Cryptovirus advice

What is a cryptovirus?

Cryptoviruses are unwanted programs that lock your files.  Most of them try to take a ransom from you to unlock your data.  I make a distinction between these (cryptoviruses) and ransomware that locks your whole system, as the management for each is different.  If you can log into your computer, but certain data files (perhaps most) have been locked, then you have a cryptovirus.  Read on to learn more and get your data back.  If you have your whole system locked out, then you have ransomware, which I’ll discuss in a separate post.

If you want to read something more technical and complicated, see cryptovirology on Wikipedia.

What does a cryptovirus do?

Specifically, these programs encrypt your files.  They do this by converting the file format into an encrypted format, a different type of file.  The properties of this file type include: encryption, which means you can’t read it until you decrypt it; and a password.  The writers of the program may try to sell you the password.

There is a solution if you understand what changing the file format means.

What to do if you have a cryptovirus?

Put more simply, the files have just been renamed into the encrypted format.  Your computer treats the rename command as a multi-step process.  When the computer is told to rename a file, it does all of the following: create a copy with the new name and extension (which here includes encrypting and locking it); then delete the old file.

Now you need to understand deletion.  This is essentially a command to remove the file from the index, but not actually erase its data.  It would be like a library taking the book out of the catalogue, but not off the shelf.  You won’t see the file unless you know where and how to look.

The end result: there are two files, your original, which is hidden, and the encrypted one you can see.  You need to do two things: recover your file and delete the encrypted one, and it is important to do them in that order.

Resources for recovering encrypted files

I have a separate post on undeleting files.

Warning about leaving the cryptovirus recovery too long

If your files are encrypted you should make this the very next thing you deal with.  The reason for this is that when the file was removed from the catalogue, its space was made available for other things, and your computer may overwrite the data without question because it thinks there is now empty space there.  The longer you wait, the more likely this is to happen, and then your file will not be recoverable.
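As an added illustration (not from the original post) of the catalogue-versus-shelf model above and of the overwrite risk, here is a toy in-memory disk in Python: locking a file writes an encrypted copy and removes only the original's index entry, so scanning the raw image for the file's header still recovers it, until later writes reuse the freed space. The disk layout, block size, file names and the XOR "lock" are constructed stand-ins, not any real filesystem or cryptovirus.

```python
import re

BLOCK = 64  # constructed: tiny block size so the whole "disk" stays small


class ToyDisk:
    """In-memory disk with a separate index (the catalogue) of live files."""

    def __init__(self, blocks=16):
        self.image = bytearray(blocks * BLOCK)   # the shelves: raw bytes
        self.index = {}                          # name -> (offset, length)
        self.free = list(range(blocks))          # free block numbers

    def write(self, name, data):
        # Assumption: one file fits in one block; take the first free block
        assert len(data) <= BLOCK
        off = self.free.pop(0) * BLOCK
        self.image[off:off + len(data)] = data
        self.index[name] = (off, len(data))

    def read(self, name):
        off, n = self.index[name]
        return bytes(self.image[off:off + n])

    def delete(self, name):
        # Only the catalogue entry goes; the bytes stay on the shelf,
        # but the block is offered up first for the next write.
        off, _ = self.index.pop(name)
        self.free.insert(0, off // BLOCK)


def lock_file(disk, name, key=0x5A):
    """The multi-step 'rename' the post describes: write an encrypted copy
    under a new extension, then delete the original's catalogue entry."""
    plain = disk.read(name)
    disk.write(name + ".locked", bytes(b ^ key for b in plain))
    disk.delete(name)


def carve(disk, magic):
    """Recover deleted files by scanning the raw image for their header,
    ignoring the catalogue; each hit runs up to the first NUL padding."""
    raw = bytes(disk.image)
    return [raw[m.start():raw.find(b"\x00", m.start())]
            for m in re.finditer(re.escape(magic), raw)]


def demo():
    disk = ToyDisk()
    original = b"%PDF-1.4 quarterly report, do not lose"   # constructed file
    disk.write("report.pdf", original)
    lock_file(disk, "report.pdf")
    found_now = carve(disk, b"%PDF-")        # index entry gone, data still there
    disk.write("new-download.bin", b"X" * BLOCK)  # later activity reuses the block
    found_later = carve(disk, b"%PDF-")      # too late: the data was overwritten
    return found_now, found_later
```

Running `demo()` returns the intact original from the first carve and nothing from the second, which is the whole reason the post says to recover first and wait for nothing.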
