WannaCry ransomware virus: what to do? The ransomware virus has returned to Russia and Ukraine. New ransomware virus treatment

Attacks by encryption viruses, leaks of hacking tools from American intelligence agencies, probing of the resilience of energy facilities, attacks on ICOs and the first successful theft of money from a Russian bank via the SWIFT system: the year 2017 was full of unpleasant surprises. Not everyone was ready for them; quite the contrary. Cybercrime is getting faster and bigger. Pro-government hackers are no longer just spies: they steal money and carry out cyber sabotage.
Any counteraction to cyber threats is always a competition between armor and projectile. The events of this year have shown that many companies and even states are losing to cybercriminals because they do not know who the enemy is, how he acts and where to expect the next blow. Most attacks need to be prevented at the preparation stage using Threat Intelligence early-warning technologies. Staying a few steps ahead of cybercriminals means saving your money, information and reputation.

Ransomware viruses

The most widespread cyber attacks of 2017, both in terms of distribution and damage, were those using ransomware viruses. Behind them are pro-government hackers. Let's remember them by name.

Consequences of the WannaCry attack: Rost supermarket, Kharkov, Ukraine.

Lazarus (also known as the Dark Seoul Gang) is the name of a North Korean group of hackers believed to be behind Bureau 121, one of the divisions of the Intelligence Directorate of the General Staff of the KPA (DPRK), responsible for conducting cyber operations. For many years, hackers from the North Korean group Lazarus spied on the ideological enemies of the regime: government agencies and private corporations in the United States and South Korea. Now Lazarus is attacking banks and financial institutions around the world: they are responsible for an attempt to steal almost $1 billion from the central bank of Bangladesh in February 2016, attacks on banks in Poland, as well as on employees of the Central Bank of the Russian Federation, the Central Bank of Venezuela, the Central Bank of Brazil and the Central Bank of Chile, and an attempt to withdraw $60 million from Far Eastern International Bank (see section "Targeted attacks on banks"). At the end of 2017, North Korean hackers were noticed in attacks on cryptocurrency services and attacks using mobile Trojans.

Trend of the year

On October 24, a large-scale cyber attack using the BadRabbit ransomware virus occurred in Ukraine and Russia. The virus attacked computers and servers of the Kyiv Metro, the Ministry of Infrastructure and Odessa International Airport. Several victims also ended up in Russia: as a result of the attack, federal media editorial offices were damaged, and attempts to infect banking infrastructures were also recorded. As Group-IB has established, the BlackEnergy group is behind the attack.

Targeted attacks on banks

The criminal groups that attacked Russian banks in the spring and summer of 2017 switched their attention to other countries and regions: the USA, Europe, Latin America, Asia and the Middle East. At the end of the year they started working again in Russia.

In 2017, pro-government hackers changed their goals: they began to carry out cyber sabotage against the financial sector. To spy or steal money, hackers try to gain access to SWIFT and card processing systems. This spring, the BlackEnergy group hacked an integrator in Ukraine and gained access to the network of Ukrainian banks. A couple of months later, the WannaCry and NotPetya epidemics began, behind which stood the Lazarus and BlackEnergy groups.

However, by the beginning of October, when the Group-IB team submitted its annual report, we were full of cautious optimism: targeted attacks on banks in Russia had fallen by 33%. All criminal groups that attacked Russian banks gradually switched their attention to other countries and regions: the USA, Europe, Latin America, Asia and the Middle East. The end of the year spoiled the statistics: we recorded a whole series of cyber attacks on banks, and in December there was the first successful attack on a Russian bank via SWIFT, carried out by the Cobalt group.

Attacks on SWIFT

In October, the Far Eastern International Bank in Taiwan was robbed. Having reached the system of international interbank transfers (SWIFT), to which the bank was connected, the hackers were able to withdraw almost $60 million to accounts in Sri Lanka, Cambodia and the United States. The Lazarus group is believed to be behind the attack. In November, Nepal's largest non-state bank, NIC Asia Bank, was targeted by cybercriminals who gained access to the SWIFT system and withdrew $4.4 million to accounts in the US, UK, Japan and Singapore.

In mid-December, a successful attack on a Russian bank via SWIFT (the international financial messaging system) became known. Let us recall that previously, targeted attacks in Russia were carried out through card processing systems, ATMs and the automated workplace of the KBR (the automated workplace of a client of the Bank of Russia).

The Cobalt group is likely involved in the attack. The penetration into the bank occurred through malware that the group had distributed to banks several weeks earlier; this type of attack is typical for Cobalt. The media reported that the criminals tried to steal about $1 million but managed to withdraw about 10%. FinCERT, the Central Bank's structural division for information security, named the Cobalt group in its report as the main threat to credit institutions.

According to Group-IB, the group has carried out at least 50 successful attacks on banks around the world: in Russia, Great Britain, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan and Malaysia. All summer and autumn they attacked banks around the world, tested new tools and schemes, and at the end of the year they did not slow down: almost every week we record their mailings with malicious programs inside.

Fileless attacks and malicious scripts are a new (and now basic) principle of conducting attacks. Hackers try to remain undetected, and to do this they use “fileless” programs that work only in RAM and are destroyed after a reboot. In addition, scripts in PowerShell, VBS and PHP help them ensure persistence (a foothold) in the system, as well as automate some stages of the attack. We also notice that hackers do not attack banks head-on, but through trusted partners: integrators and contractors. They attack employees when they are at home, checking personal email and social networks.

Trend of the year

Discovery of the year: MoneyTaker

10 interesting facts about MoneyTaker

  • Their victims were small banks: regional banks in Russia, and community banks with a low level of protection in the USA. Hackers penetrated one of the Russian banks through the home computer of a system administrator.
  • One of the American banks was hacked twice.
  • Having carried out a successful attack, they continued to spy on bank employees by forwarding incoming letters to Yandex and Mail.ru addresses.
  • This group always destroyed traces after an attack.
  • They tried to withdraw money from one Russian bank through ATMs, but the ATMs did not work: shortly before this, the Central Bank had revoked the license of their owner. The money was then withdrawn through the automated workplace of the KBR.
  • Not only money was stolen, but also internal documents, instructions, regulations, and transaction logs. Judging by the stolen documents related to the work of SWIFT, hackers are preparing attacks on targets in Latin America.
  • In some cases, hackers made changes to the program code on the fly - right during the attack.
  • The hackers used the file SLRSideChannelAttack.exe, which was made publicly available by researchers.
  • MoneyTaker used publicly available tools and purposefully hid any elements of attribution, preferring to remain in the shadows. The programs have only one author: this can be seen from the typical errors that migrate from one self-written program to another.

Leaks of intelligence hacking tools

Exploits from the NSA and CIA leaks have begun to be actively used to carry out targeted attacks. They are already part of the standard toolkit of financially motivated and some pro-government hackers.

WikiLeaks and Vault7

Throughout the year, WikiLeaks methodically revealed the secrets of the CIA, publishing information about the hacking tools of the intelligence services as part of the Vault 7 project. One of them, CherryBlossom (“Cherry Blossom”), allows you to track the location and Internet activity of users connected to a wireless Wi-Fi router. Such devices are widely used in homes, offices, restaurants, bars, hotels, airports and government agencies. WikiLeaks even revealed the CIA's technology for spying on colleagues from the FBI, DHS and NSA. The Office of Technical Services (OTS) at the CIA developed the ExpressLane spyware to secretly extract data from the biometric intelligence system that the CIA distributes to its counterparts in the US intelligence community. A little earlier, WikiLeaks disclosed information about the Pandemic malware, designed to hack computers with shared folders, and about the ELSA program, which also tracks the geolocation of Wi-Fi-enabled devices and allows you to track user habits. WikiLeaks began the Vault 7 series of publications in February 2017. The leaks contained information describing vulnerabilities in software, malware samples and computer attack techniques.

Hacking tools from another equally popular source, the NSA leaks published by the Shadow Brokers group, were not only in high demand but were also being improved and refined. A script appeared on underground forums to automate the search for machines with SMB protocol vulnerabilities, based on the utilities from American intelligence agencies published by the Shadow Brokers group in April of this year. The leak made the fuzzbunch utility and the ETERNALBLUE exploit publicly available, and after modification they became a completely finished product that makes attacks easier for attackers.

Let us recall that it was the SMB protocol that the WannaCry ransomware used to infect hundreds of thousands of computers in 150 countries. A month ago, the creator of the Shodan search engine, John Matherly, said that 2,306,820 devices with open ports for SMB access were found on the Internet. 42% of them (about 970 thousand) allow guest access, that is, anyone can access data via SMB without authorization.

In the summer, the Shadow Brokers group promised to publish new exploits for its subscribers every month, including for routers, browsers and mobile devices, as well as compromised data from banking networks and SWIFT and information about nuclear and missile programs. Inspired by the attention, Shadow Brokers raised the initial subscription price from 100 Zcash coins (about $30,000) to 200 Zcash coins (about $60,000). VIP subscriber status costs 400 Zcash coins and allows you to receive custom exploits.

Attacks on critical infrastructure

The energy sector has become a testing ground for new cyber weapons. The criminal group BlackEnergy continues to attack financial and energy companies. The tools at their disposal allow them to remotely control remote terminal units (RTUs), which are responsible for physically opening and closing circuits in the power grid.

The first virus that could actually disable equipment was Stuxnet, used by the Equation Group (Five Eyes/Tilded Team). In 2010, the virus penetrated the systems of the Iranian uranium enrichment plant in Natanz and infected Siemens SIMATIC S7 controllers that rotated uranium centrifuges at a frequency of 1000 revolutions per second. Stuxnet accelerated the centrifuge rotors to 1400 rpm, so much that they began to vibrate and break apart. Of the 5,000 centrifuges installed in the hall, about 1,000 were disabled. The Iranian nuclear program was set back a couple of years.

After this attack there was a lull for several years. It turned out that all this time the hackers were looking for a way to influence ICS and disable them when necessary. The group that has gone furthest in this direction is BlackEnergy, also known as Sandworm.

Their test attack on a Ukrainian substation late last year showed what a new set of tools, dubbed Industroyer or CRASHOVERRIDE, can do. At the Black Hat conference, Industroyer was called “the biggest threat to industrial control systems since Stuxnet.” For example, BlackEnergy tools allow remote control of remote terminal units (RTUs), which are responsible for physically opening and closing circuits in the power grid. Armed with such tools, hackers have a formidable cyber weapon that could leave entire cities without light and water.

Problems may arise not only in Ukraine: new attacks on energy systems were recorded in the UK and Ireland in July. There were no disruptions to the power grid, but experts believe hackers could have stolen passwords to security systems. In the US, after malicious emails were sent to employees of energy companies, the FBI warned companies about possible cyber attacks.

Attacks on ICOs

For a long time, banks and their customers have been the main target of cybercriminals. But now they have strong competitors in the form of ICOs and blockchain startups - everything related to cryptocurrencies attracts the attention of hackers.

ICO (Initial Coin Offering, the procedure for the initial placement of tokens) is the dream of any hacker. A lightning-fast and often quite simple attack on cryptocurrency services and blockchain startups brings in millions of dollars in profit with minimal risk for the criminals. According to Chainalysis, hackers managed to steal 10% of all funds invested in ICO projects on Ethereum in 2017. The total damage was almost $225 million, with 30,000 investors losing an average of $7,500.

We analyzed about a hundred attacks on blockchain projects (exchanges, exchangers, wallets, funds) and came to the conclusion that the bulk of the problems lie in the vulnerability of the crypto-services themselves that use blockchain technology. In the case of Ethereum, problems were observed not with the platform itself but with the crypto-services: they encountered vulnerabilities in their own smart contracts, defacements, compromise of admin accounts (Slack, Telegram), and phishing sites copying the content of the websites of companies launching an ICO.

There are several vulnerabilities:

  • Phishing sites - clones of the official resource
  • Site/web application vulnerabilities
  • Attacks through company employees
  • Attacks on IT infrastructure

We are often asked what to pay attention to and what to check first. There are three big blocks to pay attention to: protect people, protect processes and protect infrastructure.

Stealing money using Android Trojans

The market for Android banking Trojans turned out to be the most dynamic and rapidly growing. Damage from Android banking Trojans in Russia increased by 136% to $13.7 million and exceeded the damage from Trojans for personal computers by 30%.

We predicted this growth last year, as malware infections become harder to detect and thefts become automated using the auto-fill method. According to our estimates, the damage from this type of attack in Russia over the past year amounted to $13.7 million.

Detention of members of the criminal group Cron

05.15.2017, Mon, 13:33, Moscow time, Text: Pavel Pritula

The other day, one of the largest and, judging by the press, most “noisy” cyber attacks took place in Russia: the networks of several government departments and major organizations, including the Ministry of Internal Affairs, were attacked. The virus encrypted data on employees' computers and demanded a large sum of money so that they could continue their work. This is a clear example that no one is immune from ransomware. However, this threat can be dealt with, and we will show several methods that Microsoft offers.

What do we know about ransomware? It seems that these are criminals who demand money or things from you under the threat of adverse consequences. This happens in business from time to time, and everyone has a rough idea of what to do in such situations. But what to do if a ransomware virus has settled on your work computers, blocks access to your data and demands that you transfer money to certain people in exchange for an unlock code? You need to contact information security specialists, and it is best to do this in advance to avoid problems.

The number of cybercrimes has increased by an order of magnitude in recent years. Half of companies in major European countries have been attacked by ransomware, with more than 80% being targeted three or more times, according to SentinelOne research. A similar picture is observed around the world. Clearswift, a company specializing in information security, names a kind of “top” of countries most affected by ransomware: the USA, Russia, Germany, Japan, the UK and Italy. Small and medium-sized businesses are of particular interest to attackers because they have more money and more sensitive data than individuals, and do not have the powerful security services of large companies.

What to do and, most importantly, how to prevent a ransomware attack? First, let's assess the threat itself. The attack can be carried out in several ways. One of the most common is email. Criminals actively use social engineering methods, the effectiveness of which has not decreased at all since the days of the famous hacker of the 20th century, Kevin Mitnick. They can call an employee of the victim company on behalf of a real-life counterparty and, after the conversation, send an email with an attachment containing a malicious file. The employee will, of course, open it because he just spoke with the sender on the phone. Or an accountant may receive a letter purporting to be from the bailiff service or from the bank that services his company. No one is immune, and this is not the first time even the Ministry of Internal Affairs has suffered: a few months ago, hackers sent a fake invoice from Rostelecom with an encryption virus to the accounting department of the Kazan Line Directorate of the Ministry of Internal Affairs, which blocked the work of the accounting system.

The source of infection can be a phishing site that the user reached via a fraudulent link, or a flash drive “accidentally forgotten” by one of the office visitors. More and more often, infections occur through unprotected mobile devices of employees, from which they access corporate resources. And the antivirus may not help: hundreds of malware samples are known that bypass antiviruses, not to mention “zero-day attacks” that exploit newly discovered “holes” in the software.

What is “cyber ransomware”?

The program known as ransomware (cyber ransomware) blocks the user's access to the operating system and usually encrypts all data on the hard drive. A message is displayed on the screen stating that the computer is locked and the owner is obliged to transfer a large sum of money to the attacker if he wants to regain control of the data. Most often, a countdown of 2-3 days is displayed on the screen so that the user hurries; otherwise the contents of the disk will be destroyed. Depending on the appetites of the criminals and the size of the company, ransom amounts in Russia range from several tens to several hundred thousand rubles.

Types of ransomware

Source: Microsoft, 2017

Such malware has been known for many years, but in the last two or three years it has experienced a real boom. Why? Firstly, because people pay the attackers. According to Kaspersky Lab, 15% of Russian companies attacked in this way choose to pay the ransom, and 2/3 of the companies in the world subjected to such an attack lost all or part of their corporate data.

Secondly, cybercriminals' tools have become more sophisticated and accessible. And thirdly, the victim's own attempts to “guess the password” do not end well, and the police can rarely find the criminals, especially within the countdown period.

Incidentally, not all hackers bother to give the password to a victim who has transferred the required amount.

What is the business problem

The main problem in the field of information security for small and medium-sized businesses in Russia is that they do not have money for powerful specialized information security tools, but they have more than enough IT systems and employees with whom various types of incidents can occur. To combat ransomware, it is not enough to have only a configured firewall, antivirus and security policies. You need to use all available tools, primarily those provided by the operating system vendor, because they are inexpensive (or included in the cost of the OS) and 100% compatible with the vendor's own software.

The vast majority of client computers and a significant portion of servers run Microsoft Windows. Everyone knows the built-in security features such as Windows Defender and Windows Firewall, which, together with fresh OS updates and user rights restrictions, provide a level of security quite sufficient for the average employee in the absence of specialized tools.

But the peculiarity of the relationship between business and cybercriminals is that the former often do not know that they are being attacked by the latter. They believe themselves to be protected, but in fact, the malware has already penetrated the network perimeter and is quietly doing its job - after all, not all of them behave as brazenly as ransomware Trojans.

Microsoft has changed its approach to security: now it has expanded its line of information security products, and also focuses not only on maximizing the protection of companies from modern attacks, but also on making it possible to investigate them if an infection does occur.

Mail protection

The mail system, as the main channel by which threats penetrate the corporate network, must be additionally protected. To do this, Microsoft has developed Exchange ATP (Advanced Threat Protection), which analyzes email attachments and Internet links and promptly responds to detected attacks. This is a separate product; it integrates with Microsoft Exchange and does not require deployment on each client machine.

Exchange ATP can even detect zero-day attacks because it runs all attachments in a special sandbox, without releasing them into the production operating system, and analyzes their behavior. If an attachment shows no signs of an attack, it is considered safe and the user can open it. A potentially malicious file is sent to quarantine and the administrator is notified.

As for links in letters, they are also checked. Exchange ATP replaces all links with intermediate ones. The user clicks the link in the letter, lands on the intermediate link, and at that moment the system checks the address for safety. The check happens so quickly that the user does not notice the delay. If a link leads to an infected site or file, the click is blocked.

How Exchange ATP works

Source: Microsoft, 2017

Why does the check occur at the moment of clicking and not when the letter is received, when there would be more time for analysis and therefore less computing power would be required? This was done specifically to protect against the hackers' trick of swapping the content behind a link. A typical example: a letter arrives in the mailbox at night, the system checks the link and finds nothing, and by morning a file with a Trojan, for example, has been posted on the site behind that link, which the user successfully downloads.

And the third part of the Exchange ATP service is the built-in reporting system. It allows you to investigate incidents that have occurred and provides data to answer the questions: when did the infection occur, how and where did it occur. This allows you to find the source, determine the damage and understand whether it was an accidental hit or a purposeful, targeted attack against this company.

This system is also useful for prevention. For example, an administrator can pull statistics on how many clicks were made on links marked as dangerous, and which users did this. Even if no infection has occurred, awareness-raising work still needs to be carried out with these employees.
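A simplified model of the time-of-click link flow described in the last few paragraphs (rewrite at delivery, decide at click, report dangerous clicks per user), written as an added example here; it is not Microsoft's code and not how Exchange ATP is implemented, and the gateway host `links.example.invalid`, the blocklist and the click log are constructed:

```python
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

# Constructed gateway address; a real product uses its own redirect service.
GATEWAY = "https://links.example.invalid/check"
HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def rewrite_links(body_html):
    """Delivery time: replace every http(s) href with a gateway URL that
    carries the original target, percent-encoded, as a query parameter."""
    def to_gateway(match):
        return 'href="%s?url=%s"' % (GATEWAY, quote(match.group(1), safe=""))
    return HREF_RE.sub(to_gateway, body_html)


def original_target(gateway_url):
    """Recover the real destination from a rewritten link (parse_qs decodes it)."""
    return parse_qs(urlsplit(gateway_url).query)["url"][0]


class ClickGateway:
    """Holds reputation data that changes over time and decides at click time."""

    def __init__(self):
        self.blocked_hosts = set()
        self.click_log = []  # (user, target, allowed)

    def mark_malicious(self, host):
        self.blocked_hosts.add(host.lower())

    def is_blocked(self, target):
        host = (urlsplit(target).hostname or "").lower()
        return host in self.blocked_hosts

    def handle_click(self, user, gateway_url):
        """Return the destination to redirect to, or None when the click is
        blocked. Every decision is logged so dangerous clicks can be reported."""
        target = original_target(gateway_url)
        allowed = not self.is_blocked(target)
        self.click_log.append((user, target, allowed))
        return target if allowed else None

    def blocked_clicks_per_user(self):
        return Counter(user for user, _, allowed in self.click_log if not allowed)


def content_swap_scenario():
    """The night/morning case: the link is clean at delivery, the host is
    reported as malicious later, and the click is still blocked."""
    gateway = ClickGateway()
    mail = '<a href="https://files.example.invalid/invoice.doc">invoice</a>'
    rewritten = rewrite_links(mail)
    gateway_href = HREF_RE.search(rewritten).group(1)
    blocked_at_delivery = gateway.is_blocked(original_target(gateway_href))
    gateway.mark_malicious("files.example.invalid")  # reputation updated by morning
    redirect = gateway.handle_click("accountant", gateway_href)
    return blocked_at_delivery, redirect, gateway.blocked_clicks_per_user()


if __name__ == "__main__":
    print(content_swap_scenario())
```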

True, there are categories of employees whose job responsibilities force them to visit a variety of sites, such as marketers researching the market. For them, Microsoft technologies allow a policy to be configured so that any downloaded files are checked in the sandbox before being saved on the computer. Moreover, the rules are set in literally a few clicks.

Credential protection

One of the targets of cybercriminal attacks is user credentials. There are a lot of technologies for stealing user logins and passwords, and they must be countered by strong protection. There is little hope for the employees themselves: they invent simple passwords, use one password to access all resources and write them down on a sticky note glued to the monitor. This can be combated by administrative measures and by programmatically enforcing password requirements, but there will still be no guaranteed effect.

If a company cares about security, it differentiates access rights, so that, for example, an engineer or sales manager cannot access the accounting server. But hackers have one more trick up their sleeve: they can send a letter from the captured account of an ordinary employee to a targeted specialist who has the necessary information (financial data or trade secrets). Having received a letter from a “colleague”, the recipient will surely open it and launch the attachment. And the ransomware will gain access to data valuable to the company, for the return of which the company may pay a lot of money.

To ensure that a captured account does not give attackers the opportunity to penetrate the corporate system, Microsoft offers to protect it with Azure Multifactor Authentication. That is, to log in you need to enter not only the login/password pair, but also a PIN code sent via SMS or push notification or generated by a mobile application, or answer a robot's phone call. Multifactor authentication is especially useful when working with remote employees who can log into the corporate system from different parts of the world.

Azure Multifactor Authentication

About a week or two ago, another creation of modern virus makers appeared on the Internet, which encrypts all the user's files. Once again I will consider the question of how to disinfect a computer after the CRYPTED000007 ransomware virus and recover encrypted files. In this case, nothing new or unique has appeared, just a modification of the previous version.

Guaranteed decryption of files after a ransomware virus: dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is not fundamentally different from its predecessors. It works almost exactly the same way, but there are still several nuances that distinguish it. I'll tell you about everything in order.

It arrives, like its counterparts, by mail. Social engineering techniques are used to make the user interested in the letter and open it. In my case, the letter talked about some kind of court case and important information on the case in the attachment. After launching the attachment, the user opens a Word document with an extract from the Moscow Arbitration Court.

In parallel with opening the document, file encryption starts. An information message from the Windows User Account Control system begins to constantly pop up.

If you agree to the prompt, the backup files in Windows shadow copies will be deleted and recovery of information will be very difficult. It is obvious that you must not agree to the prompt under any circumstances. In this encryptor, these requests pop up constantly, one after another, and do not stop, forcing the user to agree and delete the backup copies. This is the main difference from previous modifications of encryptors. I have never encountered requests to delete shadow copies that did not stop. Usually, after 5-10 prompts they stopped.

I will immediately give a recommendation for the future. It is very common for people to disable User Account Control warnings. There is no need to do this. This mechanism can really help in resisting viruses. The second obvious piece of advice is not to work constantly under a computer administrator account unless there is an objective need for it. In this case, the virus will not have the opportunity to do much harm. You will have a better chance of resisting it.

But even if you always answered the ransomware's requests negatively, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files with the same content on your desktop.

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decipher on your own will not lead to anything other than an irrevocable loss of information. If you still want to try, then make backup copies of the files first, otherwise, in the event of a change, decryption will become impossible under any circumstances. If you have not received notification at the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways: 1) Download and install Tor Browser via the link: https://www.torproject.org/download/download-easy.html.en In the Tor Browser address box, enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

The mailing address may change. I also came across the following addresses:

Addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are encrypted, immediately turn off your computer. This must be done to interrupt the encryption process both on the local computer and on network drives. An encryption virus can encrypt all information it can reach, including on network drives, but if there is a large amount of information there, it will take considerable time. Sometimes, even after a couple of hours, the ransomware had not managed to encrypt everything on a network drive of approximately 100 gigabytes.

Next, think carefully about how to proceed. If you need the information on the computer at any cost and have no backups, this is the moment to turn to specialists. Not necessarily a paid company: you need someone who knows information systems well. The tasks are to assess the scale of the damage, remove the malware, and collect all available information about the incident in order to decide what to do next.

Wrong actions at this stage can significantly complicate decrypting or recovering the files, and in the worst case make it impossible. So take your time, and act carefully and methodically.

How the CRYPTED000007 ransomware virus encrypts files

After the ransomware has run and finished, every useful file is encrypted and renamed: the extension becomes .crypted000007, and the original file name is replaced as well, so unless you remember what was where, you cannot tell from the listing what a file used to be. It looks something like this.

In this situation it is hard to assess the scale of the damage, because you cannot fully remember what was in which folder. This is done deliberately, to confuse people and push them into paying for decryption.

If network folders were encrypted too and there are no complete backups, this can bring the work of the whole organisation to a halt. It takes time just to work out what was lost before restoration can begin.
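Since the ransomware replaces file names as well as extensions, the only inventory the disk itself can give you is counts: how many .crypted000007 files per folder, what survived, and when the encrypted files were last written (which bounds when the ransomware ran and hints whether it is still running). The following Python script is an added example of that triage, not code from the original article; the .crypted000007 extension is the one the article reports, and the directory layout it builds is constructed sample data, not a real incident.

```python
"""Triage after a CRYPTED000007-style incident: how much was encrypted, where, and when.
Added example; not code from the original article."""
import os
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone

ENCRYPTED_EXT = ".crypted000007"   # extension the article reports for this family


def triage(root):
    """Walk `root` and summarise encrypted vs intact files per directory.

    The ransomware also replaces file names, so the listing cannot say *which*
    document a .crypted000007 file used to be; per-directory counts and the
    surviving extensions are the best inventory the disk can give. The earliest
    and latest mtime on encrypted files bound the period the ransomware was
    active; a `last_seen` close to "now" means it may still be running.
    """
    per_dir = defaultdict(lambda: {"encrypted": 0, "intact": 0})
    intact_ext = Counter()
    mtimes = []
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                per_dir[rel]["encrypted"] += 1
                mtimes.append(os.path.getmtime(path))
            else:
                per_dir[rel]["intact"] += 1
                intact_ext[os.path.splitext(name)[1].lower() or "<none>"] += 1

    def iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "encrypted": sum(v["encrypted"] for v in per_dir.values()),
        "intact": sum(v["intact"] for v in per_dir.values()),
        "per_dir": {k: dict(v) for k, v in per_dir.items()},
        "intact_extensions": dict(intact_ext),
        "first_seen": iso(min(mtimes)) if mtimes else None,
        "last_seen": iso(max(mtimes)) if mtimes else None,
    }


def build_sample_tree():
    """Constructed sample data, not from a real incident: Documents fully
    encrypted, Photos half done, a system folder untouched."""
    root = tempfile.mkdtemp(prefix="triage_")
    layout = {
        "Documents": ["7c1d9a0b.crypted000007", "e4f2a88c.crypted000007"],
        "Photos": ["91bb0f3e.crypted000007", "holiday.jpg"],
        "Windows": ["notepad.exe", "kernel32.dll"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"\x00" * 16)   # content is irrelevant for this triage
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"{report['encrypted']} encrypted, {report['intact']} intact")
    for d, counts in sorted(report["per_dir"].items()):
        print(f"  {d:<12} encrypted={counts['encrypted']} intact={counts['intact']}")
    print("active between", report["first_seen"], "and", report["last_seen"])
```

Point `triage()` at a mapped network share as well as the local disks; comparing its per-directory counts with a directory listing from the last good backup is the fastest way to answer "what did we lose".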

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect the machine and remove the virus, to prevent further encryption if it has not yet finished. Be aware that once you start doing things on the computer yourself, the chances of decrypting the data go down. If you need the files recovered at any cost, do not touch the computer; contact professionals straight away. I talk about them below, with a link to their site and a description of how they work.

Meanwhile, let us continue disinfecting the computer and removing the virus ourselves. Ransomware is traditionally easy to remove, since it has no need to stay on the computer at all costs: once the files are fully encrypted it is actually better for it to delete itself and disappear, which makes investigating the incident and decrypting the files harder.

Describing manual removal is difficult; I have tried before, but I see that it is mostly pointless. The file names and the paths where the virus places itself change constantly, and what I saw is no longer relevant a week or two later. The virus is usually sent by mail in waves, and each wave brings a new modification that antiviruses do not yet detect. Generic tools that check autorun entries and detect suspicious activity in system folders do help.

To remove the CRYPTED000007 virus you can use the following programs:

  1. Kaspersky Virus Removal Tool, a utility from Kaspersky: http://www.kaspersky.ru/antivirus-removal-tool.
  2. Dr.Web CureIt!, a similar product from Dr.Web: http://free.drweb.ru/cureit.
  3. If the first two do not help, try Malwarebytes 3.0: https://ru.malwarebytes.com.

Most likely one of these products will clear the CRYPTED000007 ransomware from your computer. If they happen not to help, try removing the virus manually. I gave an example of the removal method earlier, and you can look at it there. Briefly, step by step:

  1. Open Task Manager, add a few extra columns (for example the command line and image path), and look through the list of processes.
  2. Find the virus process, end it, then open the folder it runs from and delete the file (Windows will not let you delete an executable that is still running).
  3. Remove every reference to the virus by file name from the registry, above all from the autorun keys.
  4. Reboot and make sure the CRYPTED000007 process is no longer in the list of running processes.

Where to download the decryptor CRYPTED000007

When it comes to ransomware, the first question is always where to get a simple and reliable decryptor. The first thing I recommend is the service https://www.nomoreransom.org: with luck they will have a decryptor for your version of the CRYPTED000007 encryptor. I will say right away that the chances are not great, but it costs nothing to try. On the home page click Yes:

Then upload a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also look through the list of downloadable decryptors on a separate page: https://www.nomoreransom.org/decryption-tools.html. When the virus is brand new there is little chance of finding anything, but something may appear over time; there are examples of decryptors for particular modifications of ransomware turning up, and they are listed on that page.

I do not know where else you could find a decryptor. Given how modern encryptors work, it is unlikely one actually exists: only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The way the encryption is implemented does not allow the files to be decrypted without the key or a decryptor, which only the author of the encryptor has. Perhaps there is some other way to obtain it, but I do not have that information. All we can do is try to recover files by improvised means:

  • Windows Volume Shadow Copies.
  • Deleted-file recovery programs.

First, check whether shadow copies are enabled. System Protection is enabled by default on the system drive in Windows 7; on later versions it is often switched off unless you turned it on yourself. To check, open the computer properties and go to the System Protection section.

If during the infection you did not confirm the UAC prompt to delete the shadow copies, some data should still be there. I described this prompt in more detail at the start of the article, when explaining how the virus works.

To restore files from shadow copies easily, I suggest the free program ShadowExplorer. Download the archive, unpack it and run the program.

The latest copy opens at the root of drive C. In the top left corner you can pick a different copy if there are several. Check the different copies for the files you need, comparing dates to find the most recent version. In my example below I found two files on my desktop from three months earlier, when they were last edited.

I was able to recover these files: I selected them, right-clicked, chose Export and pointed to the folder to restore them into.

Folders can be restored the same way. If shadow copies were working and were not deleted, you have a good chance of recovering all or almost all of the files the virus encrypted. Some may be older versions than you would like, but that is still better than nothing.

If for some reason you have no shadow copies, your only remaining chance of getting anything back is deleted-file recovery: many encryptors write a new encrypted file and delete the original, and the original's blocks may not have been overwritten yet. For this I suggest the free program PhotoRec.

Run the program and choose the disk to recover files from. The graphical version is started by running qphotorec_win.exe. Then choose a folder for the recovered files; it must not be on the drive you are searching, because writing there overwrites the very data you are trying to recover. Connect a flash drive or an external HDD for it.

The search takes a long time. At the end you will see statistics. Now open the folder you specified and see what was found. There will most likely be a lot of files, and most of them will be damaged or will be system files of no use; still, some useful files may be among them. PhotoRec recovers files by their signatures, so they come back with generic names and no folder structure, and you will have to sort them by content. There are no guarantees: what you find is what you get. Images are usually recovered best.

If the result does not satisfy you, there are other programs for recovering deleted files. Below is the list of programs I usually use when I need to recover as many files as possible:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not give links; if you really want them, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others against the Filecoder.ED encryptor

Popular antiviruses detect the CRYPTED000007 ransomware as Filecoder.ED, though there may be other designations as well. I looked through the major antivirus forums and found nothing useful. Unfortunately, as usual, antivirus software turned out to be unprepared for a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. I still recommend using them: if you are lucky and receive the ransomware email not in the first wave of infections but a little later, there is a chance the antivirus will help. They all work one step behind the attackers: a new ransomware version appears and the antiviruses do not react to it; once enough material on the new virus accumulates for research, the vendors release an update and start detecting it.

I don't understand what prevents antiviruses from responding immediately to any encryption process in the system. Perhaps there is some technical nuance here that does not allow them to respond adequately and prevent the encryption of user files. It seems to me that it would at least be possible to display a warning that someone is encrypting your files and offer to stop the process.
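A detector of the kind described above is possible, and the reason it is not trivial is false positives: encrypted output is indistinguishable from compressed output by its bytes alone. The following Python script is an added example, not part of the original article and not how any particular antivirus works. It scores each file write by the Shannon entropy of the bytes written, ignores extensions that are legitimately high entropy (zip, jpg and the like; an assumed list), and raises one alert when a burst of high-entropy writes to other file types appears in a sliding window. The thresholds and the two replayed sessions are constructed for the demo.

```python
"""A behavioural 'someone is encrypting your files' heuristic. Added example,
not from the original article and not the logic of any real antivirus."""
import math
import os
from collections import Counter, deque

# Extensions that are legitimately high entropy (compressed or already encrypted
# containers). Writes to these are ignored so that saving a zip or a photo does
# not trip the alarm. Assumed list for the demo.
COMPRESSED_EXT = {".zip", ".7z", ".rar", ".gz", ".jpg", ".jpeg", ".png", ".mp4", ".mp3", ".pdf"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; plain text sits around 4-5, ciphertext near 8 (demo value)
WINDOW = 20               # number of recent write events kept
BURST_LIMIT = 10          # alert when this many of them look like ciphertext


def shannon_entropy(data):
    """Shannon entropy of `data` in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class WriteMonitor:
    """Sliding window over (path, content) write events."""

    def __init__(self):
        self.window = deque(maxlen=WINDOW)
        self.alerts = []        # (path that pushed the window over the limit, count)
        self._in_burst = False  # one burst produces one alert, not one per write

    def observe(self, path, content):
        """Record one write; returns True if this write alone looked like ciphertext."""
        ext = os.path.splitext(path)[1].lower()
        suspicious = ext not in COMPRESSED_EXT and shannon_entropy(content) >= ENTROPY_THRESHOLD
        self.window.append(suspicious)
        burst = sum(self.window)
        if burst >= BURST_LIMIT:
            if not self._in_burst:
                self.alerts.append((path, burst))
                self._in_burst = True
        else:
            self._in_burst = False
        return suspicious


def run_demo():
    """Replay two constructed sessions; returns (alerts in normal work, alerts during attack)."""
    normal = WriteMonitor()
    text = b"Quarterly report: revenue grew 4% while costs stayed flat. " * 40
    for i in range(30):
        normal.observe(f"C:/Users/anna/Documents/notes{i}.txt", text)          # ordinary saves
        normal.observe(f"C:/Users/anna/Pictures/img{i}.jpg", os.urandom(4096))  # photos: high entropy but allowed

    attack = WriteMonitor()
    for i in range(30):   # ransomware rewriting documents as ciphertext under its own extension
        attack.observe(f"C:/Users/anna/Documents/{i:08x}.crypted000007", os.urandom(4096))

    return len(normal.alerts), len(attack.alerts)


if __name__ == "__main__":
    print("alerts (normal session, attack session):", run_demo())
```

The design choice that matters is the allowlist: modern Office formats (.docx, .xlsx) are zip containers and therefore high entropy too, so a production version has to compare a file's new content with its previous content, or watch for renames to an unknown extension, rather than rely on entropy alone. That trade-off is the "technical nuance" that makes an immediate, low-false-positive response harder than it looks.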

Where to go for guaranteed decryption

I happened to come across one company that actually decrypts data after various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment is only after full decryption and your verification. Here is the approximate scheme of work:

  1. A company specialist comes to your office or home and signs an agreement with you that sets out the cost of the work.
  2. Runs the decryptor and decrypts all the files.
  3. You make sure that all the files open and sign the certificate of delivery/acceptance of the completed work.
  4. Payment is made solely on successful decryption.

I'll be honest, I don't know how they do it, but you risk nothing: payment is only after the decryptor has been demonstrated to work. Please write a review of your experience with this company.

Methods of protection against the virus CRYPTED000007

How to protect yourself from ransomware and avoid material and moral damage? A few simple and effective rules:

  1. Backups! Back up all important data, and not just any backup: one to which there is no constant access. Otherwise the virus can encrypt your documents and the backup copies alike. A copy on a mapped network share or a permanently attached USB disk is reachable; a drive that is disconnected after the backup, or an offsite copy, is not. Check from time to time that the backup can actually be restored.
  2. A licensed antivirus. It gives no 100% guarantee, but it raises the chances of avoiding encryption. Antiviruses are usually not ready for new versions of an encryptor, but start responding after 3-4 days, which helps if you were not in the first wave of a new modification.
  3. Do not open suspicious attachments in mail. There is nothing to add here: every ransomware I know of reached users by email, and each time new tricks are invented to deceive the victim.
  4. Do not thoughtlessly open links sent by friends on social networks or in messengers; viruses spread this way too.
  5. Turn on the display of file extensions in Windows. How to do this is easy to find on the Internet. It lets you see the extension of the virus file, most often .exe, .vbs or .scr (a screensaver, which is an executable). You are unlikely to meet these extensions in everyday work with documents.

I have tried to add to what I already wrote in earlier articles about ransomware viruses. For now, I say goodbye. I would be glad to receive useful comments on the article and on the CRYPTED000007 ransomware in general.

Video about file decryption and recovery

Here is an example of a previous modification of the virus, but the video is completely relevant for CRYPTED000007.

WannaCry continues its march across the Internet, infecting computers and encrypting important data. How to protect yourself from ransomware and protect Windows from it, and have patches been released to decrypt and disinfect files?

The 2017 ransomware WannaCry continues to infect corporate and home PCs. Damage from the attack is put at $1 billion. In two weeks the ransomware infected at least 300 thousand computers, despite warnings and security measures.

Ransomware in 2017: what is it? As a rule, it is picked up from seemingly harmless places, for example a compromised site such as a bank server with user access. Once on the victim's disk, the ransomware copies itself into a system folder such as System32, tries to disable the antivirus, and registers itself in autorun so that it is started from the registry after every reboot and continues its work. It may download additional malware (detected under names such as Ransom or Trojan) and often copies itself to other locations. This can happen instantly or take weeks before the victim notices anything wrong.

Ransomware often disguises itself as ordinary pictures or text files, but the essence is always the same: it is an executable file with an extension such as .exe, .drv or .xvd, sometimes a .dll library. Most often the file has a completely innocuous name, for example "document.doc" or "picture.jpg", where the "extension" is typed into the name by hand and the real file type is hidden (with known extensions hidden, Windows shows "document.doc.exe" as "document.doc").
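Both the advice to show file extensions (so that a .exe, .vbs or .scr stands out) and the disguise just described (an executable named "document.doc") come down to one check: what is the file's real extension, and does the content match what the name claims? The following Python script is an added example, not code from the original article: it flags double extensions, executable extensions, the Unicode right-to-left override trick that reverses the displayed tail of a name, and a document name on top of a Windows executable (MZ header). The extension lists and the sample attachments it writes to a temporary folder are constructed for the demo.

```python
"""Checks for the disguise tricks the text describes: executables named like
documents, double extensions, and content that does not match the name.
Added example; not from the original article."""
import os
import tempfile

# Assumed lists for the demo; extend them for your environment.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                  ".jse", ".wsf", ".hta", ".ps1", ".dll", ".drv"}
DOCUMENT_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf", ".jpg", ".jpeg", ".png"}
RLO = "\u202e"   # right-to-left override: "photo\u202egpj.exe" is displayed as "photoexe.jpg"

MAGIC = [   # (leading bytes, type) for the handful of formats relevant here
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"),
    (b"PK\x03\x04", "zip-or-ooxml"),
    (b"\xd0\xcf\x11\xe0", "ole2-office"),
]


def inspect_name(name):
    """What the file name alone reveals, independent of content."""
    findings = []
    clean = name.replace(RLO, "")
    if clean != name:
        findings.append("right-to-left override hides the real extension")
    parts = clean.lower().split(".")
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    if real_ext in EXECUTABLE_EXT:
        findings.append(f"real extension {real_ext} is executable")
    if inner_ext in DOCUMENT_EXT and real_ext in EXECUTABLE_EXT:
        findings.append(f"double extension: looks like {inner_ext}, runs as {real_ext}")
    return {"real_ext": real_ext, "executable": real_ext in EXECUTABLE_EXT,
            "rlo": clean != name, "findings": findings}


def sniff(data):
    """Identify the content type from its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_file(path):
    """Name checks plus a content check: does the declared type match the bytes?"""
    result = inspect_name(os.path.basename(path))
    with open(path, "rb") as fh:
        kind = sniff(fh.read(8))
    result["content"] = kind
    if kind == "pe-executable" and result["real_ext"] in DOCUMENT_EXT:
        result["findings"].append(f"named {result['real_ext']} but content is a Windows executable")
    result["suspicious"] = bool(result["findings"])
    return result


def run_demo():
    """Write constructed attachments to a temp dir; returns {name: suspicious?}."""
    root = tempfile.mkdtemp(prefix="attach_")
    samples = {
        "invoice.doc.exe": b"MZ\x90\x00",          # classic double extension
        "photo" + RLO + "gpj.exe": b"MZ\x90\x00",   # RLO trick, displayed as photoexe.jpg
        "statement.pdf": b"MZ\x90\x00",             # document name, executable content
        "report.pdf": b"%PDF-1.4\n",                # genuine PDF
        "notes.txt": b"plain notes\n",              # genuine text
    }
    verdicts = {}
    for name, content in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        verdicts[name] = inspect_file(path)["suspicious"]
    return verdicts


if __name__ == "__main__":
    for name, bad in run_demo().items():
        print(f"{'SUSPICIOUS' if bad else 'ok        '}  {name!r}")
```

The name check is what showing extensions gives you by eye; the content check is what a mail gateway or endpoint agent adds, and it is the one that catches a file whose name has been made to look harmless.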

After encryption completes, the user sees, instead of familiar files, a set of "random" characters in the name and inside, and the extension changes to an unfamiliar one: .NO_MORE_RANSOM, .xdata and others.

WannaCry ransomware 2017: how to protect yourself. Note that WannaCry is one specific family, the one that infected the most computers recently, although its name is often used loosely as a label for ransomware in general. What follows applies to ransomware as a class, of which there are a great many: Breaking.dad, NO_MORE_RANSOM, Xdata, XTBL, WannaCry.

How to protect Windows from ransomware: EternalBlue and the SMB protocol. WannaCry spread between machines on its own through EternalBlue, an exploit for a vulnerability in SMBv1 (TCP port 445) that Microsoft had patched in March 2017 as MS17-010; an unpatched machine with port 445 reachable was infected with no user action at all. The specific protection is therefore to install that update, disable SMBv1 where it is not needed, and block port 445 from the Internet.

Protecting Windows from ransomware in 2017, the basic rules:

  • Windows updates and a timely move to a supported, licensed OS (note: Windows XP no longer receives regular updates; Microsoft did issue an emergency MS17-010 patch for XP in May 2017, but that was an exception)
  • updating antivirus databases and firewalls promptly
  • extreme care when downloading any files (cute cat pictures can end in the loss of all your data)
  • backing up important information to removable media that is disconnected once the backup is made.

Ransomware 2017: how to disinfect and decrypt files.

Relying on antivirus software, you can forget about a decryptor for a while. The laboratories of Kaspersky, Dr.Web, Avast! and other antivirus vendors have so far found no solution for treating infected files. At the moment the virus can be removed with an antivirus, but there is no algorithm yet to return everything "to normal".

Some try decryptors such as the RectorDecryptor utility, but that will not help: it was written for a different ransomware family, and no decryption algorithm for the new viruses has been produced. It is also entirely unknown how the virus will behave if it is not removed before such programs are used; sometimes this ends in all files being wiped, as a warning from the virus authors to those who do not want to pay.

At the moment the most effective way to get lost data back is to contact the technical support of the vendor of the antivirus you use. To do this, send a letter or use the feedback form on the manufacturer's website. Be sure to attach an encrypted file and, if available, a copy of the original: a matching plaintext/ciphertext pair is exactly what the analysts need to work out the algorithm. Unfortunately, for many the attack comes as a complete surprise and no copies can be found, which greatly complicates matters.

Drastic measures against ransomware on Windows. Unfortunately, sometimes you have to resort to fully formatting the hard drive, which means reinstalling the OS. Many will think of System Restore, but that is not an option: a rollback gets rid of the virus, but the files remain encrypted. If you do reformat, first copy the encrypted files somewhere safe: a decryptor may appear later, and formatting destroys them for good.