Kaspersky decryption. Recovering files after a ransomware virus. Using special utilities

About a week or two ago, another creation of modern virus writers appeared on the Internet, one that encrypts all of the user's files. Once again I will look at how to disinfect a computer after the CRYPTED000007 ransomware and how to recover the encrypted files. Nothing new or unique has appeared here; it is just a modification of the previous version.

Guaranteed decryption of files after a ransomware virus: dr-shifro.ru. Details of the work and the scheme of interaction with the customer are given below in my article or on the website in the "Work Procedure" section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is not fundamentally different from its predecessors. It works almost exactly the same way, but there are still several nuances that distinguish it. I'll go through everything in order.

It arrives, like its analogues, by e-mail. Social engineering techniques are used to make the user interested in the letter and open it. In my case, the letter talked about some court case, with important information on the case in the attachment. After launching the attachment, the user opens a Word document with an extract from the Moscow Arbitration Court.

In parallel with opening the document, file encryption starts, and a prompt from Windows User Account Control begins to pop up constantly.

If you agree to this prompt, the backup copies of files kept in Windows shadow copies will be deleted and recovering the information will become very difficult. Obviously, you must not agree to it under any circumstances. In this encryptor the prompts pop up constantly, one after another, and do not stop, pushing the user to agree and delete the backup copies. This is the main difference from previous modifications of the encryptors. I had never before encountered requests to delete shadow copies that never stop; usually they stopped after 5-10 prompts.

I will give a recommendation for the future right away. It is very common for people to disable User Account Control warnings. There is no need to do this: this mechanism can genuinely help in resisting viruses. The second obvious piece of advice is not to work constantly under a computer administrator account unless there is an objective need for it. Then the virus will not have the opportunity to do much harm, and you will have a better chance of resisting it.

But even if you always answered negatively to the ransomware's requests, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files with the same content.

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decrypt on your own will lead to nothing but the irrevocable loss of information. If you still want to try, make backup copies of the files first, otherwise, in the event of a change, decryption will become impossible under any circumstances. If you have not received a reply from the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways: 1) Download and install Tor Browser via the link: https://www.torproject.org/download/download-easy.html.en In the Tor Browser address bar, enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load. 2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

The mailbox address may change. I have also come across the following addresses:

The addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are encrypted, immediately turn off your computer. This must be done to interrupt the encryption process both on the local computer and on network drives. An encryption virus can encrypt all the information it can reach, including on network drives, but if there is a large amount of information there, it will take it considerable time. Sometimes, even after a couple of hours, the ransomware had not managed to encrypt everything on a network drive of about 100 gigabytes.

Next you need to think carefully about how to act. If you need the information on your computer at all costs and you have no backup copies, it is better at this point to contact specialists. Not necessarily a paid company; you just need someone who is good with information systems. It is necessary to assess the scale of the disaster, remove the virus and collect all available information on the situation in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate the process of decrypting or restoring files. In the worst case, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and has finished its work, all useful files will be encrypted and renamed with the extension .crypted000007. Moreover, not only the file extension is replaced but also the file name, so you won't know exactly which files you had unless you remember them. It will look something like this.

In such a situation it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in the various folders. This was done specifically to confuse people and push them to pay for file decryption.

And if your network folders were encrypted and there are no full backups, this can completely halt the work of the entire organization. It will take you a while to figure out what was ultimately lost before you can begin restoration.
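Because the encryptor renames both the name and the extension, the first practical step is an inventory of what was hit. The script below is an added example, not from the original article: it walks the given roots for files carrying the .crypted000007 extension, counts them per directory, records the earliest and latest write time (which bracket the encryption run and tell you which shadow copy or backup predates it), and writes the full list to a CSV. The roots and the report path are placeholders.

```powershell
# Added example (not from the original article): inventory the files the
# encryptor renamed so the scope of the incident can be assessed before any
# cleanup. Assumes the ".crypted000007" extension the article describes;
# $Roots and $Report are placeholders to adjust.
function Get-CryptedInventory {
    param(
        [string[]]$Roots = @('C:\Users', 'D:\', '\\FILESERVER\Share'),  # placeholder roots
        [string]$Extension = '.crypted000007',
        [string]$Report = "$env:USERPROFILE\Desktop\crypted-inventory.csv"
    )

    $hits = foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { Write-Warning "skipping $root (not reachable)"; continue }
        # -Force includes hidden files; access errors on individual paths are skipped, not fatal.
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq $Extension }
    }

    if (-not $hits) { Write-Host "No *$Extension files found under the given roots."; return }

    # Per-directory counts show which profiles and shares were hit hardest.
    $byDir = $hits | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object @{ n = 'Directory'; e = { $_.Name } }, Count

    # The earliest and latest write times bracket the encryption run; the earliest
    # one is the cut-off to use when choosing a shadow copy or backup to restore from.
    $times = $hits | Measure-Object -Property LastWriteTime -Minimum -Maximum
    $size  = ($hits | Measure-Object -Property Length -Sum).Sum

    $hits | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8

    [pscustomobject]@{
        EncryptedFiles  = $hits.Count
        TotalBytes      = $size
        EncryptionStart = $times.Minimum
        EncryptionEnd   = $times.Maximum
        TopDirectories  = $byDir | Select-Object -First 10
        Report          = $Report
    }
}

# Run after the machine has been powered off and the disks attached to a clean
# system (read-only where possible); the summary prints and the full list goes to the CSV.
Get-CryptedInventory | Format-List
```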

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect the computer and remove the virus from it, in order to prevent further encryption if it has not yet completed. I want to draw your attention right away to the fact that once you yourself begin performing actions on your computer, the chances of decrypting the data decrease. If you need to recover files at any cost, do not touch your computer but immediately contact professionals. Below I will talk about them, provide a link to their site and describe how they work.

In the meantime, we will continue to disinfect the computer and remove the virus on our own. Traditionally, ransomware is easily removed from a computer, since the virus does not have the task of remaining on the computer at any cost. After completely encrypting the files, it is even more advantageous for it to delete itself and disappear, so that it is harder to investigate the incident and decrypt the files.

It is difficult to describe how to remove the virus manually; I have tried to do this before, but I see that most often it is pointless. File names and the paths where the virus is placed are constantly changing. What I saw is no longer relevant a week or two later. Usually viruses are sent by mail in waves, and each time there is a new modification that antiviruses do not yet detect. What helps is universal tools that check autostart entries and detect suspicious activity in system folders.

To remove the CRYPTED000007 virus, you can use the following programs:

  1. Kaspersky Virus Removal Tool - a utility from Kaspersky: http://www.kaspersky.ru/antivirus-removal-tool.
  2. Dr.Web CureIt! - a similar product from Dr.Web: http://free.drweb.ru/cureit.
  3. If the first two utilities do not help, try Malwarebytes 3.0: https://ru.malwarebytes.com.

Most likely, one of these products will clean your computer of the CRYPTED000007 ransomware. If it happens that they do not help, try removing the virus manually. I gave an example of the removal method earlier, and you can look at it there. Briefly, step by step, you need to act as follows:

  1. Look at the list of processes after adding several additional columns to Task Manager.
  2. Find the virus process, open the folder it sits in and delete it.
  3. Remove the mentions of the virus process, by file name, from the registry.
  4. Reboot and make sure the CRYPTED000007 virus is not in the list of running processes.
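The same four steps can be prepared from PowerShell instead of Task Manager and regedit. The script below is an added example, not from the original article: it lists running processes with their image path, flags those running from user-writable folders (the temp, profile and download locations, which is an assumption about where such samples usually run), and then shows which Run/RunOnce autostart entries mention those file names. It only reports; deleting the file and the registry value stays a manual decision.

```powershell
# Added example (not from the original article): report processes with their
# image path, flag the ones started from user-writable locations, and show the
# Run/RunOnce entries that reference them. $userWritable is an assumption about
# typical drop locations, not a list taken from the article.
function Get-ProcessImagePaths {
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                      "$env:USERPROFILE\Downloads", $env:ProgramData) | Where-Object { $_ }
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath } |   # protected/system processes expose no path
        ForEach-Object {
            $path = $_.ExecutablePath
            $flagged = [bool]($userWritable | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            [pscustomobject]@{
                Pid          = $_.ProcessId
                Name         = $_.Name
                Path         = $path
                UserWritable = $flagged
                CommandLine  = $_.CommandLine
            }
        }
}

function Get-AutorunEntries {
    # The Run/RunOnce keys are where step 3 above looks for the file name.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # provider metadata, not a registry value
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$props.$name }
        }
    }
}

# Steps 1 and 2: processes running from a user-writable folder deserve a close look.
$suspects = Get-ProcessImagePaths | Where-Object UserWritable
$suspects | Format-Table Pid, Name, Path -AutoSize

# Step 3: autostart entries whose command mentions one of those image file names.
$names = $suspects | ForEach-Object { [IO.Path]::GetFileName($_.Path) } | Sort-Object -Unique
Get-AutorunEntries | Where-Object {
    $cmd = $_.Command
    $names | Where-Object { $cmd -like "*$_*" }
} | Format-Table Key, Name, Command -Wrap
```

Run it elevated so the HKLM keys and all processes are visible; once the file and the matching registry value are removed, rerun the first part after the reboot of step 4 to confirm the process is gone.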

Where to download the decryptor CRYPTED000007

The question of a simple and reliable decryptor comes up first when it comes to a ransomware virus. The first thing I recommend is to use the service https://www.nomoreransom.org. Perhaps you will be lucky and they will have a decryptor for your version of the CRYPTED000007 encryptor. I'll say right away that your chances are not great, but there is no harm in trying. On the home page, click Yes:

Then upload a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also see the list of decryptors available for download on a separate page: https://www.nomoreransom.org/decryption-tools.html. Maybe there is something useful there. When the virus is completely fresh, there is little chance of this, but over time something may appear. There have been cases when decryptors for some modifications of encryptors appeared on the Internet, and those examples are on the page mentioned.

I don't know where else you could find a decryptor. It is unlikely that one actually exists, given how modern encryptors work. Only the authors of the virus can have a fully working decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What should you do when the CRYPTED000007 virus has encrypted your files? The technical implementation of the encryption does not allow decrypting files without the key or a decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I do not have that information. We can only try to recover files using improvised methods. These include:

  • Windows shadow copies.
  • Programs for recovering deleted data.

First, let's check whether shadow copies are enabled. This tool works by default in Windows 7 and later unless you disable it manually. To check, open the computer properties and go to the System Protection section.

If during the infection you did not confirm the UAC request to delete the files in shadow copies, some data should remain there. I spoke in more detail about this request at the beginning of the article, when I described how the virus works.

To easily restore files from shadow copies, I suggest using a free program for this: ShadowExplorer. Download the archive, unpack the program and run it.

The most recent copy of the files and the root of drive C will open. In the upper left corner you can select a backup copy if you have several. Check different copies for the files you need. Compare by dates to find the most recent version. In my example below, I found two files on my desktop from three months ago, when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, chose Export and specified the folder to restore them to.

You can restore whole folders in the same way. If you had shadow copies working and did not delete them, you have a good chance of recovering all, or almost all, of the files encrypted by the virus. Perhaps some of them will be an older version than we would like, but it is still better than nothing.

If for some reason you do not have shadow copies of your files, your only chance to get at least something from the encrypted files is to restore them using deleted-file recovery tools. For this I suggest using the free program PhotoRec.

Launch the program and select the disk on which you will recover files. The graphical version of the program is launched by running the file qphotorec_win.exe. You must select a folder where the found files will be placed. It is better if this folder is not on the same drive we are searching; connect a flash drive or an external HDD for this.

The search process will take a long time. At the end you will see statistics. Now you can go to the folder specified earlier and see what was found there. There will most likely be a lot of files, and most of them will either be damaged or be some kind of useless system files. Nevertheless, some useful files can be found in this list. There are no guarantees here: what you find is what you get. Images are usually recovered best.

If the result does not satisfy you, there are also other programs for recovering deleted files. Below is a list of programs I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Filecoder.ED encryptor

Popular antiviruses detect the CRYPTED000007 ransomware as Filecoder.ED, and there may also be some other designation. I looked through the major antivirus forums and did not see anything useful there. Unfortunately, as usual, antivirus software turned out to be unprepared for the invasion of a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. Nevertheless, I recommend using them. If you are lucky and receive the ransomware e-mail not in the first wave of infections but a little later, there is a chance the antivirus will help you. They all work one step behind the attackers: a new version of the ransomware comes out, and antiviruses do not respond to it. As soon as a certain amount of material for researching the new virus accumulates, the antivirus vendors release an update and begin to respond to it.

I don't understand what prevents antiviruses from responding immediately to any encryption process in the system. Perhaps there is some technical nuance here that does not allow them to respond adequately and prevent the encryption of user files. It seems to me that it would at least be possible to display a warning that someone is encrypting your files and offer to stop the process.

Where to go for guaranteed decryption

I happened to come across one company that actually decrypts data after various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment is made only after full decryption and your verification. Here is the approximate scheme of work:

  1. A company specialist comes to your office or home and signs an agreement with you that sets out the cost of the work.
  2. They launch the decryptor and decrypt all files.
  3. You make sure that all files open and sign the certificate of delivery and acceptance of the completed work.
  4. Payment is made solely on the basis of a successful decryption result.

I'll be honest, I don't know how they do it, but you don't risk anything. Payment is only after a demonstration of the decryptor working. Please write a review about your experience with this company.

Methods of protection against the CRYPTED000007 virus

How can you protect yourself from ransomware and avoid material and moral damage? There are a few simple and effective tips:

  1. Backup! Back up all important data. And not just a backup, but a backup to which there is no constant access. Otherwise the virus can hit both your documents and your backup copies.
  2. A licensed antivirus. Although they do not provide a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the encryptor, but after 3-4 days they begin to respond. This increases your chances of avoiding infection if you were not in the first wave of distribution of a new modification of the ransomware.
  3. Do not open suspicious attachments in e-mail. There is nothing to comment on here. All ransomware known to me reached users via e-mail, and every time new tricks are invented to deceive the victim.
  4. Do not thoughtlessly open links sent to you by your friends via social networks or messengers. Viruses sometimes spread this way too.
  5. Turn on the display of file extensions in Windows. How to do this is easy to find on the Internet. This will let you notice the file extension of the virus. Most often it will be .exe, .vbs or .scr. In everyday work with documents you are unlikely to come across such file extensions.

I have tried to supplement what I had already written before in each article about ransomware viruses. For now, I say goodbye. I would be glad to receive useful comments on the article and on the CRYPTED000007 ransomware virus in general.

Video about file decryption and recovery

Here is an example with a previous modification of the virus, but the video is fully relevant for CRYPTED000007.

If a text message appears on your computer saying that your files are encrypted, do not rush to panic. What are the symptoms of file encryption? The usual extension changes to *.vault, *.xtbl, * [email protected] _XO101, etc. The files cannot be opened: a key is required, which can be purchased by sending a letter to the address specified in the message.

Where did the encrypted files come from?

Your computer caught a virus that blocked access to the information. Antivirus programs often miss them because the program is usually based on some harmless free encryption utility. You will remove the virus itself quickly enough, but serious problems may arise with decrypting the information.

Technical support at Kaspersky Lab, Dr.Web and other well-known antivirus developers, in response to user requests to decrypt data, reports that it cannot be done in an acceptable time. There are several programs that can recover the key, but they only work with previously studied viruses. If you encounter a new modification, the chances of restoring access to the information are extremely low.

How does a ransomware virus get onto a computer?

In 90% of cases, users activate the virus on their computer themselves by opening unknown letters. An e-mail arrives with a provocative subject: "Subpoena", "Loan debt", "Notification from the tax office", etc. Inside the fake letter there is an attachment; once it is downloaded, the ransomware gets onto the computer and begins to gradually block access to the files.

Encryption does not happen instantly, so users have time to remove the virus before all the information is encrypted. You can destroy the malicious script using the cleaning utilities Dr.Web CureIt, Kaspersky Internet Security and Malwarebytes Anti-Malware.

File recovery methods

If system protection was enabled on your computer, then even after a ransomware virus has done its work there is a chance to return files to their normal state using shadow copies. Ransomware usually tries to delete them, but sometimes fails to do so for lack of administrator rights.

Restoring a previous version:

In order for previous versions to be saved, you need to enable system protection.

Important: system protection must be enabled before the ransomware appears, after which it will no longer help.

  1. Open Computer properties.
  2. From the menu on the left, select System Protection.
  3. Select drive C and click "Configure".
  4. Select restoring system settings and previous versions of files. Apply the changes by clicking "OK".
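The ShadowExplorer walk-through in the earlier section and the four System Protection steps above can both be done from PowerShell, which is handy when you are working on a mounted disk from a clean machine. The script below is an added example, not from the original article: it lists the shadow copies with their dates, mounts the newest one taken before the encryption started as a folder through a directory symlink, copies a folder out of it, and finally turns System Protection on and takes a first restore point. Run it in an elevated session; the drive letter, the link path, the date and the paths in the usage lines at the bottom are placeholders.

```powershell
# Added example (not from the original article): list, mount and copy from
# Volume Shadow Copies, and enable System Protection, using only built-in
# cmdlets plus mklink and vssadmin. Placeholder values are marked as such.

function Get-ShadowCopyList {
    # One row per shadow copy: when it was taken, which drive it belongs to,
    # and the device path used to mount it.
    $driveOf = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $driveOf[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id     = $_.ID
            Taken  = $_.InstallDate
            Drive  = $driveOf[$_.VolumeName]
            Device = $_.DeviceObject     # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Taken
}

function Mount-ShadowCopy {
    param([Parameter(Mandatory)][string]$Device, [string]$LinkPath = 'C:\shadow')  # placeholder link path
    # A directory symlink to the device object exposes the snapshot as a normal
    # folder; mklink requires the trailing backslash on the device path.
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
    cmd.exe /c "mklink /d `"$LinkPath`" `"$Device\`"" | Out-Null
    if (-not (Test-Path -LiteralPath $LinkPath)) { throw "mklink failed for $Device" }
    return $LinkPath
}

function Dismount-ShadowCopy {
    param([Parameter(Mandatory)][string]$LinkPath)
    # rmdir removes only the link; Remove-Item -Recurse could follow it into the snapshot.
    cmd.exe /c "rmdir `"$LinkPath`"" | Out-Null
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][datetime]$Before,      # earliest encrypted-file timestamp
        [Parameter(Mandatory)][string]$RelativePath,  # e.g. 'Users\Alice\Documents'
        [Parameter(Mandatory)][string]$Destination,   # a clean drive, not the infected one
        [string]$Drive = 'C:'
    )
    # Newest snapshot of the drive taken before the encryption started.
    $copy = Get-ShadowCopyList | Where-Object { $_.Drive -eq $Drive -and $_.Taken -lt $Before } |
        Select-Object -Last 1
    if (-not $copy) { throw "no shadow copy of $Drive taken before $Before" }
    $link = Mount-ShadowCopy -Device $copy.Device
    try {
        Copy-Item -LiteralPath (Join-Path $link $RelativePath) -Destination $Destination -Recurse -Force
        return $copy
    } finally {
        Dismount-ShadowCopy -LinkPath $link
    }
}

function Enable-SystemProtection {
    param([string]$Drive = 'C:\')
    # Steps 1-4 above: turn System Protection on, reserve space for snapshots so
    # older versions are not pruned too soon, and take a first restore point.
    $letter = $Drive.TrimEnd('\')
    Enable-ComputerRestore -Drive $Drive
    vssadmin resize shadowstorage /for=$letter /on=$letter /maxsize=10% | Out-Null
    Checkpoint-Computer -Description 'Baseline after enabling protection' -RestorePointType MODIFY_SETTINGS
}

# Usage on an infected disk (placeholder date and paths): list what is available,
# then pull a folder from the newest snapshot that predates the encryption run.
Get-ShadowCopyList | Format-Table -AutoSize
Restore-FromShadowCopy -Before (Get-Date '2017-01-15 09:00') -RelativePath 'Users\Alice\Documents' -Destination 'E:\recovered'
```

Enable-SystemProtection is for a clean machine, before an incident; it cannot bring back snapshots that the UAC prompt described earlier already deleted.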

If you took these steps before a file-encrypting virus appeared, then after cleaning the malicious code from your computer you will have a good chance of recovering your information.

Using special utilities

Kaspersky Lab has prepared several utilities to help open encrypted files after removing the virus. The first decryptor you should try is Kaspersky RectorDecryptor.

  1. Download the program from the official Kaspersky Lab website.
  2. Then run the utility and click “Start scan”. Specify the path to any encrypted file.

If the malicious program has not changed the extension of the files, then to decrypt them you need to collect them in a separate folder. If RectorDecryptor does not help, download two more programs from the official Kaspersky website: XoristDecryptor and RakhniDecryptor.

The latest utility from Kaspersky Lab is called Ransomware Decryptor. It helps decrypt files after the CoinVault virus, which is not yet very widespread on the RuNet, but may soon replace other Trojans.

This text may save you about $300. That is roughly what the average ransomware Trojan demands as a ransom, taking your personal photos, documents and other files on the infected computer "hostage".

It is very easy to pick up such an infection. You do not need to spend hours surfing dubious porn sites or open every file in the Spam folder. Even if you do nothing wrong online, you are still at risk. How? Read on.

What are ransomware viruses?

These are malicious programs that demand a ransom to restore the functionality of a computer or smartphone. They are divided into two types.

The first group of these programs encrypts files so that they cannot be used until they are decrypted, and demands money for the decryption. Such ransomware is called encryptors (cryptors, crypto-ransomware), and they are the most dangerous.

The other group of malware, blockers, simply blocks the normal operation of a computer or smartphone. They are usually easier to cure.

How much money do ransomware require as ransom?

It varies, but $300 is the amount the average ransomware Trojan demands. There are "modest" extortionists for whom $30 is enough, and there are cases where the amount is measured in tens of thousands of dollars. A large ransom is usually demanded from companies and other wealthy victims; they are often infected purposefully, in "manual mode".

Is it possible to decrypt infected files without paying a ransom?

Sometimes yes, but not always. Most modern encryptors use strong cryptographic algorithms. This means that attempts at decryption can go on for many years without success.

Sometimes attackers make mistakes when implementing the encryption, or law enforcement agencies manage to seize the criminals' servers with the cryptographic keys. In such cases, experts are able to create a decryption utility.

How is the ransom paid?

Usually with cryptocurrency, that is, bitcoins. This is a kind of cunning electronic cash that cannot be forged. The transaction history is visible to everyone, but it is very difficult to trace who owns a wallet. This is precisely why attackers prefer Bitcoin: less chance of being caught by the police.

Some extortionists use anonymous Internet wallets or even payments to a mobile phone number. The most extravagant method we remember was when the attackers accepted the ransom exclusively in iTunes cards with a face value of $50.

How can ransomware get onto my computer?

The most common way is via e-mail. Extortionists usually pass the malware off as some kind of useful attachment: an urgent invoice for payment, an interesting article or a free program. By opening such an attachment, you launch the malware on your computer.

You can get ransomware simply by browsing the Internet, without even opening any files. Ransomware exploits bugs in the code of the operating system, the browser or some other program installed on your computer to seize control of the system. Therefore, it is very important not to forget to install software and operating system updates (by the way, this task can be entrusted to Kaspersky Internet Security or Kaspersky Total Security; the latest versions can do this automatically).

Some ransomware can spread over a local network. Once such a Trojan gets onto one computer, it will try to infect all the other machines on your home network or your organization's local network. But this is a fairly exotic option.

Of course, there are more trivial infection scenarios. I downloaded a torrent, launched the file... and that's it, we've arrived.

What files should you be wary of?

The second category of increased danger is MS Office documents (DOC, DOCX, XLS, XLSX, PPT and the like). The danger in them comes from built-in programs written with MS Office macros. If, when opening an office file, you are asked to allow macro commands, think twice about whether to do so.

Shortcut files (LNK extension) are also dangerous. Windows can display them with any icon, which, combined with a "safe"-looking name, can lull your vigilance.

An important point: by default, Windows hides the extensions of file types known to the system. So if you come across a file named Important_info.txt, do not rush to click on it, relying on the safety of text content: "txt" may be part of the name, and the actual file extension may be completely different.

If you don't click on anything and don't go through Internet trash heaps, you won't get infected?

I have a Mac. There are no ransomware for them?

There are. For example, Mac users were successfully attacked by the KeRanger ransomware Trojan, which managed to wedge itself into an official build of the popular Transmission torrent client.

How can I cure my computer if I get ransomware?

Against Trojan blockers, the free program Kaspersky Windows Unlocker helps.

Encryptors are harder to fight. First you need to eliminate the infection; for this it is best to use an antivirus. If you do not have a paid one, you can download a free trial version with a limited duration; this will be enough for the treatment.

The next stage is restoring encrypted files.

If you have a backup, the easiest way is to restore files from it.

If there is no backup, you can try to decrypt the files using special utilities, decryptors. All the free decryptors created by Kaspersky Lab can be found on the website.

Other antivirus companies also produce decryptors. Just do not download such programs from dubious sites; you can easily catch another infection. If there is no suitable utility, the only way left is to pay the scammers and receive a decryption key from them. But we do not recommend doing this.

Why shouldn't you pay the ransom?

Firstly, there are no guarantees that the files will be returned to you; you cannot take cybercriminals at their word. For example, the Ranscam ransomware does not provide for restoring files at all: it immediately deletes them irrevocably and then demands a ransom, supposedly for a restoration that is no longer possible.

Secondly, you should not support a criminal business.

I found the required decryptor, but it doesn't help. What to do?

Virus writers respond quickly to the appearance of decryption utilities by releasing new versions of the malware. It is a constant game of cat and mouse, so, alas, there are no guarantees here either. But we do not sleep either and constantly update our utilities. Visit this site periodically and perhaps we will find a cure for you.

How to stop ransomware infection if you notice the threat in time?

In theory, you could turn off the computer in time, remove the hard drive, put it into another computer and use an antivirus to get rid of the ransomware. But in practice it is very difficult or even impossible to notice the appearance of an encryptor in time: they practically do not reveal themselves until they have encrypted all the files they are interested in, and only then display a page with the ransom demand.

And if I make backups, am I safe?

Most likely yes, but they still do not provide 100% protection. Imagine the situation: you have configured your grandmother's computer to create automatic backups every three days. A ransomware Trojan got onto the computer and encrypted everything, but the grandmother did not understand its formidable demands. A week later you arrive and... there are only encrypted files in the backups. Nevertheless, making backups is still very important and necessary, but you should not limit yourself to that.

Is antivirus enough to prevent infection?

In most cases, yes, although antiviruses differ. Kaspersky Lab's antivirus solutions, according to independent tests (and only independent tests from large reputable institutions should, in principle, be trusted), protect better than most others. However, no antivirus is capable of blocking 100% of threats.

This largely depends on the novelty of the malware. If its signatures have not yet been added to the antivirus databases, such a Trojan can only be caught by analyzing its actions on the fly. If it tries to do harm, we block it immediately.

In our products this is done by a module called "Activity Monitoring" (System Watcher). If, for example, it notices an attempt to encrypt files en masse, it blocks the dangerous process and rolls back the changes made to the files. Under no circumstances should you disable this component.

In addition, Kaspersky Total Security lets you automate file backups. Even if something goes completely wrong, you will be able to restore important data from the backups.

Is there anything I can configure on my computer to protect myself from the ransomware virus?

a) First, be sure to install an antivirus. But we already talked about this.

b) You can disable the execution of scripts in browsers, since attackers often use them. You can read more about how to configure the Chrome and Firefox browsers on our blog.

c) Enable showing file extensions in Windows Explorer.

d) Windows usually marks dangerous VBS and JS script files with a text-document icon, which confuses inexperienced users. The problem can be solved by making Notepad the default application for the VBS and JS extensions.

e) You can enable the "Trusted Applications Mode" function in the antivirus, which prohibits the installation and execution of any programs not included in the "white list". It is not enabled by default, as it requires some time to configure. But it is a really useful thing, especially if the computer's users are not the most advanced and there is a risk that they will accidentally launch something wrong.
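Points c) and d) above (and item 5 of the protection list in the first article) are registry and file-association changes that can be applied and verified from PowerShell. The script below is an added example, not from the original article: it clears Explorer's "hide extensions" setting, maps the VBS and JS extensions to the built-in txtfile type so a double-click opens them in Notepad rather than running them, and prints the resulting associations to check. Including the encoded .vbe/.jse variants is an addition beyond the two extensions the text names; the assoc part needs an elevated session.

```powershell
# Added example (not from the original article): apply points c) and d) from
# PowerShell and verify them. Assumes Windows 7 or later and an elevated session
# for the assoc changes.
$explorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-FileExtensions {
    # Explorer's "Hide extensions for known file types" is the HideFileExt value (1 = hidden).
    Set-ItemProperty -Path $explorerAdvanced -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the setting at start; on a client OS it relaunches itself after being stopped.
    Stop-Process -Name explorer -Force
}

function Test-FileExtensionsVisible {
    $v = Get-ItemProperty -Path $explorerAdvanced -Name HideFileExt -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.HideFileExt -eq 0)
}

# .vbe and .jse are the encoded variants of .vbs and .js; they run the same way.
$scriptExtensions = @('.vbs', '.vbe', '.js', '.jse')

function Set-ScriptsToOpenInNotepad {
    param([string[]]$Extensions = $scriptExtensions)
    foreach ($ext in $Extensions) {
        # assoc is a cmd.exe builtin; txtfile is the stock Notepad file type, so the
        # script still opens for reading but the Windows Script Host no longer runs it.
        cmd.exe /c "assoc $ext=txtfile" | Out-Null
    }
    # Caveat: a per-user "Open with" choice made in Explorer overrides this mapping;
    # if a script still runs on double-click, pick Notepad there as well.
}

function Get-ScriptAssociations {
    param([string[]]$Extensions = $scriptExtensions)
    foreach ($ext in $Extensions) {
        $line = cmd.exe /c "assoc $ext" 2>$null          # e.g. ".vbs=txtfile"
        [pscustomobject]@{ Extension = $ext; FileType = ($line -replace '^.*=', '') }
    }
}

Show-FileExtensions
Set-ScriptsToOpenInNotepad
Get-ScriptAssociations | Format-Table -AutoSize
"Extensions visible: $(Test-FileExtensionsVisible)"
```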

Video


Kaspersky Anti-Ransomware Tool for Business is designed to protect Windows PCs from ransomware.

There is a class of Trojan programs designed to extort money from victims. They are called ransomware. The encryptors that have become widespread in recent years also belong to this class.

The threats from these programs aim to block the operation of the computer, or to encrypt the data stored on disk and block access to certain files. After that, the attackers demand payment to undo the changes the program made on someone else's computer. This causes serious losses, mainly in corporate environments.

The free Kaspersky Anti-Ransomware program is compatible with other antiviruses and can serve as an additional layer of protection against ransomware Trojans and encryptors. Keeping the computer fully protected is worth it, and this application is free.

Features of the Kaspersky Anti-Ransomware Tool:

  • Free
  • Detects ransomware at the level of premium business solutions.
  • Antivirus protection technologies used: file antivirus and “Activity Monitoring”
  • Compatible with third-party antiviruses
  • Supports common operating systems: Windows from 7 to 10 (including Anniversary Update)
  • Detection reports are sent by email to the administrator

Restrictions

Anti-Ransomware Tool from Kaspersky uses different threat detection methods to protect computers. The antivirus identifies malicious applications by analyzing the information contained in antivirus databases. To detect the characteristic behavior of ransomware, this tool uses two innovative technologies: “Activity Monitoring” and Kaspersky Security Network.

Kaspersky Security Network allows you to respond faster to unknown threats, while Activity Monitoring is able to block dangerous system changes and roll them back.

Users participating in the Kaspersky Security Network enable Kaspersky Lab to quickly collect data on new sources of threats and create solutions to neutralize them. Kaspersky Security Network is a cloud service; participating in it means sending the statistics that this antivirus collects on each PC on which it runs.

When a threat is detected, the Anti-Ransomware Tool automatically blocks it and adds it to the list of blocked applications (referred to as Blocked Applications in the interface). However, before it is blocked, the ransomware program may already have carried out some actions in the operating system (for example, changed files or created new ones, or made changes in the registry). To roll back all actions of the malicious program, Anti-Ransomware saves the activity history of all applications.

Kaspersky Anti-Ransomware antivirus places files that were created by malware in its storage. They can be restored from there by Kaspersky Lab employees. If you need to restore files from storage, you can get advice on the developer forum.

If the system is infected with malware from the Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX families, all files on the computer will be encrypted as follows:

  • When infected with Trojan-Ransom.Win32.Rannoh, the names and extensions change according to the pattern locked-<original_name>.<4 random letters>.
  • When infected with Trojan-Ransom.Win32.Cryakl, a label (CRYPTENDBLACKDC) is added to the end of the file contents.
  • When infected with Trojan-Ransom.Win32.AutoIt, the extension changes according to the template <original_name>@<mail_domain>_.<set_of_characters>.
    For example, [email protected]_.RZWDTDIC.
  • When infected with Trojan-Ransom.Win32.CryptXXX, the extension changes according to the patterns <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.
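As an added example (not part of the original article and not Kaspersky's own code), the Python below turns the naming rules above into a small triage helper that groups suspect files by family before you decide which decryptor to run. The sample paths and the byte tails are constructed; Cryakl is recognised by the label at the end of the file contents, since it leaves the name untouched.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Trojan-Ransom.Win32.Cryakl appends this label to the end of the file contents.
CRYAKL_LABEL = b"CRYPTENDBLACKDC"

# The renaming patterns from the article as regular expressions. Each keeps the
# original name (extension included) in the "name" group so it can be recovered.
PATTERNS = {
    # locked-<original_name>.<4 random letters>
    "Rannoh": re.compile(r"^locked-(?P<name>.+)\.(?P<tag>[A-Za-z]{4})$"),
    # <original_name>.crypt / .crypz / .cryp1
    "CryptXXX": re.compile(r"^(?P<name>.+)\.(?P<tag>crypt|crypz|cryp1)$", re.IGNORECASE),
    # <original_name>@<mail_domain>_.<set_of_characters>
    "AutoIt": re.compile(r"^(?P<name>.+)@(?P<domain>[^@_]+)_\.(?P<tag>[A-Za-z0-9]+)$"),
}


def identify_family(path: str, tail: bytes = b"") -> Optional[str]:
    """Return the suspected family for one file, or None if nothing matches.

    `tail` is the last bytes of the file contents; only Cryakl needs it.
    """
    name = PureWindowsPath(path).name
    for family, pattern in PATTERNS.items():
        if pattern.match(name):
            return family
    return "Cryakl" if tail.endswith(CRYAKL_LABEL) else None


def original_name(path: str) -> Optional[str]:
    """Recover the pre-encryption file name when the rename pattern preserves it."""
    name = PureWindowsPath(path).name
    for pattern in PATTERNS.values():
        match = pattern.match(name)
        if match:
            return match.group("name")
    return None  # Cryakl (and untouched files) keep their original name


def triage(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group suspect files by family; input maps path -> last bytes of contents."""
    groups: Dict[str, List[str]] = {}
    for path, tail in files.items():
        family = identify_family(path, tail)
        if family:
            groups.setdefault(family, []).append(path)
    return groups


# Constructed sample: names shaped like the article's patterns, one Cryakl
# victim identified by its trailing label, and one file that was not touched.
SAMPLE_FILES = {
    r"C:\Users\user\Documents\locked-report.docx.qwer": b"\x00\x11",
    r"C:\Users\user\Documents\budget.xlsx.crypt": b"\x00\x11",
    r"C:\Users\user\Documents\photo.jpg.cryp1": b"\x00\x11",
    r"C:\Users\user\Documents\contract.pdf@mail.example.net_.RZWDTDIC": b"\x00\x11",
    r"C:\Users\user\Documents\notes.txt": b"garbage" + CRYAKL_LABEL,
    r"C:\Users\user\Documents\readme.txt": b"plain text",
}
```

Running `triage(SAMPLE_FILES)` on the constructed set yields one Rannoh, two CryptXXX, one AutoIt and one Cryakl file, with readme.txt left out.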

The RannohDecryptor utility is designed to decrypt files after infection with Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

How to cure the system

To cure an infected system:

  1. Download the RannohDecryptor.zip file.
  2. Run RannohDecryptor.exe on the infected machine.
  3. In the main window, click Start checking.
  4. Specify the path to one encrypted file and its unencrypted original.
    If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, specify the largest file you have. Decryption will only be available for files of equal or smaller size.
  5. Wait until the search and decryption of encrypted files has finished.
  6. Restart your computer if required.
  7. To remove the encrypted copies after successful decryption, select Delete encrypted files after successful decryption.

If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility will save the file in its old location with the extension .decryptedKLR.original_extension. If you have chosen Delete encrypted files after successful decryption, the utility will save the decrypted file under the original name.

By default, the utility writes its work report to the root of the system disk (the disk on which the OS is installed).

The report name has the form UtilityName.Version_Date_Time_log.txt

For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

On a system infected with Trojan-Ransom.Win32.CryptXXX, the utility scans a limited number of file formats. If a user selects a file affected by CryptXXX v2, restoring the key may take a long time. In this case, the utility displays a warning.