Ransomware Attack. ACCDFISA



#1 AR1OF9

Posted 06 November 2012 - 09:29 AM

Hi All, first thanks for reading.

I have a customer's server that had been infected and files encrypted. All of the backups have been deleted and chance of recovery looks slim.

While checking the drive for recoverable files I found a file called "ProgramDaZZZZZZZZZZZZZZZZZZZZ.doc" and it was created the same time as the files being encrypted.

I was wondering if someone wiser than me would be willing to take a look and see if this is actually of any help or just a wild goose chase.

I have uploaded a small encrypted file and the above mentioned file in the attached link.

Link to the enc file and the possible decrypt.

Thank you for any help.

Kind Regards

Andy



#2 Didier Stevens

Posted 06 November 2012 - 10:41 AM

It's just a shot in the dark, but have you tried to recover deleted files with a tool like NTFS Undelete?

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 AR1OF9

Posted 06 November 2012 - 11:51 AM

I have indeed.

I was unable to recover any of my backup files. The attached file was one of the few files I could recover.

Regards

Andy

#4 Didier Stevens

Posted 06 November 2012 - 01:58 PM

I took a look at the ProgramDaZZZZZZZZZZZZZZZZZZZZ.doc file.

It's impossible that this file is a Word document, even encrypted, because it's only 50 bytes long.
The .doc file format is the Compound File Binary Format https://en.wikipedia.org/wiki/Compound_File_Binary_Format
It starts with a 512 byte header. So this means that a .doc file is at least 512 bytes long.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com
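The size argument from reply #4, extended into a header triage check. This is an added example, not code from the thread or its participants; the field offsets beyond the 512-byte header are taken from the CFB specification ([MS-CFB]), and the function names and sample bytes are constructed for illustration.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # first 8 bytes of every CFB file
CFB_HEADER_LEN = 512                            # header size cited in the post


def cfb_problems(data: bytes) -> list[str]:
    """Return the reasons `data` cannot be a CFB (.doc) file; [] means plausible."""
    problems = []
    if len(data) < CFB_HEADER_LEN:
        problems.append(f"{len(data)} bytes is shorter than the {CFB_HEADER_LEN}-byte header")
    if data[:8] != CFB_MAGIC:
        problems.append("CFB signature missing at offset 0")
    if problems:
        return problems  # the header fields below mean nothing without these two
    # Offsets 24..33: minor version, major version, byte order, sector shift, mini sector shift
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", data, 24)
    if major not in (3, 4):
        problems.append(f"unexpected major version {major}")
    if byte_order != 0xFFFE:
        problems.append(f"byte-order mark is {byte_order:#06x}, expected 0xfffe")
    if sector_shift != {3: 9, 4: 12}.get(major):
        problems.append(f"sector shift {sector_shift} does not match version {major}")
    if mini_shift != 6:
        problems.append(f"mini sector shift {mini_shift}, expected 6")
    return problems


def make_header(major: int = 3) -> bytes:
    """Constructed sample: a bare 512-byte CFB header with valid fixed fields."""
    fields = struct.pack("<5H", 0x003E, major, 0xFFFE, 9 if major == 3 else 12, 6)
    return (CFB_MAGIC + bytes(16) + fields).ljust(CFB_HEADER_LEN, b"\x00")


# Constructed inputs (not the files from the thread)
TINY = bytes(range(50))   # 50 bytes, the size reported for the recovered ".doc"
NO_MAGIC = bytes(1024)    # long enough, but no CFB signature

if __name__ == "__main__":
    for name, blob in [("tiny", TINY), ("no magic", NO_MAGIC), ("header", make_header())]:
        print(name, "->", cfb_problems(blob) or "plausible CFB header")
```

An empty result only means the header is well formed; it says nothing about whether the sectors that follow are intact.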


#5 AR1OF9

Posted 07 November 2012 - 10:25 AM

Thanks for the update. Gives me something to have a look at.

Thanks

Andy



