Encrypting viruses (ransomware): how to remove the infection and decrypt files, with notes on WannaCry and Petya

Modern technology lets attackers keep refining the ways they defraud ordinary users. As a rule this is done with malware that gets onto the computer, and encrypting viruses (ransomware) are the most dangerous kind. The threat spreads very quickly and encrypts files, so that the user cannot open a single document. Getting infected is easy; getting the data back is much harder.

What to do if a virus has encrypted the files on your computer

Nobody, not even a user with strong antivirus software, is insured against an encrypter attack. File-encrypting trojans exist in many code variants, and a new one may not yet be in the antivirus database. Attackers have even compromised large companies that did not take proper care of protecting their information. So if you have picked up an encrypter online, you need to take a number of steps.

The main signs of infection are a computer that has suddenly become slow and documents whose names have changed (you can notice this on the desktop).

  1. Restart the computer to interrupt the encryption, and disconnect it from the network so the encrypter cannot reach shared folders. When it boots, do not confirm the launch of any unknown program.
  2. Run the antivirus, if the encrypter has not disabled it.
  3. Shadow copies help restore data in some cases. To find them, open the Properties of the encrypted document and look at the Previous Versions tab. This has been reported to work for data encrypted with the .vault extension.
  4. Download the latest version of a utility for fighting encrypters. The most effective ones are offered by Kaspersky Lab.

Encrypting viruses of 2016: examples

When dealing with any viral attack, it is important to understand that the code changes very often and gains new protection against antiviruses. Protection software naturally lags a little, until the developer updates the database. We have selected the most dangerous encrypters of recent times.

Ishtar Ransomware

Ishtar is an encrypter that extorts money from the user. The virus was seen in the autumn of 2016 and infected a huge number of users in Russia and several other countries. It spreads by mass e-mail with attached files (installers, documents and so on). Files encrypted by Ishtar receive the prefix "ISHTAR" in their names. The process creates a text document stating where to ask for the password. The attackers demand from 3,000 to 15,000 rubles for it.

The danger of Ishtar is that today there is no decryptor that could help users. The antivirus companies have to analyse the whole code first. For now you can only isolate important data (if it matters to you) on a separate medium and wait for a utility capable of decrypting the documents. Reinstalling the operating system is recommended.

Neitrino

The Neitrino encrypter appeared in 2015. Its attack principle is similar to other viruses of this category. It changes folder and file names by adding "Neitrino" or "Neutrino". Decrypting it is difficult: not every antivirus company has taken it on, citing very complex code. Some users can be helped by restoring a shadow copy: right-click the encrypted document, open Properties, go to the Previous Versions tab and click Restore. It is also worth trying the free utility from Kaspersky Lab.

Wallet or .wallet

The Wallet virus appeared at the end of 2016. During infection it renames files to "name..wallet" or similar. Like most encrypters, it enters the system through e-mail attachments sent by the attackers. Since the threat appeared quite recently, antivirus programs do not yet detect it. After encryption it creates a document in which the fraudster gives an e-mail address for contact. Antivirus developers are currently working on decrypting the code of this encrypter ([email protected]). Affected users can only wait. If the data is important, save it to an external drive and clean the system.

Enigma

The Enigma encrypter began infecting the computers of Russian users at the end of April 2016. It uses the AES-RSA encryption model found in most ransomware. The virus gets onto the computer through a script that the user runs by opening files from a suspicious e-mail. There is still no universal tool against Enigma encryption. Users with a licensed antivirus can ask for help on the developer's official website. A small loophole has also been found: Windows UAC. If the user clicks "No" in the UAC prompt that appears during infection, the virus runs without administrator rights and cannot delete the shadow copies, so the data can later be restored from them.

Granit

The new Granit encrypter appeared in the autumn of 2016. Infection follows this script: the user runs an installer that infects the machine and encrypts all data on the PC and on connected drives. Fighting the virus is hard. Kaspersky utilities can remove it, but they have not been able to decrypt the data. Restoring previous versions of the files may help. An experienced specialist may be able to decrypt the data, but the service is expensive.

Tyson

Seen recently. It is an extension of the already known No_more_ransom encrypter, which you can read about on our site. It arrives on personal computers by e-mail and has attacked many corporate PCs. The virus creates a text document with unlock instructions and offers to pay a ransom. Tyson is new, so there is no decryption key yet. The only way to recover the data is to restore previous versions, if the virus has not deleted them. You can of course take the risk of transferring money to the account the attackers specify, but there is no guarantee that you will receive the password.

SPORA

In early 2017 a number of users fell victim to the new SPORA encrypter. Its operating principle is not very different from its relatives, but it is more professionally executed: the instructions for obtaining the password are better written and the website looks better. SPORA is written in C and uses a combination of RSA and AES to encrypt the victim's data. It usually attacked computers on which the 1C accounting software is actively used. Disguised as an ordinary invoice in .pdf format, the virus gets company employees to run it. No cure has been found yet.

1C.Drop.1

This encrypter for 1C appeared in the summer of 2016 and disrupted the work of many accounting departments. It was designed specifically for computers running 1C software. Arriving on the PC as an e-mail attachment, it offers the owner an update of the program. Whatever the user clicks, the virus starts encrypting. Dr.Web experts are working on decryption tools but have not found one yet. The code is complex and may exist in several modifications. The only protection against 1C.Drop.1 is user vigilance and regular backups of important documents.

da_vinci_code

A new encrypter with an unusual name. The virus appeared in the spring of 2016. Compared with its predecessors it has improved code and a stronger encryption mode. da_vinci_code infects a computer through an executable file (usually attached to an e-mail) that the user runs. The encrypter copies its body to the system directory and registers itself in the registry so that it starts automatically with Windows. Each victim's computer is assigned a unique ID (used when obtaining a password). Decrypting the data is almost impossible. You can pay the attackers, but nobody guarantees the password.

[email protected] / [email protected]

Two e-mail addresses that often accompanied encrypting viruses in 2016. They are the victim's channel to the attacker. The addresses are attached to the most varied types of viruses: da_vinci_code, no_more_ransom and so on. It is strongly recommended not to contact the fraudsters and not to transfer money to them. In most cases users are left without passwords, and paying only shows the attackers that their encrypters work and bring income.

Breaking Bad

It appeared in early 2015 but spread actively only a year later. The infection principle is identical to other encrypters: running a file from an e-mail, then data encryption. Ordinary antiviruses usually do not notice the Breaking Bad virus. Some of its code cannot bypass Windows UAC, so the user has a chance to restore previous versions of documents. No antivirus company has released a decryptor yet.

XTBL

A very common encrypter that has caused trouble for many users. Once on the PC, the virus changes file extensions to .xtbl within minutes. A document is created in which the attacker extorts money. Some varieties of XTBL cannot destroy the files used by System Restore, which lets you get important documents back. The virus itself can be removed by many programs, but decrypting the documents is very difficult. If you own a licensed antivirus, contact technical support and attach samples of the infected data.

Kukaracha

The Kukaracha encrypter was seen in December 2016. The virus with the interesting name locks user files using the RSA-2048 algorithm, which is highly resistant to attack. Kaspersky antivirus designates it as Trojan-Ransom.Win32.Scatter.lb. Kukaracha can be removed from the computer so that the infection does not spread to other documents. However, files that are already encrypted are almost impossible to decrypt today (a very strong algorithm).

How an encrypting virus works

There are a huge number of encrypters, but they all work on a similar principle.

  1. Entry onto the personal computer. Usually via a file attached to an e-mail; the user starts the installation by opening the document.
  2. File encryption. Practically all file types are encrypted (depending on the virus). A text document is created with contacts for communicating with the attackers.
  3. That's it. The user cannot access a single document.
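The AES-RSA model mentioned above for Enigma and SPORA is what makes step 3 final. The following is an added example, not code from the page or from any of the encrypters it describes, that mirrors the key flow: a fresh symmetric key per disk is generated on the victim's machine, used to encrypt the files, then wrapped with the attackers' public key and written into the ransom note. Toy assumptions of the demo: the RSA primes are tiny Mersenne primes and a SHA-256 keystream stands in for AES-128-CBC, so the arithmetic is insecure, but the structure is the real one. The private exponent D is never present on the victim, which is why a decryptor is only possible when the malware leaks the symmetric key (for example by leaving it in memory or using a weak random generator) or the private key is published.

```python
"""Hybrid-encryption key flow of a ransomware encrypter, as an added demo.
Toy parameters: small fixed RSA primes and a SHA-256 keystream instead of
AES-128-CBC. Insecure by design; only the key flow is realistic."""
from __future__ import annotations
import hashlib
import secrets

# Attackers' key pair. In real ransomware only N and E are embedded in the
# binary; D stays with the attackers. These primes are a toy assumption
# (Mersenne primes 2^61-1 and 2^89-1), far too small for real use.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # never present on the victim machine

KEY_BYTES = 16  # AES-128-sized per-disk key


def rsa_wrap(key: bytes, e: int = E, n: int = N) -> int:
    """Wrap the symmetric key with the public key (textbook RSA, no padding: toy)."""
    m = int.from_bytes(key, "big")
    if m >= n:
        raise ValueError("key does not fit the toy modulus")
    return pow(m, e, n)


def rsa_unwrap(wrapped: int, d: int, n: int = N) -> bytes:
    """Unwrap with a private exponent; a wrong d yields garbage, not an error."""
    m = pow(wrapped, d, n)
    return m.to_bytes(max(KEY_BYTES, (m.bit_length() + 7) // 8), "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-128-CBC: SHA-256 in counter mode XORed over the data.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt_disk(files: dict) -> tuple:
    """Victim side: one fresh key per disk, files encrypted in place, the
    wrapped key written to the ransom note (the README.TXT of real samples)."""
    disk_key = secrets.token_bytes(KEY_BYTES)
    encrypted = {name: stream_xor(disk_key, data) for name, data in files.items()}
    note = "Your files are encrypted. Send this key id: %x" % rsa_wrap(disk_key)
    del disk_key  # the plaintext key is not kept on the victim
    return encrypted, note


def recover_disk(encrypted: dict, note: str, d: int) -> dict:
    """Whoever holds d (the attackers) unwraps the key from the note and decrypts."""
    wrapped = int(note.rsplit(": ", 1)[1], 16)
    disk_key = rsa_unwrap(wrapped, d)
    return {name: stream_xor(disk_key, data) for name, data in encrypted.items()}


if __name__ == "__main__":
    victim_files = {"C:/docs/report.doc": b"quarterly figures", "C:/src/main.c": b"int main(void){}"}
    enc, ransom_note = encrypt_disk(victim_files)
    print(ransom_note)
    print("recovered with D:", recover_disk(enc, ransom_note, D) == victim_files)
```

Run it and the note contains nothing but the wrapped key; calling recover_disk with anything other than D returns garbage rather than an error. The plaintext disk key exists only inside the running process, so a memory image taken before the machine is rebooted is sometimes the only place it can still be found.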

Tools from the popular laboratories

The spread of encrypters, recognised as the most dangerous threat to user data, has spurred many antivirus laboratories into action. Every major company gives its users programs to help fight encrypters, and many of them also help decrypt the locked documents.

Kaspersky and encrypting viruses

One of the best-known antivirus laboratories in Russia and the world offers today's most effective tools against ransomware. The first barrier is Kaspersky Endpoint Security 10 with the latest updates: the antivirus simply will not let the threat onto the computer (though brand-new versions may get past it). For decryption the developer provides several free utilities, including XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They help identify the encrypter and recover the key where it is known.

Dr.Web and encrypters

This laboratory recommends its own antivirus program, whose main feature is a protected store of backup copies of files, shielded from unauthorised access by attackers. Owners of a licensed Dr.Web product can get help from technical support. True, even experienced professionals cannot always cope with this type of threat.

ESET NOD32 and encrypters

This company has not stood aside either, giving its users good protection against malware getting onto the computer. In addition, the laboratory recently released a free utility with up-to-date databases, ESET Crysis Decryptor. The developers state that it helps even against the newest variants of that family.

Petya / Trojan.Encoder.12544

The specialists of Doctor Web are studying the new trojan-encrypter Trojan.Encoder.12544, referred to in the media as Petya, Petya.A, ExPetya and WannaCry-2. Based on a preliminary analysis of the malware, Doctor Web gives recommendations on how to avoid infection, says what to do if infection has already happened, and discloses technical details of the attack.

The worm-encrypter Trojan.Encoder.12544, which has made a great deal of noise, is a serious danger to personal computers running Microsoft Windows. Various sources call it a modification of the trojan known as Petya (Trojan.Ransom.369), but Trojan.Encoder.12544 has only some similarity to it. The malware has penetrated the information systems of a number of government bodies, banks and commercial organisations, and has also infected the PCs of users in several countries.

It is currently known that the trojan infects computers through the same set of vulnerabilities that the attackers previously used to plant the WannaCry trojan. Mass distribution of Trojan.Encoder.12544 began in the first half of the day on 27 June 2017. When started on an attacked computer, the trojan uses several methods to find PCs reachable on the local network, then scans ports 445 and 139 on the resulting list of IP addresses; on machines where these ports are open it tries to infect them using the widely known SMB vulnerability (MS17-010).
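The scan described above (one host touching ports 445 and 139 on every address of its local network in quick succession) is visible in ordinary connection logs long before the encryption stage. The following is an added example, not Dr.Web's or the page's code, that flags any source reaching an unusual number of distinct hosts on those ports inside a short window. The log format, the 60-second window and the threshold of ten hosts are assumptions of the demo; the traffic is constructed, not captured.

```python
"""Detecting an SMB lateral-movement sweep from connection logs, as an added
example. Constructed log format: 'YYYY-MM-DD HH:MM:SS src=IP dst=IP dport=N'."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(\S+) dst=(\S+) dport=(\d+)")


def build_sample_log() -> str:
    """Constructed traffic for 27 June 2017: five clients talk to one file
    server on 445, one client browses the web on 443, and one infected host
    sweeps thirty neighbours on 445/139 within half a minute."""
    base = datetime(2017, 6, 27, 10, 30, 0)
    lines = []
    for client in range(40, 45):
        for k in range(3):
            ts = base + timedelta(seconds=client * 10 + k)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.{client} dst=10.0.0.5 dport=445")
    lines.append("2017-06-27 10:30:30 src=10.0.0.15 dst=93.184.216.34 dport=443")
    for i in range(30):
        ts = base + timedelta(minutes=1, seconds=i)
        port = 445 if i % 2 == 0 else 139
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.15 dst=10.0.0.{100 + i} dport={port}")
    return "\n".join(lines) + "\n"


def parse(log: str):
    """Yield (timestamp, src, dst, dport); lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), int(m.group(4))


def find_smb_sweepers(log: str, window: timedelta = timedelta(seconds=60), min_targets: int = 10) -> dict:
    """Return {src: max distinct SMB destinations inside any `window`} for every
    source that reached at least `min_targets` distinct hosts on 445/139."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(parse(log)):
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        left = 0  # sliding window over the time-sorted hits of this source
        for right in range(len(hits)):
            while hits[right][0] - hits[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in hits[left:right + 1]})
            if distinct >= min_targets:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, n in find_smb_sweepers(build_sample_log()).items():
        print(f"ALERT {src}: {n} distinct hosts on 445/139 inside 60 s")
```

Vulnerability scanners, SCCM and backup servers produce the same pattern legitimately, so a real deployment allow-lists them and tunes min_targets to the size of the subnets involved; on a flat /16 the ten-host threshold is far too low.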

The trojan's body contains four compressed resources, two of which are 32- and 64-bit builds of the Mimikatz utility, designed to extract the passwords of open Windows sessions. Depending on the bitness of the OS it unpacks the matching version, saves it to a temporary folder and runs it. Using Mimikatz, as well as two other methods, Trojan.Encoder.12544 obtains the list of local and domain users logged on to the infected computer. It then looks for network shares it can write to, tries to open them with the obtained credentials and saves a copy of itself there. To infect the computers it has gained access to, Trojan.Encoder.12544 uses the PsExec remote execution utility (also stored in the trojan's resources) or the standard console utility for calling WMI objects, wmic.exe.

The encoder controls its own re-launch using a file stored in the C:\Windows\ folder. This file has the same name as the trojan, without extension. Since the sample the attackers are currently spreading is named perfc.dat, the file that prevents a re-launch is C:\Windows\perfc. But as soon as the attackers change the original name of the trojan, creating the extensionless file C:\Windows\perfc (as some antivirus companies advise) will no longer save the computer from infection. In addition, the trojan checks for the file only if it has sufficient privileges in the operating system.

After starting, the trojan elevates its privileges, loads its own copy into memory and transfers control to it. The encoder then overwrites its own file on disk with garbage and deletes it. First of all Trojan.Encoder.12544 corrupts the VBR (Volume Boot Record) of drive C:, filling the first sector of the disk with garbage. The encrypter then copies the original Windows boot record to another area of the disk, having first encoded it with XOR, and writes its own boot record in its place. Next it creates a task to restart the computer and begins encrypting all files on local physical disks with the following extensions: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip.
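The backup that the trojan makes of the original boot record is a classic known-plaintext target: every boot sector ends in the bytes 0x55 0xAA, so if the encoding is a single-byte XOR the key falls out of those two bytes and the relocated copy can be found by walking the disk image sector by sector. The following is an added forensic example, not the page's or Dr.Web's code; the key value 0x07, the single-byte width and the sector where the copy sits are assumptions of the demo, since the page only states that the record is XOR-encoded and copied elsewhere.

```python
"""Recovering a XOR-encoded, relocated boot record from a disk image, as an
added forensic example. Key width, key value and backup location are assumed."""
from __future__ import annotations
import hashlib

SECTOR = 512
PART_TABLE = 446     # offset of the four 16-byte partition entries
SIG_OFFSET = 510     # offset of the 0x55AA boot signature
MBR_SIGNATURE = b"\x55\xaa"


def make_fake_mbr() -> bytes:
    """Constructed 512-byte boot sector: deterministic filler as 'bootstrap code',
    one bootable NTFS partition entry, three empty entries, 0x55AA. Not a real MBR."""
    code = b"".join(hashlib.md5(i.to_bytes(2, "big")).digest() for i in range(28))[:PART_TABLE]
    entry = bytes.fromhex("80 20 21 00 07 df 13 0c 00 08 00 00 00 20 03 00")
    return code + entry + b"\x00" * 48 + MBR_SIGNATURE


def xor_sector(sector: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in sector)


def recover_xor_key(sector: bytes):
    """Known-plaintext attack: the last two bytes of a boot sector are 0x55 0xAA,
    so each gives a key candidate; they must agree for a single-byte XOR.
    Returns None when they do not (wider key, or not a boot sector at all)."""
    if len(sector) != SECTOR:
        return None
    k1 = sector[SIG_OFFSET] ^ 0x55
    k2 = sector[SIG_OFFSET + 1] ^ 0xAA
    return k1 if k1 == k2 else None


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility check after decoding: every partition entry's boot flag is
    0x00 or 0x80 and the signature is in place."""
    flags_ok = all(sector[off] in (0x00, 0x80) for off in range(PART_TABLE, SIG_OFFSET, 16))
    return flags_ok and sector[SIG_OFFSET:] == MBR_SIGNATURE


def recover_boot_record(encoded: bytes) -> tuple:
    """Return (key, decoded sector); raise instead of guessing when the sector
    is not a single-byte XOR of something that looks like a boot record."""
    key = recover_xor_key(encoded)
    if key is None:
        raise ValueError("signature bytes disagree: not a single-byte XOR of a boot sector")
    plain = xor_sector(encoded, key)
    if not looks_like_mbr(plain):
        raise ValueError("decoded sector does not look like a boot record")
    return key, plain


def find_encoded_boot_records(image: bytes) -> list:
    """Walk a raw image sector by sector and report (sector_no, key) for every
    sector that decodes to a plausible boot record. A garbage sector passes the
    two-byte test about once in 256 tries; the partition-flag check drops most
    of those. Key 0 would mean an unencoded boot record and is reported too."""
    found = []
    for no in range(len(image) // SECTOR):
        try:
            key, _ = recover_boot_record(image[no * SECTOR:(no + 1) * SECTOR])
        except ValueError:
            continue
        found.append((no, key))
    return found


if __name__ == "__main__":
    # Constructed image: garbage in sector 0 (as the page describes), the
    # XOR-encoded original in sector 34 (an assumed location), zeros elsewhere.
    original = make_fake_mbr()
    image = bytes(range(256)) * 2 + bytes(SECTOR) * 33 + xor_sector(original, 0x07) + bytes(SECTOR) * 2
    for no, key in find_encoded_boot_records(image):
        print(f"sector {no}: boot record recovered with XOR key 0x{key:02x}")
```

If the two signature bytes disagree, the key is wider than one byte or the sector is not a boot record at all, and the functions say so instead of guessing; for a wider repeating key the same idea extends to any other bytes of the MBR whose plaintext is fixed, such as the zeroed unused partition entries.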

The trojan encrypts files only on the computer's fixed disks; the data on each disk is encrypted in a separate thread. Encryption uses AES-128-CBC with a separate key for each disk (a distinctive feature of the trojan not noted by other researchers). This key is encrypted with RSA-2048 (other researchers reported an 800-bit key) and stored in the root folder of the encrypted disk in a file named README.TXT. Encrypted files do not receive an additional extension.
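Because encrypted files keep their names and extensions, a damaged disk cannot be inventoried by name alone. The following is an added example, not the page's or Dr.Web's code, that applies the extension list above and then separates healthy from encrypted files by byte entropy: AES-CBC output is indistinguishable from random bytes, while source code, configs and plain documents are far from it. The 7.2-bit threshold and the set of formats treated as high-entropy even when healthy (archives, Office files) are assumptions of the demo, and the samples are constructed.

```python
"""Entropy triage for files that were encrypted in place without a name change,
as an added example. Threshold and the 'compressed when healthy' set are assumed."""
from __future__ import annotations
import hashlib
import math
import os
from collections import Counter

# The target extension list quoted on the page.
TARGET_EXTS = {
    ".3ds", ".7z", ".accdb", ".ai", ".asp", ".aspx", ".avhd", ".back", ".bak", ".c",
    ".cfg", ".conf", ".cpp", ".cs", ".ctl", ".dbf", ".disk", ".djvu", ".doc", ".docx",
    ".dwg", ".eml", ".fdb", ".gz", ".h", ".hdd", ".kdbx", ".mail", ".mdb", ".msg",
    ".nrg", ".ora", ".ost", ".ova", ".ovf", ".pdf", ".php", ".pmf", ".ppt", ".pptx",
    ".pst", ".pvi", ".py", ".pyc", ".rar", ".rtf", ".sln", ".sql", ".tar", ".vbox",
    ".vbs", ".vcb", ".vdi", ".vfd", ".vmc", ".vmdk", ".vmsd", ".vmx", ".vsdx", ".vsv",
    ".work", ".xls", ".xlsx", ".xvd", ".zip",
}
# Compressed or encrypted when healthy: entropy cannot separate them from
# ciphertext, so they need a header check instead (assumption of the demo).
HIGH_ENTROPY_WHEN_HEALTHY = {".7z", ".zip", ".rar", ".gz", ".docx", ".xlsx", ".pptx",
                             ".vsdx", ".djvu", ".kdbx", ".pdf"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; random data approaches 8.0, text stays below ~5.5
MIN_SIZE = 64            # below this the entropy estimate is meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte histogram of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    ext = os.path.splitext(name)[1].lower()
    if ext not in TARGET_EXTS:
        return "not-targeted"
    if ext in HIGH_ENTROPY_WHEN_HEALTHY:
        return "undetermined"
    if len(data) < MIN_SIZE:
        return "too-small"
    return "likely-encrypted" if shannon_entropy(data) > ENTROPY_THRESHOLD else "plaintext-like"


def triage(files: dict) -> dict:
    """Map each path to its verdict; `files` is {path: contents}."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed samples: a C source file, and pseudo-random bytes of the same
# size (SHA-256 output, deterministic) standing in for its encrypted form.
SOURCE_C = b"#include <stdio.h>\nint main(void) {\n    puts(\"hello\");\n    return 0;\n}\n" * 16
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(40))[:len(SOURCE_C)]
SAMPLE_FILES = {
    "C:/src/main.c": SOURCE_C,          # untouched
    "D:/src/main.c": CIPHERTEXT,        # encrypted, name unchanged
    "D:/notes.txt": CIPHERTEXT,         # .txt is not on the target list
    "D:/report.docx": CIPHERTEXT,       # compressed format: entropy alone cannot tell
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_FILES).items():
        print(f"{verdict:17} {path}")
```

Archives and modern Office documents are compressed and already near 8 bits per byte, so for those the check returns "undetermined" and a header test (the PK signature of a .docx, for instance) is the right follow-up; a naive entropy scan over them raises an alarm on every healthy file.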

Once the previously created task fires, the computer restarts and control passes to the trojan's boot record, which displays text imitating the standard disk-check utility CHKDSK.

Ransomware in 2017

2017 was the year of ransomware, the most significant information-security threat for small, medium and large businesses and home users alike. These attacks demanded ransom on a great many computers around the world and captured the headlines of the leading media in every country. Last year the total damage from encrypters amounted to about 5 billion US dollars, which makes these trojans the most powerful and sophisticated type of cyber attack, with 350% growth compared with 2016.

  3. Conduct security audits and vulnerability tests so that you know exactly where the entry points into your systems are.

  4. Use a modern multiplatform information-security solution with advanced protection options, such as real-time expert analysis. This lets you prevent and detect attacks of this kind, and carry out the required response and recovery actions after an attack.
