

ACCDFISA v2.0 Ransomware Support Topic - filename(!! to get password email id *id* to *email* !!).exe/.rar


461 replies to this topic

#241 romeroalexis

romeroalexis

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 16 December 2017 - 11:57 AM

I am speaking only about: To decrypt email id: 294231494 to eucodes17@gmail.com

The id can change, and you regenerate it with 3st password: http://karwos.net/accdfisa20/

Key 1 and key 2 are these for the year 06/06/2017 to 31/12/2017

for the moment. :bounce: :bounce: :bounce: :bounce: :bounce: :bounce: :bounce: :bounce: :guitar: :guitar: :guitar:




 


#242 romeroalexis

romeroalexis

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 16 December 2017 - 11:59 AM

Today I did 10 servers with this solution and everything is OK.



#243 SVQ

SVQ

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:25 AM

Posted 18 December 2017 - 04:27 AM

Hello romeroalexis,

Can you explain the process to us?

What tools do you use to decrypt the files?

Where do you find the keys?

Are you saying karwos generates the 3rd key?

Thank you in advance...



#244 carloslerma

carloslerma

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 18 December 2017 - 03:42 PM

Today I did 10 servers with this solution and everything is OK.

Hi Romeralexis

 

Could you help me with what is needed to find a solution?



#245 carloslerma

carloslerma

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 18 December 2017 - 03:46 PM

All your files encrypted.

 

To decrypt email id: 294231494 to eucodes17@gmail.com

Hello!

Do you have process in the memory called lsassw86s.exe ? If yes , kill process lsassw86s.exe first.
Also delete c:\windows\system32\lsassw86s.exe file. Or c:\Windows\syswow64\Isassw86s.exe

Now you can run decrypt tool.

1st Decrypt password:
6DA94EDA614C0D092140B20E4539BB81BXD4C#Aa5=5&C)1=A0E@4lCM2YAV1nB&6r7WB!D(BDBjDABPAA1&4=ATF47^4y771l1zC53mB(2x8I6H08
2st Decrypt password:
BC7BAE78F1D419B1B67EDF9885299CBFAWBxA#7t71B77m6@3W5k73CP2v9%BCB$D0FhBhE4EG53AI1#EYCC1n2Q13Bo1L3x9p9ICHAHD%FzB!A40l

 

3st Decrypt password: http://karwos.net/accdfisa20/

 

100% ok

 

alexis.serf85@gmail.com

 

It will work for the mail brcode2017@gmail.com



#246 gozaru

gozaru

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 18 December 2017 - 09:16 PM

Hi friends:

 

On YouTube there is a possible solution:

 



#247 gozaru

gozaru

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 18 December 2017 - 09:18 PM

In karwos page: http://www.karwos.net/accdfisa20/

 

Last update:
1. According to webpage visit-stats, ransomware attacking almost always in weekends (friday-saturday), most views I see on mondays! Curious.
2. There is some small possibility to reconstruct stack frames and maybe extract 1st key (accdfisa20 didn't cleanup stack memory), so if you are after FRESH infection, don't restart your PC - dump your memory contents, it increases your chances. In some cases, hiberfil.sys and pagefile.sys could be helpful as well.



#248 romeroalexis

romeroalexis

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 26 December 2017 - 07:01 AM

1: 3 infected files
2: the text file with the ransom.
3: 2 files on window - s64 - lsas ..... exe.
4: export the reg file to a copy, using regedit.
5: the mac of your lan network card.

zip them and send them to me.

so I'll give you the keys.

regards

 

p only for key 3 In karwos page: http://www.karwos.net/accdfisa20/

 

_________________________________

 

I need these files to help give the keys
lsass86vl.exe
wblsys32vt86exkdll.dll
lsassw86s.exe
_________________________________________
 
 
 
 
 
 
 
 
 

do not delete anything on program data

otherwise I can not help anyone
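
Added example, not part of any post in this thread and not code from the karwos page: a read-only PowerShell triage sketch that records the artifacts named above (the three file names, the lsassw86s process, the MAC address, and the hiberfil.sys/pagefile.sys files) without deleting or killing anything. The output folder, the SHA-256 hashing, and checking both System32 and SysWOW64 for all three names are assumptions.

```powershell
# Added example: read-only triage of the artifacts named in this thread.
# Assumptions: Windows PowerShell 2.0+ (64-bit, elevated); $OutDir is a
# hypothetical evidence folder, ideally on removable media.
param([string]$OutDir = "$env:SystemDrive\accdfisa-triage")

$Names = 'lsassw86s.exe', 'lsass86vl.exe', 'wblsys32vt86exkdll.dll'  # as posted
# The thread gives these two folders for lsassw86s.exe; checking them for
# the other two names is an assumption.
$Dirs = "$env:windir\System32", "$env:windir\SysWOW64"

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Dispose() }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$found = @()
foreach ($dir in $Dirs) {
    foreach ($name in $Names) {
        $path = Join-Path $dir $name
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path -Force
        # Copy under an inert extension; the original stays where it is.
        $copy = '{0}_{1}.sample' -f (Split-Path $dir -Leaf), $name
        Copy-Item $path (Join-Path $OutDir $copy) -Force
        $found += New-Object PSObject -Property @{
            Path = $path; Sha256 = Get-Sha256 $path
            Size = $item.Length; ModifiedUtc = $item.LastWriteTimeUtc
        }
    }
}
$found | Select-Object Path, Sha256, Size, ModifiedUtc |
    Export-Csv (Join-Path $OutDir 'files.csv') -NoTypeInformation

# Is the process from the thread still running? Record it, do not kill it here.
$proc = Get-Process -Name 'lsassw86s' -ErrorAction SilentlyContinue

# Test-Path can report False for locked files such as pagefile.sys, so list
# the drive root instead to see which memory-backed files exist.
$mem = Get-ChildItem "$env:SystemDrive\" -Force |
    Where-Object { 'hiberfil.sys', 'pagefile.sys' -contains $_.Name }

# MAC addresses of IP-enabled adapters (WMI works on 2008 R2 / Windows 7).
$macs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

@("Process running : $([bool]$proc)",
  "Memory files    : $(($mem | ForEach-Object { $_.Name }) -join ', ')",
  "MAC addresses   : $(($macs | ForEach-Object { $_.MACAddress }) -join ', ')"
) | Set-Content (Join-Path $OutDir 'summary.txt')
```

On a fresh infection, take the memory dump before running anything else, since every new process overwrites some of the memory the karwos note hopes to recover.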



#249 BEAURAIN

BEAURAIN

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 28 December 2017 - 02:24 PM

Hello romeroalexis

Please explain how to decrypt files..

Here are the files you have requested

hxxps://ufile.io/qkjx2

Sorry forgot to add regedit file..

here it is

hxxps://ufile.io/rvdyp


Edited by BEAURAIN, 28 December 2017 - 02:30 PM.


#250 romeroalexis

romeroalexis

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 28 December 2017 - 03:39 PM

HELLO, CAN YOU INTRODUCE YOURSELF FIRST? THANK YOU



#251 romeroalexis

romeroalexis

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 28 December 2017 - 03:44 PM

THE FOLLOWING FILES ARE MISSING:

lsass86vl.exe
wblsys32vt86exkdll.dll
lsassw86s.exe

the text file with the ransom.

AND THE MAC OF THE NETWORK CARD



#252 romeroalexis

romeroalexis

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 28 December 2017 - 03:57 PM

BEAURAIN :

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{56BE716B-2F76-4dfa-8702-67AE10044F0B}]
@="Volume Shadow Copy Service"
"LocalService"="VSS"
"LaunchPermission"=hex:01,00,04,80,60,00,00,00,6c,00,00,00,00,00,00,00,14,00,\
  00,00,02,00,4c,00,03,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,27,02,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,05,\
  12,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,\
  00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C9F65BA8-1F8F-4382-AE27-C91FFB29275F}]
@="RCM"
"LocalService"="TermService"

 

[HKEY_USERS\S-1-5-18\Software\Sysinternals\SDelete]
"EulaAccepted"=dword:00000001 FOR 00000000

 

 



#253 romeroalexis

romeroalexis

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 28 December 2017 - 04:04 PM

[HKEY_LOCAL_MACHINE\BCD00000000\Description]
"KeyName"="BCD00000000"
"System"=dword:00000001
"TreatAsSystem"=dword:00000001
"GuidCache"=hex:a7,3c,59,e9,82,24,cc,01,08,27,00,00,46,58,b0,c9,de,60,cc,89,00,\
  00,00,00
 

 

WINDOWS ? - 2008R2 ? WINDOWS 2012R2



#254 romeroalexis

romeroalexis

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 28 December 2017 - 04:06 PM

brcode2017@gmail.com
eucodes17@gmail.com
uscodes17@gmail.com
brcodes16@gmail.com
brcodes17@gmail.com

 

??????????????????????????????????????



#255 BEAURAIN

BEAURAIN

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 28 December 2017 - 04:25 PM

Hi Romeroalexis....it's eucodes17@gmail.com on Windows 7





