Encryption Trojans: how to recover encrypted files. What a file-encrypting virus is, why it is dangerous, and which programs decrypt files

“Sorry to bother you, but... your files are encrypted. To get the decryption key, urgently transfer a certain amount of money to the wallet indicated... Otherwise, your data will be destroyed forever. You have 3 hours; the clock is ticking.” And this is no joke. A file-encrypting virus is a very real threat.

Today we will talk about what the ransomware that has spread in recent years is, what to do if you are infected, how to disinfect your computer (and whether that is even possible), and how to protect yourself from it.

We encrypt everything!

A ransomware virus (encryptor, cryptor) is a type of malware whose activity consists of encrypting the user’s files and then demanding a ransom for the decryption tool. Ransom amounts start at around $200 and reach tens and hundreds of thousands of dollars.

Several years ago, only Windows computers were attacked by this class of malware. Today its range has expanded to the supposedly well-protected Linux, Mac and Android. In addition, the variety of encryptors keeps growing: new specimens appear one after another, each with something to surprise the world. WannaCry, for instance, arose from the “crossing” of a classic encryption Trojan with a network worm (a malicious program that spreads across networks without any active participation by users).

After WannaCry came the no less sophisticated Petya and Bad Rabbit. And since the “encryption business” is lucrative for its operators, you can be sure they will not be the last.


More and more encryptors, especially those released in the last 3-5 years, use strong cryptographic algorithms that cannot be broken by brute force or any other existing means. The only way to recover the data is with the original key, which the attackers offer to sell. However, even transferring the demanded amount does not guarantee that you will receive the key: the criminals are in no hurry to give up their secrets and lose potential profit, and what reason do they have to keep their promise once they already have the money?

How encrypting viruses are distributed

The main route by which malware reaches the computers of private users and organizations is email, or more precisely, the files and links attached to messages.

Such letters, including those aimed at “corporate clients”, typically carry subject lines like:

  • “Repay your loan debt immediately.”
  • “The claim has been filed in court.”
  • “Pay the fine/fee/tax.”
  • “Additional charge of utility bills.”
  • “Oh, is that you in the photo?”
  • “Lena asked me to urgently give this to you,” etc.

Admittedly, only an informed user would treat such a letter with caution. Most people open the attachment without a second thought and launch the malicious program themselves, ignoring the antivirus’s warnings.

The following are also actively used to distribute ransomware:

  • Social networks (mailing from the accounts of friends and strangers).
  • Malicious and infected web resources.
  • Banner advertising.
  • Mailing via messengers from hacked accounts.
  • Warez sites and distributors of keygens and cracks.
  • Adult sites.
  • Application and content stores.

Encryption viruses are often delivered by other malicious programs, in particular adware and backdoor Trojans. The latter, exploiting vulnerabilities in the system and its software, give the criminal remote access to the infected device. In such cases the launch of the encryptor does not necessarily coincide in time with any risky action by the user: as long as the backdoor remains in the system, an attacker can enter the device at any moment and start the encryption.

To infect the computers of organizations (after all, more can be extracted from them than from home users), especially sophisticated methods are developed. For example, the Petya Trojan entered devices through the update module of the MEDoc tax accounting program.


Encryptors with network-worm functionality, as already mentioned, spread across networks, including the Internet, through protocol vulnerabilities, and you can be infected without doing anything at all. Users of Windows systems that are rarely updated are at greatest risk, because updates close the known loopholes.

Some malware, such as WannaCry, exploits 0-day vulnerabilities, that is, ones the system developers are not yet aware of. Unfortunately, it is impossible to fully protect against infection by this route, but the likelihood that you will be among the victims does not even reach 1%. Why? Because malware cannot infect all vulnerable machines at once, and while it is still hunting for new victims, the system developers manage to release a life-saving update.

How ransomware behaves on an infected computer

The encryption process usually begins unnoticed, and by the time its signs become obvious it is too late to save the data: the malware has already encrypted everything it could reach. Sometimes a user notices that the extension of the files in an open folder has changed.

The unexplained appearance of a new, sometimes second, extension on files, after which they no longer open, is a sure sign of an encryptor attack. Incidentally, the malware can usually be identified by the extension that the damaged files receive.

Examples of extensions that encrypted files can receive: .xtbl, .kraken, .cesar, .da_vinci_code, .codercsu@gmail_com, .crypted000007, .no_more_ransom, .decoder GlobeImposter v2, .ukrain, .rn, etc.

There are many variants, and new ones will appear tomorrow, so there is no point in listing them all. To identify the type of infection, it is enough to search for the extension in a search engine.
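As an added illustration (not code from the article), the following Python script does the triage described above on a folder: it counts files per trailing extension, flags the extensions the article lists and the "name.doc.xxx" double-extension pattern, and then checks whether a flagged file's content is actually encrypted (high byte entropy, no file-type signature) or merely renamed. The extension list, signatures and the sample files it builds in a temporary folder are assumptions constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter

# Extensions the article names as markers appended by known encryptors.
KNOWN_RANSOM_EXTENSIONS = {".xtbl", ".kraken", ".cesar", ".da_vinci_code",
                           ".crypted000007", ".no_more_ransom", ".locked",
                           ".cbf", ".oshit", ".vault", ".amba"}
# Signature bytes that intact files of these common types start with.
FILE_SIGNATURES = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
                   ".zip": b"PK\x03\x04", ".doc": b"\xd0\xcf\x11\xe0",
                   ".xls": b"\xd0\xcf\x11\xe0", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
MIN_SAMPLE = 1024  # the entropy of a shorter header says too little

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, plain text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def split_extensions(name: str):
    """'Agreement.doc.amba' -> ('.doc', '.amba'); 'notes.txt' -> (None, '.txt')."""
    parts = name.lower().split(".")
    if len(parts) >= 3:
        return "." + parts[-2], "." + parts[-1]
    return (None, "." + parts[-1]) if len(parts) == 2 else (None, "")

def looks_encrypted(header: bytes, inner_ext) -> bool:
    """True when the expected signature is gone and the bytes are high-entropy.
    A file that still starts with its signature was only renamed (content intact)."""
    signature = FILE_SIGNATURES.get(inner_ext)
    if signature is not None and header.startswith(signature):
        return False
    if len(header) < MIN_SAMPLE:
        return False  # too little data; report it as not proven encrypted
    return shannon_entropy(header) > 7.0

def triage(root: str, sample_size: int = 4096) -> dict:
    """Walk `root` and report extension counts plus files that look encrypted."""
    by_extension, suspicious = Counter(), []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            inner, outer = split_extensions(name)
            by_extension[outer] += 1
            known = outer in KNOWN_RANSOM_EXTENSIONS
            # A document extension followed by an unfamiliar one ("x.doc.amba")
            # is the "second extension" pattern the article describes.
            doubled = inner in FILE_SIGNATURES and outer not in FILE_SIGNATURES
            if not (known or doubled):
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                header = fh.read(sample_size)
            suspicious.append({"name": name, "marker": outer, "known_marker": known,
                               "content_encrypted": looks_encrypted(header, inner)})
    return {"by_extension": by_extension, "suspicious": suspicious}

def build_sample_tree(root: str) -> None:
    """Write a constructed sample folder: two hits and two clean files."""
    uniform = bytes(range(256)) * 16  # 4096 bytes, entropy 8.0: stands in for ciphertext
    samples = {"Agreement.doc.amba": uniform,
               "report.pdf.xtbl": b"%PDF-1.4\n" + b"renamed, not encrypted\n" * 60,
               "notes.txt": b"plain text " * 50,
               "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)

def run_demo() -> dict:
    """Triage the constructed sample tree in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)

if __name__ == "__main__":
    for hit in run_demo()["suspicious"]:
        print(hit["name"], "->", "encrypted" if hit["content_encrypted"] else "renamed only")
```

Point `triage()` at a copy of the affected folders, never at the only copy of the data; a "renamed only" verdict means the original content is intact and no decryptor is needed.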


Other symptoms that indirectly indicate the beginning of encryption:

  • Command line windows appear on the screen for a split second. Most often, this is a normal phenomenon when installing system and program updates, but it is better not to leave it unattended.
  • UAC requests to launch some program that you did not intend to open.
  • A sudden reboot of the computer followed by simulating the operation of the system disk check utility (other variations are possible). During the “verification”, the encryption process occurs.

After the malicious operation is successfully completed, a message appears on the screen with a ransom demand and various threats.

Ransomware encrypts a large share of user files: photos, music, videos, text documents, archives, mail, databases, files with program extensions, etc. However, it does not touch operating system objects, because the attackers do not want the infected computer to stop working. Some viruses replace the boot records of disks and partitions.

After encryption, all shadow copies and recovery points are typically deleted from the system.

How to cure a computer from ransomware

Removing the malware from an infected system is easy: almost any antivirus program handles most of them without difficulty. But! It is naive to believe that getting rid of the culprit solves the problem: whether you remove the virus or not, the files remain encrypted. Moreover, in some cases removal complicates their subsequent decryption, where decryption is possible at all.

The correct procedure when encryption has started

  • As soon as you notice signs of encryption, immediately cut the computer’s power by pressing and holding the Power button for 3-4 seconds. This will save at least some of the files.
  • On another computer, create a bootable disk or flash drive with an antivirus program, for example Kaspersky Rescue Disk 18, Dr.Web LiveDisk, ESET NOD32 LiveCD, etc.
  • Boot the infected machine from this disk and scan the system. Remove any viruses found but keep them in quarantine (in case they are needed for decryption). Only after that may you boot the computer from its hard drive.
  • Try to recover the encrypted files from shadow copies, using system tools or third-party tools.

What to do if the files are already encrypted

  • Don’t lose hope. The websites of antivirus developers offer free decryption utilities for different types of malware, in particular utilities from Avast and Kaspersky Lab.
  • Having identified the encryptor type, download the appropriate utility, be sure to make copies of the damaged files, and try to decrypt them. If it works, decrypt the rest.

If the files are not decrypted

If none of the utilities helps, you have most likely been hit by a virus for which there is no cure yet.

What can you do in this case:

  • If you use a paid antivirus product, contact its support team. Send several copies of the damaged files to the laboratory and wait for a reply. If it is technically possible, they will help you.

Incidentally, Dr.Web is one of the few laboratories that helps not only its own users but everyone affected. You can submit a file decryption request on its website.

  • If it turns out that the files are hopelessly damaged but they are of great value to you, all you can do is hope and wait for a remedy to be found some day. The best thing to do is leave the system and files as they are, that is, shut the computer down completely and stop using the hard drive. Deleting the malware files, reinstalling the operating system, or even updating it can deprive you of this chance, because unique system identifiers and the copy of the virus itself are often used when the encryption/decryption keys are generated.

Paying the ransom is not an option, since the likelihood that you will receive the key is close to zero. And there is no point in financing a criminal business.

How to protect yourself from this type of malware

I would rather not repeat advice that every reader has heard hundreds of times. Yes, installing a good antivirus, not clicking suspicious links and so on is important. However, as experience shows, there is no magic pill today that gives a 100% guarantee of security.

The only effective protection against ransomware of this kind is backing up data to other physical media, including cloud services. Backup, backup, backup...

Viruses in the usual sense are becoming fewer and fewer, thanks to free antiviruses that work well and protect users’ computers. At the same time, not everyone cares about the security of their data, and such users risk infection not only with malware in general but also with classic viruses, among which the Trojan remains the most common. It can manifest itself in many ways, but one of the most dangerous is file encryption. If a virus has encrypted the files on your computer, there is no guarantee you will get the data back, but there are some effective methods, which are discussed below.

Encryption virus: what it is and how it works

On the Internet you can find hundreds of varieties of viruses that encrypt files. Their actions lead to a single outcome: the user’s data on the computer receives an unknown format that cannot be opened with standard programs. Here are just some of the formats into which data on a computer can be turned by such viruses: .locked, .xtbl, .kraken, .cbf, .oshit and many others. In some cases the email address of the virus creators is written directly into the file extension.

Among the most common file-encrypting viruses are Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni. They come in many forms, and the virus may not even be called a Trojan (CryptoLocker, for example), but their behaviour is practically the same. New versions of encryption viruses are released regularly so that antivirus developers have a harder time dealing with the new formats.

If an encrypting virus has got into a computer, it will certainly make itself known not only by blocking files but also by offering the user to unlock them for a fee. A banner may appear on the screen telling you where to transfer the money to unlock the files. When no such banner appears, look for a “letter” from the virus developers on your desktop; in most cases the file is called ReadMe.txt.

Depending on the developers of the virus, prices for file decryption vary. At the same time, it is far from certain that when you send money to the virus creators they will send back a way to unlock the files. In most cases the money disappears “nowhere”, and the computer user receives no decryption method.

Once the virus has appeared on your computer and you see a code on the screen that is supposed to be sent to a specific address in order to receive a decryptor, do not do this. First of all, copy this code onto a piece of paper, since a newly created file may also be encrypted. After that you can set the virus developers’ message aside and search the Internet for a way to get rid of the file encryptor in your particular case. Below we present the main programs that allow you to remove the virus and decrypt files; they cannot be called universal, and antivirus developers regularly expand the list of solutions.

Getting rid of a file-encrypting virus is quite simple using free versions of antivirus programs. Three free programs cope well with file-encrypting viruses:

  • Malwarebytes Antimalware;
  • Dr.Web CureIt!;
  • Kaspersky Internet Security.

The applications listed above are completely free or have trial versions. We recommend using a solution from Dr.Web or Kaspersky after scanning your system with Malwarebytes Antimalware. Let us remind you once again that installing two or more antiviruses on the same computer at once is not recommended, so before installing each new solution you must remove the previous one.

As noted above, the ideal solution would be to find instructions that deal specifically with your problem. Such instructions are most often posted on the websites of antivirus developers. Below we present several current antivirus utilities that can cope with various types of Trojans and other encryptors.


The list above is only a small selection of the antivirus utilities that can decrypt infected files. Note that simply trying to get the data back on your own will, on the contrary, lose it forever; do not do this.

Today computer and laptop users increasingly encounter malware that replaces files with encrypted copies of them. Essentially, these are viruses. The XTBL ransomware is considered one of the most dangerous of this kind. What is this pest, how does it get onto the user’s computer, and is it possible to restore the damaged information?

What is XTBL ransomware and how does it get into the computer?

If you find files on your computer or laptop with a long name and the .xtbl extension, you can say with confidence that a dangerous virus, the XTBL ransomware, has entered your system.

It affects all versions of Windows. It is almost impossible to decrypt such files on your own, because the program uses a hybrid encryption scheme in which guessing the key is simply impossible.

System directories are filled with infected files. Entries are added to the Windows registry that launch the virus automatically every time the OS starts.

Almost all types of files are encrypted: graphics, text, archives, email, video, music, etc. It becomes impossible to work in Windows.


How does it work? An XTBL ransomware running on Windows first scans all logical drives, including cloud and network storage mounted on the computer. The files are then grouped by extension and encrypted. As a result, all valuable information in the user’s folders becomes inaccessible.

Under the XTBL ransomware the file extension changes: instead of an image or a Word document, the user now sees a blank-sheet icon and a long name ending in .xtbl. In addition, a message appears on the desktop, a kind of instruction for restoring the encrypted information, demanding payment for unlocking. This is nothing more than blackmail demanding a ransom.


This message appears in the desktop window of your computer.

XTBL ransomware is usually distributed by email. The message contains attached files or documents infected with the virus. The scammer lures the user with a colourful headline; everything is done to make sure the message, saying for example that you have won a million, gets opened. Do not respond to such messages, otherwise there is a high risk that the virus will end up in your OS.

Is it possible to recover information?

You can try to decrypt the information using special utilities. However, there is no guarantee that you will manage to get rid of the virus and restore the damaged files.

Currently XTBL ransomware poses an undeniable threat to all computers running Windows. Even the recognized leaders in the fight against viruses, Dr.Web and Kaspersky Lab, do not have a 100% solution to this problem.

Removing a virus and restoring encrypted files

There are different methods and programs for dealing with XTBL encryption. Some remove the virus itself; others try to decrypt the locked files or restore their previous copies.

Stopping a computer infection

If you are lucky enough to notice files with the .xtbl extension starting to appear on your computer, it is quite possible to interrupt the further course of the infection.

Kaspersky Virus Removal Tool to remove XTBL ransomware

All such programs should be run in an OS that has been booted into Safe Mode with Networking.

In this mode it is much easier to remove the virus, since only the minimum set of system processes required to start Windows is running.


To enter Safe Mode in Windows XP or 7, press the F8 key repeatedly during system startup and, once the menu appears, select the appropriate item. In Windows 8 or 10, restart the OS while holding the Shift key. During startup a window will open where you can select the required safe boot option.

The Kaspersky Virus Removal Tool recognizes XTBL ransomware well and removes this type of virus. After downloading the utility, run a computer scan by clicking the corresponding button. Once the scan is complete, delete any malicious files found.


Running a computer scan for the presence of an XTBL ransomware in Windows OS and then removing the virus

Dr.Web CureIt!

The procedure for checking and removing the virus is practically the same as with the previous utility. Use the utility to scan all logical drives; to do this, simply follow the program’s prompts after launching it. At the end of the process, get rid of the infected files by clicking the “Decontaminate” button.


Neutralize malicious files after scanning Windows

Malwarebytes Anti-malware

The program carries out a step-by-step check of your computer for malicious code and destroys it.

  1. Install and run the Anti-malware utility.
  2. Select “Run scan” at the bottom of the window that opens.
  3. Wait for the process to complete and tick the checkboxes next to the infected files.
  4. Delete the selection.


Removing malicious XTBL ransomware files detected during scanning

Online decryptor script from Dr.Web

On the official Dr.Web website, in the support section, there is a tab with a script for online file decryption. Please note that only users who have this developer’s antivirus installed on their computers can use the online decryptor.


Read the instructions, fill out everything required and click the “Submit” button

RectorDecryptor decryption utility from Kaspersky Lab

Kaspersky Lab also decrypts files. From the official website you can download the RectorDecryptor.exe utility for Windows Vista, 7 and 8 by following the menu links “Support - File disinfection and decryption - RectorDecryptor - How to decrypt files”. Run the program, perform a scan, and then delete the encrypted files by selecting the corresponding option.


Scanning and decrypting files infected with XTBL ransomware

Restoring encrypted files from a backup

Starting with Windows 7, you can try to restore files from backups.


ShadowExplorer to recover encrypted files

The program is portable and can be run from any media.


QPhotoRec

The program is specially designed to recover damaged and deleted files. Using built-in algorithms, the utility finds the lost information and restores it to its original state.

QPhotoRec is free.

Unfortunately, QPhotoRec exists only in an English version, but understanding the settings is not hard at all: the interface is intuitive.

  1. Launch the program.
  2. Mark the logical drives with encrypted information.
  3. Click the File Formats button and OK.
  4. Using the Browse button at the bottom of the open window, select where to save the files and start the recovery procedure by clicking Search.


QPhotoRec recovers files deleted by XTBL ransomware and replaced with its own copies

How to decrypt files - video

What not to do

  1. Never take actions you are not completely sure of. It is better to call a specialist from a service centre or take the computer there yourself.
  2. Do not open email messages from unknown senders.
  3. Under no circumstances should you follow the lead of blackmailers by agreeing to transfer money to them. This will most likely not give any results.
  4. Do not manually rename the extensions of encrypted files and do not rush to reinstall Windows. It may be possible to find a solution that will correct the situation.

Prevention

Try to install reliable protection against XTBL ransomware and similar ransomware viruses on your computer. Such programs include:

  • Malwarebytes Anti-Ransomware;
  • BitDefender Anti-Ransomware;
  • WinAntiRansom;
  • CryptoPrevent.


Although they are all in English, working with such utilities is quite simple: launch the program and select the protection level in the settings.

Launching the program and selecting the protection level

If you have encountered a ransomware virus that encrypts the files on your computer, you should of course not despair right away. Try the suggested methods for restoring the damaged information; they often give a positive result. Do not use unverified programs from unknown developers to remove XTBL ransomware, as this can only make the situation worse. If possible, install one of the programs that prevents the virus from running on your PC, and run regular scans of Windows for malicious processes.

Fighting new virus threats: ransomware

In this article we will show how to get back data encrypted by a virus. For this we will use two decryptors, from the Kaspersky and Doctor Web antiviruses; these are the most effective ways of recovering encrypted information.

1. Download the file decryption utilities from the links: Kaspersky and Dr.WEB

Or decryptors for a specific type of encrypted files that are .

2. First, we will try to decrypt the files using the program from Kaspersky:

2.1. Launch the Kaspersky decryptor. If it asks for some action, for example permission to run, allow it; if it asks to update, update it, as this increases the chances of recovering the encrypted data.

2.2. In the file decryption window that appears, we see several buttons. Configure the advanced settings and start the scan.

2.3. If necessary, select additional options: specify where to search for encrypted files and, if desired, whether to delete them after decryption. I do not recommend choosing this option, since files are not always decrypted correctly!

2.4. Launch the scan and wait for the virus-encrypted data to be decrypted.

3. If the first method did not work, let's try to decrypt the files using the program from Dr.WEB.

3.1. After downloading the decryption application, put it, for example, in the root of the “C:” drive, so that the file “te102decrypt.exe” is available at “c:\te102decrypt.exe”.

3.2. Now open the command line (Start > Search > type “CMD” without quotes and press Enter).

3.3. To start decrypting files, enter the command "c:\te102decrypt.exe -k 86 -e (encryptor code)". The encryptor code is the extension added to the end of the file, for example " [email protected] _45jhj"; write it without quotes and parentheses, keeping the spaces. You should get something like c:\te102decrypt.exe -k 86 -e [email protected] _45jhj

3.4. Press Enter and wait for the encrypted files to be decrypted. In some cases several copies of a decrypted file are created; try to open them, keep the copy that opens normally, and delete the rest.

Download other file decryptors:

Attention: Be sure to save a copy of the encrypted files on an external drive or another PC. The decryptors presented below may fail to decrypt files and merely corrupt them!

It is best to run the decryptor on a virtual machine or a specially prepared computer, having first copied several files onto it.

The decryptors presented below work as follows. Suppose your files are encrypted with the amba encryptor and look like “Agreement.doc.amba” or “Account.xls.amba”; then download the decryptor for amba files and simply run it. It will find all files with this extension and decrypt them. But I repeat: protect yourself and first make a copy of the encrypted files, otherwise you may lose your incorrectly decrypted data forever!

If you do not want to take the risk, contact us via the feedback form and send us several files; we will run the decryptor on a specially prepared computer isolated from the Internet.

The files presented were checked with the latest version of Kaspersky antivirus with the latest database updates.

If a text message appears on your computer saying that your files are encrypted, do not rush to panic. What are the symptoms of file encryption? The usual extension changes to *.vault, *.xtbl, * [email protected] _XO101, etc. The files cannot be opened; a key is required, which can be purchased by writing to the address given in the message.

Where do the encrypted files come from?

The computer has caught a virus that blocks access to information. Antivirus programs often miss such viruses because the program is usually based on some harmless free encryption utility. You will remove the virus itself quickly enough, but serious problems may arise with decrypting the information.

The technical support of Kaspersky Lab, Dr.Web and other well-known antivirus companies, in response to user requests to decrypt data, reports that this cannot be done in an acceptable time. There are several programs that can work out the key, but they only work with previously studied viruses. If you encounter a new modification, the chances of restoring access to the information are extremely low.

How does a ransomware virus get onto a computer?

In 90% of cases users themselves activate the virus on their computer by opening unknown letters. A message arrives by email with a provocative subject: “Subpoena”, “Loan debt”, “Notification from the tax office”, etc. Inside the fake letter is an attachment; after it is downloaded, the ransomware gets onto the computer and gradually begins to block access to the files.

Encryption does not happen instantly, so users have time to remove the virus before all the information is encrypted. You can destroy the malicious script with the cleaning utilities Dr.Web CureIt, Kaspersky Internet Security and Malwarebytes Antimalware.

File recovery methods

If system protection was enabled on your computer, then even after a ransomware attack there is a chance of returning files to their normal state using shadow copies. Ransomware usually tries to delete them, but sometimes fails to do so for lack of administrator rights.

Restoring a previous version:

In order for previous versions to be saved, system protection must be enabled.

Important: system protection must be enabled before the ransomware appears; afterwards it will no longer help.

  1. Open the Computer properties.
  2. In the menu on the left, select System Protection.
  3. Select drive C and click “Configure”.
  4. Choose to restore system settings and previous versions of files. Apply the changes by clicking “OK”.

If you took these steps before the file-encrypting virus appeared, then after cleaning your computer of malicious code you have a good chance of recovering your information.

Using special utilities

Kaspersky Lab has prepared several utilities that help open encrypted files after the virus has been removed. The first decryptor to try is Kaspersky RectorDecryptor.

  1. Download the program from the official Kaspersky Lab website.
  2. Then run the utility and click “Start scan”. Specify the path to any encrypted file.

If the malicious program has not changed the files’ extensions, then to decrypt them you need to gather them in a separate folder. If RectorDecryptor does not help, download two more programs from the official Kaspersky website: XoristDecryptor and RakhniDecryptor.

The latest utility from Kaspersky Lab is called Ransomware Decryptor. It helps decrypt files after the CoinVault virus, which is not yet widespread on the RuNet but may soon replace other Trojans.