A new variant of the ACCDFISA Protection Center ransomware has been released called Malware Protection. The malware developers target Windows servers and appear to hack them in order to install the software. Once the Malware Protection ransomware is installed, it will lock you out of computer and create password-protected RAR archives out of your data that you can no longer access unless you pay a $300 ransom. When installed, the Malware Protection ransomware will scan your computer for all files using certain file extensions and will use the command line RAR program to turn them into a password protected RAR archive. These files will be renamed with the .aes extension and are supposed encrypted with the AES encryption. You will then be prompted to pay a ransom in order to get the decryption key to restore your files. The decryption key starts with aes987156 and then the password for the RAR files is appended to it. The decrypt.exe program will read through the list of encrypted files and extract them to the proper location using the RAR password. In the past version of this malware, there have been some cases reported that the decrypt process actually deleted the files, so once you have the RAR password it is suggested that you use a manual method restore the files. A manual method using a batch file can be found in the How to remove and decrypt the ACCDFISA Protection Program guide. The files that this infection installs can be found in the following locations:
C:\decrypt lock\decrypt.exe C:\how to decrypt aes files.lnk %System%\csrss32.exe %System%\csrss64.exe %System%\svschost.exe C:\security lock\svchost.exe C:\decrypt lock\decrypt.exe C:\ProgramData\system files\ntbavtnjs.bat C:\ProgramData\system files\vpkswnhisp.dll C:\ProgramData\mssupport\aes256crypter.exe
As these are 32-bit programs, if you are using an x64 version of Windows, they will be installed in the C:\Windows\SysWOW64 folder instead. This infection will also create a service with the Display Name User Profile Services and a Service Name of ProfSvcs. Some people have reported that they have found the aes256crypter.exe process running. This is a command line RAR program and if you see it running you may be able to launch Sysinternals Procmon and look for Process Start operation for one of the above files. Double-click that line and you can see the command line used to start it. If the process was for aes256crypter.exe, there is a good chance the password will be shown on that line. I hope this helps those of you struggling with this. If you have any other information to share, please let us know here.