Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Files affected by new Trojan.Encoder.293 can be decrypted

July 29, 2014

The encryption Trojan known as Trojan.Encoder.293 came into the spotlight back in September 2013. Ever since then, new modifications of the program, featuring different design and encryption algorithms, have been emerging with persistent regularity. Doctor Web's security researchers are pleased to inform users that files that have been compromised by two Trojan.Encoder.293 modifications and were previously considered unrecoverable can now be restored to their original state.

Written in Delphi, Trojan.Encoder.293 programs are, in fact, later modifications of Trojan.Encoder.102 malware and have a lot in common with their predecessors. These Trojans perform two-tier file encryption using XOR and RSA ciphers. Once files stored on the hard drive of the compromised machine have been encrypted, the Trojan demands a ransom for their decryption. It is also noteworthy that the criminals behind this Trojan use different contact email addresses.

Now Doctor Web can decrypt data compromised by Trojan.Encoder.293 programs, if the ransom demand or the file name extensions of the encrypted files include the email addresses Support@casinomtgox.com or contact@casinomtgox.com (in most cases, decryption is possible). If the malware is still present on the hard drive, security researchers can create a decryption utility for the files affected by the Trojan.Encoder.293 modifications.

If your files have been compromised by the malware, follow these steps:

  • Contact the police;
  • Never attempt to solve the problem by reinstalling the operating system;
  • Do not delete any files from the hard drive(s);
  • Do not try to restore the encrypted data on your own;
  • Contact Doctor Web's technical support. When filing a request, select “Cure request”;
  • Attach a file encrypted by the Trojan to the ticket;
  • Wait for a response from a virus analyst. Due to the large volume of requests, it may take some time to receive a response.

Please note that the decryption service is only available to users who have purchased commercial licenses for Doctor Web anti-viruses.

Use Data Loss Prevention to protect your files from  encryption ransomware

Only available in Dr.Web Security Space 9 and 10
More about encryption ransomware What should
I do if…
Configuration presentations tutorial Free decryption

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040