximate estimates, there are already about 8 of them, namely: Trojan.Encoder.19 , Trojan.Encoder.20 , Trojan.Encoder.21 , Trojan.Encoder.33 , Trojan.Encoder - 43, 44 and 45 and the last one, as I understand it, is not numbered. The author of the virus is a certain "Corrector".

Some information on versions (information taken partly from the site and partly from the site):

Trojan.Encoder.19 - after infecting the system, the Trojan leaves text file crypted.txt with a requirement to pay $10 for the decryptor program.

Another variant of Trojan.Encoder.19 bypasses all non-removable media and encrypts files with extensions from the following list:
.jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .asf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar , .zip, .db, .mdb, .dbf, .dbx, .h, .c, .pas, .php, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .sol, . jbc, .txt, .pdf.

Trojan.Encoder.20 - new version Trojan- ransomware, in which, compared to Trojan.Encoder.19, the mechanism for encryption and key generation has been changed.

Trojan.Encoder.21 - new modification Trojan in the file crypted.txt , which requires you to transfer money (89$) only with the help of a certain payment system, specified by the author of the virus, and do not use systems such as PAYPAL and cash. To spread Trojan.Encoder.21 uses sites that are known to be active Trojan distributors. Previous modifications used one-time links or links with a short duration for this. This feature Trojan.Encoder.21 can drastically increase the rate of its spread.

Trojan.Encoder.33 encrypts user data, but uses new mechanisms. Files with *.txt,*.jpg,*.jpeg,*.doc,*.docx,*.xls extensions that the Trojan transfers to folders are at risk:
C:\Documents and Settings\Local Settings\Application Data\CDD
C:\Documents and Settings\Local Settings\Application Data\FLR
At the same time, the original files are replaced with the message "FileError_22001".

Unlike previous modifications, Trojan.Encoder.33 does not display any messages demanding to pay various amounts of money. At the same time, the function of encrypting user data is carried out by this Trojan only if it manages to contact an external server.

The latter differ from the previous ones in a new document encryption key, as well as in the attacker's new contact details. Doctor Web specialists promptly created utilities that allow decrypting files access to which was blocked by new modifications of Trojan.Encoder . But one more, the "freshest" modification of Trojan.Encoder is especially interesting. This version of the Trojan adds the .DrWeb extension to encrypted files. As a result of the successful counteraction of Trojan.Encoder by the Dr.Web anti-virus, the author apparently had a desire to “spoil” by mentioning our trademark in the name of encrypted files.

In addition, Doctor Web's specialists found a link to one of the websites of the author of the latest modifications of Trojan.Encoder . Interestingly, the owner of this resource is trying to associate himself with Doctor Web using the images of a spider and a doctor, while the company has nothing to do with such sites. Obviously, this design is used to confuse inexperienced users and compromise Doctor Web.

The attacker is trying in every possible way to appear before the victims on the positive side - as a person helping to restore users' documents. On his website, he offers to watch a video that demonstrates the work of a document decryption utility, for which money is extorted.

According to available information, it can be assumed that one person is engaged in extorting money after encrypting files.

Doctor Web analysts have developed a decryption utility and offer it to all users free of charge to recover their files. For the convenience of users, the new version of the utility is equipped with a graphical interface module and is called Trojan.Encoder Decrypt .

Today I came across another (probably the newest) version of this dirty trick, which not only encrypted everything, but also does not have the crypted.txt file, which is necessary for the decryption program from dr.web in order to to decode the files back. Moreover, this (or not this, but some other) thing completely blocked access to avz and does not allow it to run on the computer in any way. It is impossible to either unpack the downloaded archive from or upload the folder directly to the computer, in short, it rests on its feet and hands, cutting off the avz base that lives in the Base folder and has the .avz extension. Trick with renaming the extension or remote start also had no effect. I had to spin. After deployment on the computer software package+ and thorough cleaning without a single reboot of the computer (this is important), as well as after manually nibbling left processes, startup items, kernel space modules and other horrors of life, avz still managed to start. A comprehensive analysis of the system using it revealed a whole cloud of troubles, brought out a number of viruses (Encoder itself was cleaned out by drweb), but .. Decrypt files special program does not come out due to the absence of crypted.txt or any other file close to it. I don't know of any other solution yet.

