
New ransomware called Anti-Child Porn Spam Protection or ACCDFISA



#31 mavsman

  • Members
  • 4 posts

Posted 18 April 2012 - 09:42 PM

Greetings everyone. This is my first post to BleepingComputer, as I'm not an IT pro, just an office manager who got slammed with this today.

Our Win2003 server got infected by this crap today. We had RDP open on both the server AND the router (we are a small office with 10-15 computers), so I'm guessing that's somehow related to how we got it. To make matters worse, it turns out the backups we had been doing (that were set up before I started working in the office) have not been successfully backing up new data for almost two years, even though I thought I was checking the backups. (Side note: NTBackup is a worthless program from what I can tell.)

Anyhow, I was just curious if anyone has any new updates on this ransomware? I don't know for sure if our files are actually encrypted or not, but I'm getting the impression that a TON of data will now be gone.

I'm definitely not going to be paying any money to get any purported passwords, since I'm 100% confident that will not do anything constructive. Anyone have any other suggestions on recovering any data? Once we're back up and operational I'll definitely be implementing quite a few new policies to prevent anything this disastrous from happening again in the future.


#32 David911

  • Members
  • 1 posts

Posted 20 April 2012 - 01:11 AM

Hello everyone,
Our Windows Server 2003 got hit April 18th. I did a lot of reading online on bleepingcomputer.com (my favorite malware site) and also the posting at http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/
The Emsisoft.com site states the hackers enter through RDP. I agree that is how they got into our site, but our administrator password is highly secure, so I do not know how they figured that one out. I decided it would be far less in labor costs to pay the $500.00 ransom and get back to normal. It was only 16 hours after they hit us, so I was well within the stated 48 hours. I sent the payment and 3 hours later, received the reply of:
Hello Thank you for payment.
Unfortunately, but 48 hours has been ended. We wrote about it in our software.
You must pay now 1500$ (you must buy buy additional 1000$ moneypak and send code to us and after this we will get you decryption information)
At that point, I realized I would never get the code, no matter how much money I sent them.
Anyway, I set out to repair the server. Our antivirus and Backup Exec had been deleted, but the infected files (even though they were in hidden folders) were exactly as BleepingComputer described. They were easy to remove, and then I ran Malwarebytes just in case and found 1 infected file and 3 registry errors related to the ransomware. The IP address had also been changed. After testing the server to make sure everything was OK, I reinstalled Backup Exec and restored my files (should have done that in the first place). Everything is back to normal and I am grateful to BleepingComputer and Emsisoft.com for their information.
From this I have learned to always have good backups, secure your RDP connections to only communicate from one external IP address, and never pay ransom money.

#33 cjulia

  • Members
  • 3 posts
  • Gender:Female
  • Location:East Sussex

Posted 20 April 2012 - 03:05 AM

Hello, my husband has this on his PC and we can't find out how to remove it. I know my way around a computer but am not very technically minded. Does anyone have an idea?

I would be really grateful for some help.

Thanks :wink:

#34 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 20 April 2012 - 09:13 AM

Thanks for sharing your experience David.

For those who are affected, please pm me with your version of Windows that was hacked.

Thanks

#35 cjulia

  • Members
  • 3 posts
  • Gender:Female
  • Location:East Sussex

Posted 20 April 2012 - 09:45 AM

Sorry should have put this information in my first post.

We are using Windows XP. The page the virus puts up says "Specialist Crime Directorate", quotes our IP number and says the computer has been locked as it has been used for child porn etc. It says that we should pay 100 to get it unlocked. Obviously we will not pay anything as it is a scam, but we don't know how to remove it. We can turn the computer on in safe mode with networking, as one site suggested, and run Malwarebytes (MBAM), but it didn't find the virus.

Thanks for any help you can give us. :mellow:

#36 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 20 April 2012 - 10:00 AM

cjulia, yours is a different infection unfortunately.

If you create a new topic in the Virus Removal section and pm me the topic, I will be able to help you there. When creating this topic, also run this program from safe mode and post the logs:

http://www.bleepingcomputer.com/download/anti-virus/dds

#37 SpOiNgY

  • Members
  • 1 posts

Posted 20 April 2012 - 08:09 PM

> I agree that is how they got into our site, but our administrator password is highly secure, so I do not know how they figured that one out



@david

This "hacker" doesn't just hack the admin account; it hacks any account which may be able to log into the machine, including the infamous backup account OR test account that is never deleted. There may be a number of accounts besides the administrator account that can gain access to the server, and I STRONGLY ENCOURAGE anyone who watches over a domain controller or any server to REMOVE ANY ACCOUNT THAT IS NOT NECESSARY.

#38 mavsman

  • Members
  • 4 posts

Posted 20 April 2012 - 11:51 PM

> This "hacker" doesn't just hack the admin account; it hacks any account which may be able to log into the machine, including the infamous backup account OR test account that is never deleted. There may be a number of accounts besides the administrator account that can gain access to the server, and I STRONGLY ENCOURAGE anyone who watches over a domain controller or any server to REMOVE ANY ACCOUNT THAT IS NOT NECESSARY.


I agree with this. It's looking like they targeted the "a" account among others when they hit us.

#39 ITC

  • Members
  • 1 posts

Posted 24 April 2012 - 04:39 PM

One of my clients got this infection. Looks like it placed files here:
C:\ltejdryo\svchost.exe
C:\mmbdfjil\dc.exe
C:\mmbdfjil\rnuhipnz.list
C:\ProgramData\cstlaabk\svchost.exe
C:\ProgramData\ewumcfai\owlgwqsm.dll
C:\ProgramData\ewumcfai\wotmgebd.dll
C:\ProgramData\ewumcfai\yivkmnzp.dll
C:\ProgramData\ewumcfai\yivkmnzp.dll.dlls
C:\ProgramData\gaxtqtvc\svchost.exe
C:\ProgramData\qxchuygf\cubzzkec.dlls
C:\ProgramData\qxchuygf\tirmjsjj.dlls
C:\ProgramData\stppthmain\stppthmain.dll
C:\Windows\system32\svchostsv.exe
C:\Windows\system32\svschost.exe
C:\Windows\system32\csrss32.dll
C:\Windows\system32\csrss64.dll
C:\Windows\system32\lreuapqg.dll

I did a scan of the drive and it looks like you're correct, nothing is recoverable. They were backing up to an external USB hard drive. It appears the hard drive has been securely wiped also; unable to recover ANYTHING from the removable USB drive. At a loss at this point...

Has anyone attempted to crack the archive?

Edited by ITC, 24 April 2012 - 04:56 PM.
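
As an added triage helper (not posted by ITC or anyone else in the thread), the heuristics below flag paths that share the traits of the list above: a system binary name outside System32, a near-miss spelling of one, an odd .dlls extension, or an eight-to-ten-letter random directory directly under C:\ or C:\ProgramData. The binary list, the edit-distance threshold and the parent directories are assumptions chosen for this illustration, and the sample paths in the docstrings are the ones ITC listed.

```python
import ntpath
import re
from typing import Dict, List

SYSTEM_BINARIES = {"svchost", "csrss", "lsass", "winlogon", "services"}  # assumed list of imitated names
SYSTEM32 = "c:\\windows\\system32"
DROP_PARENTS = {"c:\\", "c:\\programdata"}   # assumed: where the random-named dirs were created
RANDOM_DIR = re.compile(r"^[a-z]{8,10}$")    # 8-10 lower-case letters, like ltejdryo or cstlaabk

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches near-miss names such as svschost or csrss32."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_path(path: str) -> List[str]:
    """Return the reasons a path looks suspicious; an empty list means nothing was flagged."""
    directory, name = ntpath.split(path.lower())
    stem, ext = ntpath.splitext(name)
    parent, leaf = ntpath.split(directory)
    reasons = []
    if stem in SYSTEM_BINARIES:
        if directory != SYSTEM32:
            reasons.append("system binary name outside System32")
    elif ext in (".exe", ".dll"):
        # Heuristic: a legitimate name within two edits (e.g. lsasrv) is a false positive.
        near = sorted(s for s in SYSTEM_BINARIES if _edit_distance(stem, s) <= 2)
        if near:
            reasons.append("look-alike of " + near[0])
    if ext == ".dlls":
        reasons.append("unusual extension .dlls")
    if RANDOM_DIR.match(leaf) and parent in DROP_PARENTS:
        reasons.append("random-named directory under " + parent)
    return reasons

def scan(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean paths are left out."""
    flagged = {}
    for p in paths:
        reasons = classify_path(p)
        if reasons:
            flagged[p] = reasons
    return flagged
```

Feed it a directory listing from a suspect host and review the hits by hand; the heuristics are deliberately loose and will not catch every dropped file (lreuapqg.dll in System32, for example, only stands out by its random name).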


#40 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 24 April 2012 - 05:43 PM

PM me the version of Windows.

#41 balon

  • Members
  • 432 posts
  • Gender:Male
  • Location:I like turtles

Posted 25 April 2012 - 12:01 PM

Just a question here: is there any way to use a Linux platform to at least get in and pull the files that we can?

Are the files REALLY locked? Or is this like any other ransomware / rogue that says the files are locked but they're actually there?

#42 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 25 April 2012 - 12:06 PM

Files are password protected rar files.
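
Since balon asks above whether the files are really locked and Grinler answers that they are password-protected RAR files, here is an added check (not from the thread) that walks the RAR 4.x block chain and reports whether an archive's headers are themselves encrypted and, if not, which entries carry the password flag. The sample archive bytes are constructed inside the block with zero CRCs and uncompressed data; CRC verification and RAR5 archives are out of scope.

```python
import struct

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
MHD_PASSWORD = 0x0080   # main-header flag: every block after it is encrypted, names unreadable
LHD_PASSWORD = 0x0004   # file-header flag: this entry's data is password-protected
LHD_LARGE = 0x0100      # file header carries 64-bit sizes (8 extra bytes before the name)
LONG_BLOCK = 0x8000     # block is followed by ADD_SIZE bytes of data (always set on file headers)

def inspect_rar4(data: bytes) -> dict:
    """Walk the RAR 4.x block chain without checking CRCs.
    Returns is_rar, headers_encrypted and a list of (name, encrypted) per file entry."""
    result = {"is_rar": False, "headers_encrypted": False, "files": []}
    if not data.startswith(RAR4_SIGNATURE):
        return result
    result["is_rar"] = True
    pos = len(RAR4_SIGNATURE)
    while pos + 7 <= len(data):
        _crc, htype, hflags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break                        # corrupt header; stop rather than loop forever
        add_size = 0
        if hflags & LONG_BLOCK and pos + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == 0x73 and hflags & MHD_PASSWORD:   # archive header with encrypted headers
            result["headers_encrypted"] = True
            return result
        if htype == 0x74:                # file header
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if hflags & LHD_LARGE else 0)
            name = data[name_off:name_off + name_size].decode("latin-1")
            result["files"].append((name, bool(hflags & LHD_PASSWORD)))
        if htype == 0x7B:                # end-of-archive block
            break
        pos += hsize + add_size
    return result

def build_sample_rar(encrypt_file: bool, encrypt_headers: bool) -> bytes:
    """Constructed RAR 4.x-shaped blob for testing: zero CRCs, stored (method 0x30) data."""
    main_flags = MHD_PASSWORD if encrypt_headers else 0
    main = struct.pack("<HBHH", 0, 0x73, main_flags, 13) + b"\0" * 6
    name, payload = b"invoice.xls", b"\xde\xad\xbe\xef"
    file_flags = LONG_BLOCK | (LHD_PASSWORD if encrypt_file else 0)
    # CRC, TYPE, FLAGS, HEAD_SIZE, PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, file_flags, 32 + len(name), len(payload),
                           len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    end = struct.pack("<HBHH", 0, 0x7B, 0x4000, 7)
    return RAR4_SIGNATURE + main + file_hdr + payload + end
```

Run inspect_rar4 over the bytes of a renamed file on a hit machine: a missing signature means the file was merely renamed, an encrypted-headers result means even the original file names are unreadable without the password, and a per-entry flag tells you which contents are actually locked.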

#43 balon

  • Members
  • 432 posts
  • Gender:Male
  • Location:I like turtles

Posted 25 April 2012 - 12:12 PM

Any chance what Fabian Wosar posted will still work with the ID they give you?

I know I'm most likely just restating the obvious.

And any clue if this guy claiming to be the author is actually him?

Edited by Balon, 25 April 2012 - 12:13 PM.


#44 Gunto

    Bleepin' Reject Phoenix

  • Malware Response Team
  • 1,274 posts
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA

Posted 25 April 2012 - 06:18 PM

Just a thought, but considering all of these versions are probably by the same guy, and if the phone number in the Malware Protection version is legitimate, could we have the authorities trace the phone to the hacker's residence to stop him?



#45 balon

  • Members
  • 432 posts
  • Gender:Male
  • Location:I like turtles

Posted 25 April 2012 - 06:36 PM

> Just a thought, but considering all of these versions are probably by the same guy, and if the phone number in the Malware Protection version is legitimate, could we have the authorities trace the phone to the hacker's residence to stop him?


I was thinking that, or the email. Think about it: the FBI can bind a virus to a .jpg and email it to him. Easily infect him and stop him. Basically, back-hack what he has hacked; then wouldn't we have the passwords to every single .rar?



