
NO_MORE_RANSOM: how to decrypt the encrypted files?

At the end of 2016 a far-from-trivial Trojan called NO_MORE_RANSOM attacked users worldwide, encrypting documents and multimedia content. How to decrypt files after this threat has struck is discussed below. Every affected user should be warned at once, though: there is no single recovery method. That is because the malware uses one of the strongest encryption algorithms, and because of how deeply it penetrates the computer, or even the local network (although it was not originally designed to spread over a network).

What kind of virus is NO_MORE_RANSOM and how does it work?

The virus is generally classed among Trojans of the I Love You type, which penetrate the system and encrypt the user's files (usually multimedia). Where its predecessor did only encryption, however, this virus borrowed heavily from the once-notorious threat named DA_VINCI_COD and combined extortion with it.

After infection, most audio, video, graphics and office-document files are given a long name with the NO_MORE_RANSOM extension, which contains a complex password.

When you try to open them, a message appears saying that the files are encrypted and that you must pay a certain sum to decrypt them.

How does the threat penetrate the system?

Let us set aside for a moment how to decrypt files of the above types after NO_MORE_RANSOM has struck and look at how the virus gets into the system. Unfortunately, however trite it sounds, it uses an old, proven method: an e-mail arrives with an attachment, and opening the attachment triggers the malicious code.

As we can see, there is nothing original about this method. The message, however, may be disguised as meaningless text or, on the contrary, in the case of large companies, as a change to the terms of some contract. Naturally the rank-and-file clerk opens the attachment and gets a sorry result. One of the most striking outbreaks was the encryption of databases of the popular 1C package. And that is a serious matter.

NO_MORE_RANSOM: how to decrypt documents?

Nevertheless, we must turn to the main question. Everyone surely wants to know how to decrypt the files. The NO_MORE_RANSOM virus has its own sequence of actions. If the user tries to decrypt immediately after infection, something can still be done. If the threat has settled firmly into the system, alas, nothing can be done without specialists, and even they are often powerless.

If the threat is detected in time (not all documents have yet been encrypted), the only option is to contact the support service of an anti-virus company, send it a couple of files that can no longer be opened and, based on its analysis of the originals kept on removable media, try to recover the documents already affected. Copy everything that still opens to the same flash drive (though there is no guarantee the virus has not already got into those documents too). To be safe, the drive must then be checked at least with an anti-virus scanner, just in case.

Algorithm

Separately, it should be noted that the virus encrypts with the RSA-3072 algorithm which, unlike the previously used RSA-2048, is so complex that recovering the required key, even with the combined staff of all anti-virus laboratories, can take months or years. So decrypting NO_MORE_RANSOM will take a great deal of time. But what if the information must be restored immediately? First of all, remove the virus itself.

Can I delete the virus and how?

Actually, this is not difficult. Judging by the brazenness of the virus authors, the threat does not hide itself in the system. On the contrary, it is to its advantage to reveal itself once its work is done.

Nevertheless, before anything else the virus must be neutralised. Start with portable protective utilities such as KVRT, Malwarebytes, Dr.Web CureIt! and the like. Note: the scanners used must be portable (no installation to the hard disk; ideally launched from removable media). If a threat is found, remove it immediately.

If that does not help, first open Task Manager and end all processes associated with the virus, sorting the entries by name (usually a Runtime Broker process).

After ending the task, open the registry editor (regedit from the Run dialog), search for the name "Client Server Runtime System" (without the quotes) and use "Find Next..." to delete every item found. Then reboot the computer and check in Task Manager whether the process you searched for is still there.

In principle, the question of how to decrypt NO_MORE_RANSOM can be resolved this way at the infection stage. The probability of neutralising it is admittedly not great, but there is a chance.
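The manual Task Manager and regedit check above can be scripted so that it is repeatable and leaves a record. The following PowerShell is an added example, not from the article or from any anti-virus vendor; the only names it uses are the two the article gives (a "Runtime Broker" process and registry items named "Client Server Runtime System"), and it assumes the persistence entry, if any, sits in the standard Run/RunOnce keys.

```powershell
# Added check (not from the article). Looks for the process name and the
# registry string the article associates with the infection, without
# deleting anything, so the findings can be reviewed before cleanup.
$procName = 'RuntimeBroker'                  # Task Manager shows "Runtime Broker"
$regName  = 'Client Server Runtime System'   # string the article says to search for

# Running processes with that name, including the image path so that the
# legitimate Windows copy (under System32) can be told apart from a
# look-alike started from a user-writable directory.
Get-Process -Name $procName -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path, StartTime |
    Format-Table -AutoSize

# Assumed autostart locations to inspect; the article's regedit search covers
# the whole registry, this narrows it to the usual persistence keys.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($keyPath in $autostartKeys) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $value = $key.GetValue($valueName)
        # Match on either the value name or its data (usually a command line).
        if ($valueName -like "*$regName*" -or "$value" -like "*$regName*") {
            [pscustomobject]@{ Key = $keyPath; Name = $valueName; Value = $value }
        }
    }
}
```

Anything the script reports is a candidate to examine, not proof by itself: a Runtime Broker process whose Path is under C:\Windows\System32 is the normal Windows one.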

How to decrypt files encrypted by NO_MORE_RANSOM: backups

There is one more technique that few people know about or even suspect. The operating system itself constantly creates shadow copies (for recovery, for example), or the user deliberately creates such images. As practice shows, the virus does not act on these copies (its design simply does not provide for it, although that cannot be ruled out).

The problem of decrypting NO_MORE_RANSOM is thus reduced to using them. Standard Windows tools are not recommended for this, however (and many users will not have access to the hidden copies at all). Use the ShadowExplorer utility instead (it is portable).

To restore, launch the program's executable, sort the entries by date or partition, select the copy you need (a file, a folder or the whole system) and choose Export from the right-click menu. Then choose the directory where the copy should be saved and use the standard recovery process.
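Before reaching for ShadowExplorer it helps to know how far the encryption got and which shadow copies predate it, so that the right snapshot is picked. The following PowerShell triage is an added example, not from the article or from ShadowExplorer; it assumes the renamed files carry the extension .NO_MORE_RANSOM and that shadow copies can be queried through CIM, which needs an elevated session.

```powershell
# Added triage (not from the article): count encrypted files, estimate when
# encryption began, and list which shadow copies were taken before that.
param(
    [string]$ScanRoot  = $env:USERPROFILE,
    [string]$Extension = '*.NO_MORE_RANSOM'   # assumed form of the renamed files
)

# 1. Find the renamed (encrypted) files and summarise the worst-hit folders.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -Force -File `
    -Filter $Extension -ErrorAction SilentlyContinue
if (-not $encrypted) { Write-Host "No files matching $Extension under $ScanRoot"; return }

$encrypted | Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# The earliest LastWriteTime among the renamed files approximates the moment
# encryption started; any snapshot older than this still holds originals.
$firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Host "Earliest encrypted file written at $firstHit ($($encrypted.Count) files total)"

# 2. Enumerate volume shadow copies (requires administrator rights).
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Sort-Object InstallDate
if (-not $shadows) {
    Write-Warning 'No shadow copies present; ShadowExplorer will have nothing to show.'
    return
}

# 3. Flag each snapshot as usable (older than the first encrypted file) or not.
foreach ($s in $shadows) {
    $state = if ($s.InstallDate -lt $firstHit) { 'PRE-INFECTION' } else { 'post-infection' }
    '{0}  {1,-15}  {2}  {3}' -f $s.InstallDate, $state, $s.VolumeName, $s.DeviceObject
}
```

Snapshots marked PRE-INFECTION are the ones to open in ShadowExplorer; a post-infection snapshot may already contain the renamed files.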

Third-party utilities

Of course, many laboratories offer their own solutions to the NO_MORE_RANSOM decryption problem. Kaspersky Lab, for example, recommends its own Kaspersky Decryptor, offered in two versions, Rakhni and Rector.

Similar developments such as the NO_MORE_RANSOM decoder from Dr.Web look no less interesting. But note at once that such programs are justified only when the threat is detected quickly, before all files are affected. If the virus is firmly established in the system (when encrypted files can no longer be compared with their unencrypted originals), such applications may be useless.

In conclusion

The only conclusion is that this virus must be fought at the infection stage, when only the first files have been encrypted. In general, it is best not to open attachments to e-mail messages from questionable sources (this applies only to mail clients installed directly on the computer: Outlook, Outlook Express, etc.). Moreover, if a company employee has a list of client and partner addresses at his disposal, opening "stray" messages becomes completely unjustifiable, since most employees sign trade-secret and cybersecurity non-disclosure agreements when they are hired.


Copyright © 2018 en.unansea.com. Theme powered by WordPress.