Therefore, I strongly recommend that all infected people first use the Dr.web Сureit + spybot bundle, and then contact dr.web directly for help in decrypting files. They promise to help and it's completely free.

Where the user picked up this virus, I, unfortunately, do not know.

Thank you for your attention and keep your computer safe. It is important.

Specialists of the anti-virus company Doctor Web have developed a method for decrypting files that have become inaccessible as a result of the action of a dangerous encoder Trojan Trojan.Encoder.2843, known to users as "Vault".

This version ransomware, which received the name according to Dr.Web classification Trojan.Encoder.2843, is actively distributed by cybercriminals using mass mailing lists. A small file containing a JavaScript script is used as an attachment to emails. This file extracts the application from itself, which performs the rest of the actions necessary to ensure the operation of the encoder. This version of the ransomware Trojan has been distributed since November 2, 2015.

The principle of operation of this malicious program is also very curious. To the system Windows registry encrypted dynamic library(.DLL) and in running process explorer.exe the Trojan embeds a small code that reads a file from the registry into memory, decrypts it, and transfers control to it.

List of encrypted files Trojan.Encoder.2843 also stored in system registry and for each of them uses a unique key consisting of capital Latin letters. Files are encrypted using Blowfish-ECB algorithms, the session key is encrypted using RSA using the CryptoAPI interface. Each encrypted file is given a .vault extension.

Doctor Web's specialists have developed a special technique that in many cases makes it possible to decrypt files damaged by this Trojan. If you are a victim of malware Trojan.Encoder.2843 please use the following guidelines:

• apply with the appropriate statement to the police;
• in no case do not try to reinstall the operating system, "optimize" or "clean" it using any utilities;
• do not delete any files on your computer;
• do not try to recover encrypted files yourself;
• contact Doctor Web's technical support service (this service is free for users of Dr.Web commercial licenses);
• attach any file encrypted by the Trojan to the ticket;
• wait for the response of the service specialist technical support; in connection with big amount requests, this may take some time.

We remind you that file decryption services are provided only to owners of commercial licenses for Dr.Web anti-virus products. Doctor Web does not fully guarantee the decryption of all files damaged by the encoder, but our experts will make every effort to save the encrypted information.

The first encrypting Trojans of the Trojan.Encoder family appeared in 2006-2007. Since January 2009, the number of their varieties has increased by about 1900%! Currently, Trojan.Encoder is one of the most dangerous threats for users, with several thousand modifications. From April 2013 to March 2015, Doctor Web's virus laboratory received 8,553 requests to decrypt files affected by encoder Trojans.
Encryption viruses almost won the first place in requests to forums on information security. Every day, an average of 40 applications for decryption are received only by the employees of the Doctor Web virus laboratory from users infected with various types of encryption trojans ( Trojan.Encoder, Trojan-Ransom.Win32.Xorist, Trojan-Ransom.Win32.Rector, Trojan.Locker, Trojan.Matsnu, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.GpCode, Digital Safe, Digital Case, lockdir.exe, rectorrsa, Trojan-Ransom.Win32.Rakhn, CTB-Locker, vault etc.). The main signs of such infections are changing the extensions of user files, such as music files, image files, documents, etc., when trying to open them, a message from the attackers appears demanding payment for obtaining the decryptor. It is also possible to change the background picture of the desktop, the appearance text documents and windows with corresponding messages about encryption, violation license agreements and so on. Encryption Trojans are especially dangerous for commercial firms, since lost data from databases and payment documents can block the work of a firm for an indefinite period, leading to a loss of profit.

Trojans of the Trojan.Encoder family use dozens of different encryption algorithms for user files. For example, to find keys for decrypting files encrypted by the Trojan.Encoder.741 using a simple enumeration method, you will need:
107902838054224993544152335601

Decryption of files damaged by the Trojan is possible in no more than 10% of cases. This means that most user data is lost forever.

Today, ransomware demands for decrypting files up to 1 500 bitcoins.

Even if you pay the ransom to the attacker, he will not give you any guarantee of information recovery.

It comes to curiosities - a case was recorded when, despite the paid ransom, the criminals could not decrypt files encrypted by the Trojan.Encoder they created, and sent the affected user for help ... to the anti-virus company's technical support service!

How does infection occur?

