The CBF virus (encryptor): decryption and the .cbf extension

Since 2014, several new versions of the newest cryptographic viruses, similar to their ancestor, the virus called I Love You, have appeared on the web. Unfortunately, decrypting files after the CBF encryptor virus is not possible today, even with the methods offered by the leading anti-virus software developers. However, there are some recommendations on how to restore encrypted information.

CBF virus: birds of a feather

To date, at least three extortion viruses are known: the CBF virus, as well as the XTBL and VAULT viruses. They behave almost identically: after encrypting important files and documents, they offer a code that can decrypt the data in exchange for payment (as a rule, after the message appears on the monitor, a letter arrives demanding payment for decryption services).

Alas, naive users rush to pay some amount or even send samples of infected files to the attackers. But consider: for many companies this information is confidential, and once sent it becomes public.

What are the consequences of the virus penetrating a computer system or network?

In most cases the virus penetrates the system through messages received by e-mail, less often when visiting dubious pages on the Web.

Not every tool can notice the threat appearing, not even the most powerful antivirus package. Moreover, at the earliest stage it is not detected even by portable utilities like Dr.Web CureIt!. Because the virus is self-replicating, over time it captures the entire system with its tentacles.

The first symptoms can appear immediately: an excessive load on the CPU and unauthorized use of RAM. In this case, for example, opening "Task Manager" shows a process called Build.exe. In addition, in the main administrative directory or the current user's folder an x86 Program Files directory is created, containing a folder called RarLab with the files Build.exe, checkdata.dif and winrar.tmp. The Build file also appears on the Desktop. Then, in the browser used for surfing the World Wide Web, images containing porn or links to erotic content sites may appear.

Next comes the infection itself. Typically, files of office applications such as Microsoft Excel, Access and Word are renamed. Problems can also arise with databases in the .db and .dbf formats (most often those of "1C: Accounting"). The .cbf extension is added to the main one, and such files cannot be read (opened), because the CBF encryptor itself cannot decrypt the infected objects (it simply is not able to). How should you act in this case?
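The symptoms listed in the two paragraphs above (the RarLab folder with Build.exe, checkdata.dif and winrar.tmp, the Build file on the Desktop, and files carrying the .cbf extension) can be checked for without changing anything on disk. The Python sketch below is an added example, not part of the original article or of any vendor tool; the function names, the constructed sample tree and the assumption that .cbf follows the original extension are illustrative.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# File names taken from the article; compared case-insensitively.
RARLAB_FILES = {"build.exe", "checkdata.dif", "winrar.tmp"}


def triage(root):
    """Read-only walk of `root`; returns the symptoms the article describes."""
    report = {"rarlab": [], "desktop_build": [], "cbf_by_type": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath).name.lower()
        hits = sorted(f for f in files if f.lower() in RARLAB_FILES)
        if folder == "rarlab" and hits:
            report["rarlab"].append((dirpath, hits))
        for name in files:
            p = Path(name)
            if folder == "desktop" and p.stem.lower() == "build":
                report["desktop_build"].append(os.path.join(dirpath, name))
            if p.suffix.lower() == ".cbf":
                # Assumption: .cbf is appended, so the previous suffix is the original type.
                report["cbf_by_type"][Path(p.stem).suffix.lower() or "(none)"] += 1
    return report


def build_sample_tree(base):
    """Constructed sample tree (empty files) standing in for a user profile."""
    layout = [
        "Program Files (x86)/RarLab/Build.exe",
        "Program Files (x86)/RarLab/checkdata.dif",
        "Program Files (x86)/RarLab/winrar.tmp",
        "Desktop/Build.exe",
        "Documents/budget.xlsx.cbf",
        "Documents/letter.docx.cbf",
        "Documents/base/accounts.dbf.cbf",
        "Documents/notes.txt",
    ]
    for rel in layout:
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample_tree(tmp)))
```

The per-type count of .cbf files gives a quick picture of how much office and database data is affected; a hit is a lead to investigate, not proof of infection.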

CBF encryptor virus: how to remove it, and is it worth doing?

First, understand clearly that you must act as correctly as possible here. If the virus is detected by some software, it must not be deleted! Put the threat in quarantine, a feature present in almost all applications of this type.

Deleting or cleaning will only make the main executable elements disappear, while the encrypted information remains unreadable. From quarantine, however, the file can be sent for review to the online laboratory of the manufacturer of the antivirus installed on the system. But even this does not always work.

What should we do in the simplest case?

So, the .cbf extension has already been assigned to the files. Depending on how long the virus has been active, there are several possible situations: either the files are simply encrypted, or logon to Windows is blocked (even the "Desktop" is unavailable).

Let us say at once: transferring money is out of the question. To begin with, it is better to use another computer to look on the Internet for databases that contain most of the known codes for unlocking access (you can use at least the Unlocker section on the official Web site of Dr.Web). True, there is no guarantee that such codes will work. You will have to treat the system yourself.

System Restore

Decrypting the CBF virus (more accurately, the effects of its impact on files) in any standard way does not work, because it uses a 1024-bit encryption algorithm. For those who do not know, the 256-bit AES system is the one in current use today. You can try to restore the original data by using Windows System Restore.

If logging on is possible, you can find this section in the Control Panel and roll back to a checkpoint made before the infection. If the Windows login is blocked by a message demanding a money transfer, you can try restarting the computer or laptop repeatedly. Do this until the system "ripens" for recovery in automatic mode. Naturally, you can also try a recovery disk, or try working from the command line and completely overwriting the boot sectors, although there is little chance of success. This works only in the early stages, when the CBF encryptor virus has only just penetrated the system or network.

Restoring previous versions of files

If rolling back the system does not help, you should use the feature for restoring old versions of files that is built into the Windows OS itself.

To do this, open the properties of the selected disk or partition in "Explorer" and use the tab with previous versions of the files. There, again, you will need to select a checkpoint, then open it and copy the necessary files to another location. In many cases this method is more effective.

Using decoders

If you consider the methods offered by anti-virus software developers, you can try to remove the CBF virus extension using special decryption applications (but only official ones, not homemade developments such as decoders of unknown origin).

However, it should be noted at once that they work only if an official version of the anti-virus scanner with the appropriate license key is installed. Otherwise you can only do harm: the virus will simply remove itself, after which it will not even be possible to contact the attackers. In that case you will have to reinstall the entire system.

What should you not do in any case?

As is already clear, the CBF encryptor virus cannot decrypt the files it has itself infected. Separately, it is worth paying attention to actions that are categorically not recommended. We note the most important points:

  • Using decoders with a "cracked" version of the antivirus installed;
  • Renaming infected files to change the extension;
  • Clearing the browser cache and history before sending suspicious files to the anti-virus software developer;
  • Reinstalling the operating system without formatting the disks or logical partitions;
  • Sending money and files for decoding to unknown or suspicious sources, for example, to mail addresses like iizomer@aol.com with some other postscript.

In general, it is necessary to understand clearly that you cannot decrypt files after the CBF encrypting virus on your own. It is better to contact the official sites of anti-virus laboratories like Kaspersky, where you can leave problem files for analysis in a special section, or send a quarantined file directly from the program.

However (all developers say this), it is better to attach the original to the infected file if there is one, say, as a copy on some removable media. In this case decryption becomes much easier, although it is far from certain that the files the user needs will be restored.

As a rule, and this is confirmed by the majority of user reviews, support services usually remain silent for a very long time, and if data is decrypted at all, it is only single files. And what is to be done with arrays of tens or hundreds of gigabytes? Sending such a volume, let alone restoring it, is simply unrealistic, even with the help of special "cloud" services. But let's hope that developers will still find a means of treating infected files and a way of countering the penetration of threats of this type into computer systems and networks.

Copyright © 2018 en.delachieve.com. Theme powered by WordPress.