Dr.Web free utilities. Trojan.Encoder: what is it, how to treat it, where to run the decryptor. Decryption after Trojan.Encoder.293

The first ransomware Trojans of the Trojan.Encoder family appeared in 2006-2007. Since January 2009 the number of their varieties has grown by approximately 1900%! Today Trojan.Encoder, with several thousand modifications, is one of the most dangerous threats to users. From April 2013 to March 2015 the Doctor Web virus laboratory received 8,553 requests to decrypt files damaged by encoder Trojans.
Ransomware has almost taken first place among requests on information-security forums. On average, the Doctor Web virus laboratory alone receives 40 decryption requests a day from users infected with various types of encryption Trojans (Trojan.Encoder, Trojan-Ransom.Win32.Xorist, Trojan-Ransom.Win32.Rector, Trojan.Locker, Trojan.Matsnu, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.GpCode, Digital Safe, Digital Case, lockdir.exe, rectorrsa, Trojan-Ransom.Win32.Rakhn, CTB-Locker, vault and so on). The main signs of such an infection are changed extensions on user files (music, images, documents and so on) and, when you try to open one of them, a message from the attackers demanding payment for a decryptor. The desktop background may also be replaced, and text documents and windows may appear with messages about encryption, "violation of the licensing agreement" and the like. Encryption Trojans are especially dangerous for commercial companies: losing databases and payment documents can halt the company's work for an indefinite period and lead to lost profits.

Trojans of the Trojan.Encoder family use dozens of different algorithms to encrypt user files. For example, to find the keys for files encrypted by Trojan.Encoder.741 by brute force, you would need:
107902838054224993544152335601 years

Decrypting files damaged by the Trojan is possible in no more than 10% of cases, which means that most user data is lost forever.

Today, ransomware demands up to 1,500 bitcoins.

Even if you pay a ransom to the attacker, it will not give you any guarantee of data recovery.

It gets absurd: a case was recorded in which, despite the ransom being paid, the criminals were unable to decrypt files encrypted by their own Trojan.Encoder and sent the victim for help... to the technical support service of an antivirus company!

How does infection occur?

  • Through e-mail attachments; using social engineering, the attackers get the user to open the attached file.
  • Through Zbot infections disguised as PDF attachments.
  • Through exploit kits placed on hacked websites, which exploit vulnerabilities on the computer to install the infection.
  • Through Trojans that offer to download a "player" supposedly needed to watch online video. This usually happens on porn sites.
  • Via RDP, using password guessing and vulnerabilities in this protocol.
  • Via infected keygens, cracks and activation utilities.
In more than 90% of cases users launch (activate) the ransomware on their computers with their own hands.

In the RDP password-guessing scenario the attacker logs in himself under the compromised account, disables or removes the antivirus product himself, and launches the encryption himself.

Until you stop being frightened by letters with subjects like "Debt" or "Criminal Proceedings", attackers will keep taking advantage of your naivety.

Think about it... Learn yourself and teach others the simplest basics of safety!

  • Never open attachments in e-mails from unknown senders, no matter how alarming the subject line. If the attachment is an archive, take the trouble to simply view its contents first. If it contains an executable file (extension .exe, .com, .bat, .cmd, .scr), it is 99.(9)% a trap.
  • If the letter still worries you, do not be lazy: look up the real e-mail address of the organization on whose behalf it was sent. In our information age this is not hard to find out.
  • Even if the sender's address turns out to be genuine, do not be lazy to confirm by phone that such a letter was actually sent. The sender's address is easily forged through anonymous SMTP servers.
  • A sender that says "Sberbank" or "Russian Post" means nothing by itself. Legitimate letters should ideally carry an electronic signature. Check the files attached to such e-mails carefully before opening them.
  • Regularly back up your data to separate media.
  • Forget about simple passwords: they are easy to guess, and your credentials then become the way into the organization's local network. For RDP access use certificates, VPN access or two-factor authentication.
  • Never work with Administrator rights. Pay attention to UAC prompts, even when they show a "blue", signed application: do not click "Yes" if you did not start an installation or update yourself.
  • Regularly install security updates, not only for the operating system but also for application programs.
  • Set a password on the antivirus program's settings, different from your account password, and enable the self-protection option.
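The "look inside the archive before opening it" advice above can be automated. The following is an added example written for this page, not code from the original article or from Doctor Web: it reads the central directory of a zip attachment without extracting anything and flags entries with the executable extensions the text names (.exe, .com, .bat, .cmd, .scr). The extra "double extension" check (Invoice.pdf.exe) and the sample "Debt notice" archive built in memory are assumptions of this example.

```python
"""
Added example (not part of the original article): inspect an e-mail
attachment archive without extracting it and flag executable entries.
"""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Extensions the article calls "99.(9)% a trap" when found inside a mailed archive.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr"}

# Document extensions a victim expects in an invoice or "debt notice" mailing;
# used only to spot the classic "Invoice.pdf.exe" double-extension trick (assumption).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def classify_entry(name: str) -> Optional[str]:
    """Return a reason string if the archive entry looks like a trap, else None."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            return "executable disguised with a document extension (%s)" % "".join(suffixes[-2:])
        return "executable (%s)" % last
    return None


def inspect_attachment(archive_bytes: bytes) -> List[Tuple[str, str]]:
    """List (entry_name, reason) for every suspicious entry in a zip attachment.

    Only the central directory is read; nothing is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_entry(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a 'Debt notice' archive with one real document and two traps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Debt_notice_2015.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Debt_notice_2015.pdf.exe", b"MZ placeholder")
        zf.writestr("Criminal_proceedings.scr", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_attachment(build_sample_attachment()):
        print("TRAP: %s: %s" % (entry, reason))
```

Run it against a saved attachment by passing the file's bytes to inspect_attachment(); the point is that listing is safe while extracting or double-clicking is not.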
What to do in case of infection?

Let us quote the recommendations of Dr.Web and Kaspersky Lab:

  • immediately turn off the computer to stop the Trojan; the Reset button can save a significant part of the data;
  • Site comment: although this recommendation comes from well-known laboratories, in some cases following it will complicate decryption, because the key may be held only in RAM and after a reboot it cannot be recovered. To stop further encryption without losing that memory, you can instead suspend (not terminate) the ransomware process with Process Explorer and then follow the further recommendations.

Spoiler: Footnote

No encoder is capable of encrypting all the data instantly, so until encryption is complete some part of it remains untouched. And the more time has passed since encryption started, the less untouched data remains. Since our task is to save as much of it as possible, we need to stop the encoder. You could, in principle, start analysing the process list, look for the Trojan in it, try to terminate it... But, believe me, pulling the power cord is much faster! A regular Windows shutdown is a good alternative, but it may take some time, or the Trojan may interfere with it. So my choice is to pull the cord. Undoubtedly this step has its drawbacks: the possibility of damaging the file system and the impossibility of taking a RAM dump afterwards. For an unprepared person a damaged file system is a more serious problem than the encoder. At least the files remain after the encoder, whereas damage to the partition table will make it impossible to boot the OS. On the other hand, a competent data-recovery specialist will repair that same partition table without any trouble, while the encoder may simply not have had time to reach many of the files.

To open criminal proceedings against the attackers, law enforcement needs a procedural basis: your statement reporting the crime. (Sample statement)

Be prepared for your computer to be seized for some time for examination.

If they refuse to accept your application, receive a written refusal and file a complaint with a higher police authority (the police chief of your city or region).

  • do not, under any circumstances, try to reinstall the operating system;
  • do not delete any files or e-mail messages on the computer;
  • do not run any "cleaners" of temporary files or the registry;
  • do not scan and disinfect the computer with antiviruses or antivirus utilities, and especially not with antivirus LiveCDs; as a last resort, move infected files to the antivirus quarantine;

Spoiler: Footnote

For decryption, the greatest value may lie in an inconspicuous 40-byte file in a temporary directory or an obscure shortcut on the desktop. You probably do not know whether they matter for decryption or not, so it is better not to touch anything. Cleaning the registry is a dubious procedure in general, and some encoders leave traces there that are important for decoding. Antiviruses, of course, can find the body of an encoder Trojan, and can even delete it once and for all, but then what is left for analysis? How will we understand how, and with what, the files were encrypted? So it is better to leave the animal on the disk. Another important point: I do not know of any system cleaner that takes the encoder's behaviour into account and preserves all traces of its operation, and most likely such tools will never appear. Reinstalling the system will certainly destroy all traces of the Trojan except the encrypted files.

  • do not try to recover encrypted files on your own;

Spoiler: Footnote

If you have a couple of years of programming under your belt, really understand what RC4, AES and RSA are and how they differ, know what Hiew is and what 0xDEADC0DE means, you can give it a try. I do not recommend it to others. Suppose you found some miracle method for decrypting files and even managed to decrypt one file. That is no guarantee the technique will work on all your files; moreover, it is no guarantee that using it you will not damage the files even further. Even in our work there are unpleasant moments when serious errors are discovered in decryption code that, up to that point, had worked as it should in thousands of cases.

Now that it is clear what to do and what not to do, decryption can begin. In theory decryption is almost always possible, provided you know all the data needed for it or have an unlimited amount of money, time and processor cores. In practice, some things can be decrypted almost immediately; some will wait their turn for a couple of months or even years. In some cases there is no point even trying: nobody will rent a supercomputer for free for 5 years. Worse, a seemingly simple case can turn out to be extremely complex on close examination. It is up to you to decide whom to contact.

  • contact the anti-virus laboratory of a company that has a department of virus analysts dealing with this problem;
  • attach a file encrypted by the Trojan to the ticket (and, if possible, an unencrypted copy of the same file);
  • wait for the virus analyst's response. Because of the large number of requests this may take some time.
How to recover files?

Addresses with forms for sending encrypted files:

  • Dr.Web (requests for free decryption are accepted only from users of the comprehensive Dr.Web antivirus)
  • Kaspersky Lab (requests for free decryption are accepted only from users of Kaspersky Lab commercial products)
  • ESET, LLC (requests for free decryption are accepted only from users of ESET commercial products)
  • The No More Ransom Project (collection of decryptors)
  • Encryptors - extortionists (collection of decryptors)
  • ID Ransomware (identifies the family from an encrypted sample and points to a decryptor where one exists)

We absolutely do not recommend restoring files yourself: done ineptly, you can lose all the information without recovering anything! In addition, recovering files encrypted by certain types of Trojans is simply impossible because of the strength of the encryption mechanism.

Deleted-file recovery utilities:
Some encryption Trojans create a copy of the file, encrypt the copy, and delete the original. In that case one of the file-recovery utilities can help (preferably portable versions, downloaded on another computer and written to a flash drive):

  • R.saver
  • Recuva
  • JPEG Ripper - utility for recovering damaged images
  • JPGscan (description)
  • PhotoRec - utility for recovering damaged images (description)
Method for solving problems with some versions of Lockdir

Folders encrypted by some versions of Lockdir can be opened with the 7-Zip archiver.

After successful data recovery you need to check the system for malware; to do this, run a scan and create a topic describing the problem in the corresponding section of the forum.

Recovering encrypted files using the operating system.

To recover files by means of the operating system, system protection must have been enabled before the ransomware Trojan got onto the computer. Most ransomware Trojans try to delete every shadow copy on the computer, but sometimes they cannot (when the Trojan is running without administrative privileges and Windows updates are installed), and the shadow copies can then be used to recover damaged files.

Remember that the command used to delete shadow copies:

Code:

vssadmin delete shadows

works only with administrator rights, so after enabling protection you should work only under an account with limited rights and pay careful attention to every UAC warning about an attempt to elevate privileges.
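Because that command is almost always the first thing an encoder runs once it has rights, it is also one of the best things to alert on. What follows is an added example for this page, not the article's own code: detection logic run over a few constructed process-creation log lines. The line layout (tab-separated time, user, parent process, command line) is an assumption standing in for a Windows Security 4688 or Sysmon Event ID 1 export. The vssadmin rule is the command the article quotes; the wmic and bcdedit rules are added here because they achieve the same effect and are worth catching too.

```python
"""
Added example (not from the original article): alert on shadow-copy and
recovery-disabling commands in constructed process-creation log lines.
"""
import re
from typing import Dict, List

# Command-line patterns that destroy or disable recovery data. Loose on case,
# whitespace and the optional ".exe" so quoting/casing tricks don't dodge them.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}

# A document viewer or mail client spawning these commands is the pattern the
# article describes (user opens an attachment, encoder runs in the user's session);
# an admin console doing it is merely worth a look. Set is an assumption.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe", "wscript.exe"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its four assumed tab-separated fields."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        raise ValueError("malformed log line: %r" % line)
    time, user, parent, cmd = parts
    return {"time": time, "user": user, "parent": parent.lower(), "cmd": cmd}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per (line, rule) match; severity depends on the parent process."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        for rule, pattern in RULES.items():
            if pattern.search(rec["cmd"]):
                severity = "high" if rec["parent"] in DOCUMENT_PARENTS else "medium"
                alerts.append(dict(rec, rule=rule, severity=severity))
    return alerts


# Constructed sample: a user opens a "debt notice", the document viewer spawns the
# encoder's recovery-killing commands; the last two lines are benign noise.
SAMPLE_LOG = [
    "2015-03-12T09:14:02\tCORP\\ivanov\tWINWORD.EXE\t\"C:\\Windows\\System32\\vssadmin.exe\" Delete Shadows /All /Quiet",
    "2015-03-12T09:14:05\tCORP\\ivanov\tcmd.exe\twmic.exe shadowcopy delete",
    "2015-03-12T09:14:07\tCORP\\ivanov\tcmd.exe\tbcdedit /set {default} recoveryenabled No",
    "2015-03-12T09:20:00\tNT AUTHORITY\\SYSTEM\tservices.exe\tC:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2015-03-12T10:00:00\tCORP\\admin\tmmc.exe\tvssadmin list shadows",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print("[%s] %s %s %s -> %s: %s" % (a["severity"], a["time"], a["user"], a["parent"], a["rule"], a["cmd"]))
```

Note that "vssadmin list shadows" from an admin console produces no alert: listing is benign, and the rules key on the verbs that actually destroy recovery data.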


Spoiler: How to enable system protection?


How to restore previous versions of files after they are damaged?


Note:

Restoring from a file's or folder's properties via the "Previous Versions" tab is available only in Windows 7 editions Professional and higher. For Home editions of Windows 7, and for all editions of newer Windows versions, there is a workaround (under the spoiler).

Spoiler


The second way is to use the ShadowExplorer utility (both an installer and a portable version are available).

  1. Run the program.
  2. Select the drive and the date of the shadow copy from which you want to recover files.
  3. Select the file or folder to recover and right-click on it.
  4. Choose Export from the menu and specify the folder into which the files from the shadow copy should be restored.


Ways to protect yourself from ransomware Trojans

Unfortunately, protection against ransomware Trojans is quite complicated for ordinary users, since it requires security policies or HIPS settings that allow only certain applications to access files, and even those do not give 100% protection when a Trojan injects itself into the address space of a trusted application. Therefore the only universally available protection is backing up user files to removable media. If the medium is an external HDD or a flash drive, it should be connected to the computer only for the duration of the backup and disconnected the rest of the time. For greater safety, backups can be made after booting from a LiveCD. Backups can also be kept in the so-called "cloud storage" offered by some companies.

Antivirus settings that reduce the likelihood of infection by encryption Trojans.

Applies to all products:

Enable the self-protection module and set a complex password on the antivirus settings!

If the system is infected with malware from the Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX families, all files on the computer will be encrypted as follows:

  • Trojan-Ransom.Win32.Rannoh: names and extensions change according to the pattern locked-<original_name>.<4 random letters>.
  • Trojan-Ransom.Win32.Cryakl: the label CRYPTENDBLACKDC is appended to the end of the file contents.
  • Trojan-Ransom.Win32.AutoIt: the name changes according to the pattern <original_name>@<mail_domain>_.<set_of_characters>.
    For example, [email protected]_.RZWDTDIC.
  • Trojan-Ransom.Win32.CryptXXX: the extension changes according to the patterns <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.
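Those four patterns are exactly the kind of signal an identification service uses to triage a sample. The block below is an added example written for this page, not code from the article, from Kaspersky Lab or from RannohDecryptor: it applies the naming rules and the Cryakl content marker listed above to decide which family most likely encrypted a file and recovers the original name. The regular expressions, the `read_tail` helper and the sample names are assumptions of this example; only the four families quoted above are covered.

```python
"""
Added example (not from the original article): classify an encrypted file by
the naming patterns / content marker the article lists for Rannoh, AutoIt,
CryptXXX and Cryakl, and recover the original file name where possible.
"""
import re
from typing import Dict, Optional

# locked-<original_name>.<4 random letters>
RANNOH_RE = re.compile(r"^locked-(?P<original>.+)\.(?P<tag>[A-Za-z]{4})$")
# <original_name>@<mail_domain>_.<set_of_characters>
AUTOIT_RE = re.compile(
    r"^(?P<original>.+)@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,})_\.(?P<tag>[A-Za-z0-9]+)$")
# <original_name>.crypt / .crypz / .cryp1
CRYPTXXX_RE = re.compile(r"^(?P<original>.+)\.(?P<tag>crypt|crypz|cryp1)$")
# Cryakl does not rename by a fixed rule; it appends this label to the file contents.
CRYAKL_MARKER = b"CRYPTENDBLACKDC"


def read_tail(path: str, n: int = len(CRYAKL_MARKER)) -> bytes:
    """Read the last n bytes of a real file (only the tail is needed for the marker)."""
    with open(path, "rb") as f:
        f.seek(0, 2)
        size = f.tell()
        f.seek(max(0, size - n))
        return f.read()


def identify(filename: str, tail: bytes = b"") -> Optional[Dict[str, str]]:
    """Return {'family', 'original_name', 'tag'} or None when nothing matches.

    `filename` is the bare name as found on disk; `tail` is the end of the file
    contents (see read_tail) and only matters for the Cryakl marker.
    """
    m = RANNOH_RE.match(filename)
    if m:
        return {"family": "Trojan-Ransom.Win32.Rannoh",
                "original_name": m["original"], "tag": m["tag"]}
    m = AUTOIT_RE.match(filename)
    if m:
        return {"family": "Trojan-Ransom.Win32.AutoIt",
                "original_name": m["original"], "tag": m["tag"]}
    m = CRYPTXXX_RE.match(filename)
    if m:
        return {"family": "Trojan-Ransom.Win32.CryptXXX",
                "original_name": m["original"], "tag": m["tag"]}
    if tail.endswith(CRYAKL_MARKER):
        # Name is unchanged by the rule the article gives, so report it as-is.
        return {"family": "Trojan-Ransom.Win32.Cryakl",
                "original_name": filename, "tag": CRYAKL_MARKER.decode()}
    return None


if __name__ == "__main__":
    # Constructed sample names and a constructed Cryakl tail.
    samples = [
        ("locked-report.docx.xqzt", b""),
        ("photo.jpg@example.com_.RZWDTDIC", b""),
        ("budget.xlsx.crypz", b""),
        ("contract.doc", b"...ciphertext..." + CRYAKL_MARKER),
        ("notes.txt", b"plain text"),
    ]
    for name, tail in samples:
        print(name, "->", identify(name, tail))
```

For a real directory, call identify(os.path.basename(p), read_tail(p)) per file; matching by name first and by content marker second keeps the disk reads to a minimum while still catching Cryakl, which the name alone cannot reveal.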

The RannohDecryptor utility is designed to decrypt files after infection by Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

How to cure the system

To cure an infected system:

  1. Download the RannohDecryptor.zip file.
  2. Run RannohDecryptor.exe on the infected machine.
  3. In the main window, click Start checking.
  4. Specify the path to an encrypted file and to the unencrypted copy of the same file.
     If the file was encrypted by Trojan-Ransom.Win32.CryptXXX, choose the largest file you have such a pair for: decryption will be available only for files of equal or smaller size.
  5. Wait until the search and decryption of encrypted files finishes.
  6. Restart the computer if required.
  7. To remove the copies of encrypted files after successful decryption, select "Delete encrypted files after successful decryption".

If a file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the result in the old location with the extension .decryptedKLR.original_extension. If you chose "Delete encrypted files after successful decryption", the decrypted file is saved under its original name.

By default the utility writes its report to the root of the system drive (the drive on which the OS is installed).

The report name has the form UtilityName.Version_Date_Time_log.txt

For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

On a system infected with Trojan-Ransom.Win32.CryptXXX the utility scans a limited set of file formats. If the user selects a file affected by CryptXXX v2, recovering the key may take a long time; in that case the utility displays a warning.

Doctor Web has released a free decryption utility for the new version of the ransomware Trojan.Encoder.19


The Doctor Web company reports the appearance of a new Trojan that encrypts user files. Doctor Web classified it as Trojan.Encoder.19. Having infected the system, the Trojan leaves a text file crypted.txt demanding $10 for a decryptor program.

How to use the utility
Run decryption over the entire C: drive. To do this, run the program with the following command line parameters:

The files on drive C: will be decrypted. When the utility finishes, decrypted files without the .crypt ending should appear next to the encrypted .crypt files. Do not delete the encrypted files, since incorrect decryption cannot be ruled out.

If some files could not be decrypted, send to [email protected] the crypted.txt file from the root of drive C: and several samples of encrypted files.


(Information from the manufacturer's page)



Based on a preliminary analysis of the malware, Doctor Web provides recommendations on how to avoid infection, tells what to do if infection has already occurred, and reveals the technical details of the attack.

The Trojan.Encoder.12544 encryption worm, which has made a lot of noise, is a serious threat to personal computers running Microsoft Windows. Various sources call it a modification of the Trojan known as Petya (Trojan.Ransom.369), but Trojan.Encoder.12544 shares only some features with it. This malware penetrated the information systems of a number of government agencies, banks and commercial organizations, and also infected users' PCs in several countries.

It is currently known that the Trojan infects computers using the same set of vulnerabilities that attackers previously used to break into the computers of WannaCry victims. Mass distribution of Trojan.Encoder.12544 began on the morning of June 27, 2017. When launched on an attacked computer, the Trojan enumerates the hosts reachable on the local network and then scans ports 445 and 139 on the list of IP addresses obtained. Having found machines with these ports open, Trojan.Encoder.12544 tries to infect them using the well-known vulnerability in the SMB protocol (MS17-010).

The Trojan carries 4 compressed resources in its body, 2 of which are 32- and 64-bit builds of the Mimikatz utility, designed to extract passwords of open Windows sessions. Depending on the bitness of the OS it unpacks the matching build, saves it in a temporary folder and launches it. Using Mimikatz, as well as two other methods, Trojan.Encoder.12544 obtains a list of local and domain users logged on to the infected computer. It then looks for writable network shares, tries to open them with the credentials obtained and saves a copy of itself there. To infect the computers it manages to reach, Trojan.Encoder.12544 uses the PsExec remote-control utility (also stored in the Trojan's resources) or the standard console utility Wmic.exe for calling WMI objects.

The encoder guards against re-running itself with a file it saves in the C:\Windows\ folder. The file's name matches the Trojan's own name without the extension. Since the worm sample currently being distributed is named perfc.dat, the file that prevents it from running again is C:\Windows\perfc. However, as soon as the attackers change the Trojan's original name, creating a file named perfc without extension in C:\Windows\ (as some antivirus companies advise) will no longer protect the computer. In addition, the Trojan checks for this file only if it has sufficient privileges in the operating system to do so.

After starting, the Trojan adjusts its privileges, loads a copy of itself into memory and transfers control to it. The encoder then overwrites its own file on disk with junk data and deletes it. First of all, Trojan.Encoder.12544 corrupts the VBR (Volume Boot Record) of drive C:, filling the first sector of the disk with garbage. The ransomware then copies the original Windows boot record to another part of the disk, having first encrypted it with XOR, and writes its own in its place. Next it creates a scheduled task to reboot the computer and begins encrypting all files with the following extensions found on local physical disks: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip.

The Trojan encrypts files only on fixed drives; the data on each drive is encrypted in a separate thread. Encryption uses AES-128-CBC, with a separate key for each disk (a distinctive feature of this Trojan not noted by other researchers). This key is encrypted with RSA-2048 (other researchers have reported an 800-bit key) and saved in the root folder of the encrypted drive in a file named README.TXT. Encrypted files do not receive an additional extension.

When the previously created task fires, the computer reboots and control passes to the Trojan's boot record. It displays on the screen text resembling a message from the standard CHKDSK disk-checking utility.

At this point Trojan.Encoder.12544 encrypts the MFT (Master File Table). Having finished, it displays the attackers' ransom demand on the screen.

If a message about CHKDSK running appears at startup, immediately cut the PC's power. The boot record will be damaged in this case, but it can be repaired with the Windows recovery tools or the Recovery Console after booting from the distribution disk. Boot-record recovery is usually possible on Windows 7 and later if the disk has the hidden system partition with a backup copy of critical Windows data; on Windows XP this method will not work. You can also use Dr.Web LiveDisk for this: create a bootable disk or flash drive, boot from it, launch the Dr.Web scanner, scan the affected disk and select "Disarm" for the threats found.

According to various sources, the only e-mail box used by the distributors of Trojan.Encoder.12544 is currently blocked, so they are essentially unable to contact their victims (to offer file decryption, for example).

To prevent infection by Trojan.Encoder.12544, Doctor Web recommends making timely backup copies of all critical data on independent media and using the Data Loss Prevention function of Dr.Web Security Space. In addition, all operating system security updates must be installed. Doctor Web specialists continue to investigate the Trojan.Encoder.12544 ransomware.

Frankly, I did not expect to run into perhaps one of the latest modifications of this virus today. Not long ago I wrote a little about it on my website; it's time to tell you more :)

As I already said, Trojan.Encoder is a Trojan program that encrypts user files. There are more and more varieties of this horror and, by rough estimates, there are already about 8 of them, namely: Trojan.Encoder.19, Trojan.Encoder.20, Trojan.Encoder.21, Trojan.Encoder.33, Trojan.Encoder.43, 44 and 45, and the last one, as I understand it, is not numbered. The author of the virus is a certain "Corrector".

Some information on the versions (taken partly from one site and partly from another):

Trojan.Encoder.19 - having infected the system, the Trojan leaves a text file crypted.txt with a requirement to pay $10 for the decryptor program.

Another variant of Trojan.Encoder.19 walks all non-removable drives and encrypts files with extensions from the following list:
.jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .asf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .db, .mdb, .dbf, .dbx, .h, .c, .pas, .php, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .sol, .jbc, .txt, .pdf.

Trojan.Encoder.20 is a new version of the ransomware Trojan in which the encryption and key-generation mechanism has been changed compared to Trojan.Encoder.19.

Trojan.Encoder.21 is a new modification of the Trojan whose crypted.txt file demands that you transfer money ($89) only through a particular payment system indicated by the virus author, and not through systems such as PayPal or cash. To distribute Trojan.Encoder.21, the author uses sites known as active distributors of Trojans; previous modifications used one-time or short-lived links for this purpose. This feature of Trojan.Encoder.21 can dramatically increase the rate of its spread.

Trojan.Encoder.33 encrypts user data but uses new mechanisms. Files with the extensions *.txt, *.jpg, *.jpeg, *.doc, *.docx, *.xls are at risk; the Trojan moves them into the following folders:
C:\Documents and Settings\Local Settings\Application Data\CDD
C:\Documents and Settings\Local Settings\Application Data\FLR
At the same time the original files are replaced by the message "FileError_22001".

Unlike previous modifications, Trojan.Encoder.33 does not display any messages demanding payment of various sums. Moreover, this Trojan encrypts user data only if it manages to contact an external server.

The latter differ from the previous ones by a new document-encryption key and new contact details for the attacker. Doctor Web specialists promptly created utilities that decrypt files locked by the new modifications of Trojan.Encoder. But one more, the most recent modification of Trojan.Encoder, is especially interesting: this version adds the .DrWeb extension to encrypted files. Because Dr.Web antivirus counters Trojan.Encoder successfully, the author apparently wanted to "make mischief" by mentioning our brand in the names of the encrypted files.

In addition, Doctor Web specialists have a link to one of the websites of the author of the current Trojan.Encoder modifications. Interestingly, the owner of this resource tries to associate himself with Doctor Web by using images of a spider and a doctor, while the company has nothing to do with such sites. Obviously this design is meant to confuse inexperienced users and compromise Doctor Web.

The attacker tries in every way to present himself to victims in a positive light, as someone helping to restore users' documents. On his website he offers a video demonstrating the work of the document-decryption utility for which the money is extorted.

From the available information it can be assumed that a single person is engaged in extorting money after encrypting files.

Doctor Web analysts have developed a decryption utility and offer it free of charge to all users to recover their files. For users' convenience, the new version of the utility has a graphical interface and is called Trojan.Encoder Decrypt.

Today I came across another (possibly the newest) version of this nasty thing, which not only encrypted everything but also left no crypted.txt file, which the Dr.Web decryption program needs in order to decode the files back. Moreover, this (or some other) thing completely blocked access to AVZ and would not let it run on the computer in any way. It was impossible either to unpack the downloaded archive from , or to copy the folder directly to the computer; in short, it dug in its heels, cutting off the AVZ databases that live in the Base folder and have the .avz extension. The trick of renaming the extension or launching it remotely had no effect either. I had to get creative. After deploying the software package + on the computer and thoroughly cleaning it without even rebooting (this is important), and after manually gnawing out leftover processes, startup items, kernel-space modules and other horrors, AVZ was finally able to start. A comprehensive analysis of the system with it revealed a whole cloud of troubles and removed a number of viruses (Encoder itself was cleaned by Dr.Web), but... the special decryption program does not work because crypted.txt, or any file close to it, is absent. I do not know any other solution yet.

Therefore I strongly recommend that everyone who has been infected first use the Dr.Web CureIt! + SpyBot combination, and then contact Dr.Web directly for help with decrypting the files. They promise to help, and completely free of charge.

Unfortunately, I don’t know where the user picked up this virus.

Thanks for your attention and keep your computer safe. It is important.