• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1911

Decrypt Protect ransomware - files renamed to .html and encrypted

I am looking at this post-mortem, so I can't tell you what malware was removed.

What I can say is that it sounds similar to the ACCDFISA malware described here:
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

Files (pdf, jpg, doc, rtf, etc.) are appended with the new extension .html, new headers are added into the code itself (see below), and the file data is encrypted and commented out in the "html file". I'd imagine the encryption occurs prior to the headers getting added, but that's of minor concern. I am pretty sure the files are encrypted because file sizes seem accurate and of different lengths, and an RTF file was not plain text.

I have two questions:

1. Does anyone have any ideas how to fix this?
2. If not, could you at least tell how the file was encrypted if an example file were given, and offer some thoughts on how best (if possible) to decrypt the file?

<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' content='0; url=http://mblblock.in/i.php?uid={576EA00E-B0D5-8825-1FED-C864CA4E561E}' /><title>Index</title></head><body></body><!--

and ends with

--></html>

Thanks for any help that can be provided.
0
Asked by: ReppertFactor
1 Solution

dbaideme commented:
Could alternate data streams have been used? You can check using the program from Microsoft.

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
0
 
ReppertFactor (Author) commented:
Here is an example file for review.
gettysburg-national-park-map.jpg.html
0
 
CorruptCorey commented:
I have the same issue; here is an example "document":
Advent-Wreath-Blessing.doc.html
0
Sudeep Sharma (Technical Designer) commented:
Well, as per this article, if you have not removed the original infection, then there is a chance that you could get the password to decrypt the files from the Dr. Web forum. Please read the whole article and page here:

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/page-13#entry3001838

Sudeep
0
 
ReppertFactor (Author) commented:
Unfortunately, per those instructions, file names would have been appended with an email address, but that is not the case here. They were renamed with a .html extension. I think Dr. Web uses that email address to parse the password. If you feel I am misinterpreting that thread, please let me know.
0
 
ReppertFactor (Author) commented:
Unfortunately, from all of my testing, the files are not in password-protected RAR format like the previous variations. I've tried extracting the binary portion of the file and renaming it to .rar, and it is unrecognized by WinRAR and 7-Zip. One of the previous variations made them self-extracting, so I took a risk and renamed it to .exe, still with no success.
0
 
ReppertFactor (Author) commented:
Also the original infection was removed before it was realized the files were encrypted.
0
 
Sudeep Sharma (Technical Designer) commented:
>>>Also the original infection was removed before it was realized the files were encrypted.

It is very much necessary to get those original files, as it would help the virus researchers and analysts to know what is used to encrypt the files and if they have the password or some hash saved on your system to encrypt it.

Further, did you try a tool like Recuva to check if it can recover any of those files in their original state? Though the chances are low, as these ransomware programs use tools like sdelete to delete the files so that they cannot be recovered.

Recuva Download:
http://www.piriform.com/recuva

Sudeep
0
 
ReppertFactor (Author) commented:
Hi,

I have an original version of a file via redownloading it, so yes, I have at least one instance where we have a directly comparable file.

Attached:
gettysburg-national-park-map.jpg
0
 
ReppertFactor (Author) commented:
The latest documented variation actually uses sdelete to delete its own temporary files, namely the files it stores the encryption password in. So hopefully that's not the case here.
0
 
ReppertFactor (Author) commented:
I found some interesting files in \Users\%user%\AppData\Roaming\Microsoft\Installer\{6B6C4C46-1B7E-4A41-9E70-ACFBB22B1D81}

namely 3 copies of Icon<8hexchar>.exe with creation dates appropriate to the infection time. The exes don't appear to do anything if you run them (on a snapshotted virtual machine), but I expect they may play a role in the ransomware's function.

http://www.mediafire.com/?c11so3ero5o9h4p
0
 
ReppertFactor (Author) commented:
Thanks for all your help. Fabian Wosar on the bleepingcomputer thread has solved the issue.

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-3

He provides a decryption tool that scans for encrypted html files.

"The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted file is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe"
0
 
ReppertFactor (Author) commented:
The tool provided by the 3rd party is able to decrypt all affected files.
0
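Putting the thread's observations together (the HTML wrapper quoted in the question and the RC6-plus-XOR description in Fabian Wosar's reply), here is an added triage script for affected files. It is not from this thread and is not Emsisoft's decrypter: it only recognises the wrapper, recovers the original file name and the enclosed payload, and reports properties (size, 16-byte block alignment, entropy, surviving magic bytes, and a known-plaintext check against a clean copy) that tell a responder whether the data is really encrypted rather than merely wrapped. It assumes the payload sits directly between `<!--` and `-->` with no separator; the uid in the constructed sample is a placeholder, not a real victim id.

```python
import math
import re
from collections import Counter

# Header and trailer as quoted in the question; the uid GUID differs per victim and is captured.
HEADER_RE = re.compile(
    rb"\A<html xmlns='http://www\.w3\.org/1999/xhtml'><head><meta http-equiv='refresh' "
    rb"content='0; url=http://mblblock\.in/i\.php\?uid=\{([0-9A-Fa-f-]+)\}' />"
    rb"<title>Index</title></head><body></body><!--")
TRAILER = b"--></html>"
MAGICS = {b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"{\\rtf": "rtf", b"\xd0\xcf\x11\xe0": "ole"}

def unwrap(data):
    """Return (uid, payload) when data carries the wrapper, else None. Never strip(): payload is binary."""
    m = HEADER_RE.match(data)
    if m is None or not data.endswith(TRAILER) or len(data) < m.end() + len(TRAILER):
        return None
    return m.group(1).decode("ascii"), data[m.end():len(data) - len(TRAILER)]

def entropy(buf):
    """Shannon entropy in bits per byte: near 8.0 for ciphertext, clearly lower for most documents."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage(name, data, original=None):
    """Characterise one affected file; pass a clean copy as `original` when one exists."""
    hit = unwrap(data)
    if hit is None:
        return {"file": name, "wrapped": False}
    uid, payload = hit
    report = {
        "file": name, "wrapped": True, "uid": uid,
        "original_name": name[:-5] if name.endswith(".html") else name,
        "payload_len": len(payload),
        "block16_aligned": len(payload) % 16 == 0,  # RC6 works on 16-byte blocks
        "known_magic": next((t for mg, t in MAGICS.items() if payload.startswith(mg)), None),
        "entropy": round(entropy(payload), 2),
    }
    if original is not None:
        report["same_size_as_original"] = len(payload) == len(original)
        # Known-plaintext check: a bare single-byte XOR leaves one constant here; RC6 output will not.
        report["single_byte_xor"] = len({a ^ b for a, b in zip(payload, original)}) == 1
    return report

# Constructed sample (not a real victim file): placeholder uid, 512 bytes standing in for ciphertext.
SAMPLE_UID = b"00000000-0000-0000-0000-000000000000"
SAMPLE_PAYLOAD = bytes(range(256)) * 2
SAMPLE = (b"<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' "
          b"content='0; url=http://mblblock.in/i.php?uid={" + SAMPLE_UID + b"}' />"
          b"<title>Index</title></head><body></body><!--" + SAMPLE_PAYLOAD + TRAILER)
```

A surviving magic value or a low entropy means the payload is only wrapped, not encrypted; a high-entropy, 16-byte-aligned payload with no single-byte XOR relation to the clean copy is consistent with the block-cipher description in the thread, and the extracted payload is what you would hand to a researcher or decrypter.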