ACCDFISA Protection Program - RansomWare



#1 adamtsv


Posted 24 February 2012 - 07:02 AM

Edit from Grinler:

A formal removal guide for this infection can be found here: How to remove and decrypt the ACCDFISA Protection Program




Hello guys! I had ACCDFISA Protection Program RansomWare 3 days ago. I was able to take off the screen lock by myself, but then I found out that almost all my files are encrypted and I decided to pay $300. I was not sure that I would get any codes, but I had no choice. My business and system were down for 5 hours. In 1 hour after I sent the MoneyPak code I received codes for the encrypted files, and after pasting the codes in the fields it started decrypting files and everything was back to normal.
Here are the codes for decrypting I received; try them to decrypt files, maybe it's going to work for you guys too:

First Passcode: deleted! (because no thanks and only bleep posts about me!)
Second Passcode: deleted! (because no thanks and only bleep posts about me!)

Please post here if it solves the problem.
Also, if you have other codes to unlock, post them here.


EDIT: Added Second Title

Edited by Grinler, 26 February 2012 - 08:59 PM.
Moved to better forum




#2 MNMcGyver


Posted 24 February 2012 - 10:21 AM

We were also infected with this garbage and we got past the lock screen but everything is either encrypted or not working correctly. Let's say that now I'm ready to pay the ransom - how would I go about contacting the "virus"?

#3 adamtsv


Posted 24 February 2012 - 10:51 AM

Today one of the users from this forum sent me a message with new info about the virus:

s****** said:

======================================================================
Just wanted to let you know that I tried this key also and was successfully able to decrypt the files that were encrypted by the virus. For some reason I was unable to reply to your post, so I decided to PM you instead just to let you know. However, I would caution users who use this code to make a backup of the encrypted files first. I say this because after extracting working codes from the virus program itself and inputting those codes into the "decrypter" program, the program actually deleted every single encrypted file. Thanks so much for your post, though, as this should definitely help other users who are infected with the same virus.
======================================================================

#4 AP_nFocus


Posted 24 February 2012 - 11:34 AM

To the moderators of this board.
Be aware that the user adamtsv has posted on our company blog in response to an article about this infection. He has been desperately trying to pass on these codes. After checking his user IP, we noticed that, though he was posting every 5 minutes or so, his IP was jumping from East Coast to West Coast. He also created other users in the same range of IPs to respond to his own post as a different person stating that the codes worked for them. My guess is the above posts in this thread are part of a similar attempt to prolong infection.
Also be aware that these "codes" can actually be found embedded in a file that comes from this infection. Attempts to use these codes result in serious data loss.

See the blog and adam's replies here: http://blog.nfocustech.com/2012/02/accdfisa-ransomware/

I would warn all future readers to in no way use these codes nor pay the ransom.

Edited by AP_nFocus, 24 February 2012 - 11:35 AM.


#5 adamtsv


Posted 24 February 2012 - 12:08 PM

I'm trying to help, but I get only bleep in my face.
I've deleted my post with codes!
Try to solve the problem by yourself!
I've paid and solved my problem.
I don't need negative posts about me!
Good luck, guys!

#6 Elise


Posted 24 February 2012 - 12:30 PM

Paying malware developers in order to regain access to your files is never a solution. Just think about it: the same guys who encrypted your files then can also attempt to steal your credit card or online payment details.

If you have a business with important files on a computer with internet access, by far the best precaution is to back up your data. That is important for home users too, but especially if you can ill afford to lose access to your data due to malware like this.

If you have become the victim of malicious encryption/ransom malware you may be interested to read this solution posted by Kaspersky. If you need help cleaning your computer from malware, please follow the steps outlined in this guide.

Finally, at BC we respect each other, which includes using appropriate language. Continued disrespect will not be tolerated and will ultimately have negative consequences for your membership of this forum.

This topic is now closed.

regards, Elise




#7 Grinler


Posted 24 February 2012 - 12:38 PM

In addition to what Elise has said, the IP addresses that some of the posters have been posting from are indeed suspicious.

Therefore, I strongly suggest you read the info contained in the blog post below before attempting to clean this infection or using random ransom codes that have been posted on the Internet. I am not saying the codes didn't work for the first poster, but I do not think it is worth the risk to use them. The information in the below blog post indicates that using codes will just delete the encrypted AES files. Furthermore, there is evidence that these are not encrypted at all, but rather renamed rar files. Please see the blog post below.

http://blog.nfocustech.com/2012/02/accdfisa-ransomware/

Last, but not least, from the cases reported on the blog post, it appears that the workstations/servers affected by this were manually exploited in some manner and that this is not a viral/worm/trojan downloaded from a web site.

I am going to try and find a sample so I can examine it further.
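
Added example, not part of the original thread or the referenced blog post: a read-only check for the claim above that the "encrypted" files may be renamed RAR archives. It compares each file's first bytes against the RAR 4.x and RAR 5 signatures; the sample tree, the file names and the `.locked-sample` extension are constructed placeholders, not the infection's real naming.

```python
import os
import tempfile

# RAR container signatures (file offset 0).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 through 4.x
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.0 and later


def classify_header(header: bytes) -> str:
    """Name the container format from the first bytes of a file."""
    if header.startswith(RAR5_MAGIC):
        return "rar5"
    if header.startswith(RAR4_MAGIC):
        return "rar4"
    return "unknown"


def find_disguised_rars(root: str) -> dict:
    """Read-only walk: map relative path -> RAR version for every file
    that carries a RAR signature but is not named *.rar."""
    hits = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:  # opened for reading only
                kind = classify_header(fh.read(8))
            if kind != "unknown" and not name.lower().endswith(".rar"):
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = kind
    return hits


def build_sample_tree() -> str:
    """Constructed sample data; names and extension are placeholders."""
    root = tempfile.mkdtemp(prefix="triage-sample-")
    os.mkdir(os.path.join(root, "sub"))
    samples = {
        "invoice.xls.locked-sample": RAR4_MAGIC + b"\x00" * 32,
        "sub/photo.jpg.locked-sample": RAR5_MAGIC + b"\x00" * 32,
        "notes.txt": b"plain text, untouched\n",
        "backup.rar": RAR4_MAGIC + b"\x00" * 32,  # honestly named archive
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, kind in sorted(find_disguised_rars(build_sample_tree()).items()):
        print(f"{kind}\t{rel}")
```

A signature match only identifies the container as RAR; a password-protected archive still needs its password. Run the check against a backup copy of the affected files, in line with the caution quoted earlier in the thread.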

#8 Grinler


Posted 26 February 2012 - 08:59 PM

I have added a removal guide for this infection here:

How to remove and decrypt the ACCDFISA Protection Program

This requires some advanced knowledge, so only follow the steps if you are comfortable doing so.



