safe-data.ru Infection

Ran into a new infection on a computer today. The computer boots to a DOS-style screen that says the following:

Your PC is blocked.
All the hard drives were encrypted.
Browse www. safe-data. ru to get an access to your system and files.
Any attempt to restore the drives using other way will lead to inevitable data loss.
Please remember: Your ID: 773923
with its help your sign-on password will be generated.
Enter password:

I've done some Google searching but haven't been able to come up with virtually anything at all. Can't boot into various modes on the computer because it never gets into Windows. BartPE doesn't recognize the drive at all, and when I removed and installed it into an enclosure, Windows 7 sees this as an unallocated partition. Acronis won't allow me to clone the drive or create a disk image, since it sees it as an "empty drive".

Previously, the computer DID boot into XP, and the person had run MBAM, removing 347 entries. This happened immediately upon reboot. Reformatting is an option after any possible user data is recovered, preferably not before.

Any ideas? The Safe-data.ru site says $100 to "clean" it using the six digit member ID, and from what I've seen on Google, everyone's member ID is identical. The main page lists the item as "RBN Encryptor" which also returns nothing on Google with the exception of the designer of the site's portfolio, amusing enough.

The domain is registered to NAUNET-REG-RIPN as a private domain, and was registered on Nov 27th, 2010.

An updated thread online says the code "aaaaaaclip" may get you into the system but that hasn't worked in my case. Here's a link on the infection:

http://www.nsaneforums.com/topic/68902-new-ransomware-installs-itself-in-the-master-boot-record/

Edited by Zeromus-X, 30 November 2010 - 10:15 AM.

EDIT: Updated the first post instead of just posting replies, but can't delete my own posts. Oops.

Edited by Orange Blossom, 29 November 2010 - 08:42 PM.
Move to AII for initial assistance. ~ OB

Hi,

i ran into the same problem today.

I'm recovering my data at the moment. I got access to my "encrypted" partitions by downloading, burning and running Hiren's Boot CD <link removed since Hiren's boot CD is not supported at BC>. Inside the mini XP System I installed EASEUS Partition Recovery. I recovered my lost partitions and after a reboot with Hiren's mini XP I could access and backup all data on the former lost partitions to an external drive.
I'll see if I can repair the complete system afterward and will post my experiences with it.

I hope this helps you for the moment.

Ran into a new infection on a computer today. The computer boots to a DOS-style screen that says the following:

Your PC is blocked.
All the hard drives were encrypted.
Browse www. safe-data. ru to get an access to your system and files.
Any attempt to restore the drives using other way will lead to inevitable data loss.
Please remember: Your ID: 773923
with its help your sign-on password will be generated.
Enter password:

I've done some Google searching but haven't been able to come up with virtually anything at all. Can't boot into various modes on the computer because it never gets into Windows. BartPE doesn't recognize the drive at all, and when I removed and installed it into an enclosure, Windows 7 sees this as an unallocated partition. Acronis won't allow me to clone the drive or create a disk image, since it sees it as an "empty drive".

Previously, the computer DID boot into XP, and the person had run MBAM, removing 347 entries. This happened immediately upon reboot. Reformatting is an option after any possible user data is recovered, preferably not before.

Any ideas? The Safe-data.ru site says $100 to "clean" it using the six digit member ID, and from what I've seen on Google, everyone's member ID is identical. The main page lists the item as "RBN Encryptor" which also returns nothing on Google with the exception of the designer of the site's portfolio, amusing enough.

Edited by elise025, 30 November 2010 - 12:35 PM.
Link to Hiren's Boot CD removed.

I haven't tried the Hiren's disc yet, but from this link:

http://www.securelist.com/en/blog/208188032/And_Now_an_MBR_Ransomware

SecureList is saying that Kaspersky's Rescue 10 disc can repair the partition and boot back into Windows without having to worry about a backup/restore situation. I'm downloading the ISO right now to give it a shot. That link lists two passwords to try -- "aaaaaaclip" and "aaaaadabia", neither of which worked in my situation, which leads me to believe that there are many more variants of this virus than Kaspersky is thinking right now.

Hello, this appears to be indeed a very new and very advanced ransomware infection.

What we can try is rewriting the MBR, however, I want to subline that this is an untried procedure. I would like to check this back with a few experts and will get back to you shortly.

