Ransomware has become increasingly popular among hackers. Such malware blocks access to the files on a computer and demands a ransom for the decryption key. However, there are four free tools that let you recover your files without giving in to the extortionists.
The four free tools remove the ransomware and decrypt files for the following families: Alcatraz Locker, CrySiS, Globe and NoobCrypt. They help you remove the Trojan and unlock your files, and the utilities are updated continuously as these threats evolve.
Alcatraz Locker is a ransomware family first discovered in mid-November 2016. Files it locks receive the extension .Alcatraz. Once they are encrypted, you are shown the following message, which is stored in the file ransomed.html on the desktop of the infected computer.
The Alcatraz Locker ransomware
Unlike most file-encrypting ransomware, Alcatraz Locker does not carry a fixed list of file extensions that it targets. In other words, it encrypts everything it can. To avoid damaging the operating system, Alcatraz Locker only encrypts files under the %PROFILES% folder (usually C:\Users).
The ransomware encrypts files using the built-in Windows cryptographic API functions.
According to the ransom note, the only way to recover your data is to pay 0.3283 bitcoin (about $1,100 at the time of writing). Incidentally, the 30-day deadline mentioned in the ransom note is another illusion: the documents can be decrypted at any time, even after 30 days.
CrySiS (also known as JohnyCryptor and Virus-Encode) has been known since September 2015. It uses the strong encryption algorithms AES and RSA. Another peculiarity is that it carries a list of file extensions whose content should not be locked.
Locked files are as follows: .id .
Although the ID and the email address change quite often, only three different extension names are still in use today: .xtbl, .lock and .CrySiS.
As a result, the names of encrypted files might look like this:
Once these files are locked, the ransomware displays the message below, which describes how to regain access to the encrypted data.
The ransom message from CrySiS
Globe, which has been around since August 2016, is written in Delphi and is usually packed with UPX. Some variants are also packaged with the Nullsoft installer.
The unpacked binary contains a global configuration section in which the ransomware's author can change some of its characteristics.
Because attackers can modify the program, we encounter many different variants that produce encrypted files with various extensions.
The virus locks files using RC4 or Blowfish. When the ransomware is configured to encrypt file names as well, it does so with the same algorithm that was used on the file itself; the name is then encoded with its own implementation of Base64.
Usually the ransomware creates a file called "Read Me Please.hta" or "How to restore files.hta" that is shown after a user logs in to the system.
NoobCrypt, which I discovered in the summer of 2016, is written in C# and uses the AES-256 encryption algorithm. The program is memorable for the graphical interface it displays after blocking access to the files.
This ransom-demand screen is a strange mix of messages. For example, it demands payment of a certain amount in New Zealand dollars (NZD), but the money is to be transferred to an address in the Bitcoin system. At the same time, the text proudly states that the program "was created in Romania." A strange combination.
The Program NoobCrypt
To decrypt the files, NoobCrypt offers an "unlock code" that must be bought. I have published free keys on Twitter for removing all known versions of NoobCrypt. However, which one to use had to be determined manually. Thanks to the decryption tool, you no longer have to guess which code to apply.
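As an added example that is not part of the original article or the decryption tools it describes, the script below triages a file listing against the on-disk indicators given above: the .Alcatraz extension and the ransomed.html note, the .xtbl, .lock and .CrySiS extensions, and Globe's two .hta note names (NoobCrypt leaves no file-name indicator in the text, and Globe's extensions vary, so those are not matched). The sample listing is constructed.

```python
import ntpath
from collections import defaultdict

# File extensions each family appends to encrypted files (from the article).
FAMILY_EXTENSIONS = {
    "Alcatraz Locker": {".alcatraz"},
    "CrySiS": {".xtbl", ".lock", ".crysis"},
}
# Ransom-note file names each family drops (from the article).
RANSOM_NOTES = {
    "Alcatraz Locker": {"ransomed.html"},
    "Globe": {"read me please.hta", "how to restore files.hta"},
}


def classify_path(path):
    """Return (family, kind) for one path, or None if it matches no indicator.

    ntpath handles both backslash and slash separators, so Windows-style
    paths can be triaged from any operating system.
    """
    name = ntpath.basename(path).lower()
    for family, notes in RANSOM_NOTES.items():
        if name in notes:
            return family, "ransom note"
    ext = ntpath.splitext(name)[1]  # last extension only, e.g. ".xtbl"
    for family, exts in FAMILY_EXTENSIONS.items():
        if ext in exts:
            return family, "encrypted file"
    return None


def triage(paths):
    """Group matching paths as {family: {kind: [paths]}} for a quick report."""
    found = defaultdict(lambda: defaultdict(list))
    for path in paths:
        hit = classify_path(path)
        if hit:
            family, kind = hit
            found[family][kind].append(path)
    return {family: dict(kinds) for family, kinds in found.items()}


# Constructed sample listing; these are not paths from a real infection.
SAMPLE = [
    r"C:\Users\alice\Desktop\ransomed.html",
    r"C:\Users\alice\Documents\report.docx.Alcatraz",
    r"C:\Users\bob\Pictures\holiday.jpg.xtbl",
    r"C:\Users\bob\Documents\notes.txt.CrySiS",
    r"C:\Users\bob\Desktop\How to restore files.hta",
    r"C:\Users\bob\Documents\clean.txt",
]

if __name__ == "__main__":
    for family, kinds in triage(SAMPLE).items():
        for kind, hits in kinds.items():
            print(f"{family}: {len(hits)} {kind}(s)")
```

Pointing `triage` at a real directory walk (e.g. `os.walk` over a user profile) tells you which decryptor to reach for before any files are touched.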
Author: Jakub Křoustek