Solved

Savepanda@india.com Ransomware

Posted on 2016-08-29
Medium Priority
141 Views
Last Modified: 2016-09-20
I have a server currently impacted with the Savepanda@india.com ransomware virus, but am having no luck at all removing the encryption. I believe I have taken care of the affected PC, but still have a network location full of files that I'm in desperate need of unlocking. I have followed countless tutorials, including using Kaspersky Shade Decryptor to try to remove the encryption, but the app says the encryption doesn't match any of those in the database. Any assistance would be gratefully appreciated, as we are currently dead in the water. Long story short, recovery from a backup is not possible, nor is Volume Shadow Copy.
Question by:Kyle Witter
9 Comments
 
LVL 64

Accepted Solution

by:
btan earned 1200 total points (awarded by participants)
ID: 41775752
Better to use ID Ransomware (https://id-ransomware.malwarehunterteam.com/) or Crypto Sheriff (https://www.nomoreransom.org/crypto-sheriff.php) to identify the ransomware, so as to facilitate any available decryptor tool for it.

Likely it belongs to the XTBL/CrySiS ransomware family, which I suppose is why you used the Shade decryptor, and there is also no guarantee it works for variations of the ransom family. In fact there is another tool from McAfee too, a "Shade Ransomware Decryptor Tool": http://www.mcafee.com/us/downloads/free-tools/shadedecrypt.aspx

Good to confirm the type. I do suggest the clean build instead of scanning, though you can go into the manual removal of the traces of the ransomware as shared in http://sensorstechforum.com/savepandaindia-com-virus-remove-restore-xtbl-files/

As a whole, if there is no backup and the decryptor does not readily work, it is quite tough to get back that list of files. Even forensics will be a challenge, as the malware will have securely wiped those files.
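Before uploading anything to ID Ransomware or Crypto Sheriff, it helps to inventory the share once and collect exactly what those services ask for: the appended extension, the contact address embedded in the names, the ransom note file, the count of affected files and the modification-time window. The script below is an added example, not code from the thread or from either service; the `original.ext.id-<HEXID>.[<email>].<newext>` filename layout, the ransom-note name hints and the sample share are all constructed assumptions.

```python
import collections
import os
import re
import tempfile
from pathlib import Path

# Assumed layout of an encrypted file name (illustrative, not taken from the thread):
#   original.ext.id-<HEXID>.[<contact email>].<new extension>
ENC_RE = re.compile(r'^(?P<orig>.+?)\.id-(?P<id>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$')
# Substrings commonly seen in ransom-note file names (assumption, extend for your case)
NOTE_HINTS = ('how to decrypt', 'readme', 'decrypt')

def triage_share(root):
    """Walk a share and collect what an identification service needs, plus incident scope."""
    s = {'encrypted': 0, 'untouched': 0, 'extensions': collections.Counter(),
         'emails': collections.Counter(), 'ids': set(), 'notes': [],
         'first_mtime': None, 'last_mtime': None}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = ENC_RE.match(name)
            if m:
                s['encrypted'] += 1
                s['extensions'][m['ext'].lower()] += 1
                s['emails'][m['email'].lower()] += 1
                s['ids'].add(m['id'].upper())
                mt = os.path.getmtime(path)  # bounds the encryption window for the timeline
                s['first_mtime'] = mt if s['first_mtime'] is None else min(s['first_mtime'], mt)
                s['last_mtime'] = mt if s['last_mtime'] is None else max(s['last_mtime'], mt)
            elif any(h in name.lower() for h in NOTE_HINTS):
                s['notes'].append(path)  # the note is what Crypto Sheriff wants uploaded
            else:
                s['untouched'] += 1
    return s

def build_sample_share():
    """Constructed sample tree (not real data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix='share_')
    files = {
        'finance/q2.xlsx.id-A1B2C3D4.[savepanda@india.com].xtbl': b'\x00' * 64,
        'finance/how to decrypt your files.txt': b'constructed ransom note text',
        'hr/staff.docx.id-A1B2C3D4.[savepanda@india.com].xtbl': b'\x00' * 32,
        'hr/policy.pdf': b'%PDF-1.4 intact sample',
    }
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root

if __name__ == '__main__':
    r = triage_share(build_sample_share())
    print(f"{r['encrypted']} encrypted, {r['untouched']} untouched, ext {dict(r['extensions'])}, "
          f"contacts {dict(r['emails'])}, ids {sorted(r['ids'])}, notes {r['notes']}")
```

Run it against the real share root instead of the sample tree; the extension, contact address and note path it reports are the inputs the identification services ask for, and the mtime window tells you when the encryption ran.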
 
LVL 88

Expert Comment

by:rindi
ID: 41775934
Delete the files on the server, then restore them from your backups.
 
LVL 1

Author Comment

by:Kyle Witter
ID: 41776298
btan,

Thank you for the valuable information. I'm working through the McAfee software now. The ransom letter on this particular version does not show a key.
 
LVL 88

Expert Comment

by:rindi
ID: 41776318
Don't waste your time with non-existing keys and decryption tools. Just do the restore from your backups and you'll be fine. That's one of the reasons you have backups.
 
LVL 1

Author Comment

by:Kyle Witter
ID: 41776326
As previously mentioned, there are no backups of this device.
 
LVL 88

Assisted Solution

by:rindi
rindi earned 400 total points (awarded by participants)
ID: 41776364
Then consider the data lost and start fresh. After all, it can't have been important data if there was no backup.
 
LVL 64

Assisted Solution

by:btan
btan earned 1200 total points (awarded by participants)
ID: 41776483
If you check the guide of the tool, it states you need to get the private key file:
1. Run the command with the User ID:
>shadedecrypt.exe -u F7AB2CA6D04AC4DA110C
You will receive a URL output to the console. Copy this URL into a browser and download the linked text
file. If you get a message such as "404 file not found" or " Cannot find file", then we have been
unable to locate the private key that encrypted the files.
So if that is missing, the decryptor tool will not work for McAfee and also Kaspersky. This variant may have already evolved to close up the gaps and misses in the earlier version. Looks like there are no other means and you just have to move on then ...
http://www.mcafee.com/us/resources/misc/guides/shadedecrypt-readme.pdf
 
LVL 30

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 400 total points (awarded by participants)
ID: 41780947
Generally, if there is nothing on nomoreransom.org, then you are out of luck. Backups (versioning only) will help you in the future, but for now those files may be lost. Make a backup, in case a key/decryptor is made available in the future, then rebuild.
 
LVL 64

Expert Comment

by:btan
ID: 41806190
As advised.

Question has a verified solution.
