Recovering from ransomware

Ransomware is malware that locks you out of your system or your data and demands a ransom to restore access. There are basically two types: lockers, which lock the entire machine, and data (crypto) lockers, which encrypt selected files but leave the machine running. The purpose in either case is to extort money from the victim, usually paid in a cryptocurrency such as Bitcoin.

Identification and decryption

First of all, you need to know which ransomware family infected you. That is easier than it seems: search for the ID Ransomware service run by MalwareHunterTeam and upload the ransom note. It will identify the family and often point you to a decryptor. If the name it returns is TeslaCrypt, the files can be decrypted with TeslaDecoder. First you need to set the key: selecting the extension that was appended to the encrypted files lets the tool load the matching master key automatically. When in doubt, just choose <as original>.

Data recovery

If that doesn’t work, you will need to try to recover the data yourself. Often the system is too damaged to recover much; success depends on a number of variables such as the operating system, the partitioning, whether the deleted sectors have since been overwritten, how the file system handles free space, and so on. Recuva is probably one of the best tools available (it recovers deleted files, which helps when the ransomware wrote encrypted copies and deleted the originals rather than encrypting in place), but run it from an external drive rather than installing it on the affected OS drive: every write to that drive risks overwriting the very data you are trying to get back. Once it is running, do a deep scan and, with luck, the files you are looking for will be recovered.

New Encrypting Ransomware Targeting Linux Systems

Known as Linux.Encoder.1, the malware targets personal and business websites and demands a payment of one bitcoin (around $420 at the time) to decrypt the files.

Attackers discovered a vulnerability in the Magento CMS and quickly took advantage of it. A patch for the critical vulnerability has since been released for Magento, but that is too late for the webmasters who woke up to find a message that included the dreaded text:

“Your private files are encrypted! The encryption was done using a unique public key… to decrypt the files you need to get the private key… you need to pay 1 Bitcoin (~420 USD)”

It is also believed that other content management systems may have been attacked; the number of victims is currently unknown.

How the malware works

The malware runs with administrator (root) privileges. All home directories and the associated website files are encrypted with 128-bit AES. That alone would be enough to cause a lot of damage, but the malware goes further: it scans the entire directory tree and encrypts files of many types. In every directory it encrypts, it also drops a text file, which is the first thing an administrator sees on logging in.

The malware looks for certain locations, namely:

  • Apache installations

  • Nginx configuration

  • MySQL installations that reside in the target system’s directory tree

Reports also indicate that log directories are not immune to attack, nor is the content of individual web pages. The last places it hits, and perhaps the most critical, include:

  • Windows executable files

  • Document files

  • Program libraries

  • JavaScript files

  • Active Server Pages (.asp) files.

The end result is that the system is held to ransom, and businesses know that if they cannot decrypt the files themselves, they must either give in and pay, or suffer major business disruption for an unknown period of time.

The ransom demand

In each encrypted directory, the attackers drop a text file called README_FOR_DECRYPT.txt. It demands payment through a hidden site reached via a gateway, which is presented as the only way to obtain the decryption key.

If the affected person or company decides to pay, the malware is programmed to decrypt all files and undo the damage. It appears to decrypt everything in the same order it was encrypted, then deletes the encrypted copies and, as a goodbye, the ransom note itself.
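Before anyone pays or calls anyone in, it helps to know exactly how far the encryption got. The shell script below is an example added here; it is not code from the original article, from the malware, or from any tool the article mentions. It walks a directory tree for the README_FOR_DECRYPT.txt notes described above, lists the directories hit, and counts the affected files by extension, so you can see at a glance which of the file types listed earlier (documents, JavaScript, .asp files and so on) were touched. It is strictly read-only and never decrypts or deletes anything. The function names and the constructed sample tree it can build are assumptions for this example; the sample files are not real ciphertext.

```shell
#!/bin/sh
# Read-only triage for a Linux.Encoder.1-style infection (added example, not
# part of the original article). It finds every README_FOR_DECRYPT.txt the
# malware drops, lists the directories hit, and builds a file inventory you can
# hand to a recovery specialist. It never writes to, decrypts or deletes
# anything in the scanned tree. Function names and the demo tree are assumptions.

NOTE_NAME="README_FOR_DECRYPT.txt"

# Count ransom notes under the given root (default: /). -xdev stays on one
# filesystem so a mounted backup drive is not scanned (or reported) by accident.
count_notes() {
    find "${1:-/}" -xdev -type f -name "$NOTE_NAME" 2>/dev/null | wc -l | tr -d ' '
}

# Print each directory containing a ransom note, once, one per line.
affected_dirs() {
    find "${1:-/}" -xdev -type f -name "$NOTE_NAME" 2>/dev/null \
        | while IFS= read -r note; do dirname "$note"; done | sort -u
}

# Tab-separated inventory (path, size in bytes) of the files sitting beside a
# ransom note, excluding the notes themselves.
inventory() {
    affected_dirs "${1:-/}" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f ! -name "$NOTE_NAME" 2>/dev/null \
            | while IFS= read -r f; do
                printf '%s\t%s\n' "$f" "$(wc -c < "$f" | tr -d ' ')"
            done
    done
}

# Count inventoried files by extension, most common first. The basename is
# taken first so dots in directory names do not pollute the result.
ext_summary() {
    inventory "${1:-/}" | cut -f1 | sed 's#.*/##' \
        | awk -F. 'NF > 1 { print $NF }' | sort | uniq -c | sort -rn
}

# Constructed sample tree (not a real infection) for trying the functions
# offline: two directories holding notes, one untouched config directory.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/var/www/html" "$d/etc/nginx"
    printf 'not-really-ciphertext' > "$d/home/alice/report.docx"
    printf 'not-really-ciphertext' > "$d/var/www/html/index.php"
    printf 'not-really-ciphertext' > "$d/var/www/html/app.js"
    printf 'worker_processes 1;\n' > "$d/etc/nginx/nginx.conf"
    printf 'Your private files are encrypted!\n' > "$d/home/alice/$NOTE_NAME"
    printf 'Your private files are encrypted!\n' > "$d/var/www/html/$NOTE_NAME"
    echo "$d"
}

# Usage: sh triage.sh /         (scan a live system, read-only)
#        sh triage.sh --demo    (scan the constructed sample tree)
case "${1:-}" in
    --demo)
        root=$(demo_tree)
        printf 'notes: %s\n' "$(count_notes "$root")"
        affected_dirs "$root"
        ext_summary "$root"
        rm -rf "$root"
        ;;
    "") ;;
    *)
        printf 'notes: %s\n' "$(count_notes "$1")"
        affected_dirs "$1"
        ext_summary "$1"
        ;;
esac
```

Run it as root from a rescue environment or a read-only mount rather than from the infected system's own shell, and keep the inventory output: it is exactly the record of what was hit that a recovery specialist will ask for.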

Contact the experts

Ransomware of this kind will usually require the services of a data recovery specialist. Make sure you tell them about every step you have taken to recover the data yourself; this matters and will affect the success rate.