Ransomware Help!

I have a customer that was hit with the ACCDFISA v2.0 ransomware. They had the backup drive mounted, so it seems like it deleted the files rather than encrypting them. Is there any solution to this? They are asking for $4000 in Bitcoin.

Thanks.
Mario Martinez, IT Consultant, asked:

John, Business Consultant (Owner), commented:
No. Backups, you have now learned, must be disconnected.

Do not pay the ransom as many times that does not even work.

Format, reinstall and start over.
btan, Exec Consultant, commented:
You could consider checking against ID Ransomware and NoMoreRansom. These are sites with a repository of keys and applications that may decrypt data locked by different types of ransomware. The caveat is that there may not be a decryptor available, but there is no harm in trying.

https://id-ransomware.malwarehunterteam.com/index.php

https://www.nomoreransom.org/en/decryption-tools.html

I read past info that this family's files are not encrypted but are just password-protected RAR files. An old site provides advice; it may be worth trying to ask for help there too.

https://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/page-13#entry3001838

gr8gonzo, Consultant, commented:
Before you format and start over, I'd suggest checking around for a decryption tool. I just ran a quick Google search and found a couple results for ACCDFISA 2.0 decryption tools. I cannot vouch for whether or not they're legitimate - you'll have to make that judgment and weigh risks/benefits (you could try it in a virtual machine first to test the tool before you run it on everything).

Here's one such example:
http://karwos.net/accdfisa20/

Again, I'm always a little cautious about downloading/running anything from a site where the grammar and spelling are terrible, but sometimes you could get lucky.

Prabhin MP, Engineer-TechOPS, commented:
How will you decrypt if the files got deleted?
Mario Martinez, IT Consultant (Author), commented:
Files were deleted from the backup drive; actually, they were hidden. I ran EaseUS recovery software, and it looks like I may have an old backup I can work with.
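Two findings in this thread are worth verifying before restoring anything: btan's note that this family wraps files in password-protected RAR archives rather than truly encrypting them, and the author's discovery that the "deleted" backup files were in fact only hidden. The triage script below is an added example and is not code from the original thread or from any of the tools mentioned. It walks a directory tree and, for each file, reports whether it carries the Windows hidden attribute (or a dot-prefix on POSIX) and whether its first bytes carry the public RAR 4/5 signatures, look like high-entropy ciphertext, or look like ordinary data. The `demo()` function builds a small constructed sample tree in a temporary directory; the file names in it are made up for illustration.

```python
import math
import os
import stat
import tempfile
from pathlib import Path

# Public RAR archive signatures (format documentation, not specific to this malware).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
FILE_ATTRIBUTE_HIDDEN = 0x2  # bit in st_file_attributes on Windows


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_content(head: bytes) -> str:
    """Label a file from its leading bytes (read ~4 KiB; no full-file hashing needed)."""
    if head.startswith(RAR5_MAGIC):
        return "rar5-archive"
    if head.startswith(RAR4_MAGIC):
        return "rar4-archive"
    if shannon_entropy(head) > 7.0:
        return "high-entropy"
    return "plain"


def is_hidden(name: str, attrs: int) -> bool:
    """True if the Windows hidden attribute is set or the name is a POSIX dotfile."""
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or name.startswith(".")


def triage(root) -> list:
    """Walk `root` read-only and return one record per regular file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.lstat()
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks and specials; never follow them
                with open(p, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            attrs = getattr(st, "st_file_attributes", 0)  # absent on POSIX
            results.append({
                "path": str(p),
                "hidden": is_hidden(name, attrs),
                "kind": classify_content(head),
                "size": st.st_size,
            })
    return sorted(results, key=lambda r: r["path"])


def demo() -> list:
    """Constructed sample tree: a RAR-wrapped file, a plain file, and a hidden dotfile."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    samples = {
        "invoice.docx": RAR4_MAGIC + b"\x00" * 64,          # wrapped in an archive
        "notes.txt": b"quarterly notes\n" * 40,             # untouched text
        ".ledger.xlsx": bytes(range(256)) * 4,              # hidden, random-looking
    }
    for name, payload in samples.items():
        (Path(root) / name).write_bytes(payload)
    return triage(root)


if __name__ == "__main__":
    for rec in demo():
        flag = "HIDDEN " if rec["hidden"] else "       "
        print(f"{flag}{rec['kind']:14} {rec['size']:8d}  {rec['path']}")
```

Run it against the mounted backup volume (read-only) before any recovery step: a tree full of `rar4-archive` hits supports the password-protected-archive theory and points toward archive recovery rather than a decryptor, while `high-entropy` hits with no signature mean the data really was encrypted. On Windows the hidden flag comes from `st_file_attributes`; on other platforms only dotfiles are flagged.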
John, Business Consultant (Owner), commented:
That is about all you can do if you have an old but disconnected backup.

Reinstall Windows (to eradicate the ransomware virus), install software and then use the older backup.
Prabhin MP, Engineer-TechOPS, commented:
Make sure that the infected mail is separated from the network before performing any sort of actions.
Prabhin MP, Engineer-TechOPS, commented:
I suggest going with what John said.

This is a lesson for everyone: never leave the backup share mounted on any of the machines after use.
Once your purpose is done, disconnect as soon as possible.
serialband commented:
You actually want at least 2 backups. You do want to keep continuous backups, but you should also have offline backups. 99% of the time, you don't get ransomware, so it's fine to keep it online. You keep the offline backup and use it periodically, so that you can recover in the event that you do encounter ransomware. In a company, I would suggest 2 offline backups that can be rotated off site. I'd also put one backup in the cloud at a location away from your region, so that you can recover in the event of a large natural disaster. It never hurts to have multiple backups.
John, Business Consultant (Owner), commented:
Our client tapes are removed each day and 1 weekly is taken off site (disaster recovery). Removing them each day protects against ransomware. We have not had that because we have really top-notch spam control and users delete emails from suspicious or unknown sources.