  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 147

Savepanda@india.com Ransomware

I have a server currently impacted with the Savepanda@india.com ransomware virus, but am having no luck at all removing the encryption.  I believe I have taken care of the affected PC, but still have a network location full of files that I'm in desperate need of unlocking.  I have followed countless tutorials, including using Kaspersky Shade Decryptor to try to remove the encryption, but the app says the encryption doesn't match any of those in the database.  Any assistance would be greatly appreciated, as we are currently dead in the water.  Long story short, recovery from a backup is not possible, nor is Volume Shadow Copy.
Asked by: Kyle Witter

4 Solutions
 
btanExec ConsultantCommented:
It is better to use ID Ransomware (https://id-ransomware.malwarehunterteam.com/) or Crypto Sheriff (https://www.nomoreransom.org/crypto-sheriff.php) to identify the ransomware, so as to find any available decryptor tool for it.

Likely it belongs to the XTBL/CrySiS ransomware family, which is why I suppose you used the Shade decryptor, and there is also no guarantee it works for variations of the ransomware family. In fact there is another tool from McAfee too, a "Shade Ransomware Decryptor Tool": http://www.mcafee.com/us/downloads/free-tools/shadedecrypt.aspx

Good to confirm the type. I do suggest a clean build instead of scanning, though you can go into the manual removal of the traces of the ransomware as shared in http://sensorstechforum.com/savepandaindia-com-virus-remove-restore-xtbl-files/

As a whole, if there is no backup and the decryptor does not readily work, it is quite tough to get back those files. Even forensics will be a challenge, as the malware will have securely wiped those files.
0
 
rindiCommented:
Delete the files on the server, then restore them from your backups.
0
 
Kyle WitterAuthor Commented:
btan,

Thank you for the valuable information.  I'm working through the McAfee software now. The ransom letter on this particular version does not show a key.
0
 
rindiCommented:
Don't waste your time with non-existent keys and decryption tools. Just do the restore from your backups and you'll be fine. That's one of the reasons you have backups.
0
 
Kyle WitterAuthor Commented:
As previously mentioned, there are no backups of this device.
0
 
rindiCommented:
Then consider the data lost and start fresh. After all, it can't have been important data if there was no backup.
0
 
btanExec ConsultantCommented:
If you check the guide for the tool, it states you need to get the private key file:
1. Run the command with the User ID:
>shadedecrypt.exe -u F7AB2CA6D04AC4DA110C
You will receive a URL output to the console. Copy this URL into a browser and download the linked text file. If you get a message such as "404 file not found" or "Cannot find file", then we have been unable to locate the private key that encrypted the files.
So if that is missing, the decryptor tool will not work, for McAfee and also Kaspersky. This variant may have already evolved to close up the gaps and misses in the earlier version. Looks like there are no other means and you just have to move on then ...
http://www.mcafee.com/us/resources/misc/guides/shadedecrypt-readme.pdf
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
Generally, if there is nothing on nomoreransom.org, then you are out of luck. Backups (versioning only) will help you in the future, but for now those files may be lost.  Make a backup, in case a key/decryptor is made available in the future, then rebuild.
0
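Two of the replies above, btan's suggestion to identify the family through ID Ransomware or Crypto Sheriff and Thomas Zucker-Scharff's advice to keep a copy of the encrypted files in case a decryptor appears later, both start from the same raw material: the renamed files sitting on the share. The script below is an added example, not code from this thread or from any vendor tool. It assumes the XTBL/CrySiS-style renaming convention `<original name>.id-<victim ID>.{<contact e-mail>}.xtbl` (some variants use `[` `]` instead of `{` `}` around the address); the victim ID `B4500913`, the file names and the directory tree it builds are constructed sample data. It walks a share, pulls the victim ID and contact address out of the file names (the values the identification services ask for alongside a sample file and the ransom note), and writes a SHA-256 manifest so the preserved copy can be checked for integrity before anyone tries a future decryptor on it.

```python
"""Inventory files renamed by an XTBL/CrySiS-style ransomware.

Added example, not from the thread or from any decryptor vendor.
Assumed renaming convention (differs between variants):
    <original name>.id-<victim ID>.{<contact e-mail>}.xtbl
with either {...} or [...] around the contact address.
"""
import csv
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the victim ID is hex and the contact address sits in {} or [].
XTBL_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{6,32})"
    r"\.[\[{](?P<contact>[^\]}]+)[\]}]\.xtbl$"
)


def parse_encrypted_name(name):
    """Return original name, victim ID and contact address, or None."""
    m = XTBL_NAME.match(name)
    return m.groupdict() if m else None


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large share does not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """Walk root and collect every file whose name matches XTBL_NAME."""
    root = Path(root)
    rows, victim_ids, contacts = [], Counter(), Counter()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        info = parse_encrypted_name(path.name)
        if info is None:
            continue  # untouched file, or the ransom note itself
        victim_ids[info["victim_id"]] += 1
        contacts[info["contact"]] += 1
        rows.append({
            "path": path.relative_to(root).as_posix(),
            "original": info["original"],
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {"files": rows, "victim_ids": victim_ids, "contacts": contacts}


def write_manifest(inv, out_path):
    """CSV manifest to keep next to the preserved copy of the share."""
    with Path(out_path).open("w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=["path", "original", "size", "sha256"])
        w.writeheader()
        w.writerows(inv["files"])
    return len(inv["files"])


def build_sample_share(root):
    """Constructed sample tree; names, contents and the ID are made up."""
    root = Path(root)
    (root / "Finance").mkdir(parents=True, exist_ok=True)
    samples = {
        "Finance/report.docx.id-B4500913.{savepanda@india.com}.xtbl": b"\x00" * 300,
        "Finance/db.sql.id-B4500913.{savepanda@india.com}.xtbl": b"\x01" * 1200,
        "photo.jpg.id-B4500913.[savepanda@india.com].xtbl": b"\x02" * 64,
        "budget.xlsx": b"untouched spreadsheet",
        "How to decrypt your files.txt": b"constructed ransom note text",
    }
    for rel, data in samples.items():
        (root / rel).write_bytes(data)
    return root


def demo():
    """Build the sample share in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_share(tmp)
        inv = inventory(root)
        write_manifest(inv, root / "manifest.csv")
    return inv


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['files'])} encrypted files")
    print("victim IDs:", dict(result["victim_ids"]))
    print("contact addresses:", dict(result["contacts"]))
    for row in result["files"]:
        print(row["path"], row["size"], row["sha256"][:16])
```

Point `inventory()` at the real share (mounted read-only) instead of the constructed tree; more than one victim ID or contact address in the counters is a sign that several infected hosts wrote to the same share, which matters because each would need its own key.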
 
btanExec ConsultantCommented:
As advised.
0
