Ransomware virus. BIG article
But later (after more than 3 weeks after the start of decryption), the situation changed for the better. During this period, I have successfully decrypted the data immediately after two viruses Trojan.Encoder.225 and Trojan.Encoder.263 on different PCs.
Recall: Trojans of the Trojan.Encoder family are malicious programs that encrypt files on the computer’s hard drive and require money to decrypt them. Files * .mp3, * .doc, * .docx, * .pdf, * .jpg, * .rar and so on may be encrypted.
It was not possible to personally get acquainted with the entire family of this virus, but, as practice shows, the method of infection, treatment and decryption is approximately the
same for everyone: 1. the victim is infected through a spam email with an attachment (less often by infection),
2. the virus is recognized and deleted ( already) almost any antivirus with fresh databases,
3. files are decrypted by selecting passwords-keys to the types of encryption used.
For example, Trojan.Encoder.225 uses RC4 encryption (modified) + DES, and Trojan.Encoder.263 uses BlowFish in CTR mode. These viruses are currently decrypted at 99% based on personal practice.
But not everything is so smooth. Some encryption viruses require months of continuous decryption (Trojan.Encoder.102), while others (Trojan.Encoder.283) cannot be decrypted at all, even for Doctor Web specialists, which, in fact, play a key role in this article. .
Now in order.
In early August 2013, I was approached by clients with the problem of encrypted files with the Trojan.Encoder.225 virus. The virus, at that time, is new, no one knows anything, on the Internet there are 2-3 subject links from Google on the Internet. After lengthy searches on the Internet, it turns out that the only (found) organization that deals with the problem of decrypting files after this virus is Doctor Web. Namely: it gives recommendations, helps in contacting technical support, develops its own decoders, etc.
Negative retreat.
And, taking this opportunity, I want to note two fatteningminus Kaspersky Lab. Which, when contacting their technical support, dismisses "we are working on this issue, we will notify the results by mail." And yet, the minus is that I never received a response to the request. 4 months later. Neither "horseradish" imagine the reaction time. And here I strive for the standard of "no more than one hour from the application."
It's a shame, comrade Yevgeny Kaspersky , Director General of Kaspersky Lab. But I have a good half of all companies "sitting" on it. Well, all right, licenses expire in January-March 2014. Needless to say, will I renew the license ?;) I
represent the faces of “specialists” from companies “simpler”, so to speak, of the non-giants of the anti-virus industry. Probably in general, "hid in a corner" and "quietly cried."
Although, what is already there, absolutely everyone "went wrong" to the fullest. The antivirus, in principle, should not have allowed this virus to get onto the computer. Especially considering modern technology. And “them”, the GIANTS of the anti-VIRA industry, supposedly got everything under control, “heuristic analysis”, “lead system”, “proactive defense” ...
WHERE THESE ALL SUPER SYSTEMS WERE WHEN THE EMPLOYEES DEPARTMENT OPENED “BEHAVIOR-FREE” "???
What was the employee supposed to think?
If YOU cannot protect us, then why do we need YOU at all?
And everything would be fine with Doctor Web, but just to get help, you naturally need to have a license for any of their software products. When contacting technical support (hereinafter TP), you must provide the Dr.Web serial number and do not forget to select “treatment request” in the line “Request Category:” or simply provide them with an encrypted file to the laboratory. I must say right away that the so-called “Dr.Web journal keys”, which are laid out in batches on the Internet, are not suitable, since they do not confirm the purchase of any software products, and are eliminated by TP specialists for one or two. It’s easier to buy the most “cheap” license. Because if you took up decryption, this license will pay off for you in the "mulion" time. Especially if the folder with photos "Egypt 2012" was in one copy ...
Attempt No. 1
So, having bought a “license for 2 PCs for a year” for the n-amount of money, contacting TP and providing some files, I got a link to the te225decrypt.exe decryption utility version 1.3.0.0. In anticipation of success, I launch the utility (you must point it to one of the encrypted * .doc files). The utility starts the selection, mercilessly loading the old E5300 DualCore processor, 2600 MHz (overclock to 3.46 GHz) / 8192 MB DDR2-800, HDD 160Gb Western Digital onto 90-100%.
