Recovery after Ransomware

Ransomware is a computer malicious virus that locks your system and requires a ransom to unlock your files. There are essentially two different types. First PC-Locker, which locks the whole machine and Data-Locker, which encrypts specific data but allows the machine to work. The main purpose is to persuade the user of money, usually paid in cryptocurrency such as bitcoin.

Identification and decryption

You will first need to know the last name of the ransomware that infected you. It’s easier than it looks. Just search for malwarehunterteam and upload the ransom note. It will find the last name and often guide you through the decryption. Once you have the last name corresponding to the note, the files can be decrypted using Teslacrypt 4.0. You must first set the encryption key. Selecting the extension added to the encrypted files will allow the tool to set the master key automatically. If in doubt, just choose <като оригинал>.

Data recovery

If that doesn’t work, you’ll need to try to recover the data yourself. Often, however, the system can be too damaged to recover much. Success will depend on a number of variables such as operating system, partitioning, priority when overwriting files, disk space processing, etc.). Recuva is probably one of the best tools available, but it’s best to use it on an external hard drive instead of installing it on your own OS device. Once installed, just run a deep scan and hopefully the files you are looking for will be recovered.

New encryption Ransomware aimed at Linux systems

Known as the Linux.Encoder.1 malware, personal and business websites are under attack and require a bitcoin payment of about $ 500 to decrypt files.

A vulnerability in Magento CMS was discovered by attackers who quickly took advantage of the situation. Although a critical vulnerability fix has already been issued for Magento, it is too late for those webmasters who have woken up to find the message that includes a freezing message:

“Your personal files are encrypted! Encryption is done using a unique public key … to decrypt files, you must obtain the private key … you must pay 1 bitcoin (~ 420 USD) “

It is also believed that attacks could be carried out against other content management systems, making the number of those currently affected unknown.

How malware strikes

Malware runs at administrator levels. All home directories, as well as related files on websites, are affected by the damage caused by 128-bit AES crypto. That alone would be enough to cause major damage, but the malware goes further, as it then scans the entire directory structure and encrypts different files of different types. Each directory it enters and causes encryption damage is a text file in which the administrator sees the first thing he enters.

There are certain elements that malware searches for and these are:

  • Apache installation

  • Nginx installations

  • MySQL is installed, which are located in the structure of the target systems

The reports also show that journal directories are not immune to the attack, as is the content of individual web pages. The last places it hits – and perhaps the most critical – include:

  • Windows executables

  • Document files

  • Program libraries

  • Javascript

  • Active server (.asp) file pages

The end result is that the system holds a ransom, with companies knowing that if they can’t decrypt the files themselves, then they must either give in and pay for the request, or have serious business disruptions for an unknown period of time.

Requests made

In each encrypted directory, malware attackers run a text file called README_FOR_DECRYPT.txt. The request for payment is made, and the only way to decrypt is through a hidden site through a gateway.

If the affected person or business decides to pay, the malware is programmed to start decrypting all the files and then start reversing the damage. It seems to decrypt everything in the same encryption order, and the separation is that it deletes all encrypted files, as well as the ransom note itself.

Contact specialists

This new ransomware will require the services of a data recovery specialist. Make sure you inform them of all the steps you have taken to recover the data yourself. This can be important and will undoubtedly affect success.