Author Topic: RansomeWare zipped all Files on Server with double password  (Read 19466 times)


Geariod

  • Guest
RansomeWare zipped all Files on Server with double password
« on: March 04, 2013, 01:56:31 PM »
A client's server was running AVAST Email Server Security (latest version) and Malwarebytes, updated and scanning every night.
Last Sunday the server was attacked by a drive-by ransomware virus, Anti-Child Porn Spam Protection. This ransomware pretends to be from a legitimate government organization and states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that, in order to protect yourself and others, it has encrypted your data using Advanced Encryption Standard, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password-protected RAR files. The hackers then require you to send them a MoneyPak, PaySafeCard, or Ukash card for values ranging from $500 - 1,000 USD in order to get the password for your files.

Now all users' data files are zipped and look like this file:
"customer.mdb(!! to decrypt email id 1795229374 to uksechelp@gmail.com !!).exe"
Does anyone know how to decrypt these files!!!!
 >:(
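The post above says the files are not AES-encrypted in place but renamed and wrapped as password-protected RAR self-extractors. Before any recovery decision, an incident responder wants an inventory of exactly which files were touched and confirmation of what they actually contain. The following triage script is an added example, not code from the thread or from any vendor: it walks a share, parses the ransom filename pattern quoted above (original name, the attacker's "email id" case number, the contact address), and checks each file for a PE stub and an embedded RAR marker. The sample directory it builds is constructed data for an offline run, and the field names are my own.

```python
"""Inventory files renamed by the ransomware described in the thread:
  <original>(!! to decrypt email id <digits> to <email> !!).exe
and record whether each one is a PE file with a RAR archive inside,
i.e. the password-protected self-extractor the post describes."""
import os
import re
import tempfile
from typing import Dict, List, Optional

# Filename pattern taken from the thread; "email id" is the attacker's case number.
RANSOM_NAME = re.compile(
    r"^(?P<original>.+)\(!! to decrypt email id (?P<case_id>\d+) to (?P<email>\S+) !!\)\.exe$",
    re.IGNORECASE,
)
# Shared prefix of the RAR 4 ("Rar!\x1a\x07\x00") and RAR 5 ("Rar!\x1a\x07\x01\x00") magic.
RAR_MAGIC = b"Rar!\x1a\x07"
CHUNK = 1 << 20  # read 1 MiB at a time so large database files are not slurped whole


def find_rar_signature(path: str) -> Optional[int]:
    """Return the byte offset of the first RAR archive marker in the file, or None."""
    offset = 0      # bytes of the file consumed before the current chunk
    tail = b""      # carry-over so a marker split across two chunks is still found
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return None
            buf = tail + chunk
            hit = buf.find(RAR_MAGIC)
            if hit != -1:
                return offset - len(tail) + hit
            tail = buf[-(len(RAR_MAGIC) - 1):]
            offset += len(chunk)


def triage_file(path: str) -> Optional[Dict[str, object]]:
    """Parse the ransom filename and inspect the bytes; None if the name does not match."""
    m = RANSOM_NAME.match(os.path.basename(path))
    if not m:
        return None
    with open(path, "rb") as fh:
        head = fh.read(2)
    return {
        "path": path,
        "original_name": m.group("original"),
        "case_id": m.group("case_id"),
        "contact_email": m.group("email"),
        "size": os.path.getsize(path),
        "pe_stub": head == b"MZ",                # a self-extractor starts as an executable
        "rar_offset": find_rar_signature(path),  # not None => a RAR archive is embedded
    }


def triage_directory(root: str) -> List[Dict[str, object]]:
    """Walk a share and return one record per ransomed file, sorted by path."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rec = triage_file(os.path.join(dirpath, name))
            if rec:
                found.append(rec)
    return sorted(found, key=lambda r: r["path"])


def build_sample_share() -> str:
    """Constructed sample data (not real victim files): a temp dir with two renamed
    files and one untouched file, so the script runs offline."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    suffix = "(!! to decrypt email id 1795229374 to uksechelp@gmail.com !!).exe"
    # fake PE stub followed by a RAR marker at offset 302
    with open(os.path.join(root, "customer.mdb" + suffix), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 300 + RAR_MAGIC + b"\x00" + b"dummy archive body")
    # stub only, no archive marker: flagged as worth a closer look
    with open(os.path.join(root, "report.xls" + suffix), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"untouched file\n")
    return root


if __name__ == "__main__":
    for rec in triage_directory(build_sample_share()):
        print(rec)
```

Run it against a read-only copy of the affected share (the thread's advice of imaging the drives from a PE disk first applies). A record with `pe_stub` true and a `rar_offset` supports the RAR-self-extractor claim; a renamed file with no marker is something different and should be set aside for separate analysis rather than assumed to be the same container.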

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: RansomeWare zipped all Files on Server with double password
« Reply #1 on: March 04, 2013, 02:06:42 PM »
Malware removers are notified; it may take hours before they arrive, so be patient.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: RansomeWare zipped all Files on Server with double password
« Reply #2 on: March 04, 2013, 03:13:33 PM »
Hi, are you able to access the server in safe mode? What is the OS for this system, and is it 32 or 64 bit?

PCSBournemouth

  • Guest
Re: RansomeWare zipped all Files on Server with double password
« Reply #3 on: March 05, 2013, 09:20:37 AM »
Hi,

I had the same thing last Sunday.

Server was hijacked and all data appears to be encrypted using RAR and AES encryption.

Take a look here

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection/

It seems the variant I have is newer than what is listed.

Geariod

  • Guest
Re: RansomeWare zipped all Files on Server with double password
« Reply #4 on: March 09, 2013, 11:48:22 AM »
End result: had to use a PE disk to access the server drives, saved all encrypted data to an external drive and wiped the server. It was running SBS 2003, now running as File Server 2008.
Got back 60% of the data from a password-protected NAS drive, but all the other data is still encrypted!!!!!!!!!!!!!!!!!! with the damn password.

Offline davexnet

  • Poster
  • *
  • Posts: 540
Re: RansomeWare zipped all Files on Server with double password
« Reply #5 on: March 09, 2013, 02:25:32 PM »
Sorry to hear about your lost files. I read a little on the net about this malware; apparently the attacker logs onto the target computers manually through Remote Desktop. Once on, they can disable any active A/V and plant their malware directly. A couple of points were made: first, the files cannot be decrypted without the passwords. Some businesses have been paying the ransom. Secondly, it was advised to change the port of Remote Desktop, since the initial attack appears to be a scan for open RDP ports (port 3389), after which they get logon credentials through brute force.

Can anybody at Avast comment on this attack, and possible prevention methods?

AMD FX-4300 4GB DDR3
avast free 2279 (Windows XP), MBAM free
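The reply above describes the intrusion path: a scan for exposed RDP, a brute-force run against logon credentials, then a manual session in which the attacker disables the A/V. That pattern is visible in the Windows Security log before the encryption starts. The detector below is an added example, not code from the thread or from Avast: it reads failed (4625) and successful (4624) logons with logon type 10 (RemoteInteractive, i.e. RDP) and raises an alert when one source address accumulates a burst of failures, and a second, higher-priority alert when a success follows that burst from the same address. The line format (`timestamp,event_id,logon_type,account,source_ip`) is an assumption about how the events were exported, and the sample events are constructed, not from a real incident.

```python
"""Flag RDP password brute-forcing from exported Windows Security events.
Input lines (assumed export format): timestamp,event_id,logon_type,account,source_ip
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"
WINDOW = timedelta(minutes=10)   # sliding window per source address
THRESHOLD = 8                    # failures inside WINDOW before we alert

# Constructed sample events (not from a real incident): one legitimate user who
# mistypes a password once, one service logon over the network, and one source
# that hammers the Administrator account over RDP and finally gets in.
SAMPLE_EVENTS = """\
2013-03-03T01:55:00,4625,10,jsmith,192.0.2.5
2013-03-03T01:55:20,4624,10,jsmith,192.0.2.5
2013-03-03T02:10:01,4625,10,Administrator,198.51.100.23
2013-03-03T02:10:21,4625,10,Administrator,198.51.100.23
2013-03-03T02:10:41,4625,10,Administrator,198.51.100.23
2013-03-03T02:11:01,4625,10,Administrator,198.51.100.23
2013-03-03T02:11:21,4625,10,Administrator,198.51.100.23
2013-03-03T02:11:41,4625,10,Administrator,198.51.100.23
2013-03-03T02:12:00,4624,3,svc_backup,192.0.2.9
2013-03-03T02:12:01,4625,10,Administrator,198.51.100.23
2013-03-03T02:12:21,4625,10,Administrator,198.51.100.23
2013-03-03T02:12:41,4625,10,Administrator,198.51.100.23
2013-03-03T02:13:01,4625,10,Administrator,198.51.100.23
2013-03-03T02:13:30,4624,10,Administrator,198.51.100.23
"""


def parse_events(text: str) -> List[Dict[str, object]]:
    """Turn the exported lines into dicts, sorted by time (exports are not always ordered)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return alerts: one 'rdp_bruteforce' per source that crosses THRESHOLD failures
    inside WINDOW, plus 'rdp_bruteforce_success' if that source then logs on."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()               # sources already reported, to avoid one alert per retry
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                  # only interactive RDP logons matter here
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > WINDOW:
            q.popleft()               # expire failures older than the window
        if e["event_id"] == FAILED_LOGON:
            q.append(e["ts"])
            if len(q) >= THRESHOLD and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append({"kind": "rdp_bruteforce", "src": e["src"],
                               "failures": len(q), "last_seen": e["ts"]})
        elif e["event_id"] == SUCCESS_LOGON and len(q) >= THRESHOLD:
            # a success right after a failure burst is the event to act on immediately
            alerts.append({"kind": "rdp_bruteforce_success", "src": e["src"],
                           "account": e["account"], "failures": len(q), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The threshold and window are deliberately conservative; tune them to the server's normal failure rate. Moving RDP off port 3389, as the reply suggests, reduces the scanner noise but does not stop a targeted guess, which is why the success-after-burst alert is the one worth paging on.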

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: RansomeWare zipped all Files on Server with double password
« Reply #6 on: March 09, 2013, 02:32:33 PM »
Quote
Can anybody at Avast comment on this attack, and possible prevention methods?
avast added several lockscreen and ransom signatures yesterday, but new versions are released every day.

Quote
Win32:Ransom-AFS [Trj], Win32:Ransom-AFT [Trj], Win32:Ransom-AFU [Trj]

virus update history  http://www.avast.com/en-no/virus-update-history

Essexboy can help if you answer/follow his advice...





« Last Edit: March 09, 2013, 02:34:30 PM by Pondus »

Offline davexnet

  • Poster
  • *
  • Posts: 540
Re: RansomeWare zipped all Files on Server with double password
« Reply #7 on: March 09, 2013, 03:52:55 PM »
I haven't been attacked myself; this malware seems to target businesses.
This is a case where prevention is everything: once the attacker gets access to the target system, the AV is disabled, your files are encrypted, and you're locked out when you next try to log in.

The AV may help with the locked-out situation, and clear up any residual malware, but the damage has been done. You've lost your files, and in some cases, the backup too. I read about a medical group that lost their patient medical and billing records. The backups, which were accessible through the target computer, were also deleted!

AMD FX-4300 4GB DDR3
avast free 2279 (Windows XP), MBAM free

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: RansomeWare zipped all Files on Server with double password
« Reply #8 on: March 09, 2013, 05:49:56 PM »
Hi there, I am really sorry but you got attacked by a very nasty ransomware. This malware is very aggressive; unlike the previous versions of this malware, it uses so many 3rd-party DLLs that it is almost impossible to get your files back w/o paying.
This video is a POSSIBLE solution: http://www.youtube.com/watch?v=2LBStddWA2w . I never tried it but it's worth watching; it might solve your problem. You can find more info here: http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/ . I think Fabian from Emsisoft made a decrypt tool, but I can't find it atm. If you search you will find it though. Sorry for not providing much help, but I really can't now.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Geariod

  • Guest
Re: RansomeWare zipped all Files on Server with double password
« Reply #9 on: March 30, 2013, 09:49:49 AM »
 :o So far no one has been able to break the passwords on the files which were encrypted by the ransomware ???

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: RansomeWare zipped all Files on Server with double password
« Reply #10 on: March 30, 2013, 10:15:13 AM »
:o So far no one has been able to break the passwords on the files which were encrypted by the ransomware ???
You still have not replied to essexboy's questions.

Geariod

  • Guest
Re: RansomeWare zipped all Files on Server with double password
« Reply #11 on: May 31, 2013, 11:19:25 AM »
Well, months later we still cannot unlock the data files. Safe mode / normal mode did not work, or data was on a second hard drive; the C:\ was not accessible, and our backup drive was a mapped drive to a NAS box, and our backups were screwed also. So the server is now wiped and the company is running, but I still would like to unencrypt the files :-[

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: RansomeWare zipped all Files on Server with double password
« Reply #12 on: May 31, 2013, 02:29:46 PM »
There is still no progress on decrypting the files; normally Kaspersky is quite good at this, but they are still stumped.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: RansomeWare zipped all Files on Server with double password
« Reply #13 on: May 31, 2013, 02:34:19 PM »
Rogueamp did a video on this (I think). He also had a tool that could help decrypt the files.
Video: http://www.youtube.com/watch?v=kMmHZ8FOfcY

This is coming from an unprofessional IT guy, so this information may not even be relevant. If it is, great, but again, don't take this advice seriously until someone like essex says it has merit to it.

And just a word to the Avast Team. Pass this on: your product is GREAT! I also love that you guys promote other AVs such as Kaspersky. One of the decisions on why I chose Avast over something like Kaspersky. Keep it up!
« Last Edit: May 31, 2013, 02:35:50 PM by alan1998 »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: RansomeWare zipped all Files on Server with double password
« Reply #14 on: May 31, 2013, 04:17:38 PM »
It could be worth a try, although how effective it is I am not sure. The results appear to be mixed from my research, but nothing ventured, nothing gained.

Decryption instructions
4. Download the decryption tool from http://tmp.emsisoft.com/fw/decrypt_mb...
5. Open a command prompt window and navigate to the directory with the decrypt_mblblock.exe file.
6. Run it with however many drives you have mounted (e.g. decrypt_mblblock.exe C:\ D:\ E:\).
7. You can also add options to delete the encrypted files (/del) or to not pause the window (/np).