The first encryption ransomware appeared in 2006-2007.

Since January 2009, the number of ransomware versions has increased by about 1900%!

Currently, Trojan.Encoder programs (Cryptolockers) are one of the most dangerous threats for users. This Trojan family includes several thousand modifications.

Since mid-April 2013, Doctor Web's virus laboratory has received more than 40 000 decryption requests to restore files affected by Trojan encoders, and now receives over 4 000 requests a month.

In November 2015, requests to decrypt files affected by the Trojan.Encoder malware family reached 60% of all requests submitted to Doctor Web’s technical support service. The vast majority of these requests come from users of other anti-viruses.

Trojan.Encoder programs (Cryptolockers) use dozens of different algorithms to encrypt users’ files.

For example, it will take 107902838054224993544152335601 years to find, by simple search, a key to restore files compromised by Trojan.Encoder.741.

Dr.Web statistics show that the probability of restoring files compromised by encryption ransomware doesn't exceed 10%.

That means that most user data is lost for good!

Here are some examples of the certainty value of decryption as estimated by Doctor Web's security experts.

| Trojan | Alternative names | Certainty value of decryption |
|---|---|---|
| BAT.Encoder | Trojan.FileCrypt.C, BAT/Filecoder.B, Trojan-Ransom.BAT.Scatter.s | 20-30% |
| Trojan.Encoder.94 | Trojan-Ransom.Win32.Xorist, Trojan:Win32/Bumat!rts, Win32/Filecoder.Q | 90% |
| Trojan.Encoder.293 | | 90-100%* |
| Trojan.Encoder.398 | Gen:Trojan.Heur.DP.oKW@aaMh5tg; TR/Dldr.Delphi.Gen | 58% |
| Trojan.Encoder.556 | Trojan-Ransom.Win32.Agent.iby, Gen:Variant.Kates.2 | 3-5% |
| Trojan.Encoder.741 | | 21% |
| Trojan.Encoder.567 | Win32/Filecoder.CQ, Gen:Trojan.Heur.OH3@tb9fsadcg | 10-20% |
| Trojan.Encoder.686 | CTB-Locker | Decryption is impossible at the moment |
| Trojan.Encoder.858 | | |
| Trojan.Encoder.2843 (*.vault) | | 90% |
| Trojan.Encoder.2667 | | 59% |
| Trojan.Encoder.3953 | | 80% |
| Linux.Encoder.1, Linux.Encoder.2, Linux.Encoder.3 | | 100% |
| Mac.Trojan.KeRanger.2 | | 100% |

* - if the Trojan program file is available

User feedback on forums indicates that files compromised by some Trojan versions can be decrypted only by Doctor Web's security experts.

Since May 2014, Doctor Web’s experts have carried out major research to design routines for recovering data affected by Trojan.Encoder.398.

Currently Doctor Web is the only company whose experts are able to recover compromised files with a probability of 90%.

News about this event was published in November 2014.

Today criminals demand up to 1500 bitcoins for decryption.

1 bitcoin is equal to 272 euros or 330 dollars.

A demanded ransom can reach 49,500 dollars.

Even if you pay your attacker a ransom, there is no guarantee that you’ll get your data back.

Things can even get rather peculiar. In one situation, a user paid a ransom to their attackers, but their attackers could not decipher the files encrypted by their own Trojan.Encoder (Cryptolocker), and advised the user to seek help… from Doctor Web's technical support service!

Decryption is available free of charge for users of commercial Dr.Web licenses.

In over 90% of incidents, users launch encryption Trojans on their own computers themselves.

Dr.Web Security Space (version 9+) comes with a simple solution to the problem of data security—the “Data Loss Prevention” feature.

And, even if a Trojan gets to your files, you will be able to restore them on your own without having to request support from Doctor Web.

Unlike common backup programs, Dr.Web creates and protects backup storage from intruders.

Stay informed about encryption ransomware!


Forewarned is forearmed. Download and study the course DWCERT-070-6 Protection from encryption ransomware for Windows PCs and file servers. This course contains detailed information and simple instructions on how to configure the Dr.Web components that are responsible for preventing Trojans from encrypting user files. The materials also contain detailed information about the data loss prevention feature that is available in Dr.Web Security Space.

Step-by-step instructions accompanied by screenshots will help the reader avoid the risks associated with encryption ransomware.


If you are out of luck and your files have been encrypted by the Trojan, and Dr.Web was installed on your PC when it got infected, contact Doctor Web’s technical support service to decrypt them:

  • Do not use the infected computer until you receive instructions from Doctor Web's technicians, even if you need it for your business.
  • Do not attempt to reinstall the operating system!
  • Do not attempt to remove any files or programs from the disk!
  • If you have started a virus scan, do not take any irreversible actions including curing/removing the malware. Consult Doctor Web's specialists before you do anything with the found viruses/Trojans, or at least keep back-up copies of all the discovered malware; they may be necessary to determine the key to decrypting the data.

Visit the Legal section to learn how to submit a request to Doctor Web’s support service.

We strongly recommend that you file a report with the police in case of infection.

Thank you for taking the time to familiarise yourself with these materials.