How to protect your computer from ransomware viruses. How to protect yourself from the Petya ransomware virus. Distinctive features of Wanna Cryptor

This time we checked how comprehensive anti-virus suites cope with ransomware Trojans. To do this, we put together a selection of ransomware samples and even wrote a separate program that imitates the actions of an unknown encrypting Trojan; its signature is certainly not in the databases of any participant in today's test. Let's see what they can do!

WARNING

This article was written for research purposes. All information in it is provided for informational purposes only. All samples were obtained from open sources and have been sent to virus analysts.

Old remedies for new threats

Classical antiviruses do little to protect against Trojans that encrypt files and demand a ransom for their decryption. Technically, such ransomware consists entirely or almost entirely of legitimate components, none of which performs any malicious action on its own. The malware simply chains them together, leading to a disastrous result: the user is deprived of the opportunity to work with his files until he decrypts them.

Recently, many specialized utilities have appeared to protect against ransomware Trojans. They either attempt non-signature analysis (identifying new versions of ransomware by their behavior, file reputation and other indirect signs) or simply forbid any program from making the changes a ransomware Trojan needs to make.

We have seen that such utilities are practically useless. Even the strictest restrictions they offer (under which normal work is no longer possible) do not provide a reliable barrier against ransomware Trojans. These programs prevent some infections, but in doing so they create a false sense of security: the user becomes more careless and falls victim to ransomware even sooner.

The main problem in fighting classic ransomware Trojans is that all their actions are performed only on user files and do not touch system components. The user cannot be prevented from changing and deleting his own files. Well-written ransomware has very few obvious distinguishing behavioral features, if any at all. Most programs now use a network connection (at least to check for updates), and encryption features are built into even text editors.

It turns out that no obvious signs are left for preventive protection tools to distinguish the next encrypting Trojan from a legitimate program. If the Trojan's signature is not in the databases, the chance that the antivirus will detect it is very small. The heuristic module reacts only to crude modifications of known ransomware, and the behavioral analyzer usually detects no suspicious activity at all.

Not all backups are alike!

Today, thousands of computers are infected with ransomware every day, and as a rule by the hands of the users themselves. Anti-virus companies accept requests to decrypt files (free of charge for their customers), but their analysts are not omnipotent either. Sometimes too little data can be collected for successful decryption, or the Trojan's own algorithm contains errors that make it impossible to restore the files in their original form. Decryption requests currently take anywhere from two days to six months to process, and in that time many of them simply lose their relevance. So additional means of protection are needed that do not rely on the virus scanner.

For a long time, backup copies were universal protection against any virus attack. After a new malware infection you could simply restore everything from the backup, overwriting the encrypted files with their original versions and reverting any unwanted changes. However, modern ransomware Trojans have learned to find and corrupt backups too. If automatic backups are configured, the backup storage is connected and writable. An advanced Trojan scans all local, external and network drives, locates the backup directory and either encrypts the backups or deletes them and overwrites the freed space.

Making backups by hand is too tedious and unreliable. It is hard to do every day, and over a longer period a lot of current data accumulates that has no backup to restore from. What can be done?

Today, besides classic antiviruses, most developers offer comprehensive security suites. In addition to the firewall, IDS and other familiar components, they now contain a new one: a protected backup storage. Unlike an ordinary backup directory, only the antivirus itself has access to it, and that access is controlled by its driver. External management of the directory is completely disabled: even an administrator cannot open or delete it through the file manager. Let's see how good this approach is.

Test Methodology

For our experiments, we made clones of a virtual machine with a clean Windows 10 and the latest patches. Each clone had its own antivirus installed. Immediately after updating the databases, we checked the antivirus's reaction to the test set and to our simulator program. The test set included 15 samples: 14 were various modifications of well-known ransomware Trojans, and the fifteenth was a downloader Trojan that fetched another ransomware from a remote site.

All samples were given a .tst extension regardless of their actual file format. A program written specially for these tests, with the unassuming name EncryptFiles, imitated the typical behavior of an encrypting Trojan. When run with default settings, it immediately encrypted the contents of the files in the My Documents directory without asking any questions. For clarity, we left the program's echo messages in place and put a couple of OEM-866-encoded text files in the current user's Documents directory so that their contents could be displayed directly in the console. One file contained quotes from the Strugatsky brothers' works (plain unformatted text), and the other contained lens parameters in the form of a table (formatted text).

After installing and updating each antivirus, the ransomware samples were copied to the Downloads directory from a network folder mounted read-only. The copied files were then additionally scanned by the antivirus (a forced on-demand scan) with default settings. The samples that survived the scan were given their real extensions and launched. If the system was not infected, the antivirus's reaction to the simulator program was checked. If the files were successfully encrypted, we tried to restore their original versions using the antivirus's own tools and logged the result.

Kaspersky Total Security

On one of the test virtual machines we installed Kaspersky Total Security, which promised “protection against ransomware to prevent malware from corrupting files.” KTS recognized almost all the threats when we tried to copy the ransomware samples from the network folder.


Only one of the fifteen files reached the Downloads directory: nd75150946.tst, which is just the Trojan.Downloader, and a long-known one at that. When we re-scanned it with KTS on demand, the file was again deemed safe. Forty-five scanners on VirusTotal disagreed.



We opened this sample in a hex editor to determine its true format. The familiar header 50 4B 03 04 and the name of another file inside: clearly a ZIP archive. Inside the archive was a suspicious file: its icon was that of a PDF document, but its extension was .scr, a screen saver, that is, executable code.
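The same check can be done without a hex editor. The PowerShell script below is an added example (not part of the original test harness): it classifies a file by its leading bytes rather than its extension and, for ZIP containers, lists entries that Windows would run as code, such as the .scr file found here. The list of executable extensions and the Downloads path are assumptions.

```powershell
# Added example: classify a sample by its leading bytes instead of its extension and,
# for ZIP containers, list entries that Windows would run as code.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows executes on double-click (assumed list; .scr is the screen-saver
# extension found in this sample, .js is the one the article later recommends blocking).
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse',
                          '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.msi', '.lnk', '.dll')

# Map the first four bytes to a container type. 50 4B 03 04 is the local-file header that
# begins every ZIP archive; Office .docx/.xlsx files are ZIPs too, so they get the same check.
function Get-ContainerType {
    param([Parameter(Mandatory)][string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] 4
        $read = $stream.Read($head, 0, 4)
    } finally {
        $stream.Dispose()
    }
    if ($read -lt 4) { return 'unknown' }
    $hex = ($head | ForEach-Object { $_.ToString('X2') }) -join ' '
    switch ($hex) {
        '50 4B 03 04' { return 'zip' }
        '25 50 44 46' { return 'pdf' }   # '%PDF'
        'D0 CF 11 E0' { return 'ole' }   # legacy .doc/.xls compound file
    }
    if ($hex.StartsWith('4D 5A')) { return 'pe' }   # 'MZ': native executable
    return 'unknown'
}

# Enumerate ZIP entries and return those whose real extension is executable.
function Find-ExecutableEntries {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ([string]::IsNullOrEmpty($entry.Name)) { continue }   # directory entry
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($ExecutableExtensions -contains $ext) {
                [pscustomobject]@{
                    Entry     = $entry.FullName
                    Extension = $ext
                    # A document-like extension right before the real one (report.pdf.scr)
                    # is the classic icon-and-name disguise.
                    Disguised = [bool]($entry.Name -match '\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.[^.]+$')
                    Bytes     = $entry.Length
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Compare the claimed extension with the header-derived type and collect executable contents.
function Test-Sample {
    param([Parameter(Mandatory)][string]$Path)
    $actual = Get-ContainerType -Path $Path
    $hits   = @()
    if ($actual -eq 'zip') { $hits = @(Find-ExecutableEntries -Path $Path) }
    [pscustomobject]@{
        File        = $Path
        Claimed     = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
        Actual      = $actual
        Executables = $hits
    }
}

# Usage: check everything that landed in Downloads with the test's .tst extension (assumed path).
foreach ($file in Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter '*.tst' -File) {
    $r = Test-Sample -Path $file.FullName
    Write-Host ("{0}: claimed '{1}', header says '{2}'" -f $r.File, $r.Claimed, $r.Actual)
    if ($r.Executables.Count -gt 0) {
        Write-Warning ("{0} contains {1} executable entry(ies):" -f $r.File, $r.Executables.Count)
        $r.Executables | Format-Table -AutoSize | Out-Host
    }
}
```

The archive is only read, never extracted, so the check does not hand control to anything inside it.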


When we tried to run the .scr file from the archive, KTS blocked the automatically unpacked copy in the user's temporary directory. Based on the results of cloud analysis through the KSN network, it identified this file as an unknown malicious object and suggested deleting it with a reboot. In this case that was an excessive precaution, since the Trojan had not been given control and could be deleted in any ordinary way, like a normal file.


It is noteworthy that Kaspersky Total Security does not learn from its mistakes. When the archive was re-scanned, it was again found to be clean, even though the file unpacked from it had just been flagged by the KSN analysis.



At the beginning of the next stage of testing, we checked the initial state of the My Documents directory and displayed the contents of a couple of text files from it to the console.



After that, we opened the Backup and Restore module and backed up these documents to the Backup folder right on the system partition. In a real situation you should choose a different location (for example, an external drive), but for our test it does not matter. In any case, access to this folder is controlled by KTS, and Trojans cannot interact with it through the standard file-system driver.



Using standard tools, even an administrator can only view the properties of this folder. When you try to enter it, the KTS backup manager automatically starts and asks you to enter a password if it was set earlier.



Kaspersky's backup manager is laid out very clearly. You can choose standard directories, specify your own, or exclude individual files. The number of files of each type is shown immediately in the window on the left, and their size in the properties on the right.



In addition to writing backups to local and removable drives, KTS supports sending them to Dropbox. Using cloud storage is especially convenient if malware prevents the computer from starting up and connecting external media.



KTS ignored our simulator program. It quietly encrypted the files, turning their contents into gibberish. The denied access to the My Videos, My Pictures and My Music subdirectories is a bug in the program itself; it does not affect its ability to encrypt files in %USERPROFILE%\Documents in any way.

Whereas our program decrypts simply when launched with the /decrypt switch, real Trojans do not always decrypt even after the ransom demands are met. The only reasonably fast way to recover encrypted files in that case is to overwrite them from a previously made backup. In just a few clicks we selectively restored one of the encrypted files to its original location. One or more entire directories can be restored in the same way.


Dr.Web Security Space

Like KTS, Dr.Web SS detected 14 out of 15 samples already when trying to copy them to the Downloads directory.



However, unlike KTS, it did detect Trojan.Downloader in the remaining sample once its extension was changed to ZIP and a forced scan was run.


Most Dr.Web SS settings are locked by default. To change them, you must first click the lock icon and enter the password, if one has been set.


Backups in Dr.Web SS are created with the Data Loss Prevention tool. The available settings are minimal: you can select standard user directories for backup or specify your own, set one of the preset limits on the size of the copies, specify where the backups are stored, and set up a backup schedule. Uploading to cloud storage is not supported by Dr.Web SS, so you have to make do with local drives.



The backup directory is protected more aggressively in Dr.Web SS than in KTS: the administrator cannot even view its properties in Explorer.



We made backup copies of the documents and proceeded to the second part of the test.

Dr.Web SS did not recognize our simulator and did not interfere with its operation in any way. In a fraction of a second, all the files were encrypted.



By running Data Loss Prevention again, we restored the original files. However, they did not end up at all where we expected.


When My Documents is specified as the target folder, a subdirectory named with the current date and time is automatically created in it. The saved files are unpacked from the backup into that subdirectory with all their relative paths restored. The result is an extremely awkward long path that could easily exceed the common 255-character limit.


Norton Security Premium

Remembering Norton Ghost, which became the backup standard back in the nineties, it was easy to predict that such functionality would appear in Symantec's antivirus. It is surprising that two decades passed before this obvious solution came into demand. As the proverb goes, misfortune turned out to help.

When trying to copy the ransomware samples directory, NSP detected and quarantined 12 out of 15 threats.



All three remaining files are recognized as malicious by VirusTotal, two of them by Symantec's own antivirus. It is just that the default settings make NSP skip some files when copying. We ran a forced scan, and NSP found two more Trojans in the same directory.



Like the previous antiviruses, NSP leaves the Trojan downloader in the renamed ZIP archive. When we tried to run the .scr file from the archive, NSP blocked the launch of the unpacked copy of the Trojan from the current user's temporary directory. The archive itself was not processed in any way.


The archive is considered clean even when rescanned immediately after a Trojan unpacked from it was detected. The message is especially amusing: “If you believe there are still threats, click here.” Clicking it updates the databases (or not, if they are already fresh).



Surprisingly, some of the older ransomware samples are still detected by NSP only by the heuristic analyzer and cloud-based checks. It seems Symantec's virus analysts are too lazy to keep the databases up to date: their antivirus simply blocks everything suspicious and waits for the user's reaction.

The second stage of testing was traditional. We backed up files from the My Documents directory and then tried to encrypt them.

The backup manager in NSP at first pleased us with its logic. It uses the classic “What? Where? When?” scheme, familiar from pre-Soviet times. In the modern version, however, it is spoiled by excessive abstraction. Instead of directly listing objects by full path and files by extension, it uses their virtual location and a conditional grouping by type. It remains a mystery which files NSP considers to be financial information and which ones it simply puts in the “Other” section.



Additional settings are possible (for example, via the “Add or exclude files and folders” link), but they are very hard to make. For the sake of a couple of files (each under a kilobyte), you still have to back up half a directory tree and all sorts of rubbish like desktop.ini, and the backup wizard suggests immortalizing this on a CD-R. It seems the 21st century has not arrived for everyone.



On the other hand, NSP users are provided with 25 GB of backups in the cloud. To upload backups there, just select "Secure Network Storage" as the destination.



Having created a local backup, we launched the program that mimics the actions of an encrypting Trojan. NSP did not interfere with it in any way and let it encrypt the files.



Restoring them from a backup was faster and more convenient than in Dr.Web SS. It was enough to confirm the overwriting, and the files in their original form immediately ended up in their original places.


K7 Ultimate Security

Previously, this product from the Indian company K7 Computing was called Antivirus Plus. There is still some confusion with this developer's product names: for example, the K7 Total Security distribution has no backup tools. That is why we tested the Ultimate version, the only one capable of making backups.

Unlike the antiviruses well known in Russia, this product was a dark horse in our tests. The phrase “Indian code” is considered a curse among programmers, and we did not expect much from it. As the tests showed, we were wrong.

K7 Ultimate Security is the first antivirus that immediately detected all 15 threats from our selection. It did not even allow the samples to be copied to the Downloads directory, and it would have deleted them directly in the network folder had it not been mounted read-only.



The program's design is all camouflage and steel. Apparently the developers are fond of tank games, or are simply trying to evoke associations with something reliable. Backup options in K7 are set up much as in NSP. Overall, though, K7's interface is less cluttered and it is easier to get to the finer details.



K7 did not react to the launch of the simulator program or to the encryption of files. As always, we had to restore the originals from a backup.



Conveniently, when restoring, you can select individual files and write them to their original location. Answering in the affirmative to the request to overwrite the existing file, we restored lenses.txt in a couple of clicks in its original place.


As part of this test, there is nothing more to add about the work of K7. Success is success.

Conclusions

Despite the good test results, the overall conclusions are disappointing. Even full versions of popular paid antiviruses let some ransomware variants through in their default settings. A custom on-demand scan does not guarantee the safety of the scanned files either. With primitive tricks (such as changing the extension), even well-known Trojan modifications avoid detection. New malware is almost always checked against antivirus detection before being released into the wild.

Do not rely on the behavioral analyzer, cloud checks, file reputation and other non-signature analysis tools. These methods are of some use, but very little. Even our primitive simulator program, with zero reputation and no digital signature, was not blocked by any antivirus. Like many ransomware Trojans it contains plenty of flaws, but that does not stop it from encrypting files unhindered immediately upon launch.

Automatic backup of user files is not a consequence of progress but a necessary measure. It can be truly effective only with constant protection of the backup storage by the antivirus itself. However, it is effective exactly until the antivirus is unloaded from memory or uninstalled altogether. It is therefore always worth making additional copies on some rarely connected media or uploading them to the cloud, provided, of course, that you trust the cloud provider enough.

Today, many have already experienced the results of the actions of cybercriminals whose main weapon is encrypting viruses. Their main goal is to extort money from users. Tens of thousands of hryvnias may be demanded to unlock personal files, and millions from business owners (for example, for a blocked 1C database).
We hope that our advice will help you secure your databases as much as possible.

Antivirus protection

Of course, the main means of protection is an antivirus. Make sure your antivirus stays current: virus databases are updated automatically (without user intervention) several times a day. Also keep an eye on the appearance of new reliable anti-virus tools and add them to your toolkit.
One such tool is the ESET LiveGrid® cloud service, which blocks a virus before it gets into the antivirus database. The ESET system immediately analyzes a suspicious program and determines how dangerous it is; if a virus is suspected, the program's processes are blocked.

You can also use the free AVG antivirus; it is of course slightly inferior to ESET but offers a good degree of protection against viruses, and for complete protection you can also buy an AVG license.

At the beginning of 2017, experts from MRG Effitas tested 16 popular antivirus products for home users on 64-bit Microsoft Windows 10. The reliability tests used 386 different malware samples, including 172 Trojans, 51 backdoors, 67 banking malware, 69 ransomware and 27 potentially unwanted programs and adware.

Here are the test results

From this chart you can pick the best free antivirus of 2017 as well as the best paid one; which of them you install to protect your computer or laptop is up to you.

If you chose a paid antivirus and settled on NOD32, be sure to check that the ESET LiveGrid® function is enabled: ESET NOD32 - Advanced settings - Utilities - ESET LiveGrid® - Enable the ESET LiveGrid® reputation system.

Attackers always hope that users have not yet installed the latest updates, so that they can exploit vulnerabilities in software. First of all this concerns the Windows operating system, so check that automatic OS updates are enabled (Start - Control Panel - Windows Update - Settings - Choose how to download and install updates).

If you do not use the file encryption service provided in Windows, it is better to disable it, because some ransomware modifications use this function for their own purposes. To disable it: Start - Control Panel - Administrative Tools - Services - Encrypting File System (EFS), disable the service there and reboot the system.
But if you have already used encryption to protect any files or folders, you first need to uncheck the corresponding checkbox (right-click - Properties - Attributes - Advanced - Encrypt contents to secure data). If this is not done, you will lose access to that information after the encryption service is disabled. Finding the encrypted files is easy: they are highlighted in green.

Limited use of programs

To raise the level of security, you can block the launch of programs that do not meet specified requirements. By default, such rules allow programs to run from the Windows and Program Files directories.

Local group policy can be set up like this:
open Run (Start - Run, or Win + R) and enter gpedit.msc (or secpol.msc, which opens the Security Settings subtree directly).

Then navigate to:

  • "Computer Configuration"
  • "Windows Settings"
  • "Security Settings"
  • "Software Restriction Policies": right-click it and choose to create new policies

After that you need to create a rule that forbids launching programs from anywhere other than the allowed locations.

Go to the "Additional Rules" section and right-click. In the window that appears, click "New Path Rule".

In the path field enter an asterisk "*", meaning any path, and select the security level: Disallowed.

Then, staying in "Software Restriction Policies", right-click the "Enforcement" item and select "Properties".

You can leave these settings at their defaults or enable enforcement for all software files without exception, and you can also switch the policy to apply to all users except local administrators (if you have separate user and administrator accounts on the computer).

In the "Designated File Types" item, select which file extensions will be treated as executable and therefore blocked from launching. This window lists the extensions that are blocked when an attempt is made to run them.

It is worth adding the .js extension (JavaScript).

An effective setup will take some time, but the result is worth it.

You can set up a ban on the launch of certain programs and files at your discretion, depending on the task and goals.

After that the rules need to be put into effect: go to "Security Levels", right-click "Disallowed" and, in the window that appears, click "Set as Default". Our rules are now applied.

We advise against working under an administrator account; this limits the damage from an accidental infection (enable the Administrator account - set a password - strip the current user of administrative rights - add users to the appropriate group).
For work requiring administrator rights, Windows has a dedicated mechanism, User Account Control, which itself asks for a password before privileged operations. To check its settings: Start - Control Panel - User Accounts - Change User Account Control settings - Default - Notify me only when programs try to make changes to my computer.
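To verify the settings from this section and the EFS and program-restriction sections above without clicking through the dialogs, here is an added PowerShell audit script (not from the original article). It reads where the local policy stores them: the Software Restriction Policies values under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, the EFS service start mode, and the UAC values under Policies\System. It only reads; the "expected" states are my reading of the article's recommendations, and the level numbers and value names are standard SRP/UAC registry layout.

```powershell
# Added example: read-only audit of the settings this article recommends (SRP, EFS, UAC).
# Only reads the registry and the service table, so it runs from a normal user session.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# SRP security levels; each level's rules live in a subkey named after its numeric value.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function New-Finding([string]$Check, [string]$Status, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

# Collect every path rule: CodeIdentifiers\<level>\Paths\{guid}, with ItemData holding the path.
function Get-SrpPathRules {
    foreach ($levelKey in @(Get-ChildItem -Path $SaferKey -ErrorAction SilentlyContinue)) {
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in @(Get-ChildItem -Path $pathsKey)) {
            $data = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $LevelNames[$level]; Path = [string]$data.ItemData }
        }
    }
}

function Get-RansomwareHardeningReport {
    # 1. Software Restriction Policies, as set up in the "Limited use of programs" section.
    $srp = Get-ItemProperty -Path $SaferKey -ErrorAction SilentlyContinue
    if ($null -eq $srp) {
        New-Finding 'SRP present' 'FIX' 'No Software Restriction Policy found in the local policy'
    } else {
        $rules    = @(Get-SrpPathRules)
        $default  = if ($null -eq $srp.DefaultLevel) { 'not set' } else { $LevelNames[[int]$srp.DefaultLevel] }
        $denyAll  = @($rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -eq '*' })
        $ruleText = ($rules | ForEach-Object { '{0}:{1}' -f $_.Level, $_.Path }) -join ', '
        $ok = ($default -eq 'Disallowed') -or ($denyAll.Count -gt 0)
        New-Finding 'Default deny ("*" Disallowed or DefaultLevel)' $(if ($ok) { 'OK' } else { 'FIX' }) ("DefaultLevel=$default; rules: $ruleText")
        # Either scope is acceptable per the article; just report which one is active.
        New-Finding 'Policy scope' 'INFO' ("PolicyScope=$($srp.PolicyScope) (0 = all users, 1 = all except local administrators)")
        $hasJs = [bool]($srp.ExecutableTypes -contains 'JS')
        New-Finding 'Designated file types include JS' $(if ($hasJs) { 'OK' } else { 'FIX' }) ("ExecutableTypes: $($srp.ExecutableTypes -join ',')")
    }

    # 2. EFS service: the article recommends disabling it if Windows file encryption is not used.
    $efs = Get-CimInstance -ClassName Win32_Service -Filter "Name='EFS'" -ErrorAction SilentlyContinue
    if ($null -eq $efs) {
        New-Finding 'EFS service disabled' 'INFO' 'EFS service not present'
    } else {
        New-Finding 'EFS service disabled' $(if ($efs.StartMode -eq 'Disabled') { 'OK' } else { 'FIX' }) ("StartMode=$($efs.StartMode), State=$($efs.State)")
    }

    # 3. UAC: EnableLUA=1 turns it on; ConsentPromptBehaviorAdmin=0 would elevate silently.
    $uac   = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    $uacOn = ($uac.EnableLUA -eq 1) -and ($uac.ConsentPromptBehaviorAdmin -ne 0)
    New-Finding 'UAC prompts before elevation' $(if ($uacOn) { 'OK' } else { 'FIX' }) ("EnableLUA=$($uac.EnableLUA), ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) (5 = notify only when programs try to make changes)")
}

Get-RansomwareHardeningReport | Format-Table -AutoSize -Wrap
```

A FIX row points back to the corresponding dialog in the text; the script changes nothing itself, so it is safe to run repeatedly after each adjustment.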

System Restore Checkpoints

Unfortunately, there are times when viruses get past every level of protection. You should therefore be able to return the system to a previous state. Automatic creation of restore points is configured as follows: My Computer - right-click - Properties - System Protection - Protection Settings.
By default, protection is usually enabled only for the system drive, but ransomware can corrupt the contents of all partitions. To be able to restore files with standard tools or with the Shadow Explorer program, you must enable protection for all drives. Restore points take up some disk space, but they will save your data in case of infection.

Ransomware viruses are a well-known type of threat. They appeared at about the same time as SMS banners and, together with the latter, have settled firmly at the top of the ransomware rankings.

The ransomware's monetization model is simple: it blocks part of the user's information or the entire computer, and to regain access to the data it demands an SMS, electronic money, or topping up a mobile number's balance through a payment terminal.

With a virus that encrypts files, everything is obvious: to decrypt the files you have to pay a certain amount. Moreover, over the past few years these viruses have changed their approach to victims. Whereas they used to be distributed by the classic routes (warez and porn sites, poisoned search results and mass spam mailings), infecting the computers of ordinary users, now the mailings are targeted, sent manually from mailboxes on “normal” domains (mail.ru, gmail, etc.), and they try to infect legal entities, whose databases and contracts end up encrypted.

That is, attacks have evolved from quantity to quality. At one firm the author happened to encounter a .hardended encryptor that arrived by e-mail as a résumé. Infection occurred as soon as the HR staff opened the file; the company was hiring at the time, so the file raised no suspicion. It was a docx with AdobeReader.exe embedded in it :)

The most interesting thing is that none of the heuristic and proactive sensors of Kaspersky Anti-Virus fired. Even a day or two after infection, the virus was not detected by Dr.Web or NOD32.

So what to do with such threats? Is antivirus useless?

Signature-only antiviruses are living on borrowed time.


Ransomware viruses have once again proved the failure of antivirus programs. SMS banners, in their day, were freely dropped into users' temp folders and simply launched over the entire desktop, intercepting all the service key combinations from the keyboard.

The antivirus worked great at the time :) Kaspersky, as in normal operation, displayed its “Protected by Kaspersky LAB” message.

A banner is not cunning malware like a rootkit, but a simple program that changes two registry keys and intercepts keyboard input.

Viruses that encrypt files have taken fraud to a new level. Again, this is an ordinary program that is not embedded in the operating system code, does not replace system files, and does not read the memory of other programs.

It simply runs for a short time, generates a public and private key, encrypts the files, and sends the private key to the attacker. A pile of encrypted data and a file with the criminals' contacts for payment are left on the victim's computer.

It is reasonable to ask: why then do you need an antivirus if it can only find malware it already knows?

An antivirus is indeed necessary: it will protect against all known threats. But many new kinds of malicious code are too much for it. To protect yourself from ransomware viruses you need to take measures; an antivirus alone is not enough. And let me say right away: “If your files are already encrypted, you are in trouble. Getting them back is not easy.”

If you have not yet become a victim of a ransomware virus:

  • Don't forget your antivirus.
  • Back up important information systems and data. Each service has its own dedicated server.
  • Back up important data.

If you find encrypted files on your computer:

  • What to do with the virus itself?
  • Independent actions with encrypted files.
  • Experience communicating with antivirus technical support: what to expect?
  • Contacting the police.
  • Take care of precautions in the future (see the previous section).
  • If all else fails, maybe it's worth paying?

If you have not yet become a victim of a ransomware virus:

*The presence of anti-virus software on the computer with the latest updates.

Let's be blunt: “Antiviruses are terrible at dealing with new types of ransomware, but excellent at fighting known threats.” So an antivirus on the workstation is a must. If there are already victims, at least you will avoid an epidemic. Which antivirus to choose is up to you.

From experience, Kaspersky “eats” more memory and processor time, and for laptop hard drives with a speed of 5200 this is a disaster (often with sector read delays of 500 ms). NOD32 is fast but catches little. You can buy the GDATA antivirus, the best option.

*Back up important information systems and data. Each service has its own server.

It is therefore very important to move all services (1C, the taxpayer application, specific workstations) and any software on which the life of the company depends to a separate server, better still a terminal server. Better yet, put each service on its own server (physical or virtual, as you see fit).

Do not keep the 1C database in a shared network location. Many people do this, but it is wrong.

If work with 1C is organized over the network with shared read/write access for all employees, move 1C to a terminal server and let users work with it over RDP.

If there are few users and there is no money for a server OS, you can use ordinary Windows XP as a terminal server (after removing the limit on the number of simultaneous connections, i.e. you need to patch it). Although, with the same success, you can install an unlicensed copy of Windows Server; fortunately, Microsoft lets you use it and buy and activate it later :)

Working with 1C over RDP will, on the one hand, reduce the load on the network and speed up 1C, and on the other hand, keep the databases from becoming infected.

Storing database files on a network share is not safe, and if there is no alternative, take care of backups (see the next section).

*Back up important data.

If you have not yet made backups, you are a dunce, forgive me. Or else say hello to your system administrator. Backups protect not only from viruses but also from negligent employees, hackers and, finally, failing hard drives.

How and what to back up is covered in a separate article. The GDATA antivirus, for example, has a backup module in two versions: Total Protection and Endpoint Security for organizations (you can buy GDATA Total Protection).

If you find encrypted files on your computer:

*What to do with the virus itself?

Turn off the computer and contact a computer service and your antivirus vendor's support. If you are lucky, the body of the virus has not yet been removed and it can be used to decrypt the files. If you are not lucky (as is often the case), after encrypting the data the virus sends the private key to the attackers and deletes all its traces. This is done so that it is impossible to determine how and by what algorithm the files were encrypted.

If you still have the e-mail with the infected file, do not delete it. Submit it to the antivirus labs of the popular products. And do not open it again.

*Acting on your own with encrypted files

What can be done:

Contact antivirus support, get instructions and, possibly, a decryptor for your virus.

Write a statement to the police.

Search the Internet for the experience of other users who have already encountered this trouble.

Attempt decryption only after copying the files to a separate folder.

If you have Windows 7 or 8, you can restore previous versions of files (right-click the folder with the files). Again, don't forget to copy them first.

What not to do:

Reinstall Windows

Delete encrypted files, rename them or change their extension. The file name is very important for decryption later.
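The two lists above boil down to one rule: preserve the encrypted files exactly as they are (name, extension, relative location) and work on copies. The script below is an added example, not code from the original article or from any antivirus vendor named in it. It scans a folder, flags files that look encrypted, copies them into a separate quarantine folder under their original relative paths, and writes an inventory next to them. The ransom suffix `.hardended` comes from the article; the entropy threshold, the small table of magic headers and the sample files are assumptions constructed for this example. Formats that are high-entropy by design (JPEG, PDF, ZIP-based Office files) are judged only by their header, which avoids flagging every intact photo.

```python
"""Triage of files that look encrypted (added example; not code from the original article).

Candidates are copied into a separate folder with their original name, extension
and relative path, and an inventory is written beside them. Nothing is renamed or
deleted, because a decryptor usually needs the exact original filename.
"""
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions for this example: the ransom suffix from the article, an entropy
# threshold in bits per byte (encrypted data sits near 8.0, plain documents far
# below) and a few magic headers of formats that are high-entropy by design.
RANSOM_SUFFIXES = (".hardended",)
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG",
    ".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def looks_encrypted(path: Path) -> bool:
    """Heuristic verdict for one file; compressed formats are judged by their header only."""
    suffix = path.suffix.lower()
    if suffix in RANSOM_SUFFIXES:
        return True
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    expected = MAGIC.get(suffix)
    if expected is not None:
        # A JPEG or ZIP is high-entropy anyway; only a missing header says the content was replaced.
        return len(head) >= len(expected) and not head.startswith(expected)
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(source: Path, quarantine: Path) -> list:
    """Copy suspicious files under `quarantine` (same relative paths) and return the inventory."""
    quarantine.mkdir(parents=True, exist_ok=True)
    inventory = []
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        if not looks_encrypted(path):
            continue
        rel = path.relative_to(source)
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # copy2 keeps timestamps; the original is left untouched
        st = path.stat()
        inventory.append({"path": rel.as_posix(), "size": st.st_size, "mtime": int(st.st_mtime)})
    (quarantine / "inventory.json").write_text(json.dumps(inventory, indent=2))
    return inventory


def demo() -> list:
    """Constructed sample tree: returns the relative paths the triage quarantined."""
    base = Path(tempfile.mkdtemp())
    src, quar = base / "docs", base / "quarantine"
    (src / "reports").mkdir(parents=True)
    (src / "letter.txt").write_text("Quarterly report, plain text. " * 40)        # intact text
    (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + os.urandom(4096))      # intact JPEG
    (src / "scan.pdf").write_bytes(os.urandom(4096))                              # header overwritten
    (src / "reports" / "budget.xlsx.hardended").write_bytes(os.urandom(4096))    # ransom suffix
    return [entry["path"] for entry in triage(src, quar)]


if __name__ == "__main__":
    print(demo())
```

The inventory (path, size, modification time) is what a vendor's lab or the police will ask for first, and the untouched originals plus the quarantine copy give you two chances if a decryptor turns up later. The entropy check is a heuristic: a plain-text file that was encrypted is caught, an intact photo is not, but an encrypted file that kept a valid-looking header would slip through, which is why the known ransom suffix is checked first.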

*Experience with antivirus technical support: what to expect?

When one of our clients caught a .hardended crypto-virus that was not yet in the anti-virus databases, requests were sent to Dr.Web and Kaspersky.

We liked the technical support at Dr.Web: feedback came immediately and they even gave advice. After a few days they honestly said that they could not do anything and sent detailed instructions on how to submit a request through the competent authorities.

At Kaspersky, on the contrary, a bot answered first, then the bot reported that installing an antivirus with the latest databases would solve my problem (I remind you that the problem is hundreds of encrypted files). A week later the status of my request changed to “sent to the anti-virus laboratory”, and when the author modestly asked about the fate of the request a couple of days later, Kaspersky representatives replied that we would not receive a response from the laboratory yet, they said, we are waiting.

After some time I received a message that my request was closed, with a proposal to evaluate the quality of the service (all this while waiting for a response from the laboratory). “Fuck you!” thought the author.

NOD32, by the way, began to catch this virus on the third day after its appearance.

The bottom line is that you are on your own with your encrypted files. The laboratories of the major antivirus brands will help you only if you have a license key for the corresponding anti-virus product and if the crypto-virus has a vulnerability. If the attackers encrypted the files with several algorithms at once and more than once, you will most likely have to pay.

The choice of antivirus is yours, do not neglect it.

*Contact the police

If you have become a victim of a crypto-virus and have suffered any damage, even in the form of encrypted personal information, you can contact the police. Instructions for filing an application, etc., are available.

*If all else fails, is it worth paying?

Given the relative inactivity of antiviruses with regard to ransomware, it is sometimes easier to pay the attackers. For .hardended files, for example, the authors of the virus ask around 10 thousand rubles.

For other threats (gpcode, etc.) the price starts from 2 thousand rubles. Most often this amount is lower than the losses that the missing data would cause, and lower than what craftsmen would ask you for decrypting the files manually.

In summary, the best protection against ransomware viruses is backing up important data from users' servers and workstations.

How to proceed is up to you. Good luck.


Hello, dear friends and readers. This is Ruslan Miftakhov, the author of this blog, for those who don't know me.

In this article I would like to discuss the sensational topic of the worldwide virus attack that began on Friday, May 12 this year, and give some tips on how to protect yourself from the ransomware virus and save the important data on your computer.

If you read my blog, you know that I repair computers. This is more of a hobby than a job. As far as I remember, blocker viruses were common until 2013.

When the system booted, a message popped up with some threatening text, sometimes with porn pictures. I still have a few photos of such blockers. Here is one of them.

Several clients confessed to me that they had paid money to the scammers and in the end called a technician to remove the virus. One even paid 500 rubles three times at different terminals, thinking that the unlock code would surely be printed at the next one. In the end she called me and I removed the virus in 5-10 minutes.

Somewhere around 2013 I first encountered a ransomware virus in our city, when programs of this kind, like WannaCry, began to arrive. For example, here is a virus called Ebola, which I photographed as a keepsake.


Of course, the virus itself was not hard to remove from the computer, but the encrypted data could not be decrypted; only a suitable decryptor could help here.

How the virus works

The virus is mainly spread by email. A letter arrives with a subject line purporting to be from the Ministry of Internal Affairs of Russia, a court decision or the tax authorities; in general, they play on the user's curiosity so that he opens the letter. Attached to the letter is a file, the ransomware virus itself.

After getting onto the PC, the virus begins to encrypt all photos, videos and documents. The files are still on the computer, but they cannot be opened. That is the misfortune, and to decrypt them the scammers ask for 15-20 thousand rubles.

Of course, if the files are valuable and there are no copies, the user makes a deal with the scammers. I have not heard of such cases myself; nobody likes to admit that he became a victim of scammers.

I was even called out to the administration of one building, where I observed the following picture.

According to the accountant, he received an email with a subject line from the administration. When he opened it, the attachment was supposedly an important document that had to be opened and read. Well, you understand the rest: by opening this file he launched the virus, which encrypted everything it could reach on the computer.

And all this right before a tax audit. Coincidence, or was there a reason? ;)

Why do people pay scammers?

Subtle psychology is at work here. In the case of the blocker virus, obscene pictures appeared with a message saying that you had visited obscene sites and stored child pornography, and that this is punishable under such-and-such article of the law. Some believed this nonsense and paid; others simply did not want their relatives to see it and paid, hoping that the blocker would disappear after payment. Yeah, naive.

In the case of the WannaCry virus, the scammers count on the encrypted files being very necessary and important to the user, so that he will pay. But here the amount is no longer 500-1000 rubles as in the first case, and the scammers are probably aiming at bigger game.

Think for yourself: which average user will pay $500 for a lost family photo and video archive or for a term paper or thesis?

Here the targets are rather large companies and state corporations, as happened with Megafon, Beeline and a number of others. Do you think they will pay 500 bucks to restore their database?

They will pay if there is no copy, of course. If there is a copy, there are no questions: everything is wiped and restored from the backup copy. They will lose 2-3 hours, but everything will work as before.

How to avoid ransomware

  1. The first thing you need is to back up important data. I recommend having at least three copies on different media: copy to a flash drive, to an external HDD, and keep a copy in Mail.ru Cloud, Yandex Disk or another cloud storage service.
  2. Regularly update the operating system, manually if necessary. Even if Windows has not been updated, NOD32 antivirus will detect and block WannaCry and its modifications.
  3. Be vigilant and do not open suspicious emails; this of course requires experience in order to sense which letters should not be opened.
  4. Be sure to have an antivirus with a valid license and a constantly updated database. I recommend ESET NOD32 Smart Security.
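Point 1 above, like the "Back up important data" section of the first article, comes down to the same thing: keep several copies and check them. The script below is an added example, not code from either article or from any product named in them. It takes labelled snapshots of a folder into a backup location, writes a SHA-256 manifest for each, re-reads a snapshot to verify it, reports what changed between two snapshots, and prunes old ones while keeping the most recent. The ransom suffix `.hardended` comes from the first article; the file contents, folder layout, function names and retention count are assumptions constructed for this example. The demo shows why a plain mirror is not enough: after a simulated encryptor run the newest snapshot verifies perfectly yet contains only garbage, and the pre-attack copy survives only because older versions were retained.

```python
"""Versioned, verified backups (added example; not code from either article).

Each run writes a new snapshot under the destination, records a SHA-256
manifest, can re-read the copy to verify it, and prunes old snapshots while
keeping the most recent `keep`. Several versions matter against ransomware: a
plain mirror would faithfully copy the encrypted files over the only good copy.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(source: Path, dest_root: Path, label: str = "") -> Path:
    """Copy `source` to dest_root/<label>/data and write manifest.json next to it."""
    label = label or time.strftime("%Y%m%d-%H%M%S")
    snap = dest_root / label
    if snap.exists():
        raise FileExistsError(f"snapshot {label} already exists")
    shutil.copytree(source, snap / "data")
    manifest = {p.relative_to(source).as_posix(): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    (snap / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return snap


def verify(snap: Path) -> list:
    """Relative paths whose copy is missing or differs from the manifest (empty list = OK)."""
    manifest = json.loads((snap / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (snap / "data" / rel).is_file() or sha256_file(snap / "data" / rel) != digest]


def diff_manifests(older: Path, newer: Path) -> dict:
    """What changed between two snapshots; a sudden mass of modified/missing files is an alarm."""
    a = json.loads((older / "manifest.json").read_text())
    b = json.loads((newer / "manifest.json").read_text())
    return {"modified": sorted(k for k in a if k in b and a[k] != b[k]),
            "missing": sorted(k for k in a if k not in b),
            "added": sorted(k for k in b if k not in a)}


def prune(dest_root: Path, keep: int) -> list:
    """Remove the oldest snapshots beyond `keep` (labels sort chronologically); return removed labels."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    snaps = sorted(p for p in dest_root.iterdir() if (p / "manifest.json").is_file())
    removed = []
    for old in snaps[:-keep]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Constructed scenario: two clean snapshots, a simulated ransomware run, a third snapshot."""
    base = Path(tempfile.mkdtemp())
    src, backups = base / "work", base / "backups"
    src.mkdir()
    (src / "thesis.docx").write_bytes(b"PK\x03\x04 constructed document body")
    (src / "family.jpg").write_bytes(b"\xff\xd8\xff constructed image body")
    snapshot(src, backups, "v0")
    v1 = snapshot(src, backups, "v1")
    # Simulated encryptor: one file overwritten in place, one overwritten and given a ransom suffix.
    (src / "family.jpg").write_bytes(os.urandom(64))
    (src / "thesis.docx").write_bytes(os.urandom(64))
    (src / "thesis.docx").rename(src / "thesis.docx.hardended")
    v2 = snapshot(src, backups, "v2")
    report = diff_manifests(v1, v2)
    pruned = prune(backups, keep=2)            # v0 goes, v1 (pre-attack) survives
    good_copy = (v1 / "data" / "thesis.docx").read_bytes()
    return {"v1_ok": verify(v1) == [], "v2_ok": verify(v2) == [], "diff": report,
            "pruned": pruned, "recovered": good_copy.startswith(b"PK\x03\x04")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes. The retention count must cover the time it takes to notice an infection; if you keep two daily snapshots and discover the encryption a week later, every surviving version is already garbage, so the diff report (many files modified or renamed at once) is worth checking after each run. And the backup destination should not be writable from the user's account (a disconnected external drive, a cloud account with its own credentials), because an encryptor running as the user will treat a permanently mounted backup share as just another folder.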



If you follow these points, you need not fear any virus, not even an encryptor. And you will sing like in the cartoon "Three Little Pigs": we're not afraid of the gray wolf, the terrible wolf, the old wolf :)

Well, that's all. I warned you, and forewarned means what? That's right: forearmed.

Share this article so that your friends, acquaintances and relatives do not fall into the clutches of scammers.

Sincerely, Ruslan Miftakhov