I removed all links to Hirens BootCD, since this is not supported at BC. The mirror contains copyright protected microsoft files as well as tools used to circumvent certain security measures.

Please keep me also informed about the Kaspersky rescue disk and more important, if it works as promised.

Edited by elise025, 30 November 2010 - 12:51 PM.

The Kaspersky disc did nothing for me. The Boot Sector scan ran for about an hour and returned apparently nothing; the full system scan halts in about five seconds and returns to the menu. I don't know if it's an issue with this particular infection or an incompatibility somewhere else along the line, but it's proving to be worth what I paid for it.

There's another forum where people are tossing around ideas, but it's all in Greek. I've been trying to keep up on it via Google Translate. Someone over there mentioned Hiren's CD as well. A Google search does return someone who was able to get to their files using the CD, though it wasn't able to clean the infection -- only allow them to back up their files so they could reformat. I'm still holding out for a solution that doesn't involve a wipe and reinstall. While there's the potential for other security holes to be present, this computer is going to be decommissioned from the Internet after this, and the client would rather have his software functional.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

• Run GETxPUD.exe
• A new folder will appear on the desktop.
• Open the GETxPUD folder and click on the get&burn.bat
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
• Click on Start and follow the prompts to burn the image to a CD.
• Download xPUDtestdisk.exe and save it to the USB device
• Double click xPUDtestdisk.exe to extract the contents to your USB device
• Remove the USB & CD and insert it in the sick computer
• Boot the Sick computer with the CD you just burned
• The computer must be set to boot from the CD
• Gently tap F12 and choose to boot from the CD
• Follow the prompts
• A Welcome to xPUD screen will appear
• Press File
• Expand mnt
• sda1,2...usually corresponds to your HDD
• sdb1 is likely your USB
• Click on the folder that represents your USB drive (sdb1 ?)
• Press Tool at the top
• Choose Open Terminal
• Type testdisk/testdisk_static
• Press Enter
  • The TestDisk command window will open
  • Choose Create and press Enter
  • TestDisk will now detect all local hard drives
  • Use the arrow (up and down) keys to highlight the disk called /dev/sda if it represents your primary hard drive and press Enter
  • If your not sure then note everything you see and post it for my review
  • Select Intel (even if you have an AMD processor) and press Enter
  • Select Advanced and press Enter
  • Select [Boot] and press Enter
  • Select [Dump] and press Enter
  • Select [Quit] to exit
• A log will be created in the root of the usb device
• Remove the USB drive and insert back in your working computer
  
  Please note - all text entries are case sensitive

Copy and paste the resultant log for my review

I'm on it. Since this is a relatively unknown infection, what do we think the odds are of infection of the USB drive? I've already created a fake autorun.inf to block that out, but I'm not totally familiar with what a boot sector virus can do to a flash drive, if anything.

No worries about that. The HD is not active since we do not use it to boot from. In that state the infection is not loaded and thus harmless.
Boot sector malware is nothing new, just this ransom version.

From within the Testdisk software, I can see the hard disk as SDA, then can get to [Intel]. When I select [Advanced], I'm stopped with an error "No Partition Available", and the only option is to quit.

Edited by Zeromus-X, 30 November 2010 - 02:49 PM.

In Testdisk, instead of Advanced, select Analyse to check your current partition structure and search for lost partitions.
Confirm at Analyse with Enter to proceed.
Now, your current partition structure is listed. Examine your current partition structure for missing partitions and errors.
Confirm at Quick Search to proceed.
When asked to search for Vista Partitions, type N
Any found partitions will now be listed. Please see if the information is correct.

At this point press Q until you exit and post me the Testdisk log (will be created on your USB drive).

Tue Nov 30 14:46:56 2010
Command line: TestDisk

TestDisk 6.12-WIP, Data Recovery Utility, April 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4 - Jul 27 2010 17:00:22
ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
/dev/sda: LBA, HPA, DCO support
/dev/sda: size 78165360 sectors
/dev/sda: user_max 78165360 sectors
/dev/sda: native_max 78165360 sectors
/dev/sda: dco 78165360 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
Hard disk list
Disk /dev/sda - 40 GB / 37 GiB - CHS 4865 255 63, sector size=512 - ATA ST340015A
Disk /dev/sdb - 2004 MB / 1912 MiB - CHS 1018 62 62, sector size=512 - FLASH Drive SM_USB20
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32770 1 1 (RO), sector size=2048 - LITE-ON DVDRW SOHW-832S