• Through investment in e-mail; using social engineering, the attackers force the user to open the attached file.
• With Zbot infections disguised as PDF attachments.
• Through exploit kits located on hacked websites that use vulnerabilities on a computer to install an infection.
• Through Trojans that offer to download the player required to watch online videos. This is usually found on porn sites.
• Through RDP, using password guessing and vulnerabilities in this protocol.
• With the help of infected keygens, cracks and activation utilities.

When using RDP password guessing, the attacker he comes in under a hacked account, turns it off or unloads an anti-virus product and launches himself encryption.

Until you stop being afraid of letters with the headings "Debt", "Criminal Proceedings", etc., attackers will use your naivety.

Think... Learn for yourself and teach others the basics of security!

• Never open attachments from emails received from unknown recipients, no matter how intimidating the title may be. If the attachment came as an archive, take the trouble to simply view the contents of the archive. And if there is an executable file (extension .exe, .com, .bat, .cmd, .scr), then this is 99.(9)% a trap for you.
• If you are still afraid of something, do not be too lazy to find out the true email address the organization on behalf of which the letter was sent to you. It's not so difficult to find out in our information age.
• Even if the sender's address turned out to be true, do not be too lazy to clarify by phone the existence of such a sent letter. The sender address is easy to forge using anonymous smtp servers.
• If the sender says Sberbank or Russian Post, then this does not mean anything. Normal letters should ideally be signed with digital signature. Carefully check the files attached to such letters before opening.
• Do it regularly backups information on separate media.
• Forget about using simple passwords that are easy to pick up and get into local network organizations under your data. For RDP access, use certificates, VPN access, or two-factor authentication.
• Never work with Administrator rights, be attentive to messages UAC, even if they have "Blue colour" signed application, do not click "Yes", if you did not run installations or updates.
• Install security updates regularly, not only operating system but also application programs.
• Install password for antivirus settings, other than the password account, turn on the self-protection option

Let's quote the recommendations of Dr.Web and Kaspersky Lab:

• immediately turn off the computer to stop the action of the Trojan, the Reset / Power on button on your computer can save a significant part of the data;
• Comment site: Despite the fact that such a recommendation is given by well-known laboratories, in some cases its implementation will lead to more complicated decryption, since the key can be stored in random access memory and after rebooting the system, it will be impossible to restore it. To stop further encryption, you can freeze the execution of the ransomware process using Process Explorer or and for further recommendations.

Spoiler: Footnote

No encoder is able to encrypt all the data instantly, so until the end of the encryption, some part of it remains intact. And the more time has passed since the beginning of encryption, the less untouched data remains. Since our task is to save as many of them as possible, we need to stop the encoder. You can, in principle, start to analyze the list of processes, look for where the Trojan is in them, try to terminate it ... But, believe me, the unplugged power cord is much faster! regular completion Windows work not a bad alternative, but it may take some time, or the trojan may interfere with its actions. So my choice is to pull the cord. Undoubtedly, this step has its drawbacks: the possibility of corrupting the file system and the impossibility of further dumping the RAM. damaged file system for an unprepared person, the problem is more serious than the encoder. After the encoder, at least files remain, while damage to the partition table will make it impossible to boot the OS. On the other hand, a competent data recovery specialist will repair the same partition table without any problems, and the encoder may simply not have time to get to many files.

To initiate a criminal case against the malefactors, law enforcement agencies need a procedural reason - your statement about the crime. Sample Application

Get ready for the fact that your computer will be withdrawn for some time for examination.

If they refuse to accept your application, get a written refusal and file a complaint with a higher police authority (the police chief of your city or region).

• in no case do not try to reinstall the operating system;
• do not delete any files and mail messages on your computer;
• do not run any "cleaners" of temporary files and the registry;
• you should not scan and treat your computer with antiviruses and antivirus utilities, and even more so anti-virus LiveCD, in extreme cases, you can move infected files to the anti-virus quarantine;

Spoiler: Footnote

For decryption, an inconspicuous 40-byte file in a temporary directory or an incomprehensible shortcut on the desktop may have the greatest value. You probably don't know if they will be important for decryption or not, so it's best not to touch anything. Cleaning the registry is generally a dubious procedure, and some encoders leave traces of work important for decryption. Antiviruses, of course, can find the body of the encoder trojan. And they can even delete it once and for all, but then what will be left for analysis? How do we understand how and with what files were encrypted? Therefore, it is better to leave the animal on the disk. Another important point: I do not know of any system cleaner that would take into account the possibility of encoder operation, and would preserve all traces of its operation. And, most likely, such funds will not appear. Reinstalling the system will definitely destroy all traces of the Trojan, except for encrypted files.

