Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

ransomware

Posted on 2012-09-13
12
Medium Priority
?
1,650 Views
Last Modified: 2013-11-22
I have a Windows 2003 server that had RDP enabled, and wouldnt you know it.
Infected with ransomware.

Of course I booted off rescue disk and was able to clean the infections and get rid of the screener, however I am left with all these !! email to decrpyt files and cant open them, extract them, or get the orginal...

Anyone have any luck in properly extracting the good data?

Also it appeared that the system re-infected itself, so I am recleaning the server.


NO Backups --- : (
0
Comment
Question by:Indyrb
  • 5
  • 2
  • 2
  • +2
12 Comments
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38397117
What rescue disk did you use?  When you are running an offline scanner, these can take care of files that are infected, but do not touch the registry, where there could be 'convert' operations set to run with the computer boots into Windows.

Younghv wrote a wonderful article; I would suggest reading it.
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html

My suggestion is to follow what he suggests.  Most likely you have a rootkit infection, which is why it keeps coming back.  TDSSKiller is great at removing these rootkit infections.
http://support.kaspersky.com/faq/?qid=208283363

What is this infection doing and/or causing on the computer in question?

As for your other question about !! email to decrpyt files, I'm not too familiar with this issue.  Could you give more detail as to what you are trying to accomplish?  I will see if I can help you out, or at least it will give someone else on here the ability to help you further.
0
 
LVL 5

Author Comment

by:Indyrb
ID: 38397165
I ran TDDSkiller and used the Kaspersky rescue disk..

Here is the ransomware (look for variant 4)


http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/
0
 
LVL 38

Expert Comment

by:younghv
ID: 38397172
Thanks pc_s - I appreciate the comments.

@Indyrb - Please describe any messages or 'pop-ups' on the screen.

What you have sounds very much like the "ACCDFISA" scamware, which actually does encrypt your files.

IF this is what you have, please review the solution created by MS-MVP Lawrence Abrams here:
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

If that doesn't help, please post back with some more details/symptoms of what you're seeing. Attach the log files of any security applications you've run and there may be some clues in there.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 38

Expert Comment

by:younghv
ID: 38397180
(I'd rather be lucky than good!)

It looks as though that is what you're fighting. Please review the steps in the link above. It will not be an easy process, but it is definitely fixable.
0
 
LVL 5

Author Comment

by:Indyrb
ID: 38399201
YEa, I already saw that link, and while the symptoms and etc are the same... It is a different variant, and batch files and etc are not applicable. This is more along the lines of variant 4.. maybe a new variant.

Symptoms are the same though
Change of IP address
Can get to desktop
Ransomware screener is shown asking for money
Tons of infections

Ran rescue disk and found a ton of patite.b viruses
Also detected malware.
However all the well known file extensions on the server, have been name with !! email to decrypt xxxxxxx @xxxx.gmail.com
During the scan it finds all these files and says password protected.

Once the rescue disk finished, I logged into the server and was able to run additional scans
remove entries from registry
remove offending programs fro C:\programData

Left with all the orginal files password protected as described above.
BAtch files and etc, dont work with this varaint... also password in RAR is not static as described in the article, its random generated.

In the mist of allo this, it appears the system re-infected itself, so I must not of got everything.
0
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38400741
This may sound somewhat stupid, but would it be possible for you to get your files back by using Shadow Copy (assuming that it is enabled)?
0
 
LVL 5

Author Comment

by:Indyrb
ID: 38405643
It was turned off by ransomware.
0
 

Expert Comment

by:jvanderwyden
ID: 38406400
I have the exact same issue.  Last week I received a call from the one person we have that does data entry for us using RDP/Terminal services from a remote location.   When I attempt to restart the server in safe mode I get a blue screen that comes up asking for a password.  I use the administrator password I have used for all the server for the last 10 years and I rejects it.  I am getting ready to pull the hard drives, and put new drives in their place, and re-install the Server 2003 R2.  

Can you tell me about this rescue disk your booting with.  Is it a floppy drive, or a DVD/CD optical drive?  

-John
0
 
LVL 5

Author Comment

by:Indyrb
ID: 38406649
We had the same issue, where the administrator password was changed. Also there was an account named admihistrator and the guest account was re-enabled and added to the Schema and domain admins group.  Luckly we had a backdoor account that we were able to log into the server with... It had elevated permissions, so I could reset the passwords,

Here is the rescue disk I used.
Burn Iso to disk and boot of disk
Run scans from here.
But like they mentioned before, once you clean the infections from boot disk.
Rerun scans from the OS too, to get lingering objects.

My only remaining issue, is as follows:
(1) reinfection
(2) encrypted\password files

I need to be able to recover these files, so any help with decrpyting them would be helpful.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38414369
Could you please upload the encrypted file to some filesharing site, from where we could download it and analyze it?

Also send some sample infected file to site like Virustotal.com, analyze it there and post the link to the result here.

Thanks,
Sudeep
0
 
LVL 30

Accepted Solution

by:
Sudeep Sharma earned 2000 total points
ID: 38414403
Did you tried the password generating tool available here?

http://www.bleepingcomputer.com/forums/topic446111.html/page__st__30

Direct link:
http://tmp.emsisoft.com/fw/ACCDFISA/ACCDFISA_Unlock.rar

You would need to provide the reference ID provided by Malware to the utility.

Sudeep
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question