Here, in parallel with me, a colleague on a core i5 2500k PC (overclocking to 4.5ghz) / 16 ram 1600 / ssd intel is included in the work (this is to compare the time spent at the end of the article).
After 6 days, my utility reported about decryption of 7277 files. But happiness did not last long. All files were decrypted "crookedly." That is, for example, microsoft office documents open, but with different errors: "Word found in the * .docx document content that could not be read" or "Cannot open the * .docx file due to errors in its contents." * .Jpg files also open either with an error, or 95% of the image appears to be blacked out or a light green-green background. Files * .rar - "Unexpected end of the archive."
In general, complete failure.
Attempt number 2
We write in TP about the results. Ask for a couple of files. A day later, they again give a link to the te225decrypt.exe utility, but already version 1.3.2.0. Well, let’s launch, there was still no alternative then. It takes about 6 days and the utility ends its work with the error "Unable to select encryption settings." Total 13 days "down the drain".
But we do not give up, on the account important documents of our * stupid * client without elementary backups.
Attempt number 3
We write in TP about the results. Ask for a couple of files. And, as you might have guessed, a day later they give a link to the same te225decrypt.exe utility, but already version 1.4.2.0. Well, let’s launch, there were no alternatives either from Kaspersky Lab, from ESET NOD32 or from other manufacturers of anti-virus solutions. And now, after 5 days 3 hours 14 minutes (123.5 hours), the utility reports the decryption of files (for a colleague on core i5, decryption took only 21 hours 10 minutes).
Well, I think it was-not. And lo and behold: complete success! All files are decrypted correctly. Everything opens, closes, looks, edits and saves properly.
Everyone is happy, THE END.
“And where is the story of the Trojan.Encoder.263 virus?”, You ask. And on the next PC, under the table ... was. Everything was simpler there: we write in Doctor Web’s TP, we get the te263decrypt.exe utility, run it, wait 6.5 days, voila! and everything is ready. To summarize, I can give a few tips from the Doctor Web forum in my edition:
What should be done in case of infection with a cryptographic virus:
- send Dr. Virus to the virus laboratory Web or in the form "Send suspicious file" encrypted doc-file.
- Wait for the answer of Dr.Web employee and then follow his instructions.
What NOT to do:
- change the extension of encrypted files; Otherwise, with a well-chosen key, the utility simply will not “see” the files that need to be decrypted.
- to use independently, without consulting with specialists, any programs for decrypting / recovering data.
Attention, having a server free from other tasks, I offer my free services for decrypting YOUR data. Server core i7-3770K with overclocking to * certain frequencies *, 16GB of RAM and Vertex SSD 4.
For all active users of the "hub", the use of my resources will be FREE !!!
Write to me in PM or other contacts. I already ate the "dog." Therefore, I am not too lazy to put the server for decryption at night.
This virus is the “scourge” of modernity and taking “loot” from fellow soldiers is not humane. Although, if someone “throws” a couple of bucks into my Yandex.Money account 410011278501419 - I will not mind. But this is not at all necessary. Contact. I process applications in my free time.
New information!
Beginning December 12, 2013, the distribution of a new virus from the same Trojan.Encoder series began under the classification of Doctor Web, Trojan.Encoder.263, but with RSA encryption. This view of today's date (12/20/2013) cannot be decrypted , since it uses a very strong encryption method.
I recommend to anyone who has suffered from this virus:
1. Using the built-in windows search, find all files containing the .perfect extension, copy them to an external medium.
2. Copy the CONTACT.txt file as well
. 3. Put this external media “on the shelf”.
4. Wait for the decoder utility to appear.
What NOT to do:
No contact with intruders. This is stupid. In more than 50% of cases, after “payment” in approximately 5000 rubles, you will not get ANYTHING. No money, no desheft.
In fairness, it is worth noting that on the Internet there are those “lucky ones” who received their files back by decryption for “loot”. But, you should not believe these people. If I were a virus writer, the first thing I would do was to spread information like “I paid and a decoder was sent to me !!!”.
Behind these "lucky ones" may still be the same attackers.
Well ... we wish good luck to other antivirus companies in creating utilities for decrypting files after viruses of the Trojan.Encoder group.
Special thanks for the work done to create decoder utilities to comrade v.martyanov from the Doctor Web forum.