ransomware

I have a Windows 2003 server that had RDP enabled, and wouldn't you know it: infected with ransomware.

Of course I booted off a rescue disk and was able to clean the infections and get rid of the screener; however, I am left with all these "!! email to decrypt" files and can't open them, extract them, or get the originals...

Anyone have any luck in properly extracting the good data?

Also, it appeared that the system re-infected itself, so I am re-cleaning the server.


NO Backups --- : (
Asked by Indyrb.
Sudeep Sharma (Technical Designer) commented:
Did you try the password-generating tool available here?

http://www.bleepingcomputer.com/forums/topic446111.html/page__st__30

Direct link:
http://tmp.emsisoft.com/fw/ACCDFISA/ACCDFISA_Unlock.rar

You would need to provide the reference ID shown by the malware to the utility.

Sudeep
Scott Thompson (Computer Technician / Owner) commented:
What rescue disk did you use? When you are running an offline scanner, it can take care of files that are infected, but it does not touch the registry, where there could be 'convert' operations set to run when the computer boots into Windows.

Younghv wrote a wonderful article; I would suggest reading it.
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html

My suggestion is to follow what he suggests.  Most likely you have a rootkit infection, which is why it keeps coming back.  TDSSKiller is great at removing these rootkit infections.
http://support.kaspersky.com/faq/?qid=208283363

What is this infection doing and/or causing on the computer in question?

As for your other question about the "!! email to decrypt" files, I'm not too familiar with this issue. Could you give more detail as to what you are trying to accomplish? I will see if I can help you out, or at least it will give someone else on here the ability to help you further.
Indyrb (Author) commented:
I ran TDSSKiller and used the Kaspersky rescue disk.

Here is the ransomware (look for variant 4):


http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/
younghv commented:
Thanks pc_s - I appreciate the comments.

@Indyrb - Please describe any messages or 'pop-ups' on the screen.

What you have sounds very much like the "ACCDFISA" scamware, which actually does encrypt your files.

IF this is what you have, please review the solution created by MS-MVP Lawrence Abrams here:
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

If that doesn't help, please post back with some more details/symptoms of what you're seeing. Attach the log files of any security applications you've run and there may be some clues in there.
younghv commented:
(I'd rather be lucky than good!)

It looks as though that is what you're fighting. Please review the steps in the link above. It will not be an easy process, but it is definitely fixable.
Indyrb (Author) commented:
Yeah, I already saw that link, and while the symptoms etc. are the same, it is a different variant, and the batch files etc. are not applicable. This is more along the lines of variant 4, maybe a new variant.

Symptoms are the same though:
Change of IP address
Can get to desktop
Ransomware screener is shown asking for money
Tons of infections

Ran the rescue disk and found a ton of patite.b viruses.
Also detected malware.
However, all the well-known file extensions on the server have been renamed with "!! email to decrypt xxxxxxx @xxxx.gmail.com".
During the scan it finds all these files and says "password protected".

Once the rescue disk finished, I logged into the server and was able to run additional scans,
remove entries from the registry,
and remove offending programs from C:\programData.

Left with all the original files password-protected as described above.
Batch files etc. don't work with this variant; also the password on the RAR is not static as described in the article, it's randomly generated.

In the midst of all this, it appears the system re-infected itself, so I must not have gotten everything.
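Indyrb's description above (files renamed with a "!! email to decrypt ..." marker, which the scanner reports as password-protected archives) lends itself to a read-only inventory step before any recovery attempt, so you know how many files and which original types are affected. The following Python script is an added example, not code from this thread or from any tool mentioned in it. It walks a directory tree, recognises renamed files by a marker regex (an assumption: the exact marker text, and whether it is appended as a suffix, varies by variant, so adjust MARKER_RE to the names you actually see), checks whether each one really starts with the RAR archive signature, and tallies the original extensions. Files that carry the marker but are not RAR archives are listed separately, since those may still hold readable content. The small sample tree it builds is constructed for demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# Assumed rename pattern: "<original name> !! email to decrypt <address>".
# Adjust this regex to the marker text seen on the affected server.
MARKER_RE = re.compile(r"^(?P<orig>.+?)\s*!!\s*email to decrypt\b.*$", re.IGNORECASE)

# RAR archive signature (RAR 1.5-4.x); RAR5 shares these 7 leading bytes
# followed by 0x01 0x00, so the prefix check covers both formats.
RAR_MAGIC = b"Rar!\x1a\x07"


def classify_file(path):
    """Return (original_name, is_rar) for a ransom-renamed file, else None.

    Only the first 7 bytes are read; the file is never modified.
    """
    m = MARKER_RE.match(os.path.basename(path))
    if not m:
        return None
    with open(path, "rb") as fh:
        head = fh.read(len(RAR_MAGIC))
    return m.group("orig").strip(), head.startswith(RAR_MAGIC)


def inventory(root):
    """Walk a tree and summarise ransom-renamed files.

    Returns a dict with:
      'renamed'      - list of (path, original_name, is_rar)
      'by_extension' - Counter of original extensions among renamed files
      'not_archives' - renamed files that are NOT RAR archives (worth a closer
                       look: possibly untouched content or an interrupted run)
      'untouched'    - count of files without the marker
    """
    renamed, not_archives, untouched = [], [], 0
    by_ext = Counter()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            res = classify_file(p)
            if res is None:
                untouched += 1
                continue
            orig, is_rar = res
            renamed.append((p, orig, is_rar))
            by_ext[os.path.splitext(orig)[1].lower()] += 1
            if not is_rar:
                not_archives.append(p)
    return {"renamed": renamed, "by_extension": by_ext,
            "not_archives": not_archives, "untouched": untouched}


def build_sample_tree(root):
    """Create a constructed sample tree (not real ransomware output)."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    samples = {
        "docs/report.docx !! email to decrypt me@example.invalid": RAR_MAGIC + b"\x00" + b"X" * 32,
        "docs/budget.xlsx !! email to decrypt me@example.invalid": RAR_MAGIC + b"\x00" + b"Y" * 32,
        "docs/notes.txt !! email to decrypt me@example.invalid": b"plain text, not an archive",
        "docs/readme.txt": b"untouched file",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def sample_inventory():
    """Build the constructed sample tree in a temp dir and inventory it."""
    return inventory(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    inv = sample_inventory()
    print(f"{len(inv['renamed'])} renamed files; by extension: {dict(inv['by_extension'])}")
    print(f"{inv['untouched']} files without the marker")
    for p in inv["not_archives"]:
        print("renamed but not a RAR archive:", p)
```

Point it at a mounted image or an offline copy of the data volume rather than the live server; it opens files read-only and renames nothing, so it is safe to run before deciding on a recovery path.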
Scott Thompson (Computer Technician / Owner) commented:
This may sound somewhat stupid, but would it be possible for you to get your files back by using Shadow Copy (assuming that it is enabled)?
Indyrb (Author) commented:
It was turned off by ransomware.
jvanderwyden commented:
I have the exact same issue. Last week I received a call from the one person we have that does data entry for us using RDP/Terminal Services from a remote location. When I attempt to restart the server in safe mode I get a blue screen that comes up asking for a password. I use the administrator password I have used for all the servers for the last 10 years and it rejects it. I am getting ready to pull the hard drives, put new drives in their place, and re-install Server 2003 R2.

Can you tell me about this rescue disk you're booting with? Is it a floppy drive, or a DVD/CD optical drive?

-John
Indyrb (Author) commented:
We had the same issue, where the administrator password was changed. Also there was an account named "admihistrator", and the guest account was re-enabled and added to the Schema and Domain Admins groups. Luckily we had a backdoor account that we were able to log into the server with. It had elevated permissions, so I could reset the passwords.

Here is the rescue disk I used.
Burn the ISO to disk and boot off the disk.
Run scans from there.
But like they mentioned before, once you clean the infections from the boot disk,
rerun scans from the OS too, to get lingering objects.

My only remaining issue, is as follows:
(1) reinfection
(2) encrypted\password files

I need to be able to recover these files, so any help with decrypting them would be helpful.
Sudeep Sharma (Technical Designer) commented:
Could you please upload one of the encrypted files to a file-sharing site, from where we could download it and analyze it?

Also send some sample infected files to a site like VirusTotal.com, analyze them there, and post the link to the result here.

Thanks,
Sudeep