• do not try to recover encrypted files on one's own;

Spoiler: Footnote

If you have a couple of years of writing programs behind you, you really understand what RC4, AES, RSA are and what is the difference between them, you know what Hiew is and what 0xDEADC0DE means, you can try. I do not recommend to others. Let's say you found some kind of miracle method for decrypting files and you even managed to decrypt one file. This is not a guarantee that the technique will work on all your files. Moreover, this is not a guarantee that by this method you will not spoil the files even more. Even in our work, there are unpleasant moments when serious errors are found in the decryption code, but in thousands of cases up to this point the code has worked as it should.

Now that it is clear what to do and what not to do, you can start decoding. In theory, decryption is almost always possible. This is if you know all the data you need for it or have an unlimited amount of money, time and processor cores. In practice, something can be deciphered almost immediately. Something will wait its turn for a couple of months or even years. For some cases, you can not even take it: no one will rent a supercomputer for nothing for 5 years. It is also bad that a seemingly simple case, upon detailed consideration, turns out to be extremely complex. Whom to contact is up to you.

• contact the company's anti-virus laboratory, which has a division of virus analysts dealing with this problem;
• attach the Trojan-encrypted file to the ticket (and, if possible, its unencrypted copy);
• wait for the response of the virus analyst. Due to the high volume of requests, this may take some time.

How to recover files?

Addresses with forms for sending encrypted files:

• Dr.Web (Applications for free decryption are accepted only from users of the Drweb complex antivirus)
• Kaspersky Lab (Requests for free decryption are only accepted from users of commercial Kaspersky Lab products)
• ESET LLC ( Applications for free decryption are only accepted from users of ESET commercial products)
• The No More Ransom Project (selection of codebreakers)
• Cryptographers - extortionists (selection of decryptors)
• ID Ransomware (selection of decryptors)

We absolutely not recommended restore files on your own, because with inept actions it is possible to lose all information without restoring anything !!! In addition, the recovery of files encrypted by some types of Trojans just impossible due to the strength of the encryption mechanism.

Utilities for recovering deleted files:
Some types of ransomware trojans create a copy of the file being encrypted, encrypt it, and delete the original file, in which case you can use one of the file recovery utilities (preferably use portable versions programs downloaded and written to a flash drive on another computer):

• R.saver
• Recuva
• JPEG Ripper - recovery utility damaged images
• JPGscan description)
• PhotoRec - utility for recovering damaged images (description)

Method for solving problems with some versions Lockdir

Folders encrypted with some versions of Lockdir can be opened with an archiver 7zip

After successful data recovery, you need to check the system for malware, for this you should run and create a topic with a description of the problem in the section

Recovery of encrypted files using operating system tools.

In order to restore files using the operating system, you must enable system protection before the Trojan encryptor gets on your computer. Most ransomware trojans will try to remove any shadow copies on your computer, but sometimes it fails (in the absence of administrator privileges and installed Windows updates) and you can use shadow copies to recover corrupted files.

It should be remembered that the command to remove shadow copies:

Code:

Vssadmin delete shadows

works only with administrator rights, so after enabling protection, you must work only as a user with limited rights and pay attention to all UAC warnings about an attempt to elevate rights.

Spoiler: How to enable system protection?

How to restore previous versions of files after they are corrupted?

Note:

Restoring from the properties of a file or folder using the " Previous Versions» available only in editions of Windows 7 and above "Professional". Home editions of Windows 7 and all editions of newer Windows have a workaround (under the spoiler).

Spoiler

The second way - this is the use of the utility shadowexplorer(you can download both the installer and the portable version of the utility).

Run the program
Select the drive and date for which you want to recover files

Select the file or folder to restore and click on it right click mice
Select a menu item Export and specify the path to the folder where you want to restore files from the shadow copy.

