Your browser is obsolete!

The page may not load correctly.

Encrypt everything

Закодировать всё

Other issues in this category (24)
  • add to favourites
    Add to Bookmarks

Encryption ransomware is lying low

Read: 30111 Comments: 4 Rating: 10

Friday, July 27, 2018

It looks like encryption ransomware has been relatively quiet recently.

An opinion expressed by a PC-curing service centre employee
during an online training session for Doctor Web's partners

People often ask us how we deal with encryption ransomware.

Alas, lately its makers have started factoring in remarks security researchers make about the shortcomings of their malware creations. Moreover, virus makers even mock the researchers by thanking them for their assistance.

GandCrab’s authors like to make references to various researchers, companies and websites. This time they thanked professor Daniel J. Bernstein, who invented the Salsa20 cipher.

@hashbreaker Daniel J. Bernstein let's dance salsa <3

But things aren't really that bad! Here is a recent example from our technical support tracker.

My home NAS was compromised. Of course, just like many other people probably do, I also kept my work-related files in the storage. The files are important for several of our departments, not just mine.

For some reason, Trojan.Encoder.25389 chose to target data in the network-attached storage, which is why the user wasn't able to discover its malicious activities promptly. This clever move enabled the malware to encrypt really important data (storages are usually used to store valuable information).

The user turned out to be tech-savvy; he immediately attached the Trojan file, the ransom demand, and three encrypted samples to his request. Luckily, we are able to decrypt files that have been compromised by this ransomware species. The user thanked us:

To say that your program has helped me not only as a user but also as a legal organisation is a gross understatement.

It's really nice!

By the way, Trojan.Encoder.25389 is a successor to Trojan.Encoder.94, about which we published a review in 2012. To us, Trojan.Encoder.94 stands out among ransomware programs because its neutralisation became an international effort: one organisation that contacted Doctor Web to exchange experience in disarming the ransomware was the Slovenian CERT (Computer Emergency Response Team).

The Anti-virus Times recommends

  1. If you don't use a certain system component, disable it.
  2. Back up your data under a different user account (not the one you usually use).
  3. Don't forget to back up your data: more often than not encrypted files can't be recovered.
  4. Encryption ransomware is still out there! And Dr.Web is here with you, as always.☺


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.