
Ransomware windows server 2003 How do i decrypt


  • This topic is locked
2 replies to this topic

#1 marcmelb


Posted 15 February 2015 - 05:20 AM

Hi guys! I logged into my Server 2003 to find this in a text document loaded on the front page, with all (most) of the files encrypted with some kind of encryption.

Can someone help me with decrypting one of the files I need the most?

 

This was the message :

 

Anti-Child Porn Spam Protection - 2.0 version from 22.03.2013

 

Your personal Id: 139316917 | Our E-mail to contact: afhelper1@gmail.com

Warning!  Access  to your  computer  is limited.  Your files  has  been encrypted.

 

Have you already see that your files are encrypted?

 

Please don't panic and send us angry emails or scare us to send claims in police,  fbi or others - this is useless.

 

Please read this instruction carefully, then you will get answers to most of your questions.

 

We don't answer to questions which already was answered in this instructions.  Do not waste our and your time.

 

Our minimal price for your files is 3000$ USD.

 

Information to persons who  believe that professionals  can decrypt files:

 

**** Only WE can get you the true password to decrypt all your files.

You can write to any antivirus and security or datarestore companies, but now this is useless. This "Anti-Child Porn Spam Protection - 2.0 version" you have is from 22.03.2013 - more than 1 Year and 3 month passed and no one helped to get password or decrypt files.

 

Passwords generates using cryptographic safe pseudorandom generator.

 

If you will not pay us forgot about your files forever. If you don't believe read forums about rar - there are only one way to crack it - use bruteforce, but this is only in theory, because to brute passwords like used by us it's need trillions years even if you will use all computers in the World.

 

May be you think that you can find password on your server? No, password will be  copied by us and securely deleted. Source files also secure deleted - data restore software will not help you.

 

Of course you don't believe in our words, so read forums or ask cryptologists. Now files encrypted using our software (winrar + very strong password using new right and safe generation method) is locked forever, no one will help you, If it was possible to get password and decrypt it was be already done, but more than 1 Year and 3 month passed and no results.

 

P.S.  Our software is don't like others encryptors which usually will be cracked and files will be decrypted within 1-2 weeks.  Don't try to use decrypt tools for other encryptors, this is really bullbleep to believe that this will be help. Our software is unique and now called: "Anti-Child Porn Spam Protection - 2.0 version from 22.03.2013" previous version called simple "Anti-Child Porn Spam Protection".

 

Other info about Why you locked, Our Guarantees about decrypt your files after payment, About payment and other info you can read below, just scroll down.

 

Latest Updates (bugs fixed).

 

You have Antichild Spam Porn Protection 2.0 from 22.03.2013. What's new?

 

1. Now we have 2 randomly generated cryptographic safe passwords, unlike the previous version when it will be a chance to generate passwords in  certain circumstances. Now generating password is impossible in all cases.

 

2. Now files are encrypted using 2 randomly generated cryptographic safe passwords from 80 to 114 characters long, unlike one 55 characters long  password and not cryptographic safe pseudorandom number generator in the previous version.

 

Now password look's like this:

 

First password sample : 9DF19AB897351C2A0A0FE18A6A73722EDM66BSAl3jBe2a3K8L275j34525b3&E=4RDP4-9y8Q1j3zDa9G9u3bD04t4dFuEO7M2%4zFT

( 104 characters long)

 

Second password sample : 6B1783B4656C5433B430F2CC28070B4E6^1HDq9JEV1+9L0SFr9(6aDu3rF8Cg6X7gC3F#D07LAxFgAD7&9G1%6S4k4YFzEm7^2g4PF*C%9y2T92

(112 characters long)

 

You will read in this instructions about:

 

1. Why?

 

2. Our Guarantees

 

3. General Info

 

4. About Payment

 

5. How to get your data back

 

6. How decrypt process working

 

1. Why?

 

We have detected spam  advertises illegal  sites with child pornography from your computer.

This contradicts law and harm other  network users and in this  case we have to do next steps:

 

1. Encrypt your files using Advanced  Encryption  Standard  and 256 symblols  randomly generated  password and delete source files using  DOD 5220.22-M.

(DOD 5220.22-M is the Department of Defense clearing and sanitizing standard - You cant recover your files - NEVER).

 

2. Sent this randomly generated password  to  our  secure  server  and  delete  this  password  from  your  computer. (you cant get this password - NEVER)

 

This password is unique for each computer and stored on our secure server(and then erasing from this server and sending to us) and in each encrypted file.

 

**** Warning! Dont delete any our software config files, because it can start encrypt process again and we cant get you warranty that we will decrypt all your files! In this case you may be loose part of your files forever. If you dont know what to do - better do nothing. ****

 

2. Our Guarantees

 

You can send one encrypted file (jpg or bmp or other picture, no a document or not any important file for you) to us and as soon as we decrypt them we send them to you and it will proof that we are able to decrypt them all. Please don't send us important data like databases etc. to decrypt, because if we will decrypt it and send to you - you will pay us 0$.

 

We had decrypt databases files to some people and after this they did not pay us any money.

After you will pay us, sure we give you passwords and decrypt tool and of course you can decrypt all your files including databases files.

 

To send file to us better use sendspace.com (just upload and send link to us) because gmail can block any .exe extensions.

 

Our guarantee is your decrypting file.

 

So we dont need to lock your files forever, we just need a money for our work.

 

Also send us your ID number.

 

3. General Info

 

You will need to buy some ecurrency (equal 3000$ USD) in some internet payment system. 3000$ USD is a minimal price and cannot be less, no any discounts even if you need only 1 file. When we get payment we will send you passwords and decryption tool to unlock all your files.

 

You can send files or your computer to any experts or antivirus companies, recovery companies but you just lose your time, money and nerves.

 

You can go to the police or fbi or other departments - but this is will not help you, we are working about 12 month and no one can trace us, because we are working using chain of servers in different countries and using only offshore ecurrency internet payment systems as payment method (We will not accept Western Union or Bank transfer directly to us, because this is not secure for us.) and withdrawal money using anonymous offshore bank accounts and ATM cards belong to other people.

 

4. About Payment

 

You will need to buy some ecurrency (equal 3000$ USD) in some internet payment system. We will not accept Western Union or Bank transfer directly to us, because this is not secure for us. Contact us and we will give you payment instructions.

 

5. How to get your data back

 

You have already see files like for example database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe

This is about 256 symbols password protected AES archive contains your file.

 

You just need password to decrypt  it and get your original file  from this archive.

 

How encrypt process working:

 

1. For example database.mdb is source  file wich  will  encrypted to  database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe

 

2. Then original file database.mdb secure  deleted from your disk  drive using sectors owerwriting.

 

3. Original file database.mdb now in AES  password  protected archive.

 

This is impossible to crack archive with password like this (this is NOT 6-8 symbols simple password, and have trillions combinations to bruteforce  and 1000000's years to brute it).

 

This passwords is unique and randomly generated for  each computer.

 

We also take care to secure delete password from  your system, previously had copy password to our database of course.

 

After payment (and once again, ONLY after payment) we  will get you passwords and decrypt tool, so you will not need to decrypt each file manualy. Just run it on your server and your files  will  be  decrypted  on all disk drives.

 

6. How decrypt process working

 

1. You will put 2 passwords given by us in decrypt tool and start it.

 

2. Our decrypt tool scan your disk drives for files like database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe

 

3. Encrypt files like database.mdb(!! to get password email id 1111111 to ouremail@gmail.com !!).exe, so you  will get unencypted original file database.mdb

 

4. Delete decrypted database.mdb(!! to get password email id 1111111 to ouremail@gmail.com !!).exe because  you will not need more decrypted file, you will have your original source file database.mdb

 

Also we will  get you desktop unlock  code and you can run decrypt tool.

 

Thank You.
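
An added example, not part of the original post or of any vendor tool: a read-only inventory script that finds files renamed in the scheme the note describes and recovers the original file name and ID from each, which helps scope the damage before any recovery attempt. The function names and the report layout are assumptions made for illustration.

```python
import os
import re
import sys
from collections import defaultdict

# Naming scheme quoted in the ransom note:
#   database.mdb(!! to decrypt email id 1111111 to ouremail@gmail.com !!).exe
# The note also words the marker as "to get password", so both are accepted.
MARKER = re.compile(
    r"^(?P<original>.+)\(!! to (?:decrypt|get password) email id "
    r"(?P<victim_id>\d+) to (?P<contact>\S+@\S+) !!\)\.exe$",
    re.IGNORECASE,
)


def parse_name(filename):
    """Return (original_name, victim_id, contact) or None if no marker."""
    m = MARKER.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("contact")


def inventory(root):
    """Walk root without modifying anything; group hits by (id, contact)."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parsed = parse_name(name)
            if parsed is None:
                continue
            original, victim_id, contact = parsed
            path = os.path.join(dirpath, name)
            found[(victim_id, contact)].append(
                {"archive": path, "original": original,
                 "size": os.path.getsize(path)}
            )
    return dict(found)


if __name__ == "__main__":
    # Hypothetical usage: python inventory.py D:\ (defaults to current dir)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for (vid, contact), items in inventory(root).items():
        print(f"id={vid} contact={contact} files={len(items)}")
        for item in items:
            print(f"  {item['original']}  <-  {item['archive']}")
```

The script only lists files; it never opens, executes or renames the `.exe` archives.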




 


#2 nasdaq

  • Malware Response Team

Posted 18 February 2015 - 10:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Panda Security has developed a tool to decrypt these files. Follow the instructions below:
http://www.pandasecurity.com/usa/enterprise/support/card?id=1676

Hope that you can get your files back as we cannot do anything to help you in that matter.
===

When completed please run this tool and post the logs for my review.
We can remove any remnant items that the tool will identify as not required.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 nasdaq


Posted 23 February 2015 - 10:21 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



