July 29, 2014
Trojan.Encoder.293 programs, written in Delphi, are later modifications of the Trojan.Encoder.102 malware and have a lot in common with their predecessors. These Trojans perform two-tier file encryption using XOR and RSA ciphers. Once files stored on the hard drive of the compromised machine have been encrypted, the Trojan demands a ransom for their decryption. It is also noteworthy that the criminals behind this Trojan use several different contact email addresses.
Now Doctor Web can decrypt data compromised by Trojan.Encoder.293 programs, if the ransom demand or the file name extensions of the encrypted files include the email addresses Support@casinomtgox.com or firstname.lastname@example.org (in most cases, decryption is possible). If the malware is still present on the hard drive, security researchers can create a decryption utility for the files affected by the Trojan.Encoder.293 modifications.
If your files have been compromised by the malware, follow these steps:
- Contact the police;
- Never attempt to solve the problem by reinstalling the operating system;
- Do not delete any files from the hard drive(s);
- Do not try to restore the encrypted data on your own;
- Contact Doctor Web's technical support. When filing a request, select “Cure request”;
- Attach a file encrypted by the Trojan to the ticket;
- Wait for a response from a virus analyst. Due to the large volume of requests, it may take some time to receive a response.
Please note that the decryption service is only available to users who have purchased commercial licenses for Doctor Web anti-viruses.