
Ransomware Help!

Mario Martinez
I have a customer that was hit with the ACCDFISA v2.0 ransomware. They had the backup drive mounted, so it seems like it deleted the files rather than encrypting them. Is there any solution to this? They are asking for $4000 in Bitcoin.

Thanks.

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
No. Backups, you have now learned, must be disconnected.

Do not pay the ransom as many times that does not even work.

Format, reinstall and start over.
Exec Consultant
Distinguished Expert 2019
Commented:
Could consider checking against ID Ransomware and NoMoreRansom. These are sites with a repository of keys and applications that may decrypt data locked by different types of ransomware. The caveat is that there may not be a decryptor available, but there is no harm in trying.

https://id-ransomware.malwarehunterteam.com/index.php

https://www.nomoreransom.org/en/decryption-tools.html

I read in past info that this family's files are not encrypted but are just password-protected RAR files. An old site is providing advice which may be worth trying, to ask for help there too.

https://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/page-13#entry3001838

Commented:
Before you format and start over, I'd suggest checking around for a decryption tool. I just ran a quick Google search and found a couple of results for ACCDFISA 2.0 decryption tools. I cannot vouch for whether or not they're legitimate - you'll have to make that judgment and weigh risks/benefits (you could try it in a virtual machine first to test the tool before you run it on everything).

Here's one such example:
http://karwos.net/accdfisa20/

Again, I'm always a little cautious about downloading/running anything from a site where the grammar and spelling are terrible, but sometimes you could get lucky.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
How will you decrypt if the files got deleted?
Mario Martinez, IT Consultant

Author

Commented:
Files were deleted from the backup drive; actually, they were hidden. I ran EaseUS recovery software and it looks like I may have an old backup I can work with.
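Because this family hid the backup files rather than wiping them, a quick triage pass over the backup tree can show whether a "deleted" backup is really still there. The script below is an added example and is not code from any poster in this thread: it walks a backup root and reports directories where most files carry the hidden attribute. On Windows it reads `st_file_attributes`; elsewhere it assumes the dot-prefix convention so that it still runs (that fallback is an assumption for portability, not part of the thread).

```python
import os
import stat

def is_hidden(path: str) -> bool:
    """True if the file is hidden: FILE_ATTRIBUTE_HIDDEN on Windows
    (st_file_attributes is only present there); on other systems a leading
    dot is taken as 'hidden' by assumption, so the check runs anywhere."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
        return True
    return os.path.basename(path).startswith(".")

def hidden_ratio_by_dir(root: str) -> dict:
    """Map every directory under root to (hidden_count, total_count)."""
    counts = {}
    for dirpath, _dirs, files in os.walk(root):
        hidden = sum(1 for f in files if is_hidden(os.path.join(dirpath, f)))
        counts[dirpath] = (hidden, len(files))
    return counts

def suspicious_dirs(root: str, threshold: float = 0.8, min_files: int = 3) -> list:
    """Directories in which at least `threshold` of the files are hidden.
    A backup folder that looks empty in Explorer but is full of hidden
    files points to tampering, and the data may still be recoverable
    without any recovery tool at all."""
    flagged = []
    for d, (hidden, total) in hidden_ratio_by_dir(root).items():
        if total >= min_files and hidden / total >= threshold:
            flagged.append(d)
    return sorted(flagged)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for d in suspicious_dirs(root):
        print("mostly hidden:", d)
```

Run it against the mounted backup drive (read-only if possible) before deciding that the backup is gone; directories it flags can be inspected with `attrib` or `ls -a` and their hidden flag cleared once the machine itself has been rebuilt.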
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
That is about all you can do if you have an old but disconnected backup.

Reinstall Windows (to eradicate the ransomware virus), install software and then use the older backup.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Make sure that the infected mail is separated from the network before performing any sort of action.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
I suggest going with what John said.

This is a lesson for everyone: never leave the backup share mounted on any of the machines after use.
Once your purpose is done, disconnect as soon as possible.
You actually want at least 2 backups. You do want to keep continuous backups, but you should also have offline backups. 99% of the time, you don't get ransomware, so it's fine to keep it online. You keep the offline backup and use it periodically, so that you can recover in the event that you do encounter ransomware. In a company, I would suggest 2 offline backups that can be rotated off site. I'd also put one backup in the cloud at a location away from your region, so that you can recover in the event of a large natural disaster. It never hurts to have multiple backups.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Our client tapes are removed each day and 1 weekly tape is taken off site (disaster recovery). Removing them each day protects against ransomware. We have not had that because we have really top-notch spam control and users delete emails from suspicious or unknown sources.