ACCDFISA v2.0 Ransomware Support Topic - filename(!! to get password email id *id* to *email* !!).exe/.rar


241 replies to this topic

#211 woji


Posted 27 October 2017 - 06:06 AM

Infection through email eucodes17@gmail.com: Karwos's generator creates the 3rd key, not the 2nd encryption key.

I don't know which files the 3rd key decrypts, but it's as I say.




#212 oscar_ramirez


Posted 27 October 2017 - 09:11 AM

Our server is infected with eucodes17, but Karwos's generator doesn't work with any file...



#213 DReffects


Posted 28 October 2017 - 07:43 AM

Good luck to everyone restoring from backup or with data recovery tool!

 

Would be great if you guys could go into detail on this:

- Have the attacks stopped after you pulled the server or does the attacker still try to access?

- Could you please list the point of entry as specifically as you can?

 

We're currently restoring a server, but weeks after the attack there is still no information from Microsoft in regards to a possible RDP exploit. RDP was used to access the server, but I do not see how that was possible in my case.



#214 saladice


Posted 31 October 2017 - 03:44 AM

Same eucodes17 infection. It was quite a while ago for our server.

 

Could someone with deep technical knowledge and skills trace this m@therf@cker to a specific location in Poland?? I've got too much free time and don't mind tracking this guy down :_))



#215 krumplee


Posted 31 October 2017 - 05:02 AM

I confirm an eucodes17 infection at a friend's.  :(

 

RDP was exposed. :(

 

The computer was powered off, I think after phase 1 was done. It worked 1-2 days and was also rebooted.

Win 7 x64. Backups deleted from the other partition.

 

Looks almost like somebody doing the things personally.

 

I made a sector-by-sector clone.

With a recovery tool I saw the big SDELTEMP files (5 on one partition, and 8 on the other part.)

 

"Green" files which could be recovered with deep scan, many of them are corrupted.

 

@Karwos, do you have any new info?

 

Your tool doesn't work for me.

With which files should I start trying to reverse engineer....



#216 DReffects


Posted 31 October 2017 - 01:56 PM

The SDELTEMP files are files created by sdelete to overwrite all free space of a disk with zeros. They are pretty much useless.

 

@krumplee

Did you find evidence of a brute force attack on RDP?

> Looks almost like somebody doing the things personally.

Yes, I think so, too.



#217 krumplee


Posted 01 November 2017 - 02:51 AM

@DReffects

 

Yes, I read about sdelete in this thread... very sad.

 

I didn't try to find evidence of brute force; I can check the event log if it exists... or something else? Does it help with something?

 

Interesting how everything was done like a puzzle, and files were encrypted selectively. But it could also be "well written" code.

 

I have cleaned this clone manually (with NO networking, to BE sure), based on wcodya's post - page-13#entry4355552.

After that I used the KVRT tool (from Kaspersky); it found two files. One of them was named ccproxy.

 

I want to help if I can...



#218 DReffects


Posted 01 November 2017 - 01:28 PM

Hm, CCProxy is a very ordinary proxy tool. Kaspersky probably has this software listed on their "probably unwanted apps" list, but the tool itself does not cause any harm or provide a backdoor as far as I know.

 

Please check your event log for event IDs 261 and 4625. That would indicate a direct brute force attempt.

 

Check this link for further info

http://techsupport.foreverwarm.com/brute-force-remote-desktop-attack



#219 krumplee


Posted 02 November 2017 - 02:49 AM

@DReffects

 

I had 15 minutes this morning to check a little bit.

 

Two months of Security Event Logs look like they are missing.

 

But I found an unusual number of these in the System logs:

 

Time unsynced. I forgot to note the ID.

56 - The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Client IP: [hidden]

4634 - Lots of --> Logoff

1012 - Remote session terminated, max allowed failed logon attempts.

             |->  three in one minute

 

I noted 7 IP addresses randomly; they are from all over the world:

Datacenter Poland, US, Spain, Germany, and Seoul, South Korea.


Edited by krumplee, 02 November 2017 - 02:52 AM.
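DReffects suggested checking the event log for failed logons, and krumplee's post above lists the System-log events (56, 1012) he found. The script below is an added example written for this thread, not a tool posted by any participant: it summarises Security-log failed logon events (ID 4625) per source IP address over a chosen window and lists the System-log events named above for the same window, so a pattern of many failures from a handful of addresses stands out. The threshold value and the parameter names are the example's own assumptions; it must run as Administrator on the affected host, or against an exported Security .evtx via -EvtxPath.

```powershell
# Added example for this thread, not code from any poster.
# Summarise failed logons (Security event 4625) per source IP and list the
# System-log events krumplee reported (56, 1012) for the same time window.
# Assumptions: run elevated; 4625 events still exist for the window
# (krumplee reported two months of Security logs missing).

param(
    [int]$Days = 30,            # how far back to look (assumed default)
    [int]$Threshold = 20,       # failures per source IP considered suspicious (assumed)
    [string]$EvtxPath = $null   # optional: exported Security.evtx instead of the live log
)

$since = (Get-Date).AddDays(-$Days)

# Build the filter: live Security log, or an exported .evtx if a path was given.
$filter = @{ Id = 4625; StartTime = $since }
if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = 'Security' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        IpAddress = $d['IpAddress']
        Account   = $d['TargetUserName']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP), 3 = network (e.g. NLA)
        Status    = $d['Status']
    }
}

# Per-source summary: failure count, distinct accounts tried, first and last seen.
$summary = $rows |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Name
            Failures  = $_.Count
            Accounts  = @($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Failures -Descending

"Source IPs with at least $Threshold failed logons in the last $Days days:"
$summary | Where-Object { $_.Failures -ge $Threshold } | Format-Table -AutoSize

# Correlate with the System-log events from krumplee's post (TermDD 56 and
# RemoteConnectionManager 1012) over the same window.
$sysFilter = @{ LogName = 'System'; Id = 56, 1012; StartTime = $since }
"System-log RDP events in the same window:"
Get-WinEvent -FilterHashtable $sysFilter -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count
```

Many distinct accounts from one address, or failures arriving seconds apart around the clock, is the picture to look for; a single address with a handful of failures during working hours is usually just a typo. Because 4625 is only written when auditing of logon failures is enabled and the Security log has not been cleared, an empty result is not proof that nothing happened, which is why the System-log events are listed alongside.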


#220 manestevez


Posted 02 November 2017 - 03:02 AM

> @DReffects
>
> I had 15 minutes this morning to check a little bit.
>
> Two months of Security Event Logs look like they are missing.
>
> But I found an unusual number of these in the System logs:
>
> Time unsynced. I forgot to note the ID.
>
> 56 - The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
> Client IP: [hidden]
>
> 4634 - Lots of --> Logoff
>
> 1012 - Remote session terminated, max allowed failed logon attempts.
>
>              |->  three in one minute
>
> I noted 7 IP addresses randomly; they are from all over the world:
>
> Datacenter Poland, US, Spain, Germany, and Seoul, South Korea.

 

I think the hacker uses a botnet: works with multiple computers to hack.

 

from Poland

from Germany

from ...



#221 dewinbrush


Posted 03 November 2017 - 05:07 AM

Hello my friends. I couldn't understand how to use the Decryption Utility. There are 3 passphrase keys in this tool. Also, ACCDFISA generates the key from ID names like "to get password email id: xxxxxxxxx" (9 chars). I think the 3rd key is generated by ACCDFISA... However, how can I get or generate the first and second key passphrase?  :gathering:



#222 Palmsbeach


Posted 09 November 2017 - 03:51 PM

In my case my server was infected with

 

.mdf(!! to get password email id 1512283164 to eucodes17@gmail.com !!)

 

Has anyone tried removing the password from the .mdf files with some program?

 

I have the 2nd password, but apparently the 1st and 3rd passwords decrypt the database files.

 

I sent an email and they are asking me for 4000 USD

 

Hello!

 
Price for your ID is 4000 USD.
 
This is minimal price for you, no discounts. PLEASE DO NOT SEND ANY EMAIL IF YOU DONT WANT TO PAID THIS AMOUNT!
 
For proof we have your passwords you can send us NOT important one NOT so big FILE for decrypt. ( size around 3Mb is good for us)
DONT TRY  to send us any of your DB files , DAT files or something like this , we never send you this type of files for free!
 
!!! Rename your file from .exe to .xxx and send us file or upload your file on WeTransfer and give us the link!!!
 
Payment method is BITCOINS ONLY!
 
After payment you will have passwords and decrypt tool for your files!
 
Thank You.
 
Could someone help me?


#223 oscar_ramirez


Posted 10 November 2017 - 09:33 AM

> In my case my server was infected with
>
> .mdf(!! to get password email id 1512283164 to eucodes17@gmail.com !!)
>
> Has anyone tried removing the password from the .mdf files with some program?
>
> I have the 2nd password, but apparently the 1st and 3rd passwords decrypt the database files.
>
> I sent an email and they are asking me for 4000 USD
>
> Hello!
>
> Price for your ID is 4000 USD.
>
> This is minimal price for you, no discounts. PLEASE DO NOT SEND ANY EMAIL IF YOU DONT WANT TO PAID THIS AMOUNT!
>
> For proof we have your passwords you can send us NOT important one NOT so big FILE for decrypt. ( size around 3Mb is good for us)
> DONT TRY  to send us any of your DB files , DAT files or something like this , we never send you this type of files for free!
>
> !!! Rename your file from .exe to .xxx and send us file or upload your file on WeTransfer and give us the link!!!
>
> Payment method is BITCOINS ONLY!
>
> After payment you will have passwords and decrypt tool for your files!
>
> Thank You.
>
> Could someone help me?

 

Hi, from what I have researched and seen, this ransomware has been causing trouble for some time now; however, so far no way to decrypt the files has come out. The only thing that could help decrypt it with some program would be brute force, and since it is surely a very long string, it would take you an eternity (a true eternity) to decrypt it.

 

Fortunately I had backups of everything, so I had no problem getting everything running again. In your case, if that is not so, and if the database information is crucial, you will have to pay to recover it (although paying is not recommended, since this finances these activities), or otherwise consider it lost and keep it in the hope that some day a way is found.

 

Regards and good luck!!


Edited by oscar_ramirez, 10 November 2017 - 09:34 AM.


#224 Nocera


Posted 10 November 2017 - 11:40 AM

Southern Brazil over here...
 

I have a case where ACCDFISA 2.0 encrypted a few files on a Windows Server 2008 over the first weekend of November 2017.
The station rebooted itself as a default procedure of this ransomware ACCDFISA 2.0 and had the 2nd key generated. Karwos's decryption tool generates the password for the ID, but where do I put that password? Executing encrypted files as .EXE lets WinRAR open, asking for the protection password. Entering that password in the textbox and clicking OK gives a wrong password error message. The attacker's email is brainfo17@gmail.com.

I have spoken to the person behind this brainfo17@gmail.com email, and this person seems to be a non-native English speaker. The attacker gained access to the server through RDP, installed the virus manually on the machine and let it run over the weekend.

 

Server is functional (logon, logout, seems OK) and original files are still in there; not all files have been encrypted. Hoping for a decryption tool to come out soon.

 

If we could have more people reaching out on this threat, it could help decrypt ACCDFISA 2.0 soon.
Here go instructions for it:

-- Cracking ransomware by Cylance:

https://blog.cylance.com/cracking-ransomware

 

-- What is ACCDFISA 2.0 capable of? Please refer to this page on the Emsisoft blog about ACCDFISA 2.0:

https://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/
--


Edited by Nocera, 10 November 2017 - 11:52 AM.


#225 Nocera


Posted 13 November 2017 - 07:33 PM

Send your infected files to Dr.Web.

It seems they're working day and night in order to help their clients, and future ones too.

 

Here goes a link to their page:
https://support.drweb.com/new/free_unlocker/for_decode/


Edited by Nocera, 13 November 2017 - 07:59 PM.




