How to remove CryLock ransomware from the operating system
Written by Tomas Meskauskas on May 16, 2022 (updated)
What is CryLock?
Discovered by Albert Zsigovits, CryLock is the name of a malicious program, which is a new variant of Cryakl ransomware. This malware is designed to encrypt data and demand payment for decryption.
During the encryption process, all affected files are renamed according to the following pattern: the developer’s email address, the victim’s unique ID, and an extension consisting of three random characters. The extension is randomized for every file.
After completion of this process, CryLock ransomware displays a pop-up window that contains the ransom message.
The message in the pop-up states that all data has been encrypted, including files such as documents, databases, backups and so on. According to the message, the only way to recover them is to purchase a unique decryption key (generated individually for each victim).
The cost of the key is not mentioned, however, it is stated that this will depend on how quickly users establish contact with the cyber criminals behind the infection. Additionally, this window has two countdown timers, which represent the time remaining until the ransom increases and decryption becomes impossible.
Communication is to be initiated via email and victims are instructed to use reliable email clients (e.g. Gmail, ProtonMail, AOL, etc.). The criminals’ email address is apparently temporary, and following 2-4 weeks, it will be blocked.
The messages users send must contain their External IP addresses and unique IDs (located in the messages and within filenames of compromised files). They can also include up to three encrypted files attached, should victims wish to test decryption free of charge.
The total size of these test files cannot exceed 5 MB (non-archived) and they must not contain valuable information (e.g. databases, backups, large excel sheets, etc.). The message warns users that attempting to decrypt the files with third party software can result in permanent data loss.
Unfortunately, in most cases of ransomware infections, file recovery is impossible without the involvement of the individuals responsible, unless the malware in question is still in development and/or has bugs/flaws. Whatever the case, you are strongly advised against contacting and/or meeting the demands of cyber criminals.
Despite paying, victims often receive none of the promised decryption tools/keys. Therefore, their files remain damaged beyond repair and they also experience significant financial loss. To prevent CryLock from further encryption, it must be eliminated from the operating system, however, removal will not restore already encrypted data.
The only viable solution is to recover files from a backup, provided one was made prior to the infection and was stored in a different location.
Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:
Picocode, Adhubllka, and Sivo are some examples of other ransomware infections. Malicious software under this classification encrypts data of infected systems and demands payment for the appropriate decryption tools. There are two main differences: cryptographic algorithm used (symmetric or asymmetric) and ransom size.
The latter ranges between three and four digit sums (in USD). Cyber criminals tend to prefer digital currencies (e.g. cryptocurrencies, pre-paid vouchers, etc.), since these transactions are difficult/impossible to trace.
To protect files from data encryption attacks, you are advised to store backups on remote servers and/or unplugged storage devices (ideally, in multiple locations).
How did ransomware infect my computer?
Ransomware and other malware is primarily spread through spam campaigns, trojans, software «cracking» (activation) tools, fake updaters and untrustworthy download sources. Spam campaigns are used to send deceptive emails by the thousand. These messages are usually disguised as «official», «important» or «urgent».
They have infectious files attached (or contain links leading to them). These attachments come in various formats (e.g. Microsoft Office and PDF documents, archive and executable files, JavaScript, etc.). Once opened, the infection process begins (i.e., they start downloading/installing malware).
Trojans are malicious programs capable of causing chain infections. Rather than activating licensed products, «cracking» tools can download/install malicious software. Fake updaters cause infections by abusing flaws of outdated programs and/or simply by installing malware rather than the updates.
Untrustworthy download channels such as unofficial and free file-hosting websites, P2P sharing networks (BitTorrent, Gnutella, eMule, etc.) and other third party downloaders present malicious software as normal content, or bundled with it.
Detection names: Avast (Win32:Trojan-gen), BitDefender (Gen:Heur.Ransom.REntS.Gen.1), ESET-NOD32 (A Variant Of Win32/Filecoder.EQ), Kaspersky (HEUR:Trojan.Win32.Generic); full list of detections on VirusTotal.
Symptoms
Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.
How to protect yourself from ransomware infections
Do not open suspicious and/or irrelevant emails. Any attachments (or links) present in suspect mail must never be opened, due to the threat of potential malware infections. All downloads should be performed from official and verified sources.
Program activation and updating should be performed using functions/tools provided by legitimate developers, as illegal activation («cracking») tools and third party updaters are high-risk. Have a reputable anti-virus/anti-spyware suite installed and kept up-to-date.
This software should be used for regular system scans and removal of detected threats. If your computer is already infected with CryLock, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate this ransomware.
Text presented in CryLock ransomware ransom message:
Price is raised! Your files have been encrypted. Price is raised!Your files will be lost after
What happened? All your documents, databases, backups and other important files have been encrypted due to a security problem with your PC. The only way to recover files is to purchase a unique private decryption key. If you want to recover files, write to us by e-mail: grand@horsef***er.org with the following details: External IP You unique ID 1381524425 The price depends on how fast you write to us, on timers you can see how many time do you have before price increasing. After payment we will send you the tool that will decrypt all your files. In case of no answer in 24 hours write us to this e-mail: horsef***er@tuta.io
Any guarantees? Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. Use trusted email clients (gmail.com, protonmail.com, aol.com, etc.) for communication; sometimes your letters do not reach us from corporate letters. Communication with us lasts 2-4 weeks, then we block mail for communication Your ID 515399964 Write to grand@horsef***er.org
The appearance of CryLock ransomware pop-up (GIF):
Screenshot of files encrypted by CryLock («[cyber_criminals’_email_address][victim’s_ID].[3_random_letters]» extension):
Another variant of CryLock ransomware pop-up window:
Text presented within this pop-up:
Payment will be raised after 1 day 23:34:57 Your files have been encrypted.
Your files will be lost after 4 days 23:34:57
What happened? All your documents, databases, backups and other important files have been encrypted due to a security problem with your PC. The only way to recover files is to purchase a unique private decryption key. If you want to recover files, write to us by e-mail: tomascry@protonmail.com with the following details: External IP You unique ID [-] The price depends on how fast you write to us, on timers you can see how many time do you have before price increasing. After payment we will send you the tool that will decrypt all your files. In case of no answer in 24 hours write us to this e-mail: markcry@pm.me
Any guarantees? Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. Use trusted email clients (gmail.com, protonmail.com, aol.com, etc.) for communication; sometimes your letters do not reach us from corporate letters. Communication with us lasts 2-4 weeks, then we block mail for communication Your ID [-] Write to tomascry@protonmail.com
Screenshot of the pop-up window ("how_to_decrypt.hta"):
Text presented within:
Payment will be raised after 1 day 23:39:15 Your files have been encrypted. 0111100111101011001 Your files will be lost after 4 days 23:39:15 Decrypt files? Write to this mails: reddragon3335799@protonmail.ch or reddragon3335799@tutanota.com. Telegram @assist_decoder. You unique ID [59436244-F9E4D68F] Your ID [59436244-F9E4D68F] Write to reddragon3335799@protonmail.ch
Screenshot of files encrypted by this CryLock variant:
Screenshot of the updated CryLock ransomware pop-up window ("how_to_decrypt.hta"):
Text presented within:
ENCRYPTED What happened? All your documents, databases, backups, and other critical files were encrypted. Our software used the AES cryptographic algorithm (you can find related information in Wikipedia).
It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us.
To do this, please send your unique ID to the contacts below. E-mail:jericoni@pm.me copy Unique ID:[-]copy Right after payment, we will send you a specific decoding software that will decrypt all of your files. If you have not received the response within 24 hours, please contact us by e-mail crylock@danwin1210.me.During a short period, you can buy a decryption key with a 50% discount 2 days 23:54:14 The price depends on how soon you will contact us.All your files will be deleted permanently in:4 days 23:54:14 Attention! ! Do not try to recover files yourself. this process can damage your data and recovery will become impossible. ! Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price. ! Do not contact any intermediaries. They will buy the key from us and sell it to you at a higher price. What guarantees do you have?
Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)
Screenshot of the files encrypted by this CryLock ransomware variant («[jericoni@pm.me].[victim’s_ID]» extension):
Screenshot of the pop-up window ("how_to_decrypt.hta"):
Text presented within:
happened? All your documents, databases, backups, and other critical files were encrypted. Our software used the AES cryptographic algorithm (you can find related information in Wikipedia).
It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us.
To do this, please send your unique ID to the contacts below. E-mail:bigbosscry@pm.me copy Unique ID:[-] copy Right after payment, we will send you a specific decoding software that will decrypt all of your files. If you have not received the response within 24 hours, please contact us by e-mail crylock@usa.com.During a short period, you can buy a decryption key with a 50% discount 4 days 23:25:02 The price depends on how soon you will contact us.All your files will be deleted permanently in:6 days 23:25:02Attention! ! Do not try to recover files yourself. this process can damage your data and recovery will become impossible. ! Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price. ! Do not contact any intermediaries. They will buy the key from us and sell it to you at a higher price. What guarantees do you have?
Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)
Screenshot of files encrypted by this CryLock ransomware variant («[bigbosscry@pm.me][1].[-]» extension):
Examples of files encrypted by other variants of CryLock ransomware:
Example 1 («[omegawatch@protonmail.com[ferauto].[victim’s_ID]» extension):
Example 2 («[darkmask@mailfence.com[fervis].[victim’s_ID]» extension):
Yet another variant of a pop-up window ("how_to_decrypt.hta") delivered by CryLock ransomware:
Text presented within:
All files will be devare on: IF YOU READ THIS, ALL YOUR IMPORTANT DATA IS ENCRYPTED! In case you attempt to recover it with any third-party software, the encryption algorithm will irreversibly corrupt your files!
We’ve copied all of your documents, databases, and other essential files.
The only way for you to save your data is to buy the unique decryption key. If you try to cheat us or do anything else besides our offer, we’ll use the info we have against you. To get rid of any doubts regarding our words, contact us. You need to go through several steps:
Download the Tor Browser: hxxps://www.torproject.org/ Open it and proceed to the link: hxxp://d57uremugxjrafyg.onion/idFishEye Enter your unique ID and email and press Enter If you haven’t received any reaction in 24 hours, please contact us via email: eyefish@msgsafe.io
You have only four days to make the right choice! If we won’t receive your payment within this period, your domain network can be attacked again.
Hurry up! Your Personal ID: COPY ID
CryLock ransomware removal:
Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware.
Video suggesting what steps should be taken in case of a ransomware infection:
Reporting ransomware to authorities:
If you are a victim of a ransomware attack we recommend reporting this incident to authorities. By providing information to law enforcement agencies you will help track cybercrime and potentially assist in the prosecution of the attackers. Here’s a list of authorities where you should report a ransomware attack. For the complete list of local cybersecurity centers and information on why you should report ransomware attacks, read this article.
List of local authorities where ransomware attacks should be reported (choose one depending on your residence address):
Isolating the infected device:
Some ransomware-type infections are designed to encrypt files within external storage devices, infect them, and even spread throughout the entire local network. For this reason, it is very important to isolate the infected device (computer) as soon as possible.
Step 1: Disconnect from the internet.
The easiest way to disconnect a computer from the internet is to unplug the Ethernet cable from the motherboard, however, some devices are connected via a wireless network and for some users (especially those who are not particularly tech-savvy), disconnecting cables may seem troublesome. Therefore, you can also disconnect the system manually via Control Panel:
Navigate to the "Control Panel", click the search bar in the upper-right corner of the screen, enter "Network and Sharing Center" and select the search result:
Click the «Change adapter settings» option in the upper-left corner of the window:
Right-click on each connection point and select "Disable". Once disabled, the system will no longer be connected to the internet. To re-enable the connection points, simply right-click again and select "Enable".
Step 2: Unplug all storage devices.
As mentioned above, ransomware might encrypt data and infiltrate all storage devices that are connected to the computer. For this reason, all external storage devices (flash drives, portable hard drives, etc.) should be disconnected immediately, however, we strongly advise you to eject each device before disconnecting to prevent data corruption:
Navigate to "My Computer", right-click on each connected device, and select "Eject":
Step 3: Log-out of cloud storage accounts.
Some ransomware-type infections might be able to hijack software that handles data stored within "the Cloud". Therefore, the data could be corrupted/encrypted. For this reason, you should log out of all cloud storage accounts within browsers and other related software. You should also consider temporarily uninstalling the cloud-management software until the infection is completely removed.
Identify the ransomware infection:
To properly handle an infection, one must first identify it. Some ransomware infections use ransom-demand messages as an introduction (see the WALDO ransomware text file below).
This, however, is rare. In most cases, ransomware infections deliver more direct messages simply stating that data is encrypted and that victims must pay some sort of ransom. Note that ransomware-type infections typically generate messages with different file names (for example, "_readme.txt", "READ-ME.txt", "DECRYPTION_INSTRUCTIONS.txt", "DECRYPT_FILES.html", etc.). Therefore, using the name of a ransom message may seem like a good way to identify the infection. The problem is that most of these names are generic and some infections use the same names, even though the delivered messages are different and the infections themselves are unrelated. Therefore, using the message filename alone can be ineffective and even lead to permanent data loss (for example, by attempting to decrypt data using tools designed for different ransomware infections, users are likely to end up permanently damaging files, and decryption will no longer be possible even with the correct tool).
Another way to identify a ransomware infection is to check the file extension, which is appended to each encrypted file. Ransomware infections are often named by the extensions they append (see files encrypted by Qewe ransomware below).
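The CryLock renaming pattern described at the start of this article (original name, contact e-mail in brackets, victim ID, per-file random extension, plus the later "[e-mail].[ID]" and "[e-mail[tag].[ID]" variants) is specific enough to be checked mechanically, which is the extension-based identification discussed here. The following Python script is an added example, not code from the original article or from PCrisk; the file listing, the contact addresses (example.com/example.net placeholders) and the function names are constructed for illustration, while the victim IDs are the ones quoted in the ransom notes above.

```python
import re
from collections import defaultdict

# Naming pattern described in this article:
#   <original name>[<contact e-mail>][<victim ID>].<three random characters>
# Later variants shown on the page use "[<e-mail>].[<ID>]" or "[<e-mail>[<tag>].[<ID>]",
# so the first bracket holding an e-mail address is the anchor; everything after it is
# captured loosely and split into bracket tokens plus an optional trailing extension.
CRYLOCK_RE = re.compile(
    r"^(?P<original>.+?)"                   # original file name, real extension included
    r"\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)"   # contact address opening the appended suffix
    r"(?P<rest>.*)$"                         # victim ID, optional tag, random extension
)

# Ransom note file name used by the CryLock variants shown on this page.
RANSOM_NOTE = "how_to_decrypt.hta"


def parse_crylock_name(name):
    """Return the parts of a CryLock-style file name, or None if it does not match."""
    m = CRYLOCK_RE.match(name)
    if not m:
        return None
    rest = m.group("rest")
    tokens = re.findall(r"\[([^\[\]]*)\]", rest)     # e.g. ["1381524425"] or ["ferauto", "<ID>"]
    tail = rest.rsplit("]", 1)[-1]                    # text after the last closing bracket
    ext = tail[1:] if tail.startswith(".") else ""    # per-file random extension, if present
    return {"original": m.group("original"), "email": m.group("email"),
            "tokens": tokens, "ext": ext}


def triage(listing):
    """Sort a file listing into CryLock-renamed files (grouped by contact address),
    ransom notes, and files that do not match the pattern."""
    by_email = defaultdict(list)
    notes, untouched = [], []
    for path in listing:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() == RANSOM_NOTE:
            notes.append(path)
            continue
        parsed = parse_crylock_name(base)
        if parsed is None:
            untouched.append(path)
        else:
            parsed["path"] = path
            by_email[parsed["email"]].append(parsed)
    return {"by_email": dict(by_email), "notes": notes, "untouched": untouched}


def summarize(listing):
    """The facts a responder wants first: file count, contact addresses, victim IDs,
    and whether the extension really varies per file as the article describes."""
    t = triage(listing)
    victim_ids, random_exts = set(), set()
    for entries in t["by_email"].values():
        for e in entries:
            if e["tokens"]:
                victim_ids.add(e["tokens"][-1])   # last bracket token is the victim ID in every variant shown
            if e["ext"]:
                random_exts.add(e["ext"])
    return {
        "encrypted": sum(len(v) for v in t["by_email"].values()),
        "contacts": sorted(t["by_email"]),
        "victim_ids": sorted(victim_ids),
        "random_extensions": sorted(random_exts),
        "ransom_notes": len(t["notes"]),
        "untouched": len(t["untouched"]),
    }


# Constructed sample listing (not real artefacts): placeholder contact addresses,
# victim IDs taken from the ransom notes quoted in this article, three random extensions.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx[contact@example.com][1381524425].kqz",
    r"C:\Users\alice\Documents\budget.xlsx[contact@example.com][1381524425].mfa",
    r"C:\Users\alice\Pictures\photo[1].jpg[contact@example.com][1381524425].rtv",
    r"C:\Users\alice\Documents\how_to_decrypt.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\backup\db.sql[other@example.net].[59436244-F9E4D68F]",
    r"D:\backup\archive.zip[other@example.net[ferauto].[59436244-F9E4D68F]",
]

if __name__ == "__main__":
    # Several distinct random extensions under one contact address and one victim ID
    # is exactly what the pattern described in the article predicts for one infection.
    for key, value in summarize(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Point the script at a real directory listing (for example, the output of a recursive file enumeration saved to a text file) and the "contacts" and "victim_ids" fields give you the keywords to search with on ID Ransomware or No More Ransom.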
One of the easiest and quickest ways to identify a ransomware infection is to use the ID Ransomware website. This service supports most existing ransomware infections. Victims simply upload a ransom message and/or one encrypted file (we advise you to upload both if possible).
The ransomware will be identified within seconds and you will be provided with various details, such as the name of the malware family to which the infection belongs, whether it is decryptable, and so on.
Example 1 (Qewe [Stop/Djvu] ransomware):
Example 2 (.iso [Phobos] ransomware):
If your data happens to be encrypted by ransomware that is not supported by ID Ransomware, you can always try searching the internet by using certain keywords (for example, a ransom message title, file extension, provided contact emails, crypto wallet addresses, etc.).
Search for ransomware decryption tools:
Encryption algorithms used by most ransomware-type infections are extremely sophisticated and, if the encryption is performed properly, only the developer is capable of restoring data. This is because decryption requires a specific key, which is generated during the encryption. Restoring data without the key is impossible. In most cases, cybercriminals store keys on a remote server, rather than using the infected machine as a host. Dharma (CrySis), Phobos, and other families of high-end ransomware infections are virtually flawless, and thus restoring data encrypted without the developers’ involvement is simply impossible. Despite this, there are dozens of ransomware-type infections that are poorly developed and contain a number of flaws (for example, the use of identical encryption/decryption keys for each victim, keys stored locally, etc.). Therefore, always check for available decryption tools for any ransomware that infiltrates your computer.
Finding the correct decryption tool on the internet can be very frustrating. For this reason, we recommend that you use the No More Ransom Project and this is where identifying the ransomware infection is useful. The No More Ransom Project website contains a «Decryption Tools» section with a search bar. Enter the name of the identified ransomware, and all available decryptors (if there are any) will be listed.
Restore files with data recovery tools:
Depending on the situation (quality of ransomware infection, type of encryption algorithm used, etc.), restoring data with certain third-party tools might be possible. Therefore, we advise you to use the Recuva tool developed by CCleaner. This tool supports over a thousand data types (graphics, video, audio, documents, etc.) and it is very intuitive (little knowledge is necessary to recover data). In addition, the recovery feature is completely free.
Step 1: Perform a scan.
Run the Recuva application and follow the wizard. You will be prompted with several windows allowing you to choose what file types to look for, which locations should be scanned, etc. All you need to do is select the options you’re looking for and start the scan. We advise you to enable the «Deep Scan» before starting, otherwise, the application’s scanning capabilities will be restricted.
Wait for Recuva to complete the scan. The scanning duration depends on the volume of files (both in quantity and size) that you are scanning (for example, several hundred gigabytes could take over an hour to scan). Therefore, be patient during the scanning process. We also advise against modifying or deleting existing files, since this might interfere with the scan. If you add additional data (for example, downloading files/content) while scanning, this will prolong the process:
Step 2: Recover data.
Once the process is complete, select the folders/files you wish to restore and simply click «Recover». Note that some free space on your storage drive is necessary to restore data:
Create data backups:
Proper file management and creating backups is essential for data security. Therefore, always be very careful and think ahead.
Data backups: One of the most reliable backup methods is to use an external storage device and keep it unplugged. Copy your data to an external hard drive, flash (thumb) drive, SSD, HDD, or any other storage device, unplug it and store it in a dry place away from the sun and extreme temperatures. This method is, however, quite inefficient, since data backups and updates need to be made regularly. You can also use a cloud service or remote server. Here, an internet connection is required and there is always the chance of a security breach, although it’s a really rare occasion.
We recommend using Microsoft OneDrive for backing up your files. OneDrive lets you store your personal files and data in the cloud, sync files across computers and mobile devices, allowing you to access and edit your files from all of your Windows devices. OneDrive lets you save, share and preview files, access download history, move, delete, and rename files, as well as create new folders, and much more.
You can back up your most important folders and files on your PC (your Desktop, Documents, and Pictures folders). Some of OneDrive’s more notable features include file versioning, which keeps older versions of files for up to 30 days. OneDrive features a recycling bin in which all of your deleted files are stored for a limited time. Deleted files are not counted as part of the user’s allocation.
The service is built using HTML5 technologies and allows you to upload files up to 300 MB via drag and drop into the web browser or up to 10 GB via the OneDrive desktop application. With OneDrive, you can download entire folders as a single ZIP file with up to 10,000 files, although it can’t exceed 15 GB per single download.
OneDrive comes with 5 GB of free storage out of the box, with an additional 100 GB, 1 TB, and 6 TB storage options available for a subscription-based fee. You can get one of these storage plans by either purchasing additional storage separately or with Office 365 subscription.
Creating a data backup:
The backup process is the same for all file types and folders. Here’s how you can back up your files using Microsoft OneDrive:
Step 1: Choose the files/folders you want to backup.
Click the OneDrive cloud icon to open the OneDrive menu. While in this menu, you can customize your file backup settings.
Click Help & Settings and then select Settings from the drop-down menu.
Go to the Backup tab and click Manage backup.
In this menu, you can choose to backup the Desktop and all of the files on it, and Documents and Pictures folders, again, with all of the files in them. Click Start backup.
Now, when you add a file or folder in the Desktop and Documents and Pictures folders, they will be automatically backed up on OneDrive.
To back up folders and files that are not in the locations shown above, you have to add them manually.
Open File Explorer and navigate to the location of the folder/file you want to backup. Select the item, right-click it, and click Copy.
Then, navigate to OneDrive, right-click anywhere in the window and click Paste. Alternatively, you can just drag and drop a file into OneDrive. OneDrive will automatically create a backup of the folder/file.
All of the files added to the OneDrive folder are backed up in the cloud automatically. The green circle with the checkmark in it indicates that the file is available both locally and on OneDrive and that the file version is the same on both. The blue cloud icon indicates that the file has not been synced and is available only on OneDrive. The sync icon indicates that the file is currently syncing.
To access files only located on OneDrive online, go to the Help & Settings drop-down menu and select View online.
Step 2: Restore corrupted files.
OneDrive makes sure that the files stay in sync, so the version of the file on the computer is the same version on the cloud. However, if ransomware has encrypted your files, you can take advantage of OneDrive’s Version history feature that will allow you to restore the file versions prior to encryption.
Microsoft 365 has a ransomware detection feature that notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. It must be noted, however, that if you don’t have a paid Microsoft 365 subscription, you only get one detection and file recovery for free.
If your OneDrive files get deleted, corrupted, or infected by malware, you can restore your entire OneDrive to a previous state. Here’s how you can restore your entire OneDrive:
1. If you’re signed in with a personal account, click the Settings cog at the top of the page. Then, click Options and select Restore your OneDrive.
If you’re signed in with a work or school account, click the Settings cog at the top of the page. Then, click Restore your OneDrive.
2. On the Restore your OneDrive page, select a date from the drop-down list. Note that if you’re restoring your files after automatic ransomware detection, a restore date will be selected for you.
3. After configuring all of the file restoration options, click Restore to undo all the activities you selected.
The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups.
About the author:
I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.
How to decrypt ransomware [Jul 2021]
Get best practice tips for identifying ransomware strains, successful recovery of the encrypted hostage data, and preventing the attack in the first place.
File-encrypting ransomware is undoubtedly the worst type of malicious code as of yet. In case of such an attack, simply removing the infection is not enough. Decrypting hostage data is the actual challenge victims are confronted with. The ransomware threat landscape is heterogeneous. Some samples have weak crypto, with the secret decryption key being embedded in the malicious executable itself. Others are made professionally enough to thwart recovery.
One way or another, reviving locked files is on every contaminated user’s agenda. Data backups are a godsend in this context, but this route of incident response is still a weak link of most end users’ and even organizations’ security posture. So what is the best practice, universal walkthrough to restore files mutilated by a ransom Trojan if there are no backups available?
Step 1: Remove the ransomware
This point is somewhat controversial, because most widespread strains of crypto ransomware only persist on an infected computer until the victim’s data has been encrypted. Even with such a self-termination routine in place, some of the newer, more sophisticated samples come equipped with additional DDoS, identity theft or screen locking mechanisms. With that said, it always makes sense to ascertain that the ransom Trojan and its accompanying components are no longer on the machine.
One of the methods is to leverage System Restore, a native Windows feature that allows reverting the operating system to its earlier state. Although this technique does not apply to personal files, it can make the PC ransomware-free. However, if System Restore was not enabled when the attack took place, it’s no good as a troubleshooting vector. In this case, consider using an automatic antimalware suite, which will detect the ransomware and completely remove it.
Step 2: Resort to forensics for file recovery
The effectiveness of using forensic tools to restore ransomware-crippled files stems from a specific trait of the average ransomware attack. The fact is, most of these offending programs tend to delete the original files. The inaccessible objects sprinkled throughout the plagued PC are nothing but encrypted copies of a victim’s important data. It means that the deleted files may physically still be somewhere on the hard drive, unless the infection uses multiple overwrites to shred them beyond recovery. By leveraging software like Data Recovery Pro, you may be able to reinstate some of the original data entries. Just install the tool and run a scan to determine what’s recoverable.
One more avenue of file restoration has to do with what’s called the Volume Shadow Copy Service (VSS). In a nutshell, it denotes a system module that takes snapshots and saves reserve copies of files at certain intervals. You can view the list of the backup versions for an arbitrary file by going to its Properties and selecting the Previous Versions tab. The application called Shadow Explorer completely automates this routine, enabling users to select folders or files of interest and restore their shadow copies to a desired path.
In the event these do-it-yourself techniques end up futile, it’s high time you searched for specially crafted decryption tools. But first, it’s mandatory to find out what strain you are dealing with.
Step 3: Identify the ransomware
There are hundreds of different crypto ransomware families in the wild. To determine whether security researchers have released the right decryptor for your incident, the rule of thumb is to first figure out which strain has attacked your computer. Sometimes the ransom note straightforwardly mentions the name and iteration (including subversion) of the infection, as is the case with the notorious GandCrab or Cerber ransomware lineages.
If a match is found in Crypto Sheriff’s database, the service will display a page defining the type of the ransomware. Furthermore, it provides a button to download the appropriate free decryption tool if available. Users can also report the crime to their local law enforcement agency.
As opposed to ransomware identification, attack attribution isn’t really a component of the data decryption chain proper. However, it provides food for thought about who the adversary is. According to statistics provided by Kaspersky Lab, 47 out of 62 ransomware strains spotted in 2016 were created by Russian-speaking crooks. It means that 75% of all file-encrypting malware samples originate from Russia. These perpetrating programs infected at least 1.4 million people last year. The takeaway is that online extortion has a language. It’s Russian.
Keep in mind that determining what ransomware specimen is on board your computer is half the battle. The next move is to find out whether antimalware labs or security enthusiasts have a free decryption tool in store for the infection.
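As an added example (not from the original article), here is a small Python triage helper that applies the filename and ransom-note indicators described across this page (Cerber v4, CrySiS/Dharma, Shade, Stampado, HiddenTear, Globe) to a directory listing, so the family can be narrowed down before looking for a decryptor. The regular expressions, weights and sample listings are my own constructions based on the page's descriptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators encoded from the descriptions on this page (filename patterns and
# ransom-note names). The regular expressions and weights are my own choices,
# not anything published by the vendors or researchers the page cites.


@dataclass(frozen=True)
class Family:
    name: str
    encrypted_name: Optional[re.Pattern]   # matches the basename of an encrypted file
    ransom_notes: frozenset                # lower-cased ransom-note filenames


FAMILIES = (
    # Cerber v4: 10-character gibberish name plus four hex characters
    # (e.g. utTNNgp574.96b3) and a Readme.hta note; v3 used a uniform .cerber3.
    Family("Cerber v4", re.compile(r"^[A-Za-z0-9]{10}\.[0-9a-f]{4}$"),
           frozenset({"readme.hta"})),
    Family("Cerber v3", re.compile(r"\.cerber3$", re.IGNORECASE), frozenset()),
    # CrySiS/Dharma: contact e-mail appended to the name, then a known extension.
    Family("CrySiS / Dharma",
           re.compile(r"\.[\w.+-]+@[\w.-]+\.(xtbl|crysis|crypt|crypted|dharma|wallet)$",
                      re.IGNORECASE),
           frozenset({"decryption instructions.txt",
                      "decryptions instructions.txt", "readme.txt"})),
    # Shade: .xtbl or .breaking_bad, but without the e-mail part CrySiS adds.
    Family("Shade", re.compile(r"^[^@]*\.(xtbl|breaking_bad)$", re.IGNORECASE),
           frozenset()),
    # Stampado/Philadelphia: ".locked" appended; the name is sometimes replaced by hex.
    Family("Stampado", re.compile(r"\.locked$", re.IGNORECASE), frozenset()),
    # HiddenTear derivatives and Globe: extensions vary, so rely on note names.
    Family("HiddenTear variant", None,
           frozenset({"read_it.txt", "msg_from_situla.txt", "decrypt_your_files.html"})),
    Family("Globe", None,
           frozenset({"read me please.hta", "how to restore files.hta"})),
)

NOTE_WEIGHT = 3                 # a ransom note is stronger evidence than one renamed file
GENERIC_NOTES = {"readme.txt"}  # also common on clean systems: weak evidence only
MIN_SCORE = 2                   # below this, do not name a family at all


def triage(listing: Iterable[str]):
    """Return (best_family_or_None, evidence) for an iterable of file paths.

    evidence maps each family name to the filenames that matched its indicators,
    so an analyst can see why a family was suggested.
    """
    names = [p.replace("\\", "/").rsplit("/", 1)[-1] for p in listing]
    scores: Counter = Counter()
    evidence: dict = {}
    for fam in FAMILIES:
        for n in names:
            low = n.lower()
            if low in fam.ransom_notes:
                scores[fam.name] += 1 if low in GENERIC_NOTES else NOTE_WEIGHT
            elif fam.encrypted_name and fam.encrypted_name.search(n):
                scores[fam.name] += 1
            else:
                continue
            evidence.setdefault(fam.name, []).append(n)
    if not scores or scores.most_common(1)[0][1] < MIN_SCORE:
        return None, evidence
    return scores.most_common(1)[0][0], evidence


# Constructed sample listings for the example, not real incident data.
SAMPLE_LISTINGS = {
    "cerber": ["C:/Users/alice/Documents/utTNNgp574.96b3",
               "C:/Users/alice/Documents/Kx9aBc12Qz.1a2f",
               "C:/Users/alice/Desktop/Readme.hta"],
    "crysis": ["report.docx.id-1234.vegclass@aol.com.xtbl",
               "photo.jpg.johnycryptor@hackermail.com.xtbl",
               "Decryption instructions.txt"],
    "shade": ["holiday.jpg.xtbl", "cv.doc.breaking_bad"],
    "stampado": ["document.docx.locked",
                 "85451F3CCCE348256B549378804965CD8564065FC3F8.locked"],
    "clean": ["README.txt", "budget.xlsx", "notes.txt"],
}

if __name__ == "__main__":
    for label, files in SAMPLE_LISTINGS.items():
        family, why = triage(files)
        print(f"{label}: {family} {why}")
```

A positive result only tells you which family page (for example on ID Ransomware or No More Ransom) to check first; the ransom note text and a sample file are still needed to confirm the exact variant.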
Step 4: Decrypt your files
Now that you know the name of your cyber adversary, it’s time to figure out if there is a file recovery solution that doesn’t presuppose paying the ransom. Unfortunately, only a few strains of ransomware can be decrypted for free, compared to the whopping overall number of these infections on the loose.
The list of available free decryptors below, along with brief descriptions of the corresponding ransomware samples, is the starting point for your troubleshooting:
Most of these decryption tools are easy to use. The ones by Emsisoft, for instance, require that ransomware victims drag and drop an arbitrary encrypted file and its original version onto the decryptor’s window. The GandCrab decryptor by Bitdefender is even more intuitively built – it scans the whole system or specified path, spots all the hostage files and automatically decrypts them without user involvement if the ransomware version is supported. With some utilities, however, more advanced tech skills are necessary, such as the use of command prompt and the like. Furthermore, ransomware authors tend to tweak their code once in a while in order to defeat previously released decryptors. In any case, the list above should come in handy.
An additional recommendation is to look up the name of the ransomware on search engines, browse dedicated forums such as Bleeping Computer, and use the above-mentioned ID Ransomware and No More Ransom services. The best prevention tips are as follows: maintain regular data backups, do not open fishy email attachments, and use reliable security software that goes equipped with an anti-ransomware module.
Can you remove ransomware?
Yes, you can – moreover, you shouldn’t run into any difficulties with it. Most security tools made by reputable publishers can easily identify the threat and eradicate all of its components. The funny thing is, many ransom trojans follow a self-termination tactic after encrypting a victim’s data and therefore you may not even have to remove the malicious code whatsoever. Even if this is the case, though, it’s cold comfort because your files remain encrypted regardless. Ultimately, it’s data decryption rather than ransomware removal that you need to focus on.
How does ransomware spread?
Attacks via RDP (Remote Desktop Protocol) hacks are gaining momentum as well. They are often leveraged to orchestrate targeted raids against organizations or local governments. By the way, such extortion campaigns have seen a huge spike in 2019. The criminals zero in on systems using default or weak RDP credentials and thereby take root in the enterprise network, being able to deposit and run their ransomware manually over the compromised connection.
Although exploit kits appear to be gradually fading away in the present-day ransomware propagation schemes, they continue to be a concern. This approach harnesses known software vulnerabilities as the entry point. It is particularly dangerous because the whole infection chain takes place silently and doesn’t give the would-be victims a heads up until their files are scrambled with a cipher. Incidentally, exploits are to blame for some of the biggest ransomware outbreaks in history, including the WannaCry and NotPetya cyber-epidemics.
There are also more ‘exotic’ spreading mechanisms that involve instant messages on social media, drive-by downloads on adult sites, or virus-tainted keygen applications. However, they are marginal as compared to the above three methods.
Can ransomware spread through network?
Does antivirus stop ransomware?
Ideally, antivirus software should be able to detect such an attack and stop it in its tracks. However, reports about successful ransomware incursions against ostensibly well-protected systems keep hitting the headlines. There are a few aspects that play a role in this regard. First of all, some AVs are more effective than others. What matters is whether or not the tool comes with real-time protection, Internet security features, and a heuristic analysis module. The frequency and quality of malware signature updates influence the app’s ransomware prevention efficiency as well. Lots of people opt for free security suites that lack some of these modules and capabilities.
Furthermore, cybercrooks are constantly coming up with new techniques that might slip under the radar of traditional antiviruses, even reputable ones with up-to-date definitions. Security is a process, and it requires permanent improvements of the defenses to keep up with the evolving threats. In summary, antivirus is an important layer of protection against ransomware, but it’s not a cure-all. You need to additionally follow safe online practices to take it up a notch.
How much did ransomware make in 2019?
First things first, it’s impossible to provide accurate numbers, because numerous victims choose not to report ransomware attacks. For businesses, this is a particularly touchy subject as it may entail reputational risks. Although such attacks saw a significant decline in terms of their quantity over the past few years, the criminals’ overall earnings are unlikely to have decreased. The malefactors aren’t really trying to catch small fish in a big pond anymore – instead, they switched to zeroing in on enterprises through highly targeted onslaughts, and the average amount of ransom per victim has grown multiple times.
The fourth generation of the Cerber ransomware is underway, dropping the Readme.hta ransom note and appending random extensions to one’s encrypted files.
The lineage of the highly dangerous Cerber ransom Trojan has recently been replenished with a new sample. The fresh spinoff has much in common with the other baddies that used to represent this family. At the same time, it also exhibits unique characteristics that allow researchers to flag it as a standalone ransomware edition. The distinctive traits of greatest value analysis-wise include a different take on filename mangling, as well as the new way this infection now instructs its victims on recovery. As opposed to the formerly used uniform “.cerber3” extension, this iteration appends a victim-specific random set of four hexadecimal characters to every data object that underwent enciphering. Therefore, a victim may see something like utTNNgp574.96b3 instead of an arbitrary personal file.
Readme.hta and ciphered files are straightforward indicators of compromise
It’s unclear why this additional layer of randomization has been introduced in the latest variant, but it has become an inherent property of the Cerber ransomware virus. The filename muddling effect, by the way, is identical to the way the predecessor would handle hostage files: the Trojan replaces the original name with a gibberish 10-character string. This wouldn’t pose much of a problem if it weren’t for the fact that each entry is also encrypted. So editing filenames, which seems like a no-brainer, is also a no-go as far as data restoration is concerned. Cerber v4 leverages an unbreakable crypto routine to scramble one’s files. Although the Advanced Encryption Standard (AES) is considered to be weaker than the asymmetric RSA algorithm, it is still virtually impossible to crack as long as it’s implemented the right way.
Recovery steps listed on the desktop
Another new feature that surfaced in the current 4.1.1 version of Cerber is the way it provides the walkthrough to decrypt files. The ransom manual is no longer a combo of three documents in different formats. Instead, it’s a single file called Readme.hta. Because this is, in essence, an HTML application, it delivers some degree of user interaction. For instance, an infected person can now select their native language inside the interface. The rest of the instructions have hardly changed. The extortionists still upsell a tool named “Cerber Decryptor” via a secure Tor page. Therefore, victims are told to install the Tor Browser Bundle and visit their personal page – a choice of three corresponding URLs is provided in the Readme.hta pane.
The Cerber Decryptor page displays down-to-earth details on data reviving options. The original ransom amount to submit is 1 Bitcoin, or about 600 USD. That’s a “special price” valid for five days since the encryption event. After the deadline, the ransom doubles and thus reaches 2 Bitcoin. For the user to keep track of the time left, the page contains a graphical countdown component. All in all, this is still a nearly immaculate compromise that’s hard to tackle after the fact. Fortunately, there are several applicable methods to decrypt the locked random-extension files. Keep reading this post to learn more.
Automatic removal of the Readme.hta (Cerber) virus
When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.
1. Download and install the cleaning tool and click the Start Computer Scan button.
2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get Cerber 4 automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.
Recover files ciphered by the Readme.hta ransomware
Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.
Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.
Option 2: Recovery tools
Research into the Cerber 4 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. At the same time, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be recovered from the drive via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.
Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data segments can be successfully recovered.
You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.
Did the problem go away? Check and see
Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.
4 free decryptors for ransomware-infected files
Learn more about how to decrypt files for free, without paying the ransom demanded by ransomware, using Avast’s tools for removing file-encrypting viruses.
Ransomware is becoming the “flagship” of malicious software. Over the past year we recorded more than a doubling (105%) in the number of encryptor attacks. Such viruses block access to the files on a computer by encoding them and extorting a ransom for the code needed to decrypt them.
How to decrypt files for free? We are pleased to announce the release of four tools for removing ransomware and decrypting files: Alcatraz Locker, CrySiS, Globe and NoobCrypt. All the file decryptors are available on our page and are free.
The same page also provides a detailed description of each kind of ransomware. Our tools can help you remove the encrypting virus and unlock your files. The utilities are continually updated as the listed threats evolve.
Since the release of the first package of seven Avast decryption tools, we have been pleased to receive many thank-you messages and stories about how our utilities saved someone’s valuable data or even their business. We hope the new decryption programs will help even more users.
Below is a brief description of the four new kinds of ransomware for which the new free utilities were developed.
Alcatraz
Unlike most encryptors, Alcatraz has no predefined list of file extensions to target. In other words, it encrypts everything it can. To avoid damaging the operating system, Alcatraz Locker only encrypts files in the %PROFILES% directory (usually C:\Users).
The ransomware encrypts files using built-in Windows functions (the Crypto API):
The ransom note claims that the program uses AES-256 encryption with a 128-bit password. Analysis of the malware showed that this is not so (a 128-byte, not 128-bit, password is used). The virus does, however, use a 160-bit hash (SHA1) as the initial key for 256-bit AES encryption. In the Crypto API used by the program, this is implemented in a rather interesting way:
The resulting concatenated hash is used as the initial key for AES256.
After performing AES-256 encryption, the ransomware additionally encodes the already encrypted file in base 64 (BASE64), so that an encrypted file follows a typical pattern:
CrySiS
CrySiS (also known as JohnyCryptor and Virus-Encode) has been known since September 2015. It uses the strong AES and RSA encryption algorithms. Another peculiarity is that it contains a list of file extensions that are not encrypted.
Although the ID number and e-mail address change quite often, there are only three different extension names still in use:
As a result, the names of encrypted files may look like this:
Each such item contains all the data needed to decrypt it. Files smaller than 262,144 bytes are encrypted entirely, and a block at the end holds the encrypted AES key along with other data, such as the original filename, which allows full decryption. Note that files larger than 262,144 bytes are only partially encrypted, but even so they cannot be used. This mode of operation means that large files grow even larger after encryption.
After locking these files, the ransomware displays the message shown below, which describes how to regain access to the encrypted data. The same message is also stored in a file named “Decryption instructions.txt”, “Decryptions instructions.txt” or “README.txt” on the infected PC’s desktop.
Here are a couple of examples of CrySiS ransom messages:
Globe
This program, which has existed since about August 2016, is written in Delphi and is usually packed with UPX. Some variants are also packed with the Nullsoft installer:
In its unpacked binary form, the program exposes a global “settings” interface in which the ransomware author can change some of its characteristics:
Because attackers can modify the program, we encountered many different variants that create encrypted files with a wide variety of extensions.
Notably, the ransomware has a debug mode, which can be enabled with the following registry setting:
The virus locks files using the RC4 or BlowFish algorithms. When the ransomware is configured to encrypt filenames, it does so with the same algorithm that was used on the file itself. The name is then encoded with a custom implementation of Base64.
Here are several examples of generated extensions that can be decrypted with the Avast utility:
Typically, this ransomware creates a file named “Read Me Please.hta” or “How to restore files.hta”, which is displayed after the user logs on.
Do not pay the extortionists! Use the Globe file decryptor.
NoobCrypt
NoobCrypt, which I discovered in the summer of 2016, is written in C# and uses the AES256 encryption algorithm. The program has a memorable graphical interface, which is displayed after access to the files has been blocked.
This ransom screen is a strange mix of messages. For example, it demands payment of a certain sum in New Zealand dollars (NZD), but asks for the funds to be sent to a Bitcoin address. At the same time, the text proudly declares that the program was “made in Romania”. A strange combination.
I chose the name “NoobCrypt” based on the messages found in the code and the decryption key:
To decrypt files, NoobCrypt offers an “unlock code” that must be purchased. On Twitter I published free keys for removing all known versions of NoobCrypt (examples: 1, 2, 3). However, determining which one to use had to be done manually. Thanks to our decryption tool, you no longer have to guess which code to apply.
The author even prepared a demonstration video showing features presented as new, including the use of “military-grade encryption” and “undetectability by antiviruses (except AVG)”, which is a lie: many antiviruses are able to detect this program.
As can be seen in the screenshot below, the author even mentions my name on the payment instructions screen and thanks me for something. Perhaps for giving this bundle of poor-quality code an appropriate name (it is now used officially).
Today we present a decryption tool for NoobCrypt suitable for all its known versions. The unlocking process is now much simpler than guessing the right code. You no longer need to pay for a key, let alone rely on the ransomware to decrypt your files.
See the description of NoobCrypt and the decryption tool on our website.
How not to become a ransomware victim
First of all, make sure that antivirus software, such as Avast, is installed on all your devices (even smartphones can be infected with ransomware). An antivirus can block ransomware before it causes damage.
The next component of your own security is common sense and foresight. Ransomware distributors often use social engineering techniques to trick people into downloading malware. Be careful when opening links and suspicious e-mail attachments, and when downloading material from the Internet. Make sure the sender of a message is trustworthy, and download software only from trusted sites.
You should also back up your data regularly and properly. Store backups off-site; otherwise they too may be locked by malware.
If you were unlucky enough to fall victim to ransomware, try our decryption tools and see whether we can help you get your files back!
My thanks to my colleagues Ladislav Zezula and Piotr Szczepanski for preparing the decryptors, and to Jaromír Hořejší for his analysis of Alcatraz Locker.
The lucky owners of encrypted files can get their keys/files back.
Since “paycrypt”, before launching a new variant of the bat-encoder (paycrypt@gmail_com), made several master keys available to virus analysts:
:user ID packet: «P-crypt (P-crypt) » :signature packet: algo 1, keyid 278605395C63D713 5C63D713/591A1333 (sig created 2014-03-01)
:user ID packet: «StyxKey (StyxKey) » :signature packet: algo 1, keyid BAC121F1F3E75FD0 F3E75FD0/01270FE6 (sig created 2014-05-26)
:user ID packet: «HckTeam (HckTeam) » :signature packet: algo 1, keyid 528FE439E578490A E578490A/F107EA9F (sig created 2014-06-01)
we are able to restore some of your files if they were encrypted during a certain period of time.
The lucky ones in this case will, unfortunately, be only those who get the chance to recover their key and use it to decrypt their data.
I will add that with the obtained private keys it is possible to recover from KEY.PRIVATE the users’ session secret keys (secring.gpg), which can be used to decrypt files.
(extract from KEY.PRIVATE and import the session key) 1. gpg: encrypted with 1024-bit RSA key, ID F107EA9F, created 01.06.2014 «HckTeam (HckTeam) «
and the passphrase for these keys for decrypting files encrypted by the bat-encoder with the extensions *.PZDC, *.CRYPT, *.GOOD. Judging by the keys created, these encryptors were active in July 2014, in parallel with other bat-encoder variants: paycrypt@gmail_com/keybtc@gmail_com. (Thanks, thyrex, BloodDolly!)
In the case of simple passphrases, Elcomsoft’s distributed computing utility can be used to recover the password: ElcomSoft Distributed Password Recovery
Elcomsoft Distributed Password Recovery is a high-performance solution for recovering passwords to various file types (see the list of supported formats). The program is built on a client-server principle and lets you use all available computers for the password search.
Comments
Decrypted: Kaspersky releases free decryptor for CryptXXX Ransomware
Thankfully, yesterday Kaspersky released a free decryptor for this ransomware.
bleepingcomputer.com Kaspersky Lab and Intel Security/McAfee (apparently as a result of a successful hunt for key servers) have released, respectively, the ShadeDecryptor and ShadeDecrypt decryptors for decrypting files after Ransom.Shade.xtbl/breaking_bad (a.k.a. the formidable and invincible Filecoder.ED).
the utility reportedly contains over 160,000 keys
Perhaps some of the victims will be lucky enough to be among these 160,000 and decrypt their data: xtbl/breaking_bad. Given that this encryptor is widespread in Russia, I think many visitors of forums such as virusinfo.info, forum.esetnod32.ru and others will be able to obtain keys and a good chance of decrypting their data.
Judging by the threads on forum.esetnod32.ru, the keys added to the database fall, by encryption time, in the interval October 2015 to February 2016. During that time xtbl was still active, but then its activity gave way to breaking_bad.
A detailed description of working with shadedecrypt from McAfee is here.
Judging by hasherezade’s report, part of the private keys for the Chimera encryptor has been obtained.
The dump of private keys was posted by one of the developers of Petya Ransomware, who by his own account had access to part of the Chimera project.
Master keys for the CrySiS encryptor have been obtained!
Variants of this encryptor: vegclass@aol.com.xtbl redshitline@india.com.xtbl .xtbl ecovector3@india.com.xtbl and many others.
DrWeb provides a fuller list of the e-mail addresses used by the attackers for contact and file encryption.
Encrypted files get a suffix consisting of the contact e-mail address and an extension. Two extensions that the trojan assigns to encrypted files are known:
The attackers leave the following e-mail addresses:
An extra header can be found prior to the trailer and has the following format:
For older versions it’s a zero-terminated Unicode string which is the filename of the original file.
For newer versions:
Zero (4-byte uint) | Type of encryption (1=partial, 2=full) | Magic value (0xFFD1CEFFL for partial, 0xFFAE50FFL for full) | size of header - original filename size (offset to filename) | ignored for full, number of encrypted regions for partial | ignored for full, size of encrypted region if partial | ignored for full, CRC32 (encrypted regions) | ignored for full, offset to encrypted data for partial
If encryption is partial, there is encrypted data after the header. In both encryption types there is the original filename (Unicode string) after the headers.
I think universal decryptors for this encryptor (which is very widespread in Russia) will be ready soon.
RakhniDecryptor tool is designed to decrypt files encrypted by:
Crysis; Chimera; Rakhni; Agent.iih; Aura; Autoit; Pletor; Rotor; Lamer; Lortok; Cryptokluchen; Democry; Bitman (TeslaCrypt) version 3 and 4.
ESET has released the esetcrysisdecryptor decryptor
How do I clean a Crysis infection using the ESET Crysis decryptor? http://support.eset.com/kb6274/
Testing ESET’s decryptor in action: esetcrysisdecryptor
the decryption result is excellent.
Trend Micro added CrySiS (xtbl;crypt) decryption in a new update of its decryptor:
Updated: 28 Nov 2016, ver:1.0.1654
CrySiS (JohnyCryptor, Virus-Encode, or Aura) is a ransomware strain that has been observed since September 2015. It uses AES256 combined with RSA1024 asymmetric encryption. Filename changes:
Encrypted files have many various extensions, including: .johnycryptor@hackermail.com.xtbl, .ecovector2@aol.com.xtbl, .systemdown@india.com.xtbl, .Vegclass@aol.com.xtbl, ..CrySiS, ..xtbl, ..xtbl, ..xtbl Ransom message:
After encrypting your files, one of the following messages appears (see below). The message is located in «Decryption instructions.txt», «Decryptions instructions.txt», or «*README.txt» on the user’s desktop.
I tested on a virtual machine a variant of the encryptor that ESET detects as CrySiS.H
after encryption we get a ransom note, Decryption instructions.txt, with the following content:
I checked on ID Ransomware using an encrypted file and the ransom note, and get the result:
This ransomware is decryptable!
Click here for more information about CrySiS
I run the latest version of the Crysis decryptor
in the end I cannot decrypt anything.
I renamed a group of encrypted files from *.crypted to *.crypt and decrypted all the test files.
Kaspersky Lab writes that decryption has been obtained for CryptXXX: crypt; cryp1, crypz
https://blog.kaspersky.com/cryptxxx-v3-ransomware/13628/ + A decryptor has been developed for the third version of CryptXXX https://threatpost.ru/new-decryptor-unlocks-cryptxxx-v3-files/19779/ Decryption for crypt was available earlier. Decryption of cryp1, crypz has been added. Testing the Kaspersky Lab decryptors in action is extremely inconvenient. There is no function for checking a single directory of encrypted files, as in the decryptors from ESET, Emsisoft, Avast. To check whether the decryptor works, you have to scan the whole disk, and maybe more than one. Judging by the forum reports, decryption of crypt/cryp1/crypz is far from going smoothly.
Avast releases Three more Decryption Tools for Ransomware Victims
We would like to note that free decryption tools already exist for these strains. Security researchers Michael Gillespie and Fabian Wosar have done a great job and presented their own decryption solutions for these strains.
Now you may be wondering why we decided to release tools for these strains if other tools are already available? Well, it is always better to have several (free) options and find the one that works best for you.
HiddenTear is one of the first open-sourced ransomware codes hosted on GitHub and dates back to August 2015. Since then, hundreds of HiddenTear variants have been produced by crooks using the original source code. HiddenTear uses AES encryption.
Ransom message: After encrypting files, a text file (READ_IT.txt, MSG_FROM_SITULA.txt, DECRYPT_YOUR_FILES.HTML) appears on the user’s desktop.
Jigsaw is a ransomware strain that has been around since March 2016. It’s named after the movie character “The Jigsaw Killer”. Several variants of this ransomware use the Jigsaw Killer’s picture in the ransom screen.
Stampado is a ransomware strain written using the AutoIt script tool. It has been around since August 2016. It is being sold on the dark web, and new variants keep appearing. One of its versions is also called Philadelphia.
File name changes: Stampado adds the “.locked” extension to the encrypted files. Some variants also encrypt the filename itself, so the encrypted file name may look like this “document.docx.locked” or 85451F3CCCE348256B549378804965CD8564065FC3F8.locked.
Alleged Master Keys for the Dharma Ransomware Released on BleepingComputer.com
Judging by the article, master keys have been obtained for Crysis.dharma, so decryption for this Crysis variant should be expected soon.
More about Dharma Ransomware can be found in the Russian ID Ransomware blog. Update: Kaspersky Lab has updated RakhniDecryptor to version 1.17.17 with the ability to decrypt Crysis.dharma.
ESET has updated the Crysis decryptor to version 2.0.3 with support for the *.dharma extension
Yesterday, I wrote about how someone posted in the BleepingComputer.com forums the alleged master decryption keys for the Dharma Ransomware. This was done in the same manner that the keys for Crysis were released, which Dharma is based on.
Kaspersky has tested the keys and has determined that they are indeed legitimate and can be used to decrypt Dharma encrypted files. These keys have been included in their RakhniDecryptor, which I have tested against a Dharma infection. The decryptor worked flawlessly!
For those who have been infected by the Dharma ransomware and still have files that are encrypted, you can use the guide below to decrypt the files for free. If you need help decrypting your files, feel free to ask in the Dharma Ransomware Help & Support Topic.
Update 3/2/17 10:08 AM EST: Right after I posted this article, I saw that ESET also released an updated decryptor that supports the Dharma Ransomware. More info here.
There is no decryption for Crysis.wallet yet. Trend Micro has added decryption for Crysis.dharma to its Ransomware File Decryptor
Updated: 13 Mar 2017, ver: 1.0.1659
BTCWare Ransomware master key released, free decryptor available
Users whose files were encrypted by older versions of the BTCWare ransomware can recover their files for free after security researchers created a decrypter for this ransomware family. Work on this decrypter began at the end of April.
After the initial version of the BTCWare Decrypter was released at the beginning of the month, a user published the master decryption key for the BTCWare ransomware on the BleepingComputer forums. Although we do not know whether this user, calling himself checker123, is the author of the BTCWare ransomware or a member of a rival ransomware gang sabotaging their competition, we welcome it either way.
A new batch of Crysis master keys has been published on the Bleepingcomputer.com forum, for the Crysis.wallet variant,
Complete set of master keys:
I think the decryptors from Kaspersky Lab, Avast and ESET will be updated soon.
Wallet Ransomware Master Keys Released on BleepingComputer. Avast Releases Free Decryptor
Kaspersky Lab has updated RakhniDecryptor to version 1.19.3.0
20:25:09.0424 0x0b24 Trojan-Ransom.Win32.Rakhni decryption tool 1.19.3.0 May 18 2017
ESET has updated the Crysis decryptor to version 2.0.4
Avast releases a new decryption tool for the BTCWare ransomware.
Jakub Křoustek, 24 May 2017
Special thanks to Ladislav Zezula for working on this blog post and the decryptor tool!
If you’ve been hit by the BTCWare ransomware, you can now recover your files without paying the ransom. To decrypt your files, download Avast’s free decryptor tool here.
BTCWare ransomware began spreading in March 2017. Since then, we have seen five variants, which can be distinguished by the extension of encrypted files:
The encrypted symmetric key is stored as a base64-encoded string in %USERPROFILE%\Desktop\key.dat.
On May 6, 2017, the master private key was published on BleepingComputer. The Avast BTCWare decryptor (avast_decryptor_btcware.exe) does not use this key (because the key does not work for all variants). Instead, it uses brute force to recover the password that the ransomware used to encrypt the files.
https://www.avast.com/ransomware-decryption-tools#btcware I tested decryption of one of the variants, *.theva: the key was found and all test files were successfully decrypted. I will add that this key was also successfully used to decrypt files with another tool, created by M. Gillespie https://download.bleepingcomputer.com/demonslay335/BTCWareDecrypter.zip
AES-NI ransomware dev releases decryption keys
https://xakep.ru/2017/05/26/aes-ni-keys/ Avast promptly releases a decryptor for AES-NI
AES_NI is a ransomware strain that first appeared in December 2016. Since then, we’ve observed multiple variants, with different file extensions. For encrypting files, the ransomware uses AES-256 combined with RSA-2048.
The ransomware adds one of the following extensions to encrypted files: .aes_ni .aes256 .aes_ni_0day
In what has become a welcome trend, today another ransomware master decryption key was released on BleepingComputer.com. This time the key that was released is for the XData Ransomware that was targeting the Ukraine around May 19th 2017.
At 12:31PM EST, a new member named guest0987654321 posted a RSA private decryption key in our XData support topic and implied that this was the master decryption key for the ransomware.
Now that XData is no longer running on the computer, we can begin to decrypt the encrypted files. First you need to download the RakhniDecryptor, extract the program, and then run it.
Rakhni Decryptor (updated 30-5-2017 with XData)
the working version of the decryptor should be 1.20.1.0
http://www.nomoreransom.org/uploads/RakhniDecryptor.zip
ESET releases decryptor for AESNI ransomware variants, including XData
Releasing master keys for older ransomware variants has become somewhat of a trend these days. Shortly after the release of the updated Crysis decryptor, master keys for some of the variants of the AES-NI family were published – specifically Win32/Filecoder.AESNI.B and Win32/Filecoder.AESNI.C, also known as XData.
Based on this, ESET experts have prepared an AES-NI decryption tool.
Clean an AES-NI or XData infection using the ESET AES-NI decryptor
BloodDolly added a note on this feedback:
Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware has leaked the private key for his latest version.
The BTCWare author announced this leak on the Bleeping Computer forum thread that offers support for victims of BTCWare infections. BTCWare is one of the most active ransomware families today, which you can easily tell by the size of the support forum thread that has now reached 20 pages, compared to other ransomware support threads that are only 1-2 pages long.
The crook made his announcement on June 30, saying he plans to officially release the private decryption key in five days, but agreed to provide Gillespie with a copy of the private decryption key in advance after the researcher reached out to verify his identity.
Below is a list of all the BTCWare file extensions Gillespie’s decrypter can handle.
A decryptor has been released for all three variants of the original Petya ransomware: RED/GREEN/GOLDENEYE!
The Petya tool has a special UI. To boot your OS back to normal, do the following:
Select the Petya family on your machine from the ransomware note screen then choose a screen font color from the dropdown option.
Enter your personal decryption code in the boxes found on the ransomware note screen.
The decryption code is case sensitive. Click the Decrypt Key button to show the decrypt key in the text box. On the infected machine, enter the decrypt key from the tool and click Enter to reboot the machine and boot your OS back to normal.
and keyid: 0x3639A9EE3ED78E85)
so, using the known key "HckTeam (HckTeam)", I recovered several session secret keys (secring.gpg)
0x369AE471 (created 24.06.2014) and decrypted the user's test files. + paycrypt (paycrypt)
0xF4CF450E (created 25.06.2014) I will add that the most complete and accurate information on bat-encoder was promptly prepared on the DrWeb forum
Information on the trojan: BAT.Encoder.2. Distribution of this trojan began in mid-May 2014, but the modification with the *.paycrypt@gmail_com extension may have appeared later.
Cryptography: GPG. For paycrypt@gmail_com the following keys are known: F107EA9F/E578490A and F05CF9EE/3ED78E85. For unblck@gmail_com the key F107EA9F/E578490A is known. For unstyx@gmail_com the keys F107EA9F/E578490A and 01270FE6/F3E75FD0 are known
For *.keybtc@gmail_com the key A3CE7DBE is known
Decryption: possible for some variants, which are identified by the key ID:
The decryption tool will not run if:
It can't find a valid ransom note
It cannot find a valid encrypted file (i.e. a file that is not corrupted)
It can't decrypt the User ID field in the ransom note
It cannot pass the test of decrypting 5 random files in the folder / drive. This helps protect against corrupted files, or files encrypted by a different ransomware family, that are stored in the same folder as the BTCWare-encrypted files.
Your Files were affected by BTCWare V3 <.cryptowin,.theva> using AES192 with chunk-size = 1KB
Found a valid ransom-note: [G:\DATA\shifr\encode_files\BTCware\theva\10BitDefender\#_README_#.inf]
Found a valid user-ID: [xQZ7cYHcLB0xWev/2Ges51n7PfSX7v/E0VStm5Fyfb+ULKLBA/QyofB8+nW9G1Gu4bToCl+DctS67Hpl7I4KrMsvRwh7Ze87bYhSzOsKCUg4d3jCY1p7SFl/9t6eKv6DNc5FHsCJtIKb3B1edPGGhiVAeycew/5IXD9hdHJGTaA=]
Decrypted user-ID: [SX-33hmqLLP95F7539eVcB5f53O6JepJ4L3hch3CwmcA0BPTo438OsI3UegKwVWbd93u3700h76o6-2015-07-08]
Searching for encrypted files: [50] encrypted files found
Testing decryption for 5 random encrypted files: .
Probing Finished [SUCCESS]

Your Files were affected by BTCWare V2 <.onyon,.xfile> using RC4 with chunk-size = 10MB
Found a valid ransom-note: [G:\DATA\shifr\encode_files\BTCware\onyon\50\bitdef_test\!#_DECRYPT_#!.inf]
Found a valid user-ID: [pui7KbO0JLYa4c9P9243EH5dGV+Mjpcp2o9t/GBSVntMB6p38mY3SmZDq+DxnVb1H28pSMATEY08IBz1khGnSqfaWBhsUPGXqrWsH0DEiyhdHd/71MfVMAIx9atJ5JqOcig56bPZHOCUxzP7f9CEeAbeBGHTkv1mkV5P510ORqM=]
Decrypted user-ID: [OBAMA-lUNz3r1hT100C44516fL6kzmp0DzIUW52ZL30D9tCYQX3ddz4DJERTb64qKXi39A-2017-07-07]
Searching for encrypted files: [24] encrypted files found
Testing decryption for 5 random encrypted files: .
Probing Finished [SUCCESS]
Decrypt Files: .
Total decrypted files: [24]

Your Files were affected by BTCWare V3 <.cryptowin,.theva> using AES192 with chunk-size = 1KB
Found a valid ransom-note: [G:\DATA\shifr\encode_files\BTCware\cryptowin\10\bit_def_test\#_HOW_TO_FIX.inf]
Found a valid user-ID: [ZlVoCSJf+/Ntp26YFXbaRffwFAO63Ssgai9MUlaPtKYHPMSO7PVhqaoUxArenZTrqByWydQek91IPNcqmcJNQkeOtCul/8IvuxZhs91WxC8TUx6wvX2nAPtlmHoOT2Pa35AGaWjIGdvo4Kt3IIvqQu4Z8DJoA2+M0541oTIdK0g=]
Decrypted user-ID: [ADM-Q01Xa5aI2TaqIF3sB38ek98S3-2017-07-07]
Searching for encrypted files: [24] encrypted files found
Testing decryption for 5 random encrypted files: .
Probing Finished [SUCCESS]

Your Files were affected by BTCWare V4 <.master,.aleta,.blocking,.gryphon> using AES256 with chunk-size = 10MB
Found a valid ransom-note: [G:\DATA\shifr\encode_files\BTCware\master\10\bit_def_test\!#_RESTORE_FILES_#!.inf]
Found a valid user-ID: [9R6bU4aF6u6rqZU9FcpCsGSDlD5h3o2lSrEbu6hzwRA01yM4VtE6W33uYUhpby1enyWGBFCwvA0zGcAjNe5XMG4mdOgA7KBiqHW+fGZiLnMeJdtTycKt27ieCkZkKzmsPYXXcXDkXBe6yIPH6wv62c1V/QAl7x9b8DmO42761tI=]
Decrypted user-ID: [3-77881E1D8228D88E347306CE888335BB18951329755514507628F5C7CADDD6E57627E360-2017-07-07]
Searching for encrypted files: [19] encrypted files found
Testing decryption for 5 random encrypted files: .
Probing Finished [SUCCESS]
Clearly, the master keys that were obtained are used to decrypt the files. Unlike avast_decryptor_btcware.exe, the BitDefender decryptor for BTCWare does not use brute force to obtain the key.
Amigo-A's encyclopedia of encryptors contains detailed information on the BTCWare family:
Sophos: We have summarised some details of the file encryption methods for the different BTCWare variants.
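To make the two validation strategies discussed above concrete, here is an added example that is not Avast's, Bitdefender's or Gillespie's code: a toy model of a chunk-encrypting locker and of a decryptor that proves its key before it writes anything. It assumes RC4 over the first CHUNK bytes of each file (the Bitdefender log shows RC4 for V2 and AES for V3/V4), a key derived from a weak password, and file-type magic as the plaintext oracle; the password, the files and the candidate list are all constructed here. The brute_force_password function models the Avast approach of recovering the password by trial, and probe_then_decrypt models the Bitdefender approach of decrypting a random sample of files and refusing the bulk run if any probe fails.

```python
# Added example, not the vendors' code: a toy BTCWare-style chunk cipher and
# the two decryptor checks described in the thread. Assumptions: RC4 over the
# first CHUNK bytes, SHA-256(password) as the key, file magic as the oracle.
import hashlib
import random

CHUNK = 16  # constructed chunk size; the real samples used 1 KB or 10 MB

# Well-known file signatures; a decryptor uses them to judge a trial decryption.
MAGIC = (b"%PDF-", b"\x89PNG\r\n\x1a\n", b"PK\x03\x04")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str) -> bytes:
    """Assumed KDF: a bare SHA-256 of the password (no salt, no stretching)."""
    return hashlib.sha256(password.encode()).digest()


def crypt_chunk(key: bytes, blob: bytes) -> bytes:
    """Only the first CHUNK bytes are touched; the tail stays in the clear."""
    return rc4(key, blob[:CHUNK]) + blob[CHUNK:]


def looks_like_plaintext(blob: bytes) -> bool:
    return any(blob.startswith(m) for m in MAGIC)


def brute_force_password(encrypted_sample: bytes, candidates):
    """Avast-style recovery: try passwords until the first chunk decrypts to known magic."""
    for password in candidates:
        if looks_like_plaintext(crypt_chunk(derive_key(password), encrypted_sample)):
            return password
    return None


def probe_then_decrypt(key: bytes, files: dict, probes: int = 5, seed: int = 1):
    """Bitdefender-style run: decrypt a random sample first and refuse the bulk
    pass if any probe fails. A file encrypted end to end by some other family
    in the same folder never yields a valid magic, so it trips this check."""
    names = random.Random(seed).sample(sorted(files), min(probes, len(files)))
    if not all(looks_like_plaintext(crypt_chunk(key, files[n])) for n in names):
        return None
    return {n: crypt_chunk(key, blob) for n, blob in files.items()}


# Constructed victim data: three files, each well past CHUNK bytes.
PLAIN = {
    "report.pdf": b"%PDF-1.4\n" + b"%" * 40,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 40,
    "pack.docx": b"PK\x03\x04" + b"\x01" * 40,
}
PASSWORD = "btc2017"  # constructed weak secret the brute force has to find
ENCRYPTED = {n: crypt_chunk(derive_key(PASSWORD), b) for n, b in PLAIN.items()}
CANDIDATES = ["password", "123456", "qwerty", PASSWORD, "letmein"]
# Constructed stand-in for a file another ransomware encrypted entirely.
FOREIGN = bytes(range(48))


if __name__ == "__main__":
    found = brute_force_password(ENCRYPTED["report.pdf"], CANDIDATES)
    print("recovered password:", found)
    print("clean folder decrypted:", probe_then_decrypt(derive_key(found), ENCRYPTED) == PLAIN)
    mixed = dict(ENCRYPTED, **{"other.bin": FOREIGN})
    print("mixed folder refused:", probe_then_decrypt(derive_key(found), mixed) is None)
```

The oracle is the weak point of both strategies: a file type without a recognisable header cannot be probed, and a folder that holds files from two different lockers will fail the sample test even when the key is right, which is exactly why the Bitdefender notes list it as a reason the tool refuses to run.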
## [1.1.0.9] + Added option to force decryption as a certain version of the malware than what is auto-detected (rare cases) + Added ransomware version and bug explanations to changelog
## [1.1.0.4] + Fixed enabling of decrypt button if directory is selected before a key is entered + Added option to force RC4 decryption vs AES (rare cases)
## [1.1.0.17] + Fixed support for delete option when file was not actually encrypted
## [1.1.0.16] + Added check for whether file is actually encrypted before attempting to decrypt
## [1.1.0.13] + Fixed bug with multiple layers of encryption by different versions of the malware + Added option to force decryption of only a single layer (rare cases) + Added option to clear loaded AES keys (rare cases of working with multiple layers) + Added more warnings of certain options + Organized advanced settings
I checked the possibility of decryption after a WNCRY attack using the Wannakey utility
Adrien Guinet, a specialist at the French company Quarkslab, reports that he has found a way to decrypt data affected by the WannaCry ransomware attack.
This software allows recovering the prime numbers of the RSA private key that are used by Wanacry.
It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory.
This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function : «After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.». So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.
If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory.
That’s what this software tries to achieve.
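The recovery idea in the wannakey README above, as an added example that is not Quarkslab's code: slide a window of half the modulus length over a process memory dump, trial-divide N by each candidate, and rebuild the private exponent from the prime that divides it. It assumes the CSP kept the primes as little-endian integers (the CryptoAPI private key blob layout), uses a deliberately small constructed key built from two published primes rather than a real WannaCry key, and plants the prime in constructed noise. The scrubbed case models the Windows 10 behaviour the README describes, where the memory is cleaned and the scan ends with "no prime that divides N was found".

```python
# Added example, not Quarkslab's wannakey: recovering an RSA private key from
# leftovers in process memory. Assumptions: primes stored little-endian at half
# the modulus length, a small constructed key, a constructed memory dump.
import random

P = (1 << 127) - 1    # M127, a known prime (constructed key, not WannaCry's)
Q = (1 << 128) - 159  # largest prime below 2^128
E = 65537
N = P * Q


def byte_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def scan_for_prime(n: int, dump: bytes):
    """Slide a window of half the modulus size over the dump and trial-divide n
    by each candidate. Returns (prime, offset), or None when nothing divides n,
    which is the 'no prime that divides N was found' outcome seen on Windows 7."""
    size = byte_len(n) // 2
    for off in range(len(dump) - size + 1):
        cand = int.from_bytes(dump[off:off + size], "little")
        if cand > 1 and cand != n and n % cand == 0:
            return cand, off
    return None


def rebuild_private_key(n: int, e: int, dump: bytes):
    """One prime is enough: q = n / p and d = e^-1 mod (p-1)(q-1)."""
    hit = scan_for_prime(n, dump)
    if hit is None:
        return None
    p, _ = hit
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def make_dump(p: int, scrubbed: bool = False, seed: int = 7) -> bytes:
    """Constructed process memory: noise, then the prime (or zeros if the CSP
    wiped it before freeing, as CryptReleaseContext does on Windows 10), then noise."""
    rnd = random.Random(seed)

    def noise(k: int) -> bytes:
        return bytes(rnd.randrange(256) for _ in range(k))

    size = byte_len(p)
    prime_bytes = bytes(size) if scrubbed else p.to_bytes(size, "little")
    return noise(200) + prime_bytes + noise(100)


if __name__ == "__main__":
    d = rebuild_private_key(N, E, make_dump(P))
    m = int.from_bytes(b"test message", "big")
    print("key rebuilt, roundtrip ok:", pow(pow(m, E, N), d, N) == m)
    print("scrubbed dump:", rebuild_private_key(N, E, make_dump(P, scrubbed=True)))
```

The scan is linear in the dump size and each step is one big-integer division, so on a real 2048-bit key and a full process image it is still cheap; what decides success is only whether the freed pages were reused before the dump was taken.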
Contents of the folder C:\test\decrypt
C:\test\decrypt>wannakey.exe
Gather list of processes.
Warning: unable to open process 0: The parameter is incorrect.
Warning: unable to retrieve the full path of the process for PID 4: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
Current directory is 'C:\test\crypt'
Using PID 3716 and working directory C:\test\crypt.
Reading public key from C:\test\crypt\00000000.pky.
blob_header: 06 02 00 00 00 A4 00 00
====
pub_key: 52 53 41 31 00 08 00 00 01 00 01 00
====
Keylen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enerating the private key in 'C:\test\crypt\00000000.dky'.
Done! You can now decrypt your files with the "official" decryptor interface by clicking on the "Decrypt" button!
Decryption of the files on Windows XP completed successfully. On Win 7 x86 I was unable to recover the key.
C:\test\decrypt>wannakey.exe
Gather list of processes.
Warning: unable to open process 0: The parameter is incorrect.
Current directory is 'C:\test\crypt'
Using PID 2772 and working directory C:\test\crypt.
Reading public key from C:\test\crypt\00000000.pky.
blob_header: 06 02 00 00 00 A4 00 00
====
pub_key: 52 53 41 31 00 08 00 00 01 00 01 00
====
Keylen: 256
N: C9 39 76 1E CC B9 86 8F B4 F4 D9 36 F3 B3 4F 9F 79 24 02 48 0E 32 33 23 0A 10 92 8C ED 34 9B 11 C2 8A 02 68 AF E5 4B 57 DF 67 3A D7 19 13 82 47 EE 13 2C D7 5A 85 80 39 5E F5 25 92 1C 64 D4 DE 5F E7 AF 47 EB FB C8 14 E0 01 F9 CA E3 16 36 A9 94 9A 13 61 DD BF E3 41 02 7A 5C 64 81 D7 A7 79 5D A9 E8 3B 9B 5D BC E0 91 A3 BE 87 7D DE EF 2C C6 07 C2 EC 5A E4 B5 D7 EC 3E D0 D7 BF 12 ED D9 83 AF 6C 32 4E F5 A2 F3 8E C7 2B 69 2A 0E D6 9C D4 BD 7E 20 AA 6F DF A4 23 2E 32 0C 3D B5 6E 2D 84 A9 6D 8F FB 31 9C AB 29 6E 29 77 8C 00 FE AD 41 DB C3 E7 EB C7 21 0C 3E 4B 10 10 02 88 59 F2 C2 AE 01 F8 2E 57 0C C9 1C A8 78 FA 11 D4 C2 F5 EF 31 A1 52 9B F2 F4 F5 43 57 40 B6 70 42 35 27 79 82 8E 16 45 AF F9 B7 4A F5 5F 9B 1F C5 2D 1C 2B 5E 09 A7 99 70 2B E7 46 B9 88 A4 AE 68 20 BA
====
Error: no prime that divides N was found!