ransomware

Indyrb asked:

I have a Windows 2003 server that had RDP enabled, and wouldn't you know it.
Infected with ransomware.

Of course I booted off a rescue disk and was able to clean the infections and get rid of the screener, however I am left with all these "!! email to decrypt" files and can't open them, extract them, or get the original...

Anyone have any luck in properly extracting the good data?

Also it appeared that the system re-infected itself, so I am recleaning the server.


NO Backups --- : (
Scott Thompson:

What rescue disk did you use?  When you are running an offline scanner, these can take care of files that are infected, but do not touch the registry, where there could be 'convert' operations set to run when the computer boots into Windows.

Younghv wrote a wonderful article; I would suggest reading it.
https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html

My suggestion is to follow what he suggests.  Most likely you have a rootkit infection, which is why it keeps coming back.  TDSSKiller is great at removing these rootkit infections.
http://support.kaspersky.com/faq/?qid=208283363

What is this infection doing and/or causing on the computer in question?

As for your other question about "!! email to decrypt" files, I'm not too familiar with this issue.  Could you give more detail as to what you are trying to accomplish?  I will see if I can help you out, or at least it will give someone else on here the ability to help you further.
Indyrb (asker):

I ran TDSSKiller and used the Kaspersky rescue disk.

Here is the ransomware (look for variant 4):

http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/
younghv:
Thanks pc_s - I appreciate the comments.

@Indyrb - Please describe any messages or 'pop-ups' on the screen.

What you have sounds very much like the "ACCDFISA" scamware, which actually does encrypt your files.

IF this is what you have, please review the solution created by MS-MVP Lawrence Abrams here:
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

If that doesn't help, please post back with some more details/symptoms of what you're seeing. Attach the log files of any security applications you've run and there may be some clues in there.
(I'd rather be lucky than good!)

It looks as though that is what you're fighting. Please review the steps in the link above. It will not be an easy process, but it is definitely fixable.
Indyrb (asker):

Yeah, I already saw that link, and while the symptoms etc. are the same... It is a different variant, and the batch files etc. are not applicable. This is more along the lines of variant 4.. maybe a new variant.

Symptoms are the same though
Change of IP address
Can get to desktop
Ransomware screener is shown asking for money
Tons of infections

Ran rescue disk and found a ton of patite.b viruses
Also detected malware.
However all the well known file extensions on the server have been renamed with !! email to decrypt xxxxxxx @xxxx.gmail.com
During the scan it finds all these files and says password protected.

Once the rescue disk finished, I logged into the server and was able to run additional scans
remove entries from registry
remove offending programs from C:\programData

Left with all the original files password protected as described above.
Batch files etc. don't work with this variant... also the password on the RAR is not static as described in the article, it's randomly generated.

In the midst of all this, it appears the system re-infected itself, so I must not have got everything.
This may sound somewhat stupid, but would it be possible for you to get your files back by using Shadow Copy (assuming that it is enabled)?
Indyrb (asker):

It was turned off by ransomware.
jvanderwyden:

I have the exact same issue.  Last week I received a call from the one person we have that does data entry for us using RDP/Terminal Services from a remote location.   When I attempt to restart the server in safe mode I get a blue screen that comes up asking for a password.  I use the administrator password I have used for all the servers for the last 10 years and it rejects it.  I am getting ready to pull the hard drives, put new drives in their place, and re-install Server 2003 R2.

Can you tell me about this rescue disk you're booting with?  Is it a floppy drive, or a DVD/CD optical drive?

-John
Indyrb (asker):

We had the same issue, where the administrator password was changed. Also there was an account named admihistrator, and the guest account was re-enabled and added to the Schema Admins and Domain Admins groups.  Luckily we had a backdoor account that we were able to log into the server with... It had elevated permissions, so I could reset the passwords.

Here is the rescue disk I used.
Burn the ISO to disk and boot off the disk.
Run scans from there.
But like they mentioned before, once you clean the infections from the boot disk,
rerun scans from the OS too, to get lingering objects.

My only remaining issues are as follows:
(1) reinfection
(2) encrypted\password-protected files

I need to be able to recover these files, so any help with decrypting them would be helpful.
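The symptoms Indyrb lists (files renamed with "!! email to decrypt", Guest re-enabled and pushed into Domain Admins / Schema Admins, a look-alike admin account, shadow copies switched off) can be triaged in one pass. The script below is an added example, not posted by anyone in this thread; it assumes PowerShell is available on the server or a management host with the disk mounted, and the `$ScanRoot`, `$PrivilegedGroups` and `$ExpectedMembers` placeholders are adjusted to the environment.

```powershell
# Added example (not from this thread): triage the symptoms described above.
# Assumptions: run as an administrator where PowerShell is available; the three
# parameters below are placeholders to adapt to the environment.
param(
    [string]$ScanRoot = 'D:\Data',
    [string[]]$PrivilegedGroups = @('Administrators', 'Domain Admins', 'Schema Admins'),
    [string[]]$ExpectedMembers = @('Administrator')   # known-good member names
)

# 1. Files renamed by the ransomware: the poster reports names that contain
#    "!! email to decrypt" followed by a mailbox. Match only the fixed prefix.
$renamed = Get-ChildItem -Path $ScanRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -like '*!! email to decrypt*' }
Write-Output ("{0} renamed file(s) under {1}" -f @($renamed).Count, $ScanRoot)
$renamed | Select-Object -First 10 -ExpandProperty FullName

# 2. Privileged group membership: anything not on the known-good list is flagged,
#    which catches a re-enabled Guest or a look-alike such as 'admihistrator'.
function Get-GroupMemberNames([string]$Group) {
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in $g.Invoke('Members')) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}
foreach ($group in $PrivilegedGroups) {
    $unexpected = Get-GroupMemberNames $group |
        Where-Object { $ExpectedMembers -notcontains $_ }
    foreach ($name in $unexpected) {
        Write-Warning ("Unexpected member of '{0}': {1}" -f $group, $name)
    }
}

# 3. Guest account state: UserFlags bit 0x2 (ADS_UF_ACCOUNTDISABLE) clear means enabled.
$guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
if (-not ($guest.UserFlags.Value -band 0x2)) { Write-Warning 'Guest account is ENABLED' }

# 4. Shadow copies: the poster found them turned off. List whatever is left, if any.
vssadmin list shadows
```

On a domain controller the WinNT provider resolves domain groups such as Domain Admins, so the same check covers the group tampering described in the post.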
Could you please upload the encrypted file to some filesharing site, from where we could download it and analyze it?

Also send some sample infected file to site like Virustotal.com, analyze it there and post the link to the result here.

Thanks,
Sudeep
ASKER CERTIFIED SOLUTION by Sudeep Sharma