Btcware Ransomware Support Topic (.btcware #_HOW_TO_FIX_!.hta READ ME.txt)


380 replies to this topic

#376 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 49,089 posts
  • Gender:Male
  • Location:Virginia, USA

Posted Yesterday, 02:45 PM

I replied the first time you asked. See my previous posting.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#377 Anton_789
  • Members
  • 4 posts

Posted Today, 12:56 AM

Hi, after Xorist ransomware last month (luckily we've fully recovered), now we were hit by Aleta. The most important programs were backed up. But 3 users lost 2 months of documents.

I uploaded the original and decrypted file here: https://www.sendspace.com/file/6rfroi

After reading about Aleta, I don't much believe that recovery is possible.

(Sorry for poor English)



#378 BenGray
  • Members
  • 4 posts

Posted Today, 01:29 AM

> Hi, after Xorist ransomware last month (luckily we've fully recovered), now we were hit by Aleta. The most important programs were backed up. But 3 users lost 2 months of documents.
>
> I uploaded the original and decrypted file here: https://www.sendspace.com/file/6rfroi
>
> After reading about Aleta, I don't much believe that recovery is possible.
>
> (Sorry for poor English)

Hi Anton, I just had to pay; even then I have spent a week repairing files with extra bytes in them.

Aleta hit us through RDP; check you don't have that enabled to the internet.



#379 Anton_789
  • Members
  • 4 posts

Posted Today, 01:46 AM

And was the key sent? I think Aleta hit us through RDP too. There were 3 new accounts (for example: Tlsc6l, PR6xkl). The system (2008 R2) was heavily damaged by Aleta, so I reinstalled the system on a new disk. Our users work through RDP, so I can't disable it.


Edited by Anton_789, Today, 01:52 AM.


#380 BenGray
  • Members
  • 4 posts

Posted Today, 01:59 AM

> And was the key sent? I think Aleta hit us through RDP too. There were 3 new accounts (for example: Tlsc6l, PR6xkl). The system (2008 R2) was heavily damaged by Aleta, so I reinstalled the system on a new disk. Our users work through RDP, so I can't disable it.

Yes, it was, though it was very expensive at 2 Bitcoin. The weakness we had was that an external software company had created an accounts user with the same password and gave it admin rights; not impressed by them at all. You could block RDP to the internet if they are working externally and set up a VPN.

It got our main online backup as well, and our offline one has not proved much good as they have lost some of the tapes. There have been 4 written warnings issued to staff so far over behaviour: the virus intake was traced to a user, and the others have lost tapes. Sadly the person who gave the authorisation to create the accounts user no longer works for us. I run the IT from a different country, which makes it even harder; there is a lot of trust involved.

I recommend ESET server antivirus; that did a good cleanup job. They disabled the other one. All the standard files have been openable; I have had a problem with Pegasus Opera files, as the decrypt program left a few extra characters.
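Anton_789's three unexpected accounts (#379) and BenGray's vendor-created admin account (#380) point at the same detection: a user account created shortly after a remote-desktop logon from an internet address. The script below is an added example, not code from either poster or from any product named in the thread. It runs that check over a constructed, simplified export of Windows Security events: event 4624 with logon type 10 is a RemoteInteractive (RDP) logon, and event 4720 records the creation of a user account. The CSV layout, the actor names, the timestamps and the IP addresses are assumptions (203.0.113.0/24 is the RFC 5737 documentation range standing in for a real internet address); only the account names Tlsc6l and PR6xkl are taken from the thread.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed, simplified export of Security-log events (not a real log from
# the thread). Columns: time, event_id, actor (the account that logged on, or
# that performed the creation), target (the account that was created),
# logon_type, source_ip. Actor names, times and addresses are assumptions.
SAMPLE_EVENTS = """\
time,event_id,actor,target,logon_type,source_ip
2017-07-20T01:02:11,4624,accounts,-,10,203.0.113.45
2017-07-20T01:04:30,4720,accounts,Tlsc6l,-,-
2017-07-20T01:05:02,4720,accounts,PR6xkl,-,-
2017-07-20T08:30:00,4624,alice,-,10,192.168.1.20
2017-07-20T08:31:10,4720,alice,newhire,-,-
2017-07-20T09:00:00,4624,bob,-,2,-
2017-07-20T09:01:00,4720,bob,svc_backup,-,-
"""

# Address ranges treated as "inside": RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True for a parseable address that is not in any internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or a blank field in the export
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def find_suspicious_account_creations(events, window=timedelta(hours=1)):
    """Return (created_account, creator, source_ip) for every 4720 whose creator
    had an RDP logon (4624, logon type 10) from an external address at most
    `window` before the creation."""
    rdp_logons = [e for e in events
                  if e["event_id"] == "4624" and e["logon_type"] == "10"]
    hits = []
    for ev in events:
        if ev["event_id"] != "4720":
            continue
        for logon in rdp_logons:
            age = ev["time"] - logon["time"]
            if (logon["actor"] == ev["actor"]
                    and timedelta(0) <= age <= window
                    and is_external(logon["source_ip"])):
                hits.append((ev["target"], ev["actor"], logon["source_ip"]))
                break
    return hits


if __name__ == "__main__":
    for account, creator, ip in find_suspicious_account_creations(parse_events(SAMPLE_EVENTS)):
        print(f"account {account} created by {creator} after RDP logon from {ip}")
```

The local logon by alice and the interactive (type 2) logon by bob are not flagged, which is the point of keying on both the logon type and the source address: a creation that follows an RDP session from outside the network is the pattern both posters describe, and it is cheap to alert on even on a 2008 R2 host with default auditing.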



#381 Demonslay335
  • Ransomware Hunter
  • Security Colleague
  • 3,096 posts
  • Gender:Male
  • Location:USA

Posted Today, 11:51 AM

There is no excuse for having RDP open to the world in 2017. It needs to be put behind VPN. If you don't have a firewall that supports VPN tunnels, then it isn't a good enough one to protect your business in the first place.

 

No antivirus in the world will do squat if someone literally has control of your system. Once they are in, they can just turn off anything like you would.

Unfortunately, the extra bytes are a bug of the malware's encryption routine, not specifically of their decrypter. It's the same padding bug as .master, and there's nothing that can be done in an automated way unless you know each format very well (most don't have specifications for the end of files, really). Usually most programs won't care, but some proprietary software might have issues.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
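Demonslay335's point that the extra bytes can only be stripped automatically for formats whose end is specified is illustrated by the added Python example below. It is not the decrypter's code and not anything posted in the thread. It trims trailing bytes after the last structural end marker of three formats that do define one: PNG (the IEND chunk), PDF (the %%EOF line, optionally followed by one end-of-line) and ZIP (the end-of-central-directory record plus its comment). Anything without such a marker, such as the Pegasus Opera files BenGray mentions, is returned as unrecognised, because there is no safe way to tell padding from data. The sample files and the junk bytes are constructed inline; nothing about the real malware's padding is assumed beyond it sitting at the end of the file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# A PNG ends with an empty IEND chunk: 4-byte length 0, type "IEND", CRC of "IEND".
PNG_IEND = b"\x00\x00\x00\x00IEND" + struct.pack(">I", zlib.crc32(b"IEND") & 0xFFFFFFFF)


def _png_end(data):
    if not data.startswith(PNG_SIG):
        return None
    idx = data.rfind(PNG_IEND)
    return None if idx < 0 else idx + len(PNG_IEND)


def _pdf_end(data):
    if not data.startswith(b"%PDF-"):
        return None
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return None
    end = idx + len(b"%%EOF")
    # The spec allows one end-of-line marker after %%EOF; keep it if present.
    for eol in (b"\r\n", b"\n", b"\r"):
        if data[end:end + len(eol)] == eol:
            return end + len(eol)
    return end


def _zip_end(data):
    # End-of-central-directory record: "PK\x05\x06", 16 fixed bytes, a 2-byte
    # comment length, then the comment itself. Anything past that is not ZIP.
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0 or len(data) < idx + 22:
        return None
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]
    end = idx + 22 + comment_len
    return end if end <= len(data) else None


DETECTORS = {"png": _png_end, "pdf": _pdf_end, "zip": _zip_end}


def trim_trailing_bytes(data):
    """Return (format, trimmed_data, bytes_removed), or None if the format has
    no recognised end marker and therefore cannot be trimmed safely."""
    for fmt, find_end in DETECTORS.items():
        end = find_end(data)
        if end is not None:
            return fmt, data[:end], len(data) - end
    return None


# Constructed samples (not files from the thread): a 1x1 PNG, a minimal PDF,
# an empty ZIP with a comment, each followed below by 13 junk bytes.
def _png_chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _png_chunk(b"IEND", b""))
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SAMPLE_ZIP = b"PK\x05\x06" + b"\x00" * 16 + struct.pack("<H", 3) + b"abc"
JUNK = b"\x00\x1f\x7e\x41" + b"\x00" * 9   # constructed trailing garbage


if __name__ == "__main__":
    for name, sample in (("png", SAMPLE_PNG), ("pdf", SAMPLE_PDF), ("zip", SAMPLE_ZIP)):
        fmt, fixed, removed = trim_trailing_bytes(sample + JUNK)
        print(f"{name}: removed {removed} bytes, intact={fixed == sample}")
    print("unknown format:", trim_trailing_bytes(b"OPERA" + JUNK))
```

Each detector searches backwards from the end of the file for the last marker, so it tolerates any amount of appended garbage but never cuts into data before the marker. Extending it to another format means writing one more end-finder from that format's specification; for a proprietary format with no published trailer there is nothing to key on, which is exactly why the files Demonslay335 describes cannot be repaired generically.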




