November 10, 2015
The malicious program has an unusual operating routine. First, it stores an encrypted dynamic-link library (DLL) as a value in the Windows registry and then injects a small stub into explorer.exe. The stub reads the DLL from the registry into memory, decrypts it, and transfers control to it, so the decrypted payload is never written to disk as a separate file and the malicious code runs under the name of a trusted process.
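The page does not name the registry value the Trojan uses, so a defender has to hunt for the pattern rather than the path. The following script is an added example, not Doctor Web's tooling: it walks the per-user and machine Software subtrees with the standard-library winreg module and flags REG_BINARY values that are both large and nearly incompressible, which is what an encrypted DLL stored in the registry looks like. The subtree roots, the 32 KiB size floor and the 7.5 bits/byte entropy floor are assumptions chosen for illustration; on a real host expect to tune them and to triage hits by hand.

```python
"""Hunt for large, high-entropy binary registry values.

Added example (not Doctor Web's code). Assumptions: the payload lives
somewhere under HKCU\\Software or HKLM\\SOFTWARE, is at least 32 KiB, and is
encrypted (entropy close to 8 bits/byte). The page gives none of these.
"""
import math
import sys
from collections import Counter

MIN_SIZE = 32 * 1024     # assumption: a DLL is unlikely to be smaller
MIN_ENTROPY = 7.5        # assumption: bits per byte; encrypted data is near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_encrypted_payload(data: bytes,
                                 min_size: int = MIN_SIZE,
                                 min_entropy: float = MIN_ENTROPY) -> bool:
    """True when a blob is both big enough to be code and nearly incompressible."""
    return len(data) >= min_size and shannon_entropy(data) >= min_entropy


def walk_registry(hive, path: str, hits: list) -> None:
    """Recursively scan one subtree (Windows only; stdlib winreg)."""
    import winreg
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:          # no such key or access denied: skip silently
        return
    with key:
        i = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            i += 1
            if kind == winreg.REG_BINARY and looks_like_encrypted_payload(data):
                hits.append((path, name, len(data), round(shannon_entropy(data), 2)))
        j = 0
        while True:
            try:
                sub = winreg.EnumKey(key, j)
            except OSError:  # no more subkeys
                break
            j += 1
            walk_registry(hive, f"{path}\\{sub}", hits)


def scan() -> list:
    """Scan the user and machine Software hives; returns (path, name, size, entropy) tuples."""
    import winreg
    hits = []
    for hive, root in ((winreg.HKEY_CURRENT_USER, "Software"),
                       (winreg.HKEY_LOCAL_MACHINE, "SOFTWARE")):
        walk_registry(hive, root, hits)
    return hits


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the registry scan needs Windows; the classifier is still importable")
    for path, name, size, ent in scan():
        print(f"{path}\\{name}: {size} bytes, entropy {ent} bits/byte")
```

The classifier deliberately ignores value names: a loader that reads its payload back by name can use any name it likes, but it cannot make an encrypted 100 KB blob small or compressible. Legitimate high-entropy binary values (cached certificates, compressed settings) do occur, so treat a hit as a lead to confirm by checking what process reads that value, not as a verdict.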
The list of files to be encrypted is also kept in the registry. For every file, Trojan.Encoder.2843 generates a unique key made up of uppercase Latin letters; the file contents are encrypted with Blowfish in ECB mode, and the session key is then encrypted with RSA via the Windows CryptoAPI. The .vault extension is appended to each encrypted file's name. Two properties of this design are worth noting: ECB encrypts every 8-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and the structure of the original file leaks into the .vault file, and a key drawn from only 26 symbols carries about 4.7 bits of entropy per byte rather than 8.
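To make the scheme concrete, here is an added model of it in Python using the cryptography package (not the Trojan's code and not Doctor Web's decryptor). It generates a per-file key of uppercase letters, encrypts with Blowfish-ECB, wraps the key with an RSA public key, and shows both what the private-key holder can recover and what ECB leaks to anyone who only has the ciphertext. Everything the page leaves unspecified is an assumption here: that the per-file key is the session key that gets RSA-wrapped and stored beside the file, a 16-letter key, PKCS#7 padding to the 8-byte Blowfish block, and PKCS#1 v1.5 RSA padding (the CryptoAPI default).

```python
"""Model of the file-encryption scheme described above (added example).

Requires: pip install cryptography. Assumptions (not from the page): the
per-file key is the RSA-wrapped session key, 16 uppercase letters long;
PKCS#7 padding to the 8-byte Blowfish block; PKCS#1 v1.5 RSA padding.
"""
import math
import secrets
import string

from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding as rsa_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:                   # cryptography >= 43 keeps legacy ciphers here
    from cryptography.hazmat.decrepit.ciphers.algorithms import Blowfish
except ImportError:    # older releases
    from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish

BLOCK = 8         # Blowfish block size in bytes
KEY_LEN = 16      # assumption: 16 uppercase letters, i.e. a 128-bit key


def make_file_key(n: int = KEY_LEN) -> bytes:
    """Per-file key drawn only from the 26 uppercase Latin letters."""
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(n)).encode()


def blowfish_ecb(key: bytes, data: bytes, encrypt: bool) -> bytes:
    """Raw Blowfish-ECB over whole blocks; caller handles padding."""
    c = Cipher(Blowfish(key), modes.ECB())
    op = c.encryptor() if encrypt else c.decryptor()
    return op.update(data) + op.finalize()


def encrypt_file(plaintext: bytes, attacker_pub: rsa.RSAPublicKey):
    """Returns (ciphertext, rsa_wrapped_key): the .vault body and its key blob."""
    key = make_file_key()
    padder = sym_padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(plaintext) + padder.finalize()
    ct = blowfish_ecb(key, padded, True)
    wrapped = attacker_pub.encrypt(key, rsa_padding.PKCS1v15())
    return ct, wrapped


def decrypt_file(ct: bytes, wrapped: bytes, attacker_priv: rsa.RSAPrivateKey) -> bytes:
    """What only the holder of the RSA private key can do."""
    key = attacker_priv.decrypt(wrapped, rsa_padding.PKCS1v15())
    padded = blowfish_ecb(key, ct, False)
    unpadder = sym_padding.PKCS7(BLOCK * 8).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def repeated_blocks(ct: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block.

    Under ECB this equals the number of repeated plaintext blocks, so runs of
    zeros or repeated records in the original are visible in the .vault file.
    """
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))


def analyze(sample: bytes) -> dict:
    """Encrypt a sample with a fresh RSA pair and report what the scheme exposes."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ct, wrapped = encrypt_file(sample, priv.public_key())
    return {
        "roundtrip_ok": decrypt_file(ct, wrapped, priv) == sample,
        "repeated_blocks": repeated_blocks(ct),
        "key_entropy_bits": round(KEY_LEN * math.log2(26), 1),  # 75.2, not 128
    }


if __name__ == "__main__":
    # Constructed sample: two runs of zero bytes around a short unique header.
    sample = b"\x00" * 64 + b"header-not-repeated!" + b"\x00" * 64
    print(analyze(sample))
```

Running it on the constructed sample reports 14 repeated ciphertext blocks (15 all-zero plaintext blocks, one of which is the first occurrence), which is exactly the structure a CBC- or CTR-mode encryptor would have hidden. The entropy figure is the other point: 16 letters chosen uniformly from 26 give roughly 75 bits, far below the 128 bits the key length suggests. Neither observation is a decryptor; the page does not say which property Doctor Web's technique relies on.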
Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware. If you have fallen victim to Trojan.Encoder.2843, follow the guidance below:
- Notify the police.
- Do not, under any circumstances, attempt to solve the problem by reinstalling, "optimizing" or "cleaning" the operating system with some utility; doing so can destroy the registry data and encrypted files that recovery depends on.
- Do not delete any files from your computer.
- Do not try to restore the encrypted data by yourself.
- Contact Doctor Web technical support (free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
- Attach a file encrypted by the Trojan to the request ticket.
- Wait for a response from technical support. Due to a large number of requests, it may take some time.
Once again we would like to point out that free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.