Modern technologies allow hackers to constantly improve their methods of fraud against ordinary users. As a rule, virus software that penetrates the computer is used for these purposes. Encryption viruses are considered especially dangerous. The threat is that the virus spreads very quickly, encrypting files (the user simply will not be able to open a single document). And if it’s quite simple, then it’s much more difficult to decrypt the data.

What to do if a virus has encrypted files on your computer

Anyone can be attacked by ransomware; even users who have powerful anti-virus software are not immune. File encrypting Trojans come in a variety of codes that may be beyond the capabilities of an antivirus. Hackers even manage to attack large companies in a similar way that have not taken care of the necessary protection of their information. So, having picked up a ransomware program online, you need to take a number of measures.

The main signs of infection are slow computer operation and changes in document names (can be seen on the desktop).

1. Restart your computer to stop encryption. When turning on, do not confirm the launch of unknown programs.
2. Run your antivirus if it has not been attacked by ransomware.
3. In some cases, shadow copies will help to restore information. To find them, open the “Properties” of the encrypted document. This method works with encrypted data from the Vault extension, about which there is information on the portal.
4. Download the latest version of the utility to combat ransomware viruses. The most effective ones are offered by Kaspersky Lab.

Ransomware viruses in 2016: examples

When fighting any virus attack, it is important to understand that the code changes very often, supplemented by new antivirus protection. Of course, security programs need some time until the developer updates the databases. We have selected the most dangerous encryption viruses of recent times.

Ishtar Ransomware

Ishtar is a ransomware that extorts money from the user. The virus was noticed in the fall of 2016, infecting a huge number of computers of users from Russia and a number of other countries. Distributed via email, which contains attached documents (installers, documents, etc.). Data infected by the Ishtar encryptor is given the prefix “ISHTAR” in its name. The process creates a test document that indicates where to go to obtain the password. The attackers demand from 3,000 to 15,000 rubles for it.

The danger of the Ishtar virus is that today there is no decryptor that would help users. Antivirus software companies need time to decipher all the code. Now you can only isolate important information (if it is of particular importance) onto a separate medium, waiting for the release of a utility capable of decrypting documents. It is recommended to reinstall the operating system.

Neitrino

The Neitrino encryptor appeared on the Internet in 2015. The attack principle is similar to other viruses of a similar category. Changes the names of folders and files by adding "Neitrino" or "Neutrino". The virus is difficult to decrypt; not all representatives of antivirus companies undertake this, citing a very complex code. Some users may benefit from restoring a shadow copy. To do this, right-click on the encrypted document, go to “Properties”, “Previous Versions” tab, click “Restore”. It would be a good idea to use a free utility from Kaspersky Lab.

Wallet or .wallet.

The Wallet encryption virus appeared at the end of 2016. During the infection process, it changes the name of the data to “Name..wallet” or something similar. Like most ransomware viruses, it enters the system through attachments in emails sent by attackers. Since the threat appeared very recently, antivirus programs do not notice it. After encryption, he creates a document in which the fraudster indicates the email for communication. Currently, antivirus software developers are working to decipher the code of the ransomware virus. [email protected]. Users who have been attacked can only wait. If the data is important, it is recommended to save it to an external drive by clearing the system.

Enigma

The Enigma ransomware virus began infecting the computers of Russian users at the end of April 2016. The AES-RSA encryption model is used, which is found in most ransomware viruses today. The virus penetrates the computer using a script that the user runs by opening files from a suspicious email. There is still no universal means to combat the Enigma ransomware. Users with an antivirus license can ask for help on the developer's official website. A small “loophole” was also found - Windows UAC. If the user clicks “No” in the window that appears during the virus infection process, he will be able to subsequently restore information using shadow copies.

Granit

A new ransomware virus, Granit, appeared on the Internet in the fall of 2016. Infection occurs according to the following scenario: the user launches the installer, which infects and encrypts all data on the PC, as well as connected drives. Fighting the virus is difficult. To remove it, you can use special utilities from Kaspersky, but we have not yet been able to decipher the code. Perhaps restoring previous versions of the data will help. In addition, a specialist who has extensive experience can decrypt, but the service is expensive.

Tyson

Was spotted recently. It is an extension of the already known ransomware no_more_ransom, which you can learn about on our website. It reaches personal computers from email. Many corporate PCs were attacked. The virus creates a text document with unlocking instructions, offering to pay a “ransom.” The Tyson ransomware appeared recently, so there is no unlocking key yet. The only way to restore information is to return previous versions if they were not deleted by a virus. You can, of course, take a risk by transferring money to the account specified by the attackers, but there is no guarantee that you will receive the password.

