In the news
In "CAUTION. The Trojan.Encoder.225 encryption virus" I already described one specific Trojan.Encoder.225 case in detail, but at that time I had no decryption solution.
Later (more than three weeks after the decryption run was started) the situation changed for the better: over that period I successfully recovered data after two viruses, Trojan.Encoder.225 and Trojan.Encoder.263, on different PCs.
Recall that the Trojan.Encoder family are malicious programs that encrypt the files on a computer's hard disk and demand money to decrypt them. Files such as *.mp3, *.doc, *.docx, *.pdf, *.jpg, *.rar and so on can be encrypted.
I have not personally met the whole family, but, as practice shows, the infection route, the cleanup and the decryption are roughly the same for all of them:
1. the victim is infected through a spam e-mail with an attachment (less often by other routes),
2. the virus itself is (by now) detected and removed by almost any antivirus with fresh signature databases,
3. the files are decrypted by brute-forcing the key for the type of encryption used.
For example, Trojan.Encoder.225 uses (modified) RC4 + DES, and Trojan.Encoder.263 uses Blowfish in CTR mode. In my experience, files hit by these viruses are currently recovered in 99% of cases.
But not everything is so smooth. Some encryption viruses need months of continuous decryption work (Trojan.Encoder.102), while others (Trojan.Encoder.283) cannot be decrypted correctly at all, even by Dr.Web specialists; that, in fact, plays a key role in this article.
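To make the "brute-forcing the key" step concrete, here is an added example (mine, not code from the post and not Doctor Web's te225decrypt utility): a known-plaintext key search against a stream cipher. The cipher is textbook RC4 (the post only says the real one is "modified" RC4 + DES, so this is an assumption), and the key space, the form b"TE" + 14-bit counter, is invented to be searchable in seconds; real key spaces are what turn this into days of CPU time. The part that carries over to real decryptors is the oracle: a candidate key is accepted only if the decrypted bytes begin with the magic of the file type the extension promises, and the key is then confirmed with a structural check of the whole file (here, the ZIP CRCs inside a DOCX). The same oracle works for a block cipher in CTR mode, since CTR is also a keystream XOR. The MAGIC table, function names and the constructed sample document are all mine.

```python
"""Known-plaintext key search against a stream cipher.

Added example, not Doctor Web's te225decrypt and not the real key schedule
of Trojan.Encoder.225. Assumptions, all hypothetical: plain textbook RC4,
and a per-victim key of the form b"TE" + 14-bit counter, small enough to
search in seconds in pure Python. What carries over to real decryptors is
the oracle: a candidate key is accepted only if the decrypted bytes start
with the magic of the expected file type, and a stronger structural check
is applied before the key is trusted for the whole file.
"""
import io
import struct
import zipfile
from typing import Iterable, Iterator, Optional

# File-type magics used as known plaintext. DOCX/XLSX are ZIP containers.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".rar": b"Rar!\x1a\x07",
    ".mp3": b"ID3",
}


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes of textbook RC4 under `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray(n)
    i = j = 0
    for k in range(n):                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[k] = S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def candidate_keys(bits: int = 14) -> Iterator[bytes]:
    """Hypothetical key space: b"TE" followed by a `bits`-bit counter."""
    for seed in range(1 << bits):
        yield b"TE" + struct.pack(">H", seed)


def recover_key(encrypted: bytes, ext: str,
                keys: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate whose decryption of the file head yields
    the expected magic, or None. Only len(magic) keystream bytes are
    generated per candidate, so the cost is the key schedule, not file size."""
    magic = MAGIC[ext.lower()]
    head = encrypted[:len(magic)]
    for key in keys:
        if rc4_crypt(key, head) == magic:
            return key
    return None


def looks_like_valid_docx(data: bytes) -> bool:
    """Stronger check than the magic: every ZIP member's CRC must verify.
    A key that passes the few magic bytes by chance fails here; this is the
    check that separates "decrypted" from "opens without errors"."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except Exception:            # any parse/CRC/decompress failure: wrong key
        return False


def make_fake_docx() -> bytes:
    """Constructed sample: a tiny ZIP standing in for a .docx (also a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>Egypt 2012</w:document>")
    return buf.getvalue()


def demo(secret_seed: int = 12345) -> dict:
    """Encrypt a constructed document under an 'unknown' key, then recover it."""
    original = make_fake_docx()
    secret = b"TE" + struct.pack(">H", secret_seed)   # what the victim does not know
    encrypted = rc4_crypt(secret, original)
    found = recover_key(encrypted, ".docx", candidate_keys(14))
    restored = rc4_crypt(found, encrypted) if found else b""
    return {
        "key": found,
        "magic_ok": found is not None,
        "structure_ok": looks_like_valid_docx(restored),
        "restored_ok": restored == original,
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing. The search only ever decrypts a handful of bytes per candidate, so its cost is dominated by the key schedule and grows linearly with the key space, which is why a faster CPU cuts the wall-clock time roughly in proportion. And a short magic is a weak oracle: a key that satisfies it can still be wrong, so a decryptor that stops at the magic check can report success and still hand back files that open with errors; insist on a whole-file structural check before trusting a key for thousands of files.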
Now in order.
At the beginning of August 2013 clients came to me with files encrypted by the Trojan.Encoder.225 virus. The virus was new at the time, nobody knew anything, and Google turned up two or three relevant links. After a long search it turned out that the only organisation (that I could find) dealing with decrypting files after this virus was Doctor Web: they give recommendations, help when you contact technical support, develop their own decryptor, and so on.
A digression in the negative.
Taking this opportunity, I want to mention two fat minuses for Kaspersky Lab, whose technical support, when contacted, shrugs you off with "we are working on this issue, we will notify you of the results by e-mail". The other minus is that I never received an answer to my request. Four months on. Some reaction time, that. And here I am aiming for a standard of "no more than one hour from registration of the ticket".
It is a shame, comrade Evgeny Kaspersky, general director of Kaspersky Lab. A good half of the companies I look after "sit" on your product. Well, fine, the licences run out in January-March 2014. Need I say whether I will renew?;)
I can picture the faces of the "specialists" at the simpler companies, so to speak, the non-giants of the antivirus industry. They probably all huddled in a corner and quietly cried.
Although, let's be honest, absolutely everything here is "screwed up" to the fullest. An antivirus, in principle, should never have let this virus onto the computer, especially given current technology. And for "them", the GIANTS of the antivirus industry, supposedly everything is under control: "heuristic analysis", "prediction system", "proactive defence"...
WHERE WERE ALL THESE SUPER-SYSTEMS WHEN AN HR EMPLOYEE OPENED A "HARMLESS" E-MAIL WITH THE SUBJECT "RESUME"??? What is that employee supposed to think?
If YOU cannot protect us, then why do we need YOU at all?
Everything would be fine with Doctor Web, except that to get help you must, of course, hold a licence for one of their software products. When contacting technical support you must provide your Dr.Web serial number, and do not forget to pick "request for treatment" in the "Request category" field, or simply send them an encrypted file for the laboratory. I'll note straight away that the so-called "magazine keys" for Dr.Web that float around the Internet are no good: they do not confirm a purchase of any product, and the support staff block them in no time. It is easier to buy the cheapest licence. If you have taken on a decryption job, this licence will pay for itself a "million" times over. Especially if the folder of photos "Egypt 2012" existed in a single copy...
Attempt #1
So, having bought a "licence for 2 PCs for a year" for a certain sum of money, I contacted support, provided a few files and received a link to the decryptor utility te225decrypt.exe, version 1.3.0.0. In anticipation of success I launch the utility (it must be pointed at one of the encrypted *.doc files). The utility starts its key search, mercilessly loading an old E5300 DualCore 2600 MHz processor (overclocked to 3.46 GHz) / 8192 MB DDR2-800 / 160 GB Western Digital HDD to 90-100%.
In parallel, a colleague joined in on a PC with a Core i5 2500K (overclocked to 4.5 GHz) / 16 GB RAM 1600 / Intel SSD (this is for comparing the time spent, at the end of the article).
After 6 days my utility reported that 7,277 files had been decrypted. But the happiness did not last long: all the files were decrypted "crookedly". Microsoft Office documents open, for example, but with various errors: "Word found unreadable content in *.docx" or "The file *.docx cannot be opened because there are problems with the contents". The *.jpg files also either open with an error, or 95% of the image is overwritten with a black or light-green background. The *.rar files: "Unexpected end of archive".
In short, a complete failure.
Attempt #2
We write to support about the results. They ask for a couple more files. A day later they again give a link to te225decrypt.exe, now version 1.3.2.0. Well, we launch it; there was no alternative at the time. About 6 days pass and the utility finishes with the error "Unable to select encryption settings". Total: 13 days "down the drain".
But we do not give up: at stake are the important documents of our *ahem* client, who had no basic backups.
Attempt #3
We write to support about the results. They ask for a couple more files. And, as you have already guessed, a day later they give a link to the same te225decrypt.exe, now version 1.4.2.0. Well, we launch it; there have been no alternatives, nor has anything come from Kaspersky Lab, ESET NOD32 or other antivirus vendors. And now, after 5 days 3 hours 14 minutes (123.5 hours), the utility reports the files decrypted (my colleague on the Core i5 needed only 21 hours 10 minutes).
Well, I think, here goes. And lo and behold: complete success! All files are decrypted correctly. Everything opens, closes, displays, edits and saves normally.
Everyone is happy, THE END.
"And where is the story about the Trojan.Encoder.263 virus?", you ask. It was on the next PC, under the desk. Everything was simpler there: we write to Doctor Web, get the utility te263decrypt.exe, launch it, wait 6.5 days, voilà! and everything is ready. Summing up, I can give you a few tips from the Doctor Web forum in my own wording:
What you should do in case of infection by an encryption virus:
- send an encrypted .doc file to the Dr.Web virus laboratory, or submit it through the "Send a suspicious file" form;
- wait for the reply from the Dr.Web employee and then follow their instructions.
What NOT to do:
- change the extension of the encrypted files; otherwise, even with the correct key found, the utility simply does not "see" the files it should decrypt;
- run any decryption / data-recovery programs on your own without consulting the specialists.
Attention: having a server free from other tasks, I offer my services to decrypt YOUR data free of charge. The server is a Core i7-3770K overclocked to *certain frequencies*, 16 GB of RAM and a Vertex 4 SSD.
For all active users of Habr the use of my resources is FREE!!! Write to me by private message or through other contacts. I have already "eaten the dog" on this one, so I do not mind putting the server on a decryption job overnight.
This virus is the scourge of our times, and taking money from comrades-in-misfortune is not humane. Although, if someone "throws" a couple of bucks into my Yandex.Money account 410011278501419, I will not object. But it is not required. Get in touch. I process requests in my free time.
New information!
Starting from December 8, 2013, a new virus from the same Trojan.Encoder series began to spread, classified by Doctor Web as Trojan.Encoder.263, but with RSA encryption. As of today (December 20, 2013) this variant cannot be decrypted, because it uses a very strong encryption method: unlike the earlier variants, where the key could be brute-forced from the encrypted files, with correctly used RSA the private key needed for decryption never touches the victim's machine, so there is nothing to search for.
I recommend to everyone who has suffered from this virus:
1. using the built-in Windows search, find all files with the .perfect extension and copy them to external media;
2. copy the CONTACT.txt file the same way;
3. put this external media "on the shelf";
4. wait for a decryptor utility to appear.
What NOT to do:
Do not get involved with the attackers. It is stupid. In more than 50% of cases, after "paying" about 5000 rubles, you get NOTHING: no money, no decryptor.
In fairness, it should be noted that there are "lucky ones" on the Internet who received their files back, decrypted, for their "cash". But these people are not to be trusted. If I were the virus writer, the first thing I would do is spread a canard like "I paid and they sent me a decryptor!!!".
Behind these "lucky ones" may stand the very same attackers.
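The four steps above, as an added example script (mine, not a Doctor Web tool and not part of the original post). It walks a root, picks up every *.perfect file plus CONTACT.txt, copies them to the external media with their directory layout and timestamps intact, verifies each copy by SHA-256, and writes a manifest so the untouched originals can be told apart later. It also respects the "do not change the extension" rule: nothing is renamed, and nothing is moved, so the originals stay on the disk. The ".perfect" extension and the "CONTACT.txt" name come from the post; the manifest format, function names and the sample paths are assumptions for this example.

```python
"""Preserve encrypted files and the ransom note for a future decryptor.

Added example, not a Doctor Web tool. Find every *.perfect file plus
CONTACT.txt, copy them (never rename, never move) to external media with
their directory layout intact, and write a SHA-256 manifest so that the
untouched originals can be identified later. The ".perfect" extension and
"CONTACT.txt" come from the post; everything else is made up for this example.
"""
import hashlib
import json
import os
import shutil
from pathlib import Path
from typing import Dict, List, Optional

ENCRYPTED_SUFFIX = ".perfect"     # marker extension from the post
RANSOM_NOTE = "CONTACT.txt"       # attacker's note, also worth keeping


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large archives do not have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_artifacts(root: Path, skip: Optional[Path] = None) -> List[Path]:
    """Every encrypted file and ransom note below root, case-insensitive,
    ignoring anything under `skip` (the destination, if it lies inside root)."""
    skip_resolved = skip.resolve() if skip is not None else None
    hits: List[Path] = []
    for dirpath, dirs, files in os.walk(root):
        if skip_resolved is not None and Path(dirpath).resolve() == skip_resolved:
            dirs[:] = []            # do not descend into our own output
            continue
        for name in files:
            low = name.lower()
            if low.endswith(ENCRYPTED_SUFFIX) or low == RANSOM_NOTE.lower():
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def preserve(root: Path, dest: Path) -> List[Dict[str, object]]:
    """Copy artifacts to dest/<path relative to root>, keeping names and
    timestamps (copy2), verify each copy by hash, write dest/manifest.json."""
    manifest: List[Dict[str, object]] = []
    for src in find_artifacts(root, skip=dest):
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)   # copy, never move: the originals stay put
        digest = sha256_file(src)
        if sha256_file(target) != digest:
            raise IOError(f"copy of {src} does not match the original")
        manifest.append({"path": rel.as_posix(),
                         "size": src.stat().st_size,
                         "sha256": digest})
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    import sys
    # usage: python preserve.py <infected root> <external media>
    for entry in preserve(Path(sys.argv[1]), Path(sys.argv[2])):
        print(entry["sha256"], entry["size"], entry["path"])
```

When a decryptor eventually appears, run it on a second copy, not on this one: the hashes in manifest.json let you prove which files are still the untouched originals if a decryption attempt goes wrong, which is exactly the kind of "crooked" result described earlier.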
Well... we wish the other antivirus companies good luck in creating utilities for decrypting files after the viruses of the Trojan.Encoder group.
Special thanks for the work done on the decryptor utilities to comrade v.martyanov from the Doctor Web forum.