Ways to protect against ransomware trojans

Unfortunately, the ways to protect against ransomware trojans for ordinary users are quite complicated, since security policy settings or HIPS are required that allow only certain applications to access files and do not provide 100% protection in cases where a Trojan is introduced into the address space of a trusted application. Therefore, the only accessible way protection is backup user files to removable media. Moreover, if such a carrier is an external HDD or flash drive, these media should be connected to the computer only during the backup and be disconnected at all other times. For greater security, backups can be done by booting from live CD. Also, backups can be carried out on the so-called " cloud storage provided by some companies.

Setting antivirus programs to reduce the likelihood of being infected by ransomware trojans.

Applies to all products:

You need to enable the self-protection module and install complex password on the antivirus settings!!!

Hi all! Today I want to highlight one problem related to malware that encrypts files on your computer. There is such a problem, after which requests like “Help! The virus encrypted the files”, many computer wizards get the same issue, who sometimes even undertake to help, but in the end they use what is described below. And what is really to be done if the virus has encrypted the files on the computer?! Read the article to the end, listen to what is written, calm down and take action. Go!

Encryptors are varieties of the trojan encoder family (as dr. web classifies them, for example). The ransomware program itself is often caught after a while by the antivirus if it missed it. But the consequences of her work are depressing. What to do if you become a victim of this kind of filth? Let's figure it out. First you need to know roughly how the enemy works in order to stop loading everyone and everything with stupid questions in the hope that a shaman with a tambourine will appear now and solve your problem in an instant. So, the virus uses asymmetric keys, as far as I know, otherwise there would not be so many problems with it. Such a system uses two keys, one of which encrypts, the other decrypts. Moreover, the first is calculated from the second (but not vice versa). Let's try to visualize this and what is called on the fingers. Consider a couple of figures that clearly demonstrate the process of encryption and decryption.

We will not go into details about how public key. These two pictures demonstrate the process of encryption and then decryption, it's like closing a door and then opening it. What is the real problem with the ransomware virus? The problem is that you don't have any key at all. The attacker has the keys. And the encryption algorithms that use this technology are very cunning. You can somehow get the public key by examining the file, but that doesn't make sense because you need The secret key. And here's the catch with him. Even knowing the public key, it is almost impossible to get the secret one. It is clear that in films and books, as well as the stories of friends and acquaintances, there are some super-duper hackers who, with a wave of their little finger over the keyboard, will decrypt everything, hack everything in the forehead, and in the real world everything is not at all so simple. I will say that this problem cannot be solved head-on, period.

And now about what to do if you picked up this muck. You don't have many options. The most commonplace is to contact the author by e-mail, which he will kindly provide you with a new wallpaper for your desktop, and will also write in the name of each corrupted file. Be careful, otherwise you won't get any files or money. Option two - anti-virus companies, in particular Dr. Web. Contact technical support at https://support.drweb.ru/new/free_unlocker/for_decode/?lng=ru. Go through the items that are required and voila. True, there is one But! You must use a licensed antivirus from Dr. Web, if you do not have it, you will need to purchase a license. If successful, your request will go to the company's technical support service, and then wait for a response. Please pay special attention that this method does not give a 100% guarantee of complete decryption of all files, this is due to the fact that not all keys and algorithms are available. Other anti-virus companies are also involved in decryption, on similar conditions. The third option is to contact law enforcement. By the way, if you create a request to Doctor Web, even they will tell you about it. The third option may be protracted and unsuccessful (however, like the first two), but if successful, the attacker will be punished and he will harm people less, and the key will be given to antivirus companies. There is also a fourth option - unsuccessfully trying to find the miracle of the master, who will decipher it in some top-secret way. Go guys! But think! Well, if antivirus companies do not give a 100% guarantee and recommend contacting the police, then what else to look for? Don't waste your time and money, be realistic.

I summarize. Unfortunately, many people are offended by the craftsmen who send them to the police or to anti-virus company, begging them to help, but our dear users, understand that the masters are not omnipotent, and here you need excellent knowledge in cryptography, and they are unlikely to help. Therefore, use the three above methods, but be careful with the first ( extreme case), it’s better to contact the authorities, and at the same time try to save at least something with the help of specialists from an anti-virus company.
Yes, by the way, contacting the police will help other victims, and if everyone tries to do this, the infection will become many times less, so think not only about yourself but also about other people. And also be prepared for the fact that perhaps no one else will solve your problem except the author of the virus! Therefore, draw an important conclusion for yourself and wound valuable files in several copies on different devices or use cloud services.