Spora

At the beginning of 2017, a number of users became victims of the new Spora ransomware. In terms of its operating principle, it is not very different from its counterparts, but it boasts a more professional design: the instructions for obtaining a password are better written, and the website looks more beautiful. The Spora ransomware virus was created in C language and uses a combination of RSA and AES to encrypt the victim’s data. As a rule, computers on which the 1C accounting program was actively used were attacked. The virus, hiding under the guise of a simple invoice in .pdf format, forces company employees to launch it. No treatment has been found yet.

1C.Drop.1

This 1C encryption virus appeared in the summer of 2016, disrupting the work of many accounting departments. It was developed specifically for computers that use 1C software. Once on the PC via a file in an email, it prompts the owner to update the program. Whatever button the user presses, the virus will begin encrypting files. Dr.Web specialists are working on decryption tools, but no solution has been found yet. This is due to the complex code, which may have several modifications. The only protection against 1C.Drop.1 is user vigilance and regular archiving of important documents.

da_vinci_code

A new ransomware with an unusual name. The virus appeared in the spring of 2016. It differs from its predecessors in its improved code and strong encryption mode. da_vinci_code infects the computer thanks to an execution application (usually attached to an email), which the user launches independently. The da Vinci encryption tool copies the body to the system directory and registry, ensuring automatic launch when Windows is turned on. Each victim's computer is assigned a unique ID (helps to obtain a password). It is almost impossible to decrypt the data. You can pay money to attackers, but no one guarantees that you will receive the password.

[email protected] / [email protected]

Two email addresses that were often accompanied by ransomware viruses in 2016. They serve to connect the victim with the attacker. Attached were addresses for a variety of types of viruses: da_vinci_code, no_more_ransom, and so on. It is highly recommended not to contact or transfer money to scammers. Users in most cases are left without passwords. Thus, showing that the attackers' ransomware works, generating income.

Breaking Bad

It appeared at the beginning of 2015, but actively spread only a year later. The infection principle is identical to other ransomware: installing a file from an email, encrypting data. Conventional antivirus programs, as a rule, do not notice the Breaking Bad virus. Some code cannot bypass Windows UAC, leaving the user with the option to restore previous versions of documents. No company developing anti-virus software has yet presented a decryptor.

XTBL

A very common ransomware that has caused trouble for many users. Once on the PC, the virus changes the file extension to .xtbl in a matter of minutes. A document is created in which the attacker extorts money. Some variants of the XTBL virus cannot destroy files for system recovery, which allows you to get back important documents. The virus itself can be removed by many programs, but decrypting documents is very difficult. If you are the owner of a licensed antivirus, use technical support by attaching samples of infected data.

Kukaracha

The Cucaracha ransomware was discovered in December 2016. The virus with an interesting name hides user files using the RSA-2048 algorithm, which is highly resistant. Kaspersky antivirus labeled it as Trojan-Ransom.Win32.Scatter.lb. Kukaracha can be removed from the computer so that other documents are not infected. However, infected ones are currently almost impossible to decrypt (a very powerful algorithm).

How does a ransomware virus work?

There are a huge number of ransomware, but they all work on a similar principle.

1. Access to a personal computer. Typically, thanks to an attached file to an email. The installation is initiated by the user himself by opening the document.
2. File infection. Almost all types of files are encrypted (depending on the virus). A text document is created that contains contacts for communicating with the attackers.
3. All. The user cannot access any document.

Control agents from popular laboratories

The widespread use of ransomware, which is recognized as the most dangerous threat to user data, has become an impetus for many antivirus laboratories. Every popular company provides its users with programs that help them fight ransomware. In addition, many of them help with document decryption and system protection.

Kaspersky and ransomware viruses

One of the most famous anti-virus laboratories in Russia and the world offers today the most effective tools for combating ransomware viruses. The first barrier to the ransomware virus will be Kaspersky Endpoint Security 10 with the latest updates. The antivirus simply will not allow the threat to enter your computer (although it may not stop new versions). To decrypt information, the developer presents several free utilities: XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They help find the virus and select the password.

Dr. Web and ransomware

This laboratory recommends using their antivirus program, the main feature of which is file backup. The storage with copies of documents is also protected from unauthorized access by intruders. Owners of licensed product Dr. Web function is available to request help from technical support. True, even experienced specialists cannot always resist this type of threat.

ESET Nod 32 and ransomware

This company did not stand aside either, providing its users with good protection against viruses entering their computer. In addition, the laboratory recently released a free utility with up-to-date databases - Eset Crysis Decryptor. The developers say that it will help in the fight against even the newest ransomware.