Partition table type (auto): Intel
Disk /dev/sda - 40 GB / 37 GiB - ATA ST340015A
Partition table type: Intel

Interface Advanced

Analyse Disk /dev/sda - 40 GB / 37 GiB - CHS 4865 255 63
Current partition structure:
No partition is bootable
Ask the user for vista mode
Computes LBA from CHS for Disk /dev/sda - 40 GB / 37 GiB - CHS 4866 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 40 GB / 37 GiB - CHS 4866 255 63
FAT32 at 0/1/1
FAT1 : 38-10810
FAT2 : 10811-21583
start_rootdir : 21584 root cluster : 2
Data : 21584-11052655
sectors : 11052656
cluster_size : 8
no_of_cluster : 1378884 (2 - 1378885)
fat_length 10773 calculated 10773
heads/cylinder 240 (FAT) != 255 (HD)

FAT32 at 0/1/1
FAT32 0 1 1 687 254 62 11052656 [PRESARIO_RP]
FAT32, 5658 MB / 5396 MiB
NTFS at 688/0/1
heads/cylinder 240 (NTFS) != 255 (HD)
filesystem size 67102560
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 4193909
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 688 0 1 4864 239 63 67102560 [PRESARIO]
NTFS, 34 GB / 31 GiB
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=8 nbr=4
get_geometry_from_list_part_aux head=16 nbr=4
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=4
get_geometry_from_list_part_aux head=255 nbr=3
Warning: the current number of heads per cylinder is 255 but the correct value may be 240.

Results
* FAT32 0 1 1 687 254 63 11052657 [PRESARIO_RP]
FAT32, 5658 MB / 5396 MiB
P HPFS - NTFS 688 0 1 4864 254 63 67103505 [PRESARIO]
NTFS, 34 GB / 31 GiB

interface_write()
1 * FAT32 0 1 1 687 254 63 11052657 [PRESARIO_RP]
2 P HPFS - NTFS 688 0 1 4864 254 63 67103505 [PRESARIO]
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Interface Advanced

Interface Advanced

Analyse Disk /dev/sda - 40 GB / 37 GiB - CHS 4866 255 63
Current partition structure:
No partition is bootable
Ask the user for vista mode
Allow partial last cylinder : Yes
search_vista_part: 0

search_part()
Disk /dev/sda - 40 GB / 37 GiB - CHS 4866 255 63
FAT32 at 0/1/1
FAT1 : 38-10810
FAT2 : 10811-21583
start_rootdir : 21584 root cluster : 2
Data : 21584-11052655
sectors : 11052656
cluster_size : 8
no_of_cluster : 1378884 (2 - 1378885)
fat_length 10773 calculated 10773
heads/cylinder 240 (FAT) != 255 (HD)

FAT32 at 0/1/1
FAT32 0 1 1 687 254 62 11052656 [PRESARIO_RP]
FAT32, 5658 MB / 5396 MiB
NTFS at 688/0/1
heads/cylinder 240 (NTFS) != 255 (HD)
filesystem size 67102560
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 4193909
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 688 0 1 4864 239 63 67102560 [PRESARIO]
NTFS, 34 GB / 31 GiB
Search for partition aborted
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=8 nbr=4
get_geometry_from_list_part_aux head=16 nbr=4
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=4
get_geometry_from_list_part_aux head=255 nbr=3
Warning: the current number of heads per cylinder is 255 but the correct value may be 240.

Results
* FAT32 0 1 1 687 254 63 11052657 [PRESARIO_RP]
FAT32, 5658 MB / 5396 MiB
P HPFS - NTFS 688 0 1 4864 254 63 67103505 [PRESARIO]
NTFS, 34 GB / 31 GiB

interface_write()
1 * FAT32 0 1 1 687 254 63 11052657 [PRESARIO_RP]
2 P HPFS - NTFS 688 0 1 4864 254 63 67103505 [PRESARIO]

What I see here is a 5,5 GB FAT32 partition (compaq recovery?) and a 34,5 GB NTFS partition on a 40 GB drive. Is this supposed to be so?

That's probably accurate. The client stores most of his data on an external drive and uses this drive for his OS and program installs.

Just as a heads up, I won't be back at the computer until about 10:30 AM EST, so if anyone posts any updates, it'll be a little while before I can respond.