Today, computer and laptop users are increasingly faced with malware that replaces files with encrypted copies of them. Essentially, these are viruses. The XTBL ransomware is considered one of the most dangerous in this series. What is this pest, how does it get into the user’s computer, and is it possible to restore damaged information?

What is XTBL ransomware and how does it get into the computer?

If you find files on your computer or laptop with a long name and the extension .xtbl, you can confidently say that a dangerous virus has entered your system: the XTBL ransomware. It affects all versions of Windows. It is almost impossible to decrypt such files on your own, because the program uses a hybrid encryption mode in which guessing the key is simply impossible.

System directories are filled with infected files. Entries are added to the Windows registry that automatically launch the virus every time the OS starts.

Almost all types of files are encrypted - graphic, text, archive, email, video, music, etc. It becomes impossible to work in Windows.

How does it work? XTBL ransomware running on Windows first scans all logical drives, including cloud and network storage connected to the computer. Files are then grouped by extension and encrypted. As a result, all valuable information located in the user's folders becomes inaccessible.


This is the picture the user will see instead of icons with the names of familiar files

Under the influence of the XTBL ransomware, the file extension changes. Now the user sees a blank sheet icon and a long title ending in .xtbl instead of an image or text in Word. In addition, a message appears on the desktop, a kind of instruction for restoring encrypted information, requiring you to pay for unlocking. This is nothing more than blackmail demanding ransom.


This message appears in the desktop window of your computer.

XTBL ransomware is usually distributed through email. The email contains attached files or documents infected with the virus. The scammer lures the user with a colorful subject line. Everything is done to make sure that the message, which says, for example, that you have won a million, gets opened. Do not respond to such messages, otherwise there is a high risk that the virus will end up in your OS.

Is it possible to recover information?

You can try to decrypt the information using special utilities. However, there is no guarantee that you will be able to get rid of the virus and restore damaged files.

Currently, XTBL ransomware poses an undeniable threat to all computers running Windows. Even the recognized leaders in the fight against viruses - Dr.Web and Kaspersky Lab - do not have a 100% solution to this issue.

Removing a virus and restoring encrypted files

There are different methods and programs that allow you to work with XTBL encryption. Some remove the virus itself, others try to decrypt locked files or restore their previous copies.

Stopping a computer infection

If you are lucky enough to notice that files with the .xtbl extension begin to appear on your computer, then it is quite possible to interrupt the process of further infection.

Kaspersky Virus Removal Tool to remove XTBL ransomware

All such programs should be run in an OS that has been started in safe mode with the option to load network drivers. In this case it is much easier to remove the virus, since only the minimum number of system processes required to start Windows is running.

To boot into safe mode in Windows XP or 7, press the F8 key repeatedly during system startup and, after the menu window appears, select the appropriate item. In Windows 8 or 10, restart the OS while holding the Shift key. During the startup process, a window will open where you can select the required safe mode option.


Selecting safe mode with loading network drivers

The Kaspersky Virus Removal Tool recognizes XTBL ransomware perfectly and removes this type of virus. After downloading the utility, run a computer scan by clicking the appropriate button. Once the scan is complete, delete any malicious files found.


Running a computer scan for the presence of an XTBL ransomware in Windows OS and then removing the virus

Dr.Web CureIt!

The procedure for checking and removing a virus is practically no different from the previous tool. Use the utility to scan all logical drives. To do this, you just need to follow the program's prompts after launching it. At the end of the process, get rid of the infected files by clicking the “Decontaminate” button.


Neutralizing malicious files after scanning Windows

Malwarebytes Anti-malware

The program will carry out a step-by-step check of your computer for the presence of malicious codes and destroy them.

  1. Install and run the Anti-malware utility.
  2. Select “Run scan” at the bottom of the window that opens.
  3. Wait for the process to complete and check the checkboxes with infected files.
  4. Delete the selection.


Removing malicious XTBL ransomware files detected during scanning

Online decryptor script from Dr.Web

On the official Dr.Web website in the support section there is a tab with a script for online file decryption. Please note that only those users who have this developer’s antivirus installed on their computers will be able to use the decryptor online.


Read the instructions, fill out everything required and click the “Submit” button

RectorDecryptor decryption utility from Kaspersky Lab

Kaspersky Lab also decrypts files. On the official website you can download the RectorDecryptor.exe utility for Windows Vista, 7 and 8 by following the menu links “Support - Treatment and decryption of files - RectorDecryptor - How to decrypt files.” Run the program, perform a scan, and then delete encrypted files by selecting the appropriate option.


Scanning and decrypting files infected with XTBL ransomware

Restoring encrypted files from a backup

Starting with Windows 7, you can try to restore files from backups.


ShadowExplorer to recover encrypted files

The program is portable and can be launched from any media.


QPhotoRec

The program is specially created to recover damaged and deleted files. Using built-in algorithms, the utility finds and returns all lost information to its original state.

QPhotoRec is free.

Unfortunately, QPhotoRec is available only in English, but understanding the settings is not difficult at all, since the interface is intuitive.

  1. Launch the program.
  2. Mark the logical drives with encrypted information.
  3. Click the File Formats button and OK.
  4. Using the Browse button located at the bottom of the open window, select the location to save the files and start the recovery procedure by clicking Search.


QPhotoRec recovers files deleted by XTBL ransomware and replaced with its own copies

What not to do

  1. Never take actions that you are not completely sure of. It is better to call in a specialist from a service center or take the computer there yourself.
  2. Don't open email messages from unknown senders.
  3. Under no circumstances should you follow the lead of blackmailers by agreeing to transfer money to them. This will most likely not give any results.
  4. Do not manually rename the extensions of encrypted files and do not rush to reinstall Windows. It may be possible to find a solution that will correct the situation.

Prevention

Try to install reliable protection against penetration of XTBL ransomware and similar ransomware viruses onto your computer. Such programs include:

  • Malwarebytes Anti-Ransomware;
  • BitDefender Anti-Ransomware;
  • WinAntiRansom;
  • CryptoPrevent.

Despite the fact that they are all English-language, working with such utilities is quite simple. Launch the program and select the protection level in the settings.


Launching the program and selecting the protection level

If you have encountered a ransomware virus that encrypts files on your computer, you should not despair right away. Try the suggested methods for restoring damaged information. Often this gives a positive result. Do not use unverified programs from unknown developers to remove XTBL ransomware, because this can only worsen the situation. If possible, install one of the programs that prevents the virus from working, and carry out regular scheduled Windows scans for malicious processes.

Kaspersky Anti-Ransomware Tool for Business is designed to protect Windows PCs from ransomware.

There is a class of Trojan programs designed to extort money from victims. They are called ransomware. Encryptors, which have become widespread in recent years, also belong to this class.

Threats emanating from these programs are aimed at blocking the operation of a computer or encrypting data stored on a disk and blocking access to certain files. After this, the attackers demand payment to undo the changes made by such a program on someone else’s computer. This entails serious losses, mainly in a corporate environment.

The free Kaspersky Anti-Ransomware program is compatible with other antiviruses and can serve as an additional layer of protection against ransomware Trojans and encryptors, helping to keep your computer safe.

Features of the new Kaspersky antivirus:

  • Free
  • Detects ransomware at the level of premium business solutions.
  • Antivirus protection technologies used: File Anti-Virus and “Activity Monitor”
  • Compatible with third party antiviruses
  • Supports common operating systems: Windows from 7 to 10 (including Anniversary Update)
  • Identification reports are sent by email to the administrator

Restrictions


Kaspersky's Anti-Ransomware Tool uses different threat detection methods to protect computers. The antivirus identifies malicious applications by analyzing the information contained in anti-virus databases. To detect the characteristic behavior of ransomware, this tool uses two innovative technologies: “Activity Monitor” and Kaspersky Security Network.

Kaspersky Security Network allows you to respond faster to unknown threats, while Activity Monitor is able to block dangerous system changes and roll them back.

Users participating in the Kaspersky Security Network enable Kaspersky Lab to quickly collect data on new sources of threats and create solutions to neutralize them. Kaspersky Security Network is a cloud network, participation in which includes sending statistics that this antivirus collects on every PC it runs on.

When a threat is detected, the Anti-Ransomware Tool automatically blocks it and adds it to the list of blocked applications (referred to as Blocked Applications in the interface). However, before blocking, the ransomware program can manage to carry out some actions in the operating system (for example, change files or create new ones, or make changes in the registry). To roll back all actions of the malicious program, Anti-Ransomware saves the activity history of all applications.

Kaspersky Anti-Ransomware places files that were created by malware in its storage. They can be restored from there by Kaspersky Lab employees. If you need to restore files from storage, you can get advice on the developer forum.

About a week or two ago, another hack from modern virus makers appeared on the Internet, which encrypts all the user’s files. Once again I will consider the question of how to cure a computer after the CRYPTED000007 ransomware virus and recover encrypted files. In this case, nothing new or unique has appeared, just a modification of the previous version.

Guaranteed decryption of files after a ransomware virus - dr-shifro.ru. Details of the work and the scheme of interaction with the customer are below in my article or on the website in the “Work Procedure” section.

Description of the CRYPTED000007 ransomware virus

The CRYPTED000007 encryptor is not fundamentally different from its predecessors. It works almost exactly the same way. But there are still several nuances that distinguish it. I'll tell you about everything in order.

It arrives, like its analogues, by mail. Social engineering techniques are used to ensure that the user becomes interested in the letter and opens it. In my case, the letter talked about some kind of court and important information on the case in the attachment. After launching the attachment, the user opens a Word document with an extract from the Moscow Arbitration Court.

In parallel with opening the document, file encryption starts. An information message from the Windows User Account Control system begins to constantly pop up.

If you agree to the request, the backup copies of files in Windows shadow copies will be deleted and recovery of information will be very difficult. Obviously, you must not agree to the request under any circumstances. In this encryptor, these requests pop up constantly, one after another, and do not stop, pressuring the user to agree and delete the backup copies. This is the main difference from previous modifications of encryptors. I have never encountered requests to delete shadow copies without stopping. Usually, after 5-10 offers they stopped.

I will immediately give a recommendation for the future. It is very common for people to disable User Account Control alerts. There is no need to do this. This mechanism can really help in resisting viruses. The second obvious piece of advice is not to work constantly under a computer administrator account unless there is an objective need for it. In this case, the virus will not have the opportunity to do much harm. You will have a better chance of resisting it.

But even if you have always answered negatively to the ransomware’s requests, all your data is already encrypted. After the encryption process is completed, you will see a picture on your desktop.

At the same time, there will be many text files with the same content.

Your files have been encrypted. To decrypt them, you need to send the code: 329D54752553ED978F94|0 to the email address [email protected]. Next you will receive all the necessary instructions. Attempts to decrypt on your own will lead to nothing other than irrevocable loss of information. If you still want to try, then make backup copies of the files first, otherwise, in the event of a change, decryption will become impossible under any circumstances. If you have not received a reply at the above address within 48 hours (only in this case!), use the contact form. This can be done in two ways:
1) Download and install Tor Browser using the link: https://www.torproject.org/download/download-easy.html.en In the Tor Browser address bar enter the address: http://cryptsen7fo43rr6.onion/ and press Enter. The page with the contact form will load.
2) In any browser, go to one of the addresses: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 329D54752553ED978F94|0 to e-mail address [email protected]. Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways:
1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

The email address may change. I also came across the following addresses:

Addresses are constantly updated, so they can be completely different.

As soon as you discover that your files are encrypted, immediately turn off your computer. This must be done to interrupt the encryption process both on the local computer and on network drives. A ransomware virus can encrypt all information it can reach, including on network drives. But if there is a large amount of information there, it will take considerable time. Sometimes even in a couple of hours the encryptor did not have time to encrypt everything on a network drive of approximately 100 gigabytes.

Next you need to think carefully about how to act. If you need the information on your computer at any cost and you do not have backup copies, then it is better at this moment to turn to specialists. Not necessarily to some company for money. You just need someone who is good with information systems. It is necessary to assess the scale of the disaster, remove the virus, and collect all available information on the situation in order to understand how to proceed.

Incorrect actions at this stage can significantly complicate the process of decrypting or restoring files. In the worst case, they can make it impossible. So take your time, be careful and consistent.

How the CRYPTED000007 ransomware virus encrypts files

After the virus has been launched and has finished its activity, all useful files will be encrypted and renamed with the extension .crypted000007. Moreover, not only the file extension will be replaced, but also the file name, so you won’t know exactly what kind of files you had if you don’t remember. It will look something like this.

In such a situation, it will be difficult to assess the scale of the tragedy, since you will not be able to fully remember what you had in different folders. This was done specifically to confuse people and encourage them to pay for file decryption.

And if your network folders were encrypted and there are no full backups, then this can completely stop the work of the entire organization. It will take you a while to figure out what was ultimately lost in order to begin restoration.

How to treat your computer and remove CRYPTED000007 ransomware

The CRYPTED000007 virus is already on your computer. The first and most important question is how to disinfect a computer and how to remove a virus from it in order to prevent further encryption if it has not yet been completed. I would like to immediately draw your attention to the fact that after you yourself begin to perform some actions with your computer, the chances of decrypting the data decrease. If you need to restore files at any cost, do not touch your computer, but immediately contact professionals. Below I will talk about them and provide a link to the site and describe how they work.

In the meantime, we will continue to treat the computer and remove the virus ourselves. Traditionally, ransomware is easily removed from a computer, since the virus does not have the task of remaining on the computer at any cost. After completely encrypting the files, it is even more profitable for it to delete itself and disappear, making it more difficult to investigate the incident and decrypt the files.

It is difficult to describe how to manually remove a virus, although I have tried to do this before, but I see that most often it is pointless. File names and virus placement paths are constantly changing. What I saw is no longer relevant in a week or two. Typically, viruses are sent by mail in waves, and each time there is a new modification that is not yet detected by antiviruses. What helps are universal tools that check autorun and detect suspicious activity in system folders.

To remove the CRYPTED000007 virus, you can use the following programs:

  1. Kaspersky Virus Removal Tool - a utility from Kaspersky: http://www.kaspersky.ru/antivirus-removal-tool.
  2. Dr.Web CureIt! - a similar product from Dr.Web: http://free.drweb.ru/cureit.
  3. If the first two utilities do not help, try MALWAREBYTES 3.0 - https://ru.malwarebytes.com.

Most likely, one of these products will clear your computer of the CRYPTED000007 ransomware. If it suddenly happens that they do not help, try removing the virus manually. I gave an example of the removal method and you can see it there. Briefly, step by step, you need to act like this:

  1. We look at the list of processes, after adding several additional columns to the task manager.
  2. We find the virus process, open the folder in which it sits and delete it.
  3. We clear the mention of the virus process by file name in the registry.
  4. We reboot and make sure that the CRYPTED000007 virus is not in the list of running processes.
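
A read-only way to carry out steps 1 to 3 before deleting anything, as an added example that is not from the original article: it lists running processes and Run-key autorun entries and flags those whose executable is not validly signed or sits in a user-writable folder. It assumes PowerShell 3.0 or later; the folder list and the function names are choices made for this example.

```powershell
# Added example (not from the original article). Read-only: nothing is deleted or changed.
# Assumption: PowerShell 3.0+ (Get-CimInstance, [pscustomobject]).

# Folders an ordinary user can write to; this selection is an assumption of the example.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, $env:ProgramData) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-UserWritablePath {
    # True when the path or command line mentions one of the folders above.
    param([string]$Text)
    if (-not $Text) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Text)
    foreach ($root in $suspectRoots) {
        if ($expanded.IndexOf($root, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function Get-ExecutableFromCommand {
    # Autorun values are command lines: "C:\dir\app.exe" /arg   or   C:\dir\app.exe /arg
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|bat|cmd|vbs|js|scr))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-SignatureStatus {
    param([string]$Path)
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [string](Get-AuthenticodeSignature -FilePath $Path).Status
    }
    return 'NotResolved'   # relative name or missing file
}

# Step 1-2: running processes with their image path.
# Without elevation some system processes report no path and are skipped.
$processes = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        [pscustomobject]@{
            Source       = 'Process'
            Name         = "$($_.Name) (PID $($_.ProcessId))"
            Command      = $_.ExecutablePath
            Signature    = Get-SignatureStatus $_.ExecutablePath
            UserWritable = Test-UserWritablePath $_.ExecutablePath
        }
    }

# Step 3: the standard Run/RunOnce autorun keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($valueName)
        [pscustomobject]@{
            Source       = $key
            Name         = $valueName
            Command      = $command
            Signature    = Get-SignatureStatus (Get-ExecutableFromCommand $command)
            UserWritable = Test-UserWritablePath $command
        }
    }
}

# Show only entries worth a manual look; legitimate software can appear here too.
(@($processes) + @($autoruns)) |
    Where-Object { $_.UserWritable -or $_.Signature -ne 'Valid' } |
    Sort-Object Source, Name |
    Format-Table Source, Name, Signature, UserWritable, Command -AutoSize -Wrap
```

An entry in this list is a candidate for review, not proof of infection: compare it against what you know is installed before removing the file or the registry value.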

Where to download the decryptor CRYPTED000007

The question of a simple and reliable decryptor arises first of all when it comes to a ransomware virus. The first thing I recommend is to use the service https://www.nomoreransom.org. You may be lucky and they will have a decryptor for your version of the CRYPTED000007 encryptor. I’ll say right away that you don’t have many chances, but there is no harm in trying. On the home page, click Yes:

Then upload a couple of encrypted files and click Go! Find out:

At the time of writing, there was no decryptor on the site.

Perhaps you will have better luck. You can also see the list of decryptors for download on a separate page - https://www.nomoreransom.org/decryption-tools.html. Maybe there's something useful there. When the virus is completely fresh, there is little chance of this happening, but over time, something may appear. There are examples when decryptors for some modifications of encryptors appeared on the Internet. And these examples are on the specified page.

I don’t know where else you can find a decoder. It is unlikely that it will actually exist, taking into account the peculiarities of the work of modern encryptors. Only the authors of the virus can have a full-fledged decryptor.

How to decrypt and recover files after the CRYPTED000007 virus

What to do when the CRYPTED000007 virus has encrypted your files? The technical implementation of encryption does not allow decrypting files without a key or a decryptor, which only the author of the encryptor has. Maybe there is some other way to get it, but I don't have that information. We can only try to recover files using improvised methods. These include:

  • The Windows shadow copies tool.
  • Deleted data recovery programs

First, let's check if we have shadow copies enabled. This tool works by default in Windows 7 and higher, unless you manually disable it. To check, open the computer properties and go to the system protection section.

If during infection you did not confirm the UAC request to delete files in shadow copies, then some data should remain there. I spoke in more detail about this request at the beginning of the story, when I talked about the work of the virus.

To easily restore files from shadow copies, I suggest using a free program for this purpose - ShadowExplorer. Download the archive, unpack the program and run it.

The latest copy of files and the root of drive C will open. In the upper left corner, you can select a backup copy if you have several of them. Check different copies for the files you need. Compare by date to find the most recent version. In my example below, I found 2 files on my desktop from three months ago when they were last edited.

I was able to recover these files. To do this, I selected them, right-clicked, selected Export and specified the folder where to restore them.

You can restore whole folders using the same principle. If you had shadow copies working and did not delete them, you have a good chance of recovering all, or almost all, files encrypted by the virus. Perhaps some of them will be an older version than we would like, but nevertheless, it is better than nothing.
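
To size up the damage described earlier and to pick a shadow copy by date, the following added example (not from the original article) counts files with the two extensions named on this page, estimates when encryption started, and lists shadow copies created before that moment. It assumes PowerShell 3.0 or later, an elevated prompt for the shadow copy query, a system from which the virus has already been removed, and that a file's last-write time reflects when it was encrypted; the variable names are choices made for this example.

```powershell
# Added example (not from the original article). Read-only inventory.
# Assumptions: PowerShell 3.0+; LastWriteTime of an encrypted file ~ time of encryption.

$roots   = @($env:USERPROFILE)            # folders or mapped drives to inspect
$markers = @('.xtbl', '.crypted000007')   # extensions named in this article

# Collect encrypted files; unreadable folders are skipped silently.
$encrypted = @(Get-ChildItem -LiteralPath $roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $markers -contains $_.Extension })

if ($encrypted.Count -eq 0) {
    Write-Output 'No files with the listed extensions were found.'
}
else {
    $byTime = $encrypted | Sort-Object LastWriteTime
    $first  = $byTime[0].LastWriteTime
    $last   = $byTime[-1].LastWriteTime
    $bytes  = ($encrypted | Measure-Object -Property Length -Sum).Sum

    Write-Output ('Encrypted files : {0}' -f $encrypted.Count)
    Write-Output ('Total size      : {0:N1} GB' -f ($bytes / 1GB))
    Write-Output ('First written   : {0}' -f $first)
    Write-Output ('Last written    : {0}' -f $last)

    # Which folders were hit hardest (original file names are lost, folders are not).
    $encrypted |
        Group-Object DirectoryName |
        Sort-Object Count -Descending |
        Select-Object -First 20 Count, Name |
        Format-Table -AutoSize

    # Shadow copies on this machine; needs an elevated prompt, otherwise returns nothing.
    $shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) {
        Write-Output 'No shadow copies visible (none exist, or the prompt is not elevated).'
    }
    else {
        $shadows |
            Sort-Object InstallDate -Descending |
            Select-Object InstallDate, VolumeName, ID,
                @{ Name = 'PredatesEncryption'; Expression = { $_.InstallDate -lt $first } } |
            Format-Table -AutoSize
    }
}
```

The newest shadow copy marked `PredatesEncryption = True` is the one to open first in ShadowExplorer.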

If for some reason you do not have shadow copies of your files, your only chance to get at least something from the encrypted files is to restore them using tools for recovering deleted files. To do this, I suggest using the free program Photorec.

Launch the program and select the disk on which you will restore files. The graphical version of the program is launched by the file qphotorec_win.exe. You must select a folder where the found files will be placed. It is better if this folder is not located on the same drive that is being searched. Connect a flash drive or an external hard disk for this.

The search process will take a long time. At the end you will see statistics. Now you can go to the previously specified folder and see what is found there. There will most likely be a lot of files and most of them will either be damaged or they will be some kind of system and useless files. But nevertheless, some useful files can be found in this list. There are no guarantees here, what you find is what you will find. Images are usually restored best.

If the result does not satisfy you, there are other programs for recovering deleted files. Below is a list of programs that I usually use when I need to recover the maximum number of files:

  • R.saver
  • Starus File Recovery
  • JPEG Recovery Pro
  • Active File Recovery Professional

These programs are not free, so I will not provide links. If you really want, you can find them yourself on the Internet.

The entire file recovery process is shown in detail in the video at the very end of the article.

Kaspersky, ESET NOD32 and others in the fight against the Filecoder.ED encryptor

Popular antiviruses detect the ransomware CRYPTED000007 as Filecoder.ED and then there may be some other designation. I looked through the major antivirus forums and didn't see anything useful there. Unfortunately, as usual, antivirus software turned out to be unprepared for the invasion of a new wave of ransomware. Here is a post from the Kaspersky forum.

Antiviruses traditionally miss new modifications of ransomware Trojans. Nevertheless, I recommend using them. If you are lucky and receive a ransomware email not in the first wave of infections, but a little later, there is a chance that the antivirus will help you. They all work one step behind the attackers. A new version of ransomware is released, but antiviruses do not respond to it. As soon as a certain amount of material for research on a new virus accumulates, antivirus software releases an update and begins to respond to it.

I don’t understand what prevents antiviruses from responding immediately to any encryption process in the system. Perhaps there is some technical nuance on this topic that does not allow us to adequately respond and prevent encryption of user files. It seems to me that it would be possible to at least display a warning about the fact that someone is encrypting your files, and offer to stop the process.

Where to go for guaranteed decryption

I had the opportunity to meet one company that actually decrypts data after the work of various encryption viruses, including CRYPTED000007. Their address is http://www.dr-shifro.ru. Payment only after full decryption and your verification. Here is the approximate workflow:

  1. A company specialist comes to your office or home and signs an agreement with you, which sets out the cost of the work.
  2. Launches the decryptor and decrypts all files.
  3. You make sure that all files are opened and sign the certificate of delivery/acceptance of completed work.
  4. Payment is made solely upon successful decryption results.

I'll be honest, I don't know how they do it, but you don't risk anything. Payment only after demonstration of the decoder's operation. Please write a review about your experience with this company.

Methods of protection against the CRYPTED000007 virus

How to protect yourself from ransomware and avoid material and moral damage? There are some simple and effective tips:

  1. Backup! Backup of all important data. And not just a backup, but a backup to which there is no constant access. Otherwise, the virus can infect both your documents and backup copies.
  2. Licensed antivirus. Although they do not provide a 100% guarantee, they increase the chances of avoiding encryption. They are most often not ready for new versions of the encryptor, but after 3-4 days they begin to respond. This increases your chances of avoiding infection if you were not included in the first wave of distribution of a new modification of the ransomware.
  3. Do not open suspicious attachments in mail. There is nothing to comment here. All ransomware known to me reached users via email. Moreover, every time new tricks are invented to deceive the victim.
  4. Do not thoughtlessly open links sent to you from your friends via social media or messengers. This is also how viruses sometimes spread.
  5. Turn on the display of file extensions in Windows. How to do this is easy to find on the Internet. This will allow you to notice the file extension of the virus. Most often it will be .exe, .vbs, .src. In your everyday work with documents, you are unlikely to come across such file extensions.

I tried to supplement what I have already written before in every article about the ransomware virus. In the meantime, I say goodbye. I would be glad to receive useful comments on the article and the CRYPTED000007 ransomware virus in general.

Video about file decryption and recovery

Here is an example of a previous modification of the virus, but the video is completely relevant for CRYPTED000007.

Encrypting ransomware viruses have recently become one of the main threats, and every day we learn about new attacks, new ransomware viruses or their versions and, unfortunately, about victims from whom cybercriminals demand a ransom to regain access to encrypted data. That is why the System Watcher component of the latest Kaspersky Lab products includes a special subsystem for combating encrypting malware, Kaspersky Cryptomalware Countermeasures Subsystem. Thanks to a set of unique technologies, in Latvia and in the world, among users of the latest Kaspersky products who correctly used the capabilities the products provide, there are practically no victims of encrypting ransomware attacks! And this is not magic or a conspiracy, as even experts sometimes say when they see how, unlike users of other antiviruses, fans of Kaspersky products remain unharmed in attacks by encrypting ransomware viruses. These are simply technologies invented and implemented by Kaspersky Lab developers!

Which products include System Watcher and Kaspersky Cryptomalware Countermeasures Subsystem?

Specific technologies to combat encrypting ransomware viruses are included in the current versions of the following products for the Windows operating system, or in their components for Windows.

Small Business Products:
Enterprise security products:

* A 30-day free, full-featured trial with local technical support is available for all products.

How do System Watcher and Kaspersky Cryptomalware Countermeasures Subsystem work?

Kaspersky Lab processes an average of 315,000 new malware samples every day. With such a large influx of new malware, antivirus companies are often forced to protect users from malware attacks that are not yet known to them. In a real-world analogy, this would be the same as identifying a criminal before his fingerprints, photograph and other data are obtained. How can this be done? By observing and analyzing behavior. This is exactly what System Watcher, the component built into the latest Kaspersky Lab products, does by continuously monitoring the computer system.

System Watcher monitors processes occurring in the system and detects malicious actions using Behavior Stream Signatures (BSS) and thus allows you to identify and stop completely new and unknown malicious programs based on their behavior. But that's not all. Until it becomes clear that a program is malicious, it may have time to do something. Therefore, another feature of System Watcher is the ability to roll back changes to the system made by malicious programs.

In order to roll back changes made by a new encrypting malware, Kaspersky Lab specialists added to the System Watcher component a subsystem for combating encrypting viruses, Kaspersky Cryptomalware Countermeasures Subsystem, which creates backup copies of files if they are opened by a suspicious program and subsequently, if necessary, restores them from the saved copies. Thus, even if the encrypting virus is new, that is, the antivirus does not have its “fingerprints” and it is not identified by other mechanisms, System Watcher detects it by its behavior and, using the already mentioned subsystem, returns the computer system to the state it was in before the malware attack.

Recognizing an unknown encrypting malware by its behavior, stopping its operation and rolling back the changes it has made (replacing encrypted files with unencrypted copies) can be seen in the demo video below.



Here it is necessary to clarify that for each specific user, situations where it is necessary to use Kaspersky Cryptomalware Countermeasures Subsystem can occur extremely rarely, since information about each incident with an unknown malicious program reaches the Kaspersky Security Network cloud in a matter of seconds and other users of Kaspersky solutions from this moment are already protected against the new threat by an early detection system. This means that any further attempt to infect the computers of Kaspersky users will be blocked by the earlier signature. It is the action of such unique mechanisms that explains the fact that in Latvia there were practically no casualties among users of the latest Kaspersky products, since it works like a global immune system for all 400 million Kaspersky users around the world!

More information about System Watcher and Kaspersky Cryptomalware Countermeasures Subsystem in English can be found in the PDF documents:

What else do you need to know about System Watcher and Kaspersky Cryptomalware Countermeasures Subsystem?

System Watcher, and with it Kaspersky Cryptomalware Countermeasures Subsystem, is enabled by default in accordance with the manufacturer’s initial settings. After installing the products, the user does not need to perform any additional actions to use the technologies described above.

It should be especially noted that System Watcher is not included in the Kaspersky Anti-Virus product for Windows Workstation 6.0 (released 2007), which is still occasionally used. Users of this product are encouraged to take advantage of the free upgrade to the newer Kaspersky Endpoint Security for Windows. Legal users can download and install the latest versions of the products for free, for example, from the " " section of this site.

