
decrypt the ACCDFISA Protection


4 replies to this topic

#1 kcpalmer

kcpalmer

  • Members
  • 2 posts

Posted 25 October 2012 - 11:27 PM

My client had their server (W2K3Std) hacked with this Trojan. Unable to access the OS I did a clean install but am having problems restoring the files. Following is an example of the file now: trunorth98.mdb(!! to decrypt email id 1549178345 to casec222777@gmail.com !!).exe

I have tried changing the .exe to .rar and extracting, but no luck; the error is "Corrupt file or wrong password".

Backups appear to have been damaged so desperate to recover from the original files.

Can anyone help?

Thanks


#2 CStew23

CStew23

  • Members
  • 1,484 posts
  • Gender:Male
  • Location:USA

Posted 27 October 2012 - 06:57 PM

Hi,

Welcome to the site. I'm fairly certain there is no fix for this, but I will speak to the experts behind the scenes and get back to you.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,984 posts
  • Gender:Female
  • Location:Romania

Posted 01 November 2012 - 12:01 PM

Hello, because CStew23 is not available (hurricane damage) I'll work with you from here, my apologies for the delay.

Unfortunately the latest ACCDFISA variants cannot be decrypted. Your best shot is reformatting and restoring a backup. See also here:

From: http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/

Password generation changed again as well. Similar to variant 3, two different passwords are used to encrypt the files on the system. To generate the first password the crypto malware will generate a 50 character long random string. The string is then saved to fvd31234.txt as well as udsjaqsksw.dlls. The random string is then prefixed with a static string to create the first password. As usual the fvd31234.txt file is copied by the attacker to his system and then securely deleted using the fvd31234.bat script. On the next boot the service will securely delete “udsjaqsksw.dlls” as well if still present and fall back to a second password generation algorithm. The second algorithm will calculate the second password based on the boot drive’s volume id, similar to variant 2. While it is possible to generate the second password with ease, it is almost impossible to recover the first password due to the random nature and secure deletion.


Please let me know if you have any other question or if this topic can be closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
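A small triage script for a responder who finds a server in the state described in post #1, added here as an illustration; it is not part of this thread, of BleepingComputer's tooling or of Emsisoft's write-up. It walks a directory tree, recognises the renamed-file pattern from the original post (the regex is built from that single sample, so it is an assumption that other infections use exactly this form), pulls out the contact e-mail and ID so every affected file can be tied to one campaign, checks whether each renamed .exe carries a RAR archive signature (the original poster's attempt to open one as .rar suggests a self-extracting archive; treating the `Rar!` magic as corroboration is an assumption), and flags the helper files named in the quoted Emsisoft text (fvd31234.txt, udsjaqsksw.dlls, fvd31234.bat). The sample directory in `demo()` is constructed for the example.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Filename pattern from post #1 (single sample; other variants may differ - assumption):
#   trunorth98.mdb(!! to decrypt email id 1549178345 to casec222777@gmail.com !!).exe
RENAMED_RE = re.compile(
    r"^(?P<original>.+?)\(!! to decrypt email id (?P<id>\d+) to (?P<email>[^\s)]+) !!\)\.exe$",
    re.IGNORECASE,
)

# Helper files named in the Emsisoft write-up quoted above. If fvd31234.txt or
# udsjaqsksw.dlls is still present, preserve it immediately: per the write-up the
# service wipes udsjaqsksw.dlls on the next boot.
KNOWN_ARTIFACTS = ("fvd31234.txt", "udsjaqsksw.dlls", "fvd31234.bat")

# Signature of a RAR (v1.5-4.x) archive. A self-extracting archive is an .exe stub
# followed by the archive, so the magic appears somewhere after the MZ header.
RAR_MAGIC = b"Rar!\x1a\x07\x00"


def parse_renamed_name(name: str) -> Optional[Dict[str, str]]:
    """Split a ransom-renamed filename into original name, campaign ID and e-mail."""
    m = RENAMED_RE.match(name)
    if not m:
        return None
    return {"original": m.group("original"), "id": m.group("id"), "email": m.group("email")}


def contains_rar_header(data: bytes) -> bool:
    """True if a RAR archive signature occurs anywhere in the bytes examined."""
    return RAR_MAGIC in data


def triage_directory(root: str, read_limit: int = 4 * 1024 * 1024) -> Dict[str, object]:
    """Walk `root`, collect renamed files and known helper artifacts (read-only)."""
    renamed: List[Dict[str, object]] = []
    artifacts: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower() in KNOWN_ARTIFACTS:
                artifacts.append(path)
            info = parse_renamed_name(fn)
            if info is None:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(read_limit)  # only inspect the first few MB
            except OSError:
                head = b""
            entry: Dict[str, object] = dict(info)
            entry["path"] = path
            entry["rar_header"] = contains_rar_header(head)
            renamed.append(entry)
    return {
        "renamed": renamed,
        "artifacts": artifacts,
        "emails": sorted({str(r["email"]) for r in renamed}),
        "ids": sorted({str(r["id"]) for r in renamed}),
    }


def demo() -> Dict[str, object]:
    """Build a constructed sample tree in a temp directory and triage it."""
    tmp = tempfile.mkdtemp(prefix="accdfisa_demo_")
    sample = os.path.join(
        tmp, "trunorth98.mdb(!! to decrypt email id 1549178345 to casec222777@gmail.com !!).exe"
    )
    with open(sample, "wb") as fh:  # constructed: MZ stub followed by a RAR header
        fh.write(b"MZ" + b"\x00" * 64 + RAR_MAGIC + b"constructed payload")
    with open(os.path.join(tmp, "udsjaqsksw.dlls"), "wb") as fh:  # constructed
        fh.write(b"constructed placeholder")
    with open(os.path.join(tmp, "notes.txt"), "wb") as fh:  # untouched file
        fh.write(b"an untouched file")
    return triage_directory(tmp)


if __name__ == "__main__":
    result = demo()
    for r in result["renamed"]:
        print(f"{r['path']}: original={r['original']} id={r['id']} email={r['email']} rar={r['rar_header']}")
    print("helper artifacts:", result["artifacts"])
```

Run it against a mounted forensic image or the restored volume rather than the live server: the script never writes to the tree it inspects, and the helper files, if any survived, are the only thing that could matter to a decryption attempt, so they should be imaged before the machine is rebooted.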


#4 kcpalmer

kcpalmer
  • Topic Starter

  • Members
  • 2 posts

Posted 01 November 2012 - 01:41 PM

Thanks for the update Elise.

I have reformatted and done a clean install of the OS and restored the data from a month-old backup to get the client back in business.

This is certainly the nastiest one I have ever seen and I am now ensuring that all clients use complex passwords and VPNs for remote access instead of just port forwarding the RDP.

Thanks for your help, the thread can be closed.

Ken

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,984 posts
  • Gender:Female
  • Location:Romania

Posted 01 November 2012 - 02:42 PM

I'm glad to hear that was possible. It is extremely important to have off-line backups, as any connected drive (including backup media) will be encrypted as well. And no matter how good tools are, the data that could possibly lead to decrypting the password is securely erased, meaning that even data recovery software is useless.

regards, Elise






