Good day to everyone, my dear friends and readers of my blog. Today the topic will be quite sad, because it concerns viruses. I’ll tell you about an incident that happened at my work not so long ago. An employee called my department in an agitated voice: “Dima, a virus has encrypted the files on my computer, what do I do now?” I realized right away that something smelled fishy, but I went over to her to have a look anyway.

Yes. Everything turned out to be sad. Most of the files on the computer were infected, or rather encrypted: Office documents, PDF files, 1C databases and many others. In short, a complete disaster. Probably only archives, applications and text documents were left untouched (well, and plenty of other things). All of this data had its extension changed, and the names were changed to something like sjd7gy2HjdlVnsjds.
Several identical README.txt documents also appeared on the desktop and in folders. They state plainly that your computer is infected and that you should take no action: do not delete anything, do not scan with antiviruses, otherwise the files will not be returned.
The file also says that these nice people can restore everything as it was. To do this, you need to send the key from the document to their email, after which you will receive the necessary instructions. They don’t write the price, but in fact it turns out that the cost of getting your files back is something like 20,000 rubles.

Is your data worth that money? Are you ready to pay to get rid of the ransomware? I doubt it. What to do then? We’ll get to that later. For now, let’s take everything in order.

Where does it come from

Where does this nasty encryption virus come from? It’s very simple. People pick it up through email. As a rule, this virus penetrates organizations and corporate mailboxes, although not only them. At first glance you won’t suspect anything, since it does not arrive as spam but from a real, serious organization; for example, we received a letter from the Rostelecom provider from their official mail.

The letter was completely ordinary, something like “New tariff plans for legal entities”. A PDF file is attached. And when you open this file, you open Pandora’s box. All important files are encrypted and, to put it simply, turned into a “brick”. Moreover, antiviruses don’t catch this crap right away.

What I did and what didn't work

Naturally, no one wanted to pay 20 thousand for this, since the information was not worth that much, and besides, dealing with scammers was not an option at all. On top of that, it’s not a given that everything will be unlocked for you for that amount.

I ran the Dr.Web CureIt! utility and it found the virus, but that was of little use, since even after the virus was removed the files remained encrypted. Removing the virus turned out to be easy, but dealing with the consequences is much more difficult. I went to the Doctor Web and Kaspersky forums, found the topic I needed, and learned that neither of them could help with decryption yet. Everything was very heavily encrypted.

But search engines started showing results that some companies decrypt files for a fee. Well, this interested me, especially since the company turned out to be real, actually existing. On their website they offered to decrypt five files for free to show their abilities. So I took the five files I considered most important and sent them.
After some time, I received an answer that they had managed to decrypt everything and that for complete decryption they would charge me 22 thousand. Moreover, they did not want to give me the files. I immediately assumed that they were most likely working in tandem with the scammers. Naturally, they were sent packing.

  • using the programs Recuva and R-Studio
  • running through various utilities
  • well, to calm myself down, I couldn’t help but try (although I knew perfectly well it wouldn’t help) just to get the files I needed. Nonsense, of course)

None of this helped me. But I still found a way out.

Of course, if you suddenly find yourself in such a situation, first look at what extension the encrypted files have. Then go to http://support.kaspersky.ru/viruses/disinfection/10556 and see which extensions are listed. If your extension is on the list, use the corresponding utility.
But in all 3 cases where I saw these ransomware, none of these utilities helped. Specifically, I encountered the “da vinci code” and “VAULT” viruses. In the first case, both the name and the extension changed; in the second, only the extension. In general, there are a whole bunch of such encryptors. I’ve heard of such bastards as xtbl, no more ransom, better call saul and many others.

What helped

Have you ever heard of shadow copies? When a restore point is created, shadow copies of your files are automatically created. And if something happens to your files, you can always return them to the state they were in at the moment the restore point was created. One wonderful program for recovering files from shadow copies will help us with this.

To start, download and install the program “Shadow Explorer”. If the latest version fails (it happens), install the previous one.

Open Shadow Explorer. As we can see, the main part of the program looks like Explorer, i.e. files and folders. Now pay attention to the upper left corner. There we see the local disk letter and a date. This date means that all the files shown for drive C are as of that moment. In my case it’s November 30th. This means that the last restore point was created on November 30th.
If we click the date drop-down list, we will see for which other dates we have shadow copies. And if we click the local drives drop-down list and select, for example, drive D, we will see the date as of which we have current files. But for drive D points are not created automatically, so this needs to be specified in the settings. It’s very easy to do.
As you can see, for drive C I have a fairly recent date, while for drive D the last point was created almost a year ago. Well, then we do it step by step:

That’s it. Now all that remains is to wait for the export to complete. Then go to the folder you selected and check that all the files open and work. Everything is cool).
I know there are other ways, utilities and so on offered on the Internet, but I won’t write about them, because this is the third time I’ve encountered this problem, and not once has anything but shadow copies helped me out. Although maybe I was just unlucky).

But unfortunately, the last time it was possible to restore only the files that were on drive C, since by default points are created only for drive C. Accordingly, there were no shadow copies for drive D. Of course, you also need to keep an eye on the restore points themselves.

And so that shadow copies are created for other hard drives too, you need to enable this for them as well.

Prevention

To avoid problems with recovery, you need to do prevention. To do this, adhere to the following rules.

By the way, this virus once encrypted files on a flash drive where our key certificates for digital signatures were located. So be very careful with flash drives too.

Best regards, Dmitry Kostin.

Not long ago a new virus (and many of its modifications) appeared on the Internet, which encrypts files on your computer and offers to order a program to decrypt them for money. In this case, the encrypted files are renamed and given names like this:

DSC00122.JPG. [email protected] _XO101

The highlighted part consists of the e-mail of the virus author (to which the “victim” of the virus is supposed to send a decryption request) and the virus modification identifier. Each modification of the virus has its own encryption algorithm and, accordingly, requires its own decryptor.

Fortunately, the developers at Dr.Web have taken up this issue closely and are ready to provide a special utility which decrypts files corrupted by the virus. For convenience, below I post the utility itself and brief instructions for using it.

(password is the name of my site without “http://”)

Below are brief instructions.

Download the recovery utility and unpack the archive into an empty folder with a simple name (for example, “C:\_dec”). Then open the command line (Start - Run - cmd) and type the following there:

Here “ [email protected] _XO101” is the prefix with which your files are renamed by the virus; pay attention to the dot at the beginning. And c:\myfiles\ is the folder in which your encoded files are located. After launching, the program will open a confirmation window.

And after clicking the “Continue” button, automatic treatment will begin. When the program finishes, you will receive a report, and all decoded files will be located next to the encoded ones in the folder you specified (the program does not delete the encoded versions of the files).

The authors of the program do not guarantee 100% treatment of all files, and I don’t have the opportunity to test its operation on a large number of files, so please: whoever managed to cure files with this utility (or did not succeed), write in the comments.

That's all! Be healthy!

P.S. To prevent your computer from getting infected again, finally buy a normal antivirus. I use Kaspersky Internet Security, but apparently Dr.Web is also quite good. Believe me, one and a half thousand rubles a year for peace of mind and confidence in the future is a ridiculous price.

Hello friends! What a disaster, what a disaster! Yesterday I almost became a victim of a ransomware virus. And I wrote this article out of anger. So that you, dear reader, know how and what to do to avoid the “day of the cryptographer”. I got away with it this time. I’ll tell you how. I will also share some of my observations and experience on this topic.

We all periodically hear on TV about the viruses “petya”, “wanna-cry” and the like. These are the so-called “global stars”, of international class. If they are being talked about on TV and everything is fine on your computer, most likely you are no longer in danger of meeting a “star”. Measures have been taken. The virus has been detected and neutralized. Its signature is already in the database of your installed antivirus. Much more dangerous are the encryption viruses that are not talked about on TV. They are written by our compatriots, “free artists”, unburdened by moral norms.

It was easier before. The ransomware virus blocked the desktop. There was an indecent banner on the screen saying something like: “You’re such-and-such. You are punished, pay a fine.” All this was treated quite quickly and easily. And pretty quickly, ransomware banners went out of fashion.

Then the would-be programmers of the high road decided that they needed to develop further. “Innocent” letters began to arrive by mail. Moreover, they often arrive at the beginning of the month, as well as on quarterly and annual reporting dates. An unsuspecting chief (or not so chief) accountant opens such a letter. The content does not open. Nothing happens. She closes the letter. But an hour later she discovers that all document files, photographs, and databases are encrypted. And in every folder on the computer there is a file with an impudent, calm message.


Do not despair! Read the article! There are ways to help you protect yourself. I will now try to cover them in as much detail as possible.

So, the subject of the letter you receive may contain the following words: “to the chief accountant”, “to the accounting department”, “Reconciliation report”, “Summons from court”, “Arbitration”; the words “fine” and “court” are often found.

I repeat once again: such “chain letters” most often arrive at the beginning of the month and on quarterly and annual reporting dates. The calculation is simple. An unfortunate accountant (usually a woman), whose quarterly reports are already “burning”, is ready to do anything to get back her statements, databases, tables, calculations and years of work.

Friends, do not follow the lead of the extortionists. There is no guarantee of decryption. Why raise the self-esteem of these unfortunate “hackers” and give them the opportunity to continue robbing honest, hardworking people? Don’t transfer money to them! Recovery is possible provided that your computer is configured correctly and protected. Follow the recommendations!

How to protect yourself from a ransomware virus in Windows?

The first time I was asked to help was two or three years ago... And I remember being struck then by the, one might say, slyness of it. Once a virus enters the system, it works like a normal program. The databases of the installed licensed (!) antivirus did not contain their signatures, so at first antiviruses did not “consider” such “applications” malicious.

That is, until calls to support became widespread. The malicious program encrypts all files of certain types on a computer: text, documents, photographs, PDF files. And my yesterday’s “guest” has already encrypted even some files of the 1C program. There is progress.

But we weren’t born yesterday... I’ll say right away that there’s no way to decrypt the encrypted files with a third-party program. I remember that Kaspersky Lab posted decryption programs on its website.

But they are only for viruses of a certain type. They didn’t help me. Tomorrow the attacker will change the code, and this program will no longer help. The key is known only to the “developer”. And if he has already been imprisoned, no one will send you a decryptor for sure. To make you lighten your wallet, the malicious code must overcome several lines of defense.


The first line of defense is your attentiveness and discernment. You always go to the same sites. If you receive mail, then almost all of it always comes from the same senders and always with the same kind of content.

When you receive a letter with unusual content, do not rush to open it. If you find yourself on an unfamiliar site and see an unusual window, do not rush to proceed.

If you or your organization has a website, remove information about your email address from it. If it is visible, it will definitely end up on the mailing list of the clever “highway romantics”. Give the address only to trusted persons and privately.


The second line of defense is a licensed domestic antivirus. Why licensed? I noticed that a paid licensed antivirus (one that has passed FSTEC state certification) works better than a free one.

Once again, I rechecked something after the “trial” version of Kaspersky (though a long time ago). The result was discouraging. I found a bunch of viruses then. That’s an observation. For real security you have to pay, albeit a small amount of, money.

Why a domestic antivirus? Because our certified anti-virus products maintain databases of unwanted and fraudulent sites. Foreign “colleagues” cannot always boast of this; their segment of the Internet is different; you cannot cover everything.

Run a virus scanner on your computer overnight at least once a month.

How does a ransomware virus get onto a computer?

To disguise the attachment, it is almost always sent in an archive. Therefore, first we check the unusual letter with an antivirus. You need to save the file to your computer (the antivirus will already “look” at it). And then additionally right-click the file saved on disk and check it again:

The site is in the not-recommended database. This means that there have already been “alarm calls” about it. Also, paid versions check the Internet links “hardwired” into letters for viruses better than free ones. And when you click on such a link, they neutralize the virus, or add it to the “suspicious” list and block it.

At the end of March, I used these simple methods to catch another “quarterly” encryption virus from the mail. The only thing it managed to do was write me a message all over the computer that the files were encrypted, but this was not the case. They remained intact; the code only worked to create a message:

Please pay attention to the email address indicated here, of a certain Vladimir Shcherbinin, 1991. The 90s generation... This is a false trail, because the real address is below. It is reached through a browser that lets you avoid tracking of your computer on the Internet by standard means. Through such a browser, the attacker invites you to contact him. Everything is anonymous. Nobody wants to sit in prison.

Unfortunately, it often happens that viruses bypass our first two lines of defense. In our haste we forgot to scan the file, or maybe the antivirus has not yet received data about the new threat. But you can configure protection in the operating system.

How to set up ransomware protection in Windows 10?

We continue to build a deep, layered defense against ransomware viruses, and not only ransomware. Files cannot be decrypted. But they can be restored. It’s all about the settings. If you make them before the virus gets onto the computer, the virus will not be able to do anything. And if it does, it will be possible to restore the files.

The third line of defense is our computer itself. For a long time now, since 2003, Microsoft has been using “volume shadow copy” technology. For you and me, this means that any change to the system can be undone.

A “snapshot” of your hard drive is taken automatically, without your knowledge. And the system stores it, adding only the changes. This technology is used to back up data. You just need to turn it on.

Depending on the disk size and settings, up to 64 previous “shadow copies” can be stored on the volume. If this option is enabled, encrypted files can be restored from a shadow copy that is quietly created daily.

First step: go to This PC, right-click, “Properties”:

Additional options

Open the “System Protection” tab. In the example, protection is disabled on one of the disks. Select the drive with the mouse and click “Configure”.

Data can be restored from a copy from this window by clicking the “Restore” button.

Make the settings as in the figure:
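The same System Protection settings, and the per-drive “shadow copy + date” view that the Shadow Explorer walkthrough above relies on, can be checked and enabled from an elevated Windows PowerShell 5.1 session. This is an added example, not code from either article; the drive letters and the 10% storage reservation are assumptions.

```powershell
# Added example, not from the original article: inspect volume shadow copies and
# turn on System Protection for additional drives from an elevated Windows
# PowerShell 5.1 session. The drive letters below are assumptions; adjust them.
$DrivesToProtect = @('C:\', 'D:\')

# Same "drive letter + date" information Shadow Explorer shows in its top-left corner.
function Get-ShadowCopyReport {
    # Win32_ShadowCopy names volumes as \\?\Volume{GUID}\; map those to letters.
    $letterByDevice = @{}
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter } |
        ForEach-Object { $letterByDevice[$_.DeviceID] = $_.DriveLetter }

    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Drive   = $letterByDevice[$_.VolumeName]
            Created = $_.InstallDate
            Id      = $_.ID
        }
    } | Sort-Object Drive, Created
}

function Enable-ShadowProtection {
    param([string[]]$Drives, [string]$MaxSize = '10%')
    foreach ($drive in $Drives) {
        # System Protection is what creates restore points (and the shadow copies
        # behind them); by default it is on for the system drive only.
        Enable-ComputerRestore -Drive $drive
        $letter = $drive.TrimEnd('\')
        # Reserve space for the copies: when the store is full the oldest copy is
        # discarded, which is one way a clean copy can silently disappear.
        vssadmin resize shadowstorage "/for=$letter" "/on=$letter" "/maxsize=$MaxSize" | Out-Null
    }
}

Enable-ShadowProtection -Drives $DrivesToProtect
# Force a fresh restore point now. Windows 10 skips the request if another one was
# created within the last 24 hours, unless that limit is changed in the registry.
Checkpoint-Computer -Description 'Before ransomware hardening' -RestorePointType MODIFY_SETTINGS
Get-ShadowCopyReport | Format-Table -AutoSize
```

Shadow copies live on the same disk as the originals and, as the recovery story later on this page shows, ransomware running with administrator rights can delete them, so they complement a backup on a disconnected drive rather than replace it.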

The next step is setting up User Account Control. Have you noticed that there has never been a story on TV about virus “epidemics” on Linux and Android devices?

Do attackers not notice them? They do, and they are actively writing viruses, but the viruses don’t work there yet. When you work on such a device, you do not have Administrator rights on it. You are an ordinary user, with ordinary rights, and no one will let you change the system.

If your device is still under warranty and you assign administrator rights (root) to yourself using special means, the manufacturer will void your warranty for this. Any currently known virus, entering such a limited “user” prison environment, tries to change something, but to no avail, since commands to change the system are silently blocked. This is a huge advantage of Linux.


Microsoft (which means “small and soft”), as part of its ideology, has allowed users to easily and freely change the security settings in their operating systems.

So easily and freely that the virus, once in the “administrator” environment, already acts with administrator powers, and nothing interferes with it. Hence the massive epidemics and the conclusion that only the user of a Windows computer is responsible for the safety of their data. Which of us pays attention to the settings? Not until the thunder strikes... :-

I hope I convinced you. Everything is easy. Go to User Accounts.


We move the slider as convenient for us.


Now, when any program is launched with your knowledge (or without it), the system will ask you for permission and notify you. The small and soft ones love such windows...

And if you have Administrator rights, you can allow its execution. But if you are an ordinary user, you will not be allowed to. From here, again, the conclusion: it is best to have one password-protected Administrator account on your computer, and all the others should be ordinary users.

Of course, everyone has long been familiar with this window; everyone has turned it on, everyone has turned it off. But if User Account Control is enabled, it will not allow the program to start even with a direct remote connection to the computer. Like that. But of two evils, you have to choose the lesser. To each their own. Here’s another short video on this topic.
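The slider setting and the “one Administrator, everyone else a user” rule can be verified rather than eyeballed. The following added example (not from the article) reads the UAC values from the registry and lists the members of the local Administrators group by SID, so it works on a localized Windows as well.

```powershell
# Added example, not from the original article: read the effective User Account
# Control settings from the registry and list who holds administrator rights.
function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        # 1 = UAC on; 0 = off, every process of an administrator runs fully elevated
        EnableLUA                  = $p.EnableLUA
        # 2 = always prompt (slider at the top); 5 = prompt only for non-Windows
        # binaries (the default); 0 = elevate silently, which is what malware wants
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # 1 = the prompt appears on the secure desktop, out of reach of other programs
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

# True only when the slider is at its strictest position
function Test-UacHardened {
    $s = Get-UacStatus
    return ($s.EnableLUA -eq 1 -and
            $s.ConsentPromptBehaviorAdmin -eq 2 -and
            $s.PromptOnSecureDesktop -eq 1)
}

# Members of the built-in Administrators group, looked up by its well-known SID
# so the group name does not matter on a Russian or any other localized Windows
function Get-LocalAdmins {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-UacStatus
"UAC at the strictest level: $(Test-UacHardened)"
Get-LocalAdmins
```

If Get-LocalAdmins shows more than the one account you intended, the extra ones can be moved to standard users in the same User Accounts window the article walks through.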

The next step is to configure folder permissions. For particularly important document folders, you can configure access rights for each such folder. In the properties of any folder (right-click, “Properties”) there is a “Security” tab.

For example, we have Users on our computer; let’s say these are our little children. We don’t want them to be able to change the contents of this folder. Therefore, click “Change”.

Gray checkmarks are what is set by default. We can tick the boxes and “deny” everything. Even viewing. You can deny a user group (as in the figure). You can “Add” a specific user. The virus will not be able to do anything if “Modify” or “Write” permissions are denied on this folder. Try denying write, and then copying a file into such a folder.
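The same deny entry can be applied with icacls and then actually tested, which is the “try copying a file into such a folder” step done from a script. This is an added example, not the article’s own; the folder path is an assumption, and the SID S-1-5-32-545 is the built-in Users group.

```powershell
# Added example, not from the original article: deny a group (or user) the right
# to modify a document folder with icacls, then verify that a write really fails.
$Folder    = 'C:\ImportantDocs'     # assumed path
$Principal = '*S-1-5-32-545'        # "*SID" form: BUILTIN\Users on any language of Windows

if (-not (Test-Path -LiteralPath $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# (OI)(CI): the entry is inherited by files and subfolders; M = Modify, which
# covers Write and Delete. A Deny entry always wins over Allow entries.
icacls $Folder /deny "${Principal}:(OI)(CI)(M)"

# Attempt to create a file in the folder and report whether the ACL stopped it
function Test-FolderWriteDenied {
    param([string]$Path)
    $probe = Join-Path $Path ('probe-{0}.txt' -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $probe -Value 'test' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -Force
        return $false   # the write went through: the folder is not protected
    } catch {
        # PermissionDenied is what Set-Content reports when the ACL refuses the write
        return ($_.CategoryInfo.Category -eq 'PermissionDenied' -or
                $_.Exception -is [System.UnauthorizedAccessException])
    }
}

# Run the test as the account that should be locked out (a standard user).
# Administrators are members of Users too, so they are denied as well until the
# entry is removed again with:  icacls $Folder /remove:d $Principal
Test-FolderWriteDenied -Path $Folder
```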

And finally, today we will consider another measure of protection against viruses: file backup. For such a solution, you need to purchase and install in advance another hard drive in your computer, with a volume no smaller than the one on which your Windows is installed. Then you need to set up archiving to it.

Having gone there, we find ourselves in the settings:

Right now I only have the “D” partition of my hard drive at hand. This is possible, but only for the first time. Then you definitely need to buy yourself an external hard drive. Once you have chosen the archive location, click “Next”.

If you do not have a separate hard drive, we do everything as in the figure. In this case, only files in standard locations are archived (My Documents, My Pictures, Downloads, Desktop, etc.). Click “Next”.

That’s all, friends. The process has begun. Here is a video that tells you how to create a system image and restore a file from the image.

So, to protect effectively against ransomware viruses, it is enough to be careful, preferably have a paid domestic antivirus, and have an operating system configured for normal security. “But how did you get the encryption virus if you’re so smart?” the reader will ask me. I repent, friends.

All of the above settings were made on my computer. But I turned everything off myself for about a couple of hours. My colleagues and I were remotely setting up a connection to a database that just didn’t want to be established.

It was decided to urgently use my computer as a test option. To make sure that the packets were not being interfered with by the antivirus, network settings and firewall, I quickly uninstalled the antivirus for a while and turned off User Account Control. Simply everything. Read below to see what came of it.

When a ransomware virus gets onto your computer, what should you do?

Although it is not easy, first try not to panic. An attacker cannot know the contents of your computer. He is acting blindly. Not everything is encrypted. For example, programs and applications are usually not encrypted. Archives *.rar and *.7zip are usually not encrypted either. Try opening the archive. If it opens, that’s good.

When I discovered the “surprise”, I began to realize that I had “got it”. I knew what I was doing... First, I installed the antivirus back. In a dejected state, I turned User Account Control back to “full” and ran an overnight scan of the system partition C:, on which Windows is installed.

The infected file had to be removed. If you don’t do this, there will be no point. Everything will be encrypted again. So first we treat the computer.

If possible, run a scan of the entire computer using a free live disk from Dr.Web or a similar free utility from Kaspersky, Kaspersky Rescue Disk 10.

In the morning, the following “monsters” were found in the quarantine of my antivirus:

Only three, it could have been worse. But these three encrypted all my goods. What do we do next? If archiving was configured, after treatment you just need to restore the files from the archive, and that’s it. I went into the archive, where I had had a daily backup of my files set up for several months.

Having opened it, I saw that all the archives for all dates were also killed. The list is empty. Why did this happen?

Viruses are getting smarter. I myself disabled User Account Control after I uninstalled the antivirus. The first thing the virus did after that was to rejoice and delete all the backup files. And from that moment I began to gradually fall into despondency...

The second thing to do (I thought) is to restore the files from the shadow copy of the C: drive. For this I use the free program for viewing disk shadow copies, ShadowCopyView_ru_64 or the 32-bit version. It allows you to quickly visually view and evaluate the contents of shadow copies, as well as restore individual folders.

When I looked at the latest snapshots, it turned out that only encrypted copies remained... The second thing the virus did was kill my old shadow copies of the protected volume too, to make it more interesting for me... Or maybe they were overwritten by subsequent copies... The end...

It would seem that's it. Not all, friends. The main thing is not to give up.

A virus has encrypted files on a Windows 10 computer, what to do, how to cure it and how to fix it?

This is what our would-be hackers have not yet managed to get to. The last line of defense. Present only in Windows 10; I haven’t checked yet, but I think the “seven” and “eight” don’t have this new wonderful feature. I noticed it recently. This is a truly new and exciting feature. In the search bar, type the word “recovery”.

In Control Panel, click "Recover Files Using File History"

I was delighted and immediately went, of course, to “Documents” and “Desktop”.

And I saw that the files were not encrypted. Hooray! Thank you, Green Arrow! The process has begun. The files have been restored. The computer has been cured of viruses. Security settings are done. What else is left to do?

You also need to delete the encrypted files. You never know... But there are very, very many of them. How to quickly find and remove them? I’ve been using the Total Commander file manager for a long time. For my taste there is nothing better. Those who started with Far Manager will understand me. Total can quickly search for files, and much more. We will clean the disks one by one.

Let’s start with the system partition; select it by clicking with the mouse or from the drop-down list in the upper left corner:


Press Alt + F7 on the keyboard simultaneously. This brings up the file search panel.

You can search by name. You can do whatever you want. But we will use a mask. That is, we indicate the extension of the encrypted file, *.freefoam, with an asterisk and a dot (your “author” may be different, and the extension will be different). By this we indicate that ALL files with this extension need to be found. Search location: “C:”. You can also specify all partitions in this panel, not just “C:”. Click “Start Search”.

By pressing the “star” on the numeric keypad, we highlight all the files in the panel in pink. To delete the files to the Recycle Bin, press F8 or Del:

We cleaned out all the remaining encrypted garbage like a vacuum cleaner. Let it sit in the Recycle Bin for now. I’ll delete it later. In the same way, I cleaned all the partitions one by one in about forty minutes. I had a lot of things encrypted.

But I was lucky, because it can be worse. This new feature literally saved me. I don’t know for sure whether enabling shadow copies affects this new feature. It looks like it does, but I haven’t specifically checked. Somehow I don’t want to anymore :)

Write if you know. And the following conclusions can be drawn. With a good antivirus and a correctly configured Windows 10 operating system, you can wipe the attacker’s nose and leave him with nothing. Bye, friends.
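The mask search over every partition can be scripted, and for a practitioner it is better to move the encrypted files into one quarantine folder than to delete them, since a decryptor for that family may appear later. This is an added example, not the article’s; the extension *.freefoam comes from the article, while the quarantine path and the inventory file name are assumptions.

```powershell
# Added example, not from the original article: find every file carrying the
# ransomware's extension on all fixed drives and move it into a quarantine folder
# instead of deleting it, keeping an inventory of where each file came from.
$Extension  = '.freefoam'      # the extension from the article; yours will differ
$Quarantine = 'D:\Quarantine'  # assumed path on a drive with enough free space

function Find-EncryptedFiles {
    param([string]$Ext, [string[]]$Roots)
    foreach ($root in $Roots) {
        # -Force includes hidden files; unreadable folders are skipped, not fatal
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq $Ext }
    }
}

function Move-ToQuarantine {
    param([System.IO.FileInfo[]]$Files, [string]$Target)
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    # Record the original paths before anything is moved
    $Files | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -LiteralPath (Join-Path $Target 'inventory.csv') -NoTypeInformation
    $moved = 0
    foreach ($f in $Files) {
        # Skip files that are already inside the quarantine folder
        if ($f.FullName.StartsWith($Target, [StringComparison]::OrdinalIgnoreCase)) { continue }
        # C:\Users\x\a.doc.freefoam  ->  D:\Quarantine\C\Users\x\a.doc.freefoam
        $relative = $f.FullName -replace '^([A-Za-z]):\\', '$1\'
        $dest = Join-Path $Target $relative
        New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
        Move-Item -LiteralPath $f.FullName -Destination $dest -Force
        $moved++
    }
    return $moved
}

# DriveType 3 = local fixed disks (no USB sticks, no network shares)
$roots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { $_.DeviceID + '\' }
$files = @(Find-EncryptedFiles -Ext $Extension -Roots $roots)
$sizeMB = ($files | Measure-Object -Property Length -Sum).Sum / 1MB
'{0} encrypted files found, {1:N1} MB' -f $files.Count, $sizeMB
$count = Move-ToQuarantine -Files $files -Target $Quarantine
"Moved $count files to $Quarantine"
```

Run it only after the machine has been cleaned, as the article does, otherwise the quarantine folder is just one more place for the malware to encrypt.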

Has it ever happened that you received a message via Email, Skype or ICQ from an unknown sender with a link to a photo of your friend or congratulations on an upcoming holiday? You don’t expect any kind of setup, and suddenly, when you click on the link, serious malicious software is downloaded to your computer. Before you know it, the virus has already encrypted all your files. What to do in such a situation? Is it possible to restore the documents?

In order to understand how to deal with malware, you need to know what it is and how it penetrates the operating system. Besides, it doesn’t matter at all which Windows version you are using: the Critroni virus is aimed at infecting any operating system.

Encryption computer virus: definition and algorithm of action

A new computer virus, new software known to many as CTB (Curve Tor Bitcoin) or Critroni, has appeared on the Internet. This is an improved ransomware Trojan, similar in principle to the previously known malicious software CryptoLocker. If a virus has encrypted all files, what should you do in this case? First of all, you need to understand the algorithm of its operation. The essence of the virus is to encrypt all your files, giving them the extensions .ctbl, .ctb2, .vault, .xtbl or others. Then you will not be able to open them until you pay the requested amount of money.

The Trojan-Ransom.Win32.Shade and Trojan-Ransom.Win32.Onion viruses are common. They are very similar to CTB in their local action. They can be distinguished by the extension of the encrypted files. Trojan-Ransom encodes information in .xtbl format. When you open any file, a message appears on the screen stating that your personal documents, databases, photos and other files have been encrypted by malware. To decrypt them, you need to pay for a unique key, which is stored on a secret server, and only in this case will you be able to perform decryption and cryptographic operations with your documents. But don’t worry, and much less send money to the specified number; there is another way to combat this type of cybercrime. If just such a virus got onto your computer and encrypted all the files to .xtbl, what should you do in such a situation?

What not to do if an encryption virus penetrates your computer

It happens that in a panic we install an antivirus program and with its help remove the virus software automatically or manually, losing important documents along with it. This is unpleasant; in addition, the computer may contain data that you have been working on for months. It’s a shame to lose such documents without the possibility of recovering them.

If the virus has encrypted all files to .xtbl, some try to change their extension, but this does not lead to positive results either. Reinstalling and formatting the hard drive will permanently remove the malicious program, but at the same time you will lose any possibility of document recovery. In this situation, specially created decryption programs will not help, because the ransomware software is programmed using a non-standard algorithm and requires a special approach.

How dangerous is a ransomware virus for a personal computer?

It is absolutely clear that not a single malicious program will benefit your personal computer. Why is such software created? Oddly enough, such programs are created not only for the purpose of defrauding users of as much money as possible. In fact, viral marketing is quite beneficial to many antivirus inventors. After all, if a virus encrypted all the files on your computer, where would you turn first? Naturally, to seek the help of professionals. What, then, are encryptors for your laptop or personal computer?

Their operating algorithm is non-standard, so it will be impossible to cure infected files with conventional anti-virus software. Removing the malicious objects will result in data loss. Only moving them to quarantine will make it possible to secure the other files that the malicious virus has not yet managed to encrypt.

Expiration date of encryption malware

If your computer is infected with the Critroni malware and the virus has encrypted all your files, what should you do? You cannot decrypt the .vault, .xtbl or .rar formats yourself by manually changing the extension to .doc, .mp3, .txt and so on. If you do not pay the required amount to the cybercriminals within 96 hours, they will send you intimidating emails stating that all your files will be permanently deleted. In most cases people are influenced by such threats and reluctantly but obediently do as they are told, fearing the loss of precious information. It is a pity that users do not realize that cybercriminals are not always true to their word: once they receive the money, they often no longer care about decrypting your locked files.

When the timer expires, the window closes automatically. But you still have a chance to recover important documents. A message will appear on the screen indicating that the time has expired, and you can view more detailed information about the files in a specially created notepad file, DecryptAllFiles.txt, in the Documents folder.

Ways encryption malware penetrates the operating system

Typically, ransomware viruses enter a computer through infected email messages or through fake downloads, such as fake Flash updates or fraudulent video players. As soon as the program is downloaded to your computer by any of these methods, it immediately encrypts the data without the possibility of recovery. If the virus has encrypted all your files into .cbf, .ctbl, .ctb2 or other formats and you do not have a backup copy stored on removable media, assume that you will no longer be able to recover them. At the moment, antivirus laboratories do not know how to crack such encryption viruses. Without the required key, you can only block the infected files, move them to quarantine or delete them.

How to avoid getting a virus on your computer

An encryption virus has encrypted all your files to .xtbl. What to do? You have already read a lot of unnecessary information on most websites without finding an answer. It so happens that at the most inopportune moment, when you urgently need to submit a report at work or a thesis at university, or to defend a degree, the computer begins to live its own life: it breaks down, becomes infected with viruses, and freezes. You must be prepared for such situations and keep your information on a server and on removable media. This will allow you to reinstall the operating system at any time and, 20 minutes later, work at the computer as if nothing had happened. But, unfortunately, we are not always so far-sighted.

To avoid infecting your computer with a virus, you first need to install a good antivirus program. You must also have a properly configured Windows Firewall, which protects against various malicious objects getting in from the network. And most importantly: do not download software from unverified sites or torrent trackers. To avoid infecting your computer with malicious programs, be careful which links you click on. If you receive an email from an unknown sender asking or offering you to see what is hidden behind a link, it is best to move the message to spam or delete it altogether.

To prevent the virus from one day encrypting all your files to .xtbl, antivirus laboratories advise a free way of protecting against infection by encryption viruses: check the condition of your files once a week.

The virus has encrypted all files on the computer: treatment methods

If you have become a victim of cybercrime and the data on your computer has been infected with one of the types of encryption malware, then it is time to try to recover the files.

There are several ways to treat infected documents for free:

  1. The most common method, and probably the most effective at the moment, is backing up documents and then restoring them in the event of an unexpected infection.
  2. The algorithm of the CTB virus works in an interesting way. Once on the computer, it copies files, encrypts the copies, and deletes the original documents, thereby eliminating the possibility of their recovery. But with the help of Photorec or R-Studio you may manage to save some untouched original files. Be aware that the longer you use your computer after it has been infected, the less likely it is that you will recover all the necessary documents.
  3. If the virus has encrypted all your files to .vault, there is another good way to recover them: volume shadow copies. Of course, the virus will try to delete them all permanently and irrevocably, but it also happens that some copies remain untouched. In this case, you will have a small but real chance of restoring your files.
  4. It is possible to store data on a file hosting service such as DropBox, which can be installed on your computer as a mapped local disk. Naturally, the encryption virus will infect it too. But in this case it is much more realistic to restore documents and important files.

Software prevention of personal computer virus infection

If you are afraid of sinister malicious software hitting your computer and do not want an insidious virus to encrypt all your files, you should use the Local Group Policy Editor in Windows. With this built-in tool you can set up a software restriction policy, and then you will not have to worry about your computer becoming infected.

How to recover infected files

If the CTB virus has encrypted all your files, what should you do to restore the necessary documents? Unfortunately, at present no antivirus laboratory can offer decryption of your files, but it is possible to neutralize the infection and completely remove it from the personal computer. All effective methods of information recovery are listed above. If your files are too valuable to you and you have not bothered to make a backup copy on removable media or an Internet disk, then you will have to pay the amount of money requested by the cybercriminals. But even after payment there is no certainty that the decryption key will be sent to you.

How to find infected files

To see the list of infected files, go to "My Documents"\.html or C:\Users\All Users\.html. This HTML page contains not only the instructions but also data about the infected objects.

How to block an encryption virus

Once the computer has been infected with the malware, the first necessary action on the user's part is to disconnect from the network. This is done by pressing the F10 key.

If the Critroni virus has accidentally got onto your computer and encrypted all your files to .rar, .ctbl, .ctb2, .xtbl, .vault, .cbf or any other format, it is already difficult to recover them. But if the virus has not yet made many changes, it can probably be blocked using a software restriction policy.

Have you become a victim of ransomware? Don't pay the ransom!

Our free decryptors will help you regain access to files locked by the various types of ransomware described below. Just select a title to view the signs of infection and get free help.

Alcatraz Locker

Alcatraz Locker is a ransomware program first discovered in mid-November 2016. It uses AES-256 in combination with Base64 encoding to encrypt files.

Changing file names.

Encrypted files receive the extension .Alcatraz.

Ransom message.

The ransom message is placed in the file "ransomed.html" on the desktop:

If Alcatraz has encrypted your files, click here to download our free decryptor to unlock it.

Apocalypse

Apocalypse is a type of ransomware that was first discovered in June 2016. Signs of infection are described below.

Changing file names.

Apocalypse adds the extensions .encrypted, .FuckYourData, .locked, .Encryptedfile or .SecureCrypted to the end of file names (for example, instead of Thesis.doc the file will be called Thesis.doc.locked).

Ransom message.

When opening a file with the extension .How_To_Decrypt.txt, .README.Txt, .Contact_Here_To_Recover_Your_Files.txt, .How_to_Recover_Data.txt or .Where_my_files.txt (for example, Thesis.doc.How_To_Decrypt.txt), a message similar to the following appears:

BadBlock

BadBlock is a type of ransomware that was first discovered in May 2016. The signs of infection are described below.

Changing file names.

BadBlock does not rename files.

Ransom message.

Having encrypted your files, the BadBlock Trojan displays one of the following messages (from the example file Help Decrypt.html):

If BadBlock has encrypted your files, click here to download our free decryptor to unlock it.

Bart

Bart is a type of ransomware that was first discovered in late June 2016. Signs of infection are described below.

Changing file names.

Bart adds the text .bart.zip to the end of file names (for example, instead of Thesis.doc the file will be called Thesis.doc.bart.zip). This encrypted ZIP archive contains the original files.

Ransom message.

After encrypting the files, Bart changes the desktop background as shown below. The text in this image can also be used to identify Bart. The text is stored on the desktop in the files recover.bmp and recover.txt.

If Bart has encrypted your files, click here to download our free decryptor to unlock it.

Acknowledgement. We would like to thank Peter Conrad, the author of PkCrack, who allowed us to use his library in our decryptor for the Bart ransomware Trojan.

Crypt888

Crypt888 (also known as Mircop) is a type of ransomware that was first discovered in June 2016. Signs of infection are described below.

Changing file names.

Crypt888 adds the text Lock. to the beginning of file names (for example, instead of Thesis.doc the file will be called Lock.Thesis.doc).

Ransom message.

After encrypting your files, Crypt888 changes your desktop background to one of the options below.

If Crypt888 has encrypted your files, click here to download our free decryptor to unlock it.

CryptoMix (standalone version)

CryptoMix (also known as CryptFile2 and Zeta) is a ransomware program first noticed in March 2016. At the beginning of 2017 a new variant of CryptoMix appeared, called CryptoShield. Both versions encrypt files using the AES-256 algorithm with a unique encryption key that is downloaded from a remote server. If the server is unavailable or the user has no Internet connection, the ransomware encrypts the files using a fixed key (the "offline key").

Note. The proposed decryptor can only unlock files encrypted with the "offline key". Where the offline key was not used to encrypt the files, our decryptor will not be able to restore access to them.

Changing file names.

Encrypted files receive one of the following extensions: .CRYPTOSHIELD, .rdmk, .lesli, .scl, .code, .rmd or .rscl.

Ransom message.

After encrypting files on your PC, you can find the following files:

If CryptoMix has encrypted your files, click here to download our free decryptor to unlock it.

CrySiS

CrySiS (also known as JohnyCryptor, Virus-Encode or Aura) is a ransomware program first noticed in September 2015. It uses AES-256 encryption in combination with the asymmetric RSA-1024 method.

Changing file names.

Encrypted files have one of the following extensions:
[email protected],
[email protected],
[email protected],
[email protected],
.{[email protected]).CrySiS,
.{[email protected]).xtbl,
.{[email protected]).xtbl,
.{[email protected]).xtbl

Ransom message.

After encrypting your files, the program displays one of the following messages. The message is contained in a file called "Decryption instructions.txt", "Decryptions instructions.txt" or "*README.txt" on the desktop.

If CrySiS has encrypted your files, click here to download our free decryptor to unlock it.

Globe

Globe is a ransomware program first discovered in August 2016. It uses the RC4 or Blowfish encryption method. Signs of infection are described below.

Changing file names.

Globe appends one of the following extensions to the file name: .ACRYPT, .GSupport, .blackblock, .dll555, .duhust, .exploit, .frozen, .globe, .gsupport, .kyra, .purged, .raid, [email protected], .xtbl, .zendrz, .zendr or .hnyear. Moreover, some versions of the program also encrypt the file name itself.

Ransom message.

After encrypting the files, the program displays the following message, which is located in the file "How to restore files.hta" or "Read Me Please.hta":

If Globe has encrypted your files, click here to download our free decryptor to unlock it.

HiddenTear

HiddenTear is one of the first open-source ransomware programs; it has been hosted on GitHub and known since August 2015. Since then, scammers have used its source code to create hundreds of variations of HiddenTear. HiddenTear uses AES encryption.

Changing file names.

Encrypted files receive one of the following extensions (but may have others): .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .crypted, .CAZZO, .doomed.

Ransom message.

When the files are encrypted, a text file (READ_IT.txt, MSG_FROM_SITULA.txt or DECRYPT_YOUR_FILES.HTML) is displayed on the user's home screen. Various variants can also display a ransom message:

If HiddenTear has encrypted your files, click here to download our free decryptor to unlock it.

Jigsaw

Jigsaw is a ransomware program that has been around since March 2016. It is named after the movie villain nicknamed "Jigsaw Killer", and some variants show an image of this character on the screen together with the ransom demand.

Changing file names.

Encrypted files receive one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush, [email protected] or .gefickt.

Ransom message.

Once the files are encrypted, one of the screens below will be displayed:

If Jigsaw has encrypted your files, click here to download our free decryptor to unlock it.

Legion

Legion is a type of ransomware first discovered in June 2016. The signs of infection are described below.

Changing file names.

Legion adds something like [email protected]$.legion or [email protected]$.cbf to the end of file names (for example, instead of Thesis.doc the file will be called [email protected]$.legion).

Ransom message.

After encrypting your files, Legion changes your desktop background and displays a pop-up window similar to this:

If Legion has encrypted your files, click here to download our free decryptor to unlock it.
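The family descriptions above all boil down to file-name indicators: an appended extension, a prefix, or a dropped ransom note. As an added example (not code from the original post or from any decryptor vendor), here is a Python triage script that walks a folder and counts encrypted files and ransom notes per family using those indicators; the family labels are my grouping, extensions that embed an e-mail address are reduced to the part after the $ (Legion) or left out, and the sample folder it builds is constructed, not real victim data.

```python
import os
import tempfile
from collections import Counter

# Suffixes appended to encrypted files (from the descriptions above; .xtbl and .cbf are shared).
SUFFIXES = {
    "Shade/Onion/CTB": (".xtbl", ".vault", ".cbf", ".ctbl", ".ctb2"),
    "Alcatraz Locker": (".alcatraz",),
    "Apocalypse": (".encrypted", ".locked", ".encryptedfile", ".securecrypted"),
    "Bart": (".bart.zip",),
    "CryptoMix": (".cryptoshield", ".rdmk", ".lesli", ".scl", ".code", ".rmd", ".rscl"),
    "CrySiS": (".crysis", ".xtbl"),
    "Globe": (".globe", ".gsupport", ".blackblock", ".frozen", ".purged", ".xtbl"),
    "Legion": ("$.legion", "$.cbf"),
}
# Ransom-note names; BadBlock renames nothing, so its note is its only file-name sign.
NOTES = {
    "Shade/Onion/CTB": ("decryptallfiles.txt",),
    "Alcatraz Locker": ("ransomed.html",),
    "Apocalypse": (".how_to_decrypt.txt", ".how_to_recover_data.txt", ".where_my_files.txt"),
    "BadBlock": ("help decrypt.html",),
    "Bart": ("recover.txt", "recover.bmp"),
    "CrySiS": ("decryption instructions.txt", "decryptions instructions.txt"),
    "Globe": ("how to restore files.hta", "read me please.hta"),
    "HiddenTear": ("read_it.txt", "msg_from_situla.txt", "decrypt_your_files.html"),
}

def classify(name):
    """Return (kind, families): kind is 'note', 'encrypted' or None."""
    n = name.lower()
    notes = sorted(f for f, pats in NOTES.items() if n.endswith(pats))
    if notes:
        return "note", notes
    fams = {f for f, sufs in SUFFIXES.items() if n.endswith(sufs)}
    if n.startswith("lock."):  # Crypt888 prefixes names instead of appending
        fams.add("Crypt888")
    return ("encrypted", sorted(fams)) if fams else (None, [])

def triage(root):
    """Walk a tree; count encrypted files and ransom notes per family."""
    enc, notes = Counter(), Counter()
    for _, _, files in os.walk(root):
        for kind, fams in map(classify, files):
            for f in fams:
                (notes if kind == "note" else enc)[f] += 1
    return enc, notes

def demo():
    """Triage a constructed sample folder (not real victim data)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Thesis.doc.bart.zip", "recover.txt", "report.xtbl",
                     "Lock.Thesis.doc", "Help Decrypt.html", "budget.xlsx"):
            open(os.path.join(root, name), "w").close()
        return triage(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A name such as report.xtbl is reported under every family the page lists for that extension, so the ransom note, not the extension, is what pins down the family.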