19 Replies. Latest reply on Jul 5, 2013 8:55 AM by Hayton

    Anti porn child spam protection 2.0 - ransomware - ACCDFISA

Hi, I'm Aaron. I have a Windows 2003 server that has been infected by this malware.

Fortunately, I was able to disinfect it, but now I have 80GB of encrypted files (AES-256).

The original files were compressed and then deleted with SDelete.

Now they are renamed like "Nuevo Documento de texto.txt(!! to get password email id 1546298610 to spainsecfs-at-gmail.com !!).exe"

Email address modified - Hayton

I still have the C:\programdata and the C:\062201163xx folders.

I have contacted the guys from Dr. Web but I am still waiting for an answer.

Does anyone have any solution? Something.... I have been trying for a few days.

Thank you very much. Sorry for my poor English.

       

       

       

Warning! Access to your computer is limited. Your files have been encrypted.

Have you already seen that your files are encrypted and your desktop locked?

Please don't panic, send us angry emails or try to scare us by saying you will complain to the police, FBI or others - this is useless.

Please read these instructions carefully, then you will get answers to most of your questions.

We don't answer questions which were already answered in these instructions. Do not waste our time and yours.

Stupid questions like - "I have a backup and need only 1-2 files and can pay you only 500, 1000, 1500 USD etc., we have a small business, this amount is too high" - will be ignored.

Have a backup - restore your files from it.

We know that in most cases this is a lie, you have no backups and are just trying to trick us to get a discount and pay a lower amount.

Our minimum price for your files is 4000 USD. We don't give passwords for free or for 500, 1000, 1500 USD etc. We know that you have money.

Information for persons who believe that professionals can decrypt files:

**** Now only WE can get you the true password to decrypt all your files.

You can write to Dr.Web, Eset, Panda and other antivirus, security or data restore companies, but now this is useless. This "Anti-Child Porn Spam Protection - 2.0 version" you have is from 22.03.2013 - more than 3 months have passed and no one has helped to get the password or decrypt files. Yes, we know there was a vulnerability to generate the password in the previous version using our software folder names, which were generated using the same pseudorandom generator which generated the passwords.

Now no generator is used to generate folder names. Also the password is generated using both a pseudorandom generator plus a cryptographically safe pseudorandom generator.

If you will not pay us, forget about your files forever. The password generation vulnerability is fixed and we use rar AES archives with a very strong password, and this is unreal to crack. If you don't believe it, read forums about rar - there is only one way to crack it - use brute force, but this is only in theory, because brute-forcing passwords like those used by us would need trillions of years even if you used all the computers in the world.

Maybe you think that you can find the password on your server? No, the password is copied by us and securely deleted. Source files are also securely deleted - data restore software will not help you.

Of course you don't believe our words, so read forums or ask cryptologists. Now files encrypted using our software (winrar + very strong password using the new right and safe generation method) are locked forever, no one will help you, all talk like - "We can't help now but we will write to you if we find a method to generate the password" etc. is ********. If it was possible to get the password and decrypt, it would already have been done, but more than 3 months have passed and no results. They just do not want to recognize their full rout.

Also you can read on the bleepingcomputer.com forum about a multi-round sha-1 degradation method which was used to generate the password in the previous version; this is a ******** post to deceive us, we already know the true vulnerability and have successfully fixed it.

P.S.  Our software is not like other encryptors which usually get cracked and files decrypted within 1-2 weeks. Don't try to use decrypt tools for other encryptors, it is really ******** to believe that this will help. Our software is unique and now called: "Anti-Child Porn Spam Protection - 2.0 version from 22.03.2013"; the previous version was called simply "Anti-Child Porn Spam Protection".

Other info about why you are locked, our guarantees about decrypting your files after payment, about payment and other info you can read below, just scroll down.

Latest Updates (lessons learned, bugs fixed).

You have Antichild Spam Porn Protection 2.0 from 22.03.2013. What's new?

1. Now we have 2 randomly generated cryptographically safe passwords, unlike the previous version where there was a chance to generate the passwords in certain circumstances. Now generating the password is impossible in all cases.

2. Now files are encrypted using 2 randomly generated cryptographically safe passwords from 80 to 114 characters long, unlike one 55-character password and a non-cryptographically-safe pseudorandom number generator in the previous version.

Now the passwords look like this:

      First password: 9DF19AB897351C2A0A0FE18A6A73722EDM66BSAl3jBe2a3K8L275j34525b3&E=4RDP4-9y8Q1j3zD a9G9u3bD04t4dFuEO7M2%4zFT
      ( 104 characters long)

      Second password: 6B1783B4656C5433B430F2CC28070B4E6^1HDq9JEV1+9L0SFr9(6aDu3rF8Cg6X7gC3F#D07LAxFgA D7&9G1%6S4k4YFzEm7^2g4PF*C%9y2T92
      (112 characters long)

      **** Now only WE can get you the true password to decrypt all your files.

You will read in these instructions about:

1. Why?

2. Our Guarantees

3. General Info

4. About Payment

5. How to get your data back

6. How the decrypt process works

1. Why?

We have detected spam advertising illegal sites with child pornography from your computer.
This contradicts the law and harms other network users, and in this case we have to take the next steps:

1. Block access to your desktop.

2. Encrypt your files using the Advanced Encryption Standard and a 256-symbol randomly generated password and delete the source files using DOD 5220.22-M.
(DOD 5220.22-M is the Department of Defense clearing and sanitizing standard - You can't recover your files - NEVER).

3. Send this randomly generated password to our secure server and delete this password from your computer. (you can't get this password - NEVER)

This password is unique for each computer and stored on our secure server (and then erased from this server and sent to us) and in each encrypted file.

**** Warning! Don't delete any of our software config files, because it can start the encrypt process again and we can't guarantee that we will decrypt all your files! In this case you may lose part of your files forever. If you don't know what to do - better do nothing. ****

2. Our Guarantees

You can send us one encrypted file (jpg or bmp or other picture, not a document or any file important to you) and as soon as we decrypt it we will send it back to you, and that will prove that we are able to decrypt them all. Please don't send us important data like databases etc. to decrypt, because if we decrypt it and send it to you - you will pay us 0$.

We have decrypted database files for some people and after this they did not pay us any money.
After you pay us, sure we give you the passwords and decrypt tool and of course you can decrypt all your files including database files.

To send a file to us better use sendspace.com (just upload it and send us the link) because gmail can block any .exe extensions.

Our guarantee is your decrypted file.

So we don't need to lock your files forever, we just need money for our work.

Also send us your ID number.

3. General Info

You will need to buy some ecurrency (equal to 4000 USD) in some internet payment system. 4000 USD is the minimum price and cannot be less, no discounts even if you need only 1 file. When we get payment we will send you the passwords and decryption tool to unlock all your files.

You can send files or your computer to any experts or antivirus companies, recovery companies, but you will just lose your time, money and nerves.

You can go to the police or FBI or other departments - but this will not help you, we have been working for about 12 months and no one can trace us, because we are working using a chain of servers in different countries and using only offshore ecurrency internet payment systems as the payment method (we will not accept Western Union or bank transfer directly to us, because this is not secure for us) and withdrawing money using anonymous offshore bank accounts and ATM cards belonging to other people.

4. About Payment

You will need to buy some ecurrency (equal to 4000 USD) in some internet payment system. We will not accept Western Union or bank transfer directly to us, because this is not secure for us. Contact us and we will give you payment instructions.

5. How to get your data back

You have already seen files like, for example, database.mdb(!! to decrypt email id 1111111 to ouremail-at-gmail.com !!).exe

Email address modified - Hayton
This is an AES archive, protected with a password of about 256 symbols, that contains your file.

You just need the password to decrypt it and get your original file out of this archive.

How the encrypt process works:

1. For example database.mdb is a source file which will be encrypted to database.mdb(!! to decrypt email id 1111111 to ouremail-at-gmail.com !!).exe

Email address modified - Hayton

2. Then the original file database.mdb is securely deleted from your disk drive using sector overwriting.

3. The original file database.mdb is now in an AES password-protected archive.

It is impossible to crack an archive with a password like this (this is NOT a simple 6-8 symbol password; it has trillions of combinations to brute force and would take millions of years to brute).

These passwords are unique and randomly generated for each computer.

We also take care to securely delete the password from your system, having of course copied the password to our database beforehand.

After payment (and once again, ONLY after payment) we will give you the passwords and decrypt tool, so you will not need to decrypt each file manually. Just run it on your server and your files will be decrypted on all disk drives.

6. How the decrypt process works

1. You put the 2 passwords given by us into the decrypt tool and start it.

2. Our decrypt tool scans your disk drives for files like database.mdb(!! to decrypt email id 1111111 to ouremail-at-gmail.com !!).exe

3. It decrypts files like database.mdb(!! to get password email id 1111111 to ouremail-at-gmail.com !!).exe, so you get the unencrypted original file database.mdb

4. It deletes database.mdb(!! to get password email id 1111111 to ouremail-at-gmail.com !!).exe after decrypting, because you will not need that file any more; you will have your original source file database.mdb

Email addresses modified - Hayton

Also we will give you the desktop unlock code and you can run the decrypt tool.

Thank You.

Your ID number and our contacts (please write down this data):

      Your Id #:  1546298610   Our special service email: spainsecfs-at-gmail.com

      Email address modified - Hayton

       

       

      Message was edited by: Hayton : changed email addresses to be non-clickable; slightly modified subject header. on 26/06/13 22:48:21 IST
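The rename pattern and the WinRAR/SFX mechanism described in the note above suggest a first triage step that does not depend on any vendor: inventory the containers, recover the original file names and the attacker's id and contact address, and confirm which renamed files really are RAR self-extracting archives, all without ever running a container. The following is an added example written for this page, not code from the thread, from Dr.Web, or from the malware authors. It assumes the naming pattern quoted in the post (with "to get password" as the variant the OP saw), that each container is a WinRAR SFX (an MZ executable carrying a RAR stream), and uses constructed file names and bytes.

```python
"""Inventory ACCDFISA-style ransom containers without running them.

Added example, not code from the original thread or from any vendor tool.
Assumptions: the rename pattern quoted in the post,
    <original name>(!! to decrypt email id <ID> to <address> !!).exe
with "to get password" as a v2 variant of the middle phrase, and that each
container is a WinRAR self-extracting archive (an MZ executable with a RAR
stream inside). File names and bytes below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

RENAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\(!! to (?:decrypt|get password) email id (?P<id>\d+) to (?P<email>[^\s!]+) !!\)"
    r"\.exe$"
)

# Archive signatures: RAR 4.x (what WinRAR of that era emitted) and RAR5.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def parse_ransom_name(name: str) -> Optional[Dict[str, str]]:
    """Split a renamed file into original name, victim id and contact address."""
    m = RENAME_RE.match(name)
    return m.groupdict() if m else None


def looks_like_rar_sfx(data: bytes) -> bool:
    """True when the bytes are a PE/MZ stub with a RAR archive appended.

    Only the bytes are inspected; the container is never executed. An SFX
    stub can carry anything, so treat the .exe as hostile and hand the RAR
    stream to an archiver only once the password is actually known.
    """
    return data[:2] == b"MZ" and (RAR4_MAGIC in data or RAR5_MAGIC in data)


def triage(entries: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Summarise a directory listing given as (file name, leading bytes) pairs."""
    summary = {"renamed": 0, "confirmed_sfx": 0, "not_sfx": [],
               "ids": set(), "emails": set(), "originals": []}
    for name, head in entries:
        info = parse_ransom_name(name)
        if info is None:
            continue                          # untouched file, nothing to do
        summary["renamed"] += 1
        summary["ids"].add(info["id"])
        summary["emails"].add(info["email"])
        summary["originals"].append(info["original"])
        if looks_like_rar_sfx(head):
            summary["confirmed_sfx"] += 1
        else:
            summary["not_sfx"].append(name)   # renamed but not a RAR SFX: look closer
    summary["ids"] = sorted(summary["ids"])
    summary["emails"] = sorted(summary["emails"])
    return summary


# Constructed sample: a fake SFX head (MZ stub padding + RAR4 signature), one
# renamed file that is not an archive at all, and one untouched file.
SAMPLE_SFX = (b"MZ" + b"\x90" * 62
              + b"This program cannot be run in DOS mode."
              + RAR4_MAGIC + b"\x00" * 16)
SAMPLE_ENTRIES = [
    ("database.mdb(!! to decrypt email id 1111111 to ouremail-at-gmail.com !!).exe", SAMPLE_SFX),
    ("Nuevo Documento de texto.txt(!! to get password email id 1111111 to ouremail-at-gmail.com !!).exe",
     b"not an archive"),
    ("readme.txt", b"plain text"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ENTRIES))
```

Run it against a listing built with `os.walk`, reading only the first few kilobytes of each file for the signature check. Files that match the rename pattern but are not RAR SFX containers deserve a closer look before anything else, and the recovered victim id and address are what a vendor such as Dr.Web will ask for.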
• 1. Re: Anti porn child spam protection 2.0 - ransomware - accdfisa
          exbrit

At the first sign of any trouble such as this you should immediately power off without touching any keys or mouse buttons, as the slightest action starts the process. Then boot to Safe Mode and start System Restore.

That may not have been an option in your case anyway.

It's too late for that now though, so best to ask DrWeb for help as per this thread at BleepingComputer: http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/page-13#entry3001838

           

          Message was edited by: Ex_Brit on 26/06/13 1:10:21 EDT PM
          • 2. Re: Anti porn child spam protection 2.0 - ransomware - accdfisa
            Hayton

            System Restore won't recover the encrypted files. Plus, this is a server running Windows Server 2003. Do they even have System Restore?

             

            The information in the first post - not a screenshot, I note - shows that this is Version 2, but I know of at least two variants. Someone was unwise enough to post a description of how to extract the password you need from data in one of the files, and the authors promptly changed the program so that method no longer works.

             

The only antivirus company I know of who are able to decrypt those files is Dr. Web, although Panda were having some success earlier (latest reports say their method no longer works, although I can't confirm if that is the case). You would think that McAfee would take an interest, as this version seems to be specifically targeting servers and so hitting their main customer base, but I haven't found anything yet on the McAfee site about this.

             

            There are posts in the forums of all the major AV companies requesting help to recover from this malware. There are a lot of these to work through, and it will take some time, but if I find any reliable information on a recovery tool I'll post here to let you know.

             

            In the meantime your best hope is Dr Web.

             

The most extensive and useful series of posts so far have been the multiple threads and articles on BleepingComputer. For anyone else seeking assistance please note that the information given in http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program and the removal methods provided there are for Version 1 of ACCDFISA, and no longer work for version 2.

             

            I am keeping note of any useful information or suggestions from users' posts elsewhere. One of the points often made is that this infection is often a result of running RDP on Port 3389, so if you must have RDP running on the server try selecting a port other than the default. And many users asking for help are saying that weak passwords were a contributing factor.

             

            Here are some quotes from posts elsewhere. The third one makes a very important point - there is probably other malware installed on the server, and you may have had data files exfiltrated.

             

            I advise people not to post any specific information publicly about Dr Web's methods or files required, we don't want to help any malware authors see how their password is being recovered

             

            ... you should save your server RDP-access logs, ask your provider for RDP-access logs and report to the Police.

             

I suggest that you also, if possible, set up a temporary file server and reinstall the primary. There is absolutely no way to know what else this person may have installed while they were connected. It is important to remember that they had full remote access to your server and could have made numerous configuration changes or installed other software. Unless you feel comfortable with your audit, I would strongly suggest you reinstall the hacked server.

             

            Message was edited by: Hayton on 26/06/13 20:17:11 IST - Jive error during text insertion -

             

            Message was edited by: Hayton on 26/06/13 20:20:24 IST
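Hayton's point about RDP exposed on port 3389 with weak passwords, together with the quoted advice to save the server's RDP access logs, translates into one concrete check that can be done before the server is rebuilt: look in the Security log for bursts of failed Terminal Services logons from one address, and especially for a successful logon from that same address right after the burst. The following is an added example written for this page, not code from the thread or from any vendor. It assumes the Security log has been exported as CSV with the columns time,event_id,logon_type,user,source_ip (the column layout is the example's own), uses the Windows Server 2003 event IDs 529 (logon failure) and 528 (successful logon) with 4625/4624 accepted for Server 2008 and later, treats logon type 10 as RDP, and the log lines are constructed.

```python
"""Spot RDP brute-force bursts in an exported Windows Security log.

Added example for this page, not code from the thread or from any vendor.
Assumptions: the Security log has been exported as CSV with the columns
time,event_id,logon_type,user,source_ip (a layout chosen for the example);
event IDs are the Windows Server 2003 ones (529 = logon failure, bad user
name or password; 528 = successful logon), with 4625/4624 accepted for
Server 2008 and later; logon type 10 is RemoteInteractive, i.e. Terminal
Services/RDP. The log lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON = {"529", "4625"}
SUCCESS_LOGON = {"528", "4624"}
RDP_LOGON_TYPE = "10"

# Constructed sample: a six-attempt burst from one address that ends in a
# success, one network (type 3) failure that must be ignored, and one
# isolated RDP failure from another address.
SAMPLE_LOG = """\
2013-06-20 02:14:05,529,10,administrator,203.0.113.45
2013-06-20 02:14:07,529,10,administrator,203.0.113.45
2013-06-20 02:14:09,529,10,admin,203.0.113.45
2013-06-20 02:14:11,529,10,admin,203.0.113.45
2013-06-20 02:14:13,529,10,administrator,203.0.113.45
2013-06-20 02:14:15,529,10,administrator,203.0.113.45
2013-06-20 02:14:20,529,3,backup,203.0.113.45
2013-06-20 02:16:30,528,10,administrator,203.0.113.45
2013-06-20 09:00:00,529,10,aaron,198.51.100.7
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn the CSV export into dicts with a parsed timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "event_id": event_id, "logon_type": logon_type,
                     "user": user, "source_ip": ip})
    return rows


def find_bursts(rows, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Per source IP that reached the threshold: RDP failures in the densest
    window, account names tried, and whether a successful RDP logon from
    that IP followed the burst."""
    recent = defaultdict(deque)       # ip -> timestamps of recent RDP failures
    users = defaultdict(set)          # ip -> account names tried over RDP
    bursts: Dict[str, Dict[str, object]] = {}
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["logon_type"] != RDP_LOGON_TYPE:
            continue                  # only Terminal Services logons matter here
        ip = r["source_ip"]
        if r["event_id"] in FAILED_LOGON:
            q = recent[ip]
            q.append(r["time"])
            users[ip].add(r["user"])
            while q and r["time"] - q[0] > window:
                q.popleft()           # slide the window forward
            if len(q) >= threshold:
                b = bursts.setdefault(ip, {"max_failures_in_window": 0,
                                           "burst_end": None,
                                           "success_after_burst": False})
                b["max_failures_in_window"] = max(b["max_failures_in_window"], len(q))
                b["burst_end"] = r["time"]
        elif r["event_id"] in SUCCESS_LOGON and ip in bursts:
            # A success from an address that was just guessing is the
            # strongest sign the account really was brute-forced.
            if r["time"] >= bursts[ip]["burst_end"]:
                bursts[ip]["success_after_burst"] = True
    for ip, b in bursts.items():
        b["users_tried"] = sorted(users[ip])
    return bursts


if __name__ == "__main__":
    for ip, b in find_bursts(parse_log(SAMPLE_LOG)).items():
        print(ip, b)
```

The address that produced the burst and then logged on is the one to hand to the provider and the police along with the saved logs; the list of account names tried shows which passwords need changing everywhere they were reused. Adapt `parse_log` to whatever export format you actually have, and keep a copy of the original log files before the server is rebuilt.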
            • 3. Re: Anti porn child spam protection 2.0 - ransomware - accdfisa
              exbrit

Yes, I realised that it was Server after I posted, sorry about that. The link I gave indirectly pointed to Dr Web anyway. Hope something here helps. Thanks Hayton for clarifying things.

              • 4. Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA
                Hayton

                Not good news about Dr. Web - I thought this would happen sooner or later. They have been providing a public service to all who needed it, and doing it for free. Well, not any more. What this means is they're going to pick up a lot of new customers. Conversely, all the other anti-virus companies, including McAfee, are going to lose customers - a point I made some time ago. No-one in McAfee seemed to be interested in helping customers who had this type of malware infection; perhaps now they might change their minds.

                 

                http://news.drweb.com/?i=3628&c=9&lng=en&p=0

                 

                File decryption available to Dr.Web users only

                June 19, 2013


                Doctor Web has announced that, beginning June 19, its free service to restore files encrypted with malware from the Encoder Trojan family is available only to users of Dr.Web products. This is due to the huge number of encoder Trojan-related requests that have overloaded the company's anti-virus laboratory and technical support service.


                Doctor Web's technical support service has received as many as 2,800 decryption requests in the last three months, which means that it was processing roughly 30 Trojan.Encoder requests daily. The vast majority of users whose systems have been compromised do not use an anti-virus at all or rely on popular free anti-virus applications, thus the number of encoder infections is growing as is the number of requests.

                 

                To draw attention to its reliable and proven anti-viruses and to provide high-quality and timely support to its own clients first and foremost, Doctor Web has decided to provide the free decryption service only to registered users of Dr.Web.

                 

                 

                Message was edited by: Hayton on 26/06/13 22:36:05 IST
                • 5. Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA
                  exbrit

                  I guess the question now is, how good are their regular products?

                  • 6. Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA
                    Hayton

                    Dr Web are pretty good in certain areas. They concentrate - or have done, until now - on threats prevalent in Russia and eastern Europe. How they rate against the big players I have no idea. The more important question is, where can people go now to get rid of this type of infection and get their encrypted files back if Dr Web won't do it for free? McAfee could pick up an awful lot of brownie points by spending a little money in this area and providing that service. Will they do it? Probably not.

                     

                    This ransomware isn't exactly new, by the way. I put a note of it in the Security Awareness Moderators section back in March, under 'New Ransomware variants'. That was of course for Version 1; I didn't pick up on the updated version. I got a lead from Help Net Security - see http://www.net-security.org/malware_news.php?id=2439

                     

And here's another one: deletes backups, encrypts files then deletes the originals. As of 14 March the ransomware was being reported from France and Spain but, since the language of the ransom message is English, it will probably become more widespread soon.

                     

                    This program uses the archiver WinRAR to encrypt files. To spread the malware, criminals mount a brute force attack via the RDP protocol on target machines. Once connected to the attacked PC, cybercriminals launch the Trojan. After gaining control, Trojan.ArchiveLock.20 copies the encryption application to one of the system folders.

                     

                    Trojan.ArchiveLock.20 then creates a list of files to be encrypted, empties the Recycle Bin, and deletes all backups stored on the computer. The Trojan uses the console version of WinRAR to place files on the compiled list into password-protected, self-extracting archives and employs a special utility to delete original files, after which they simply can't be restored.

                     

                    Message was edited by: Hayton on 27/06/13 02:04:27 IST
                    • 7. Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA
                      exbrit

Well wherever they go, they should be very careful in future. No antivirus is going to stop all of these things, ever, and people have to realise that and act accordingly. So it's pointless to lay blame on any antivirus, as so many people do. I got one of these things popping up once and once only, and I immediately powered off without touching anything but the main power switch. After a System Restore started in Safe Mode, all was OK, and I have several different security applications supposedly protecting me.

                      • 8. Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

                        Thank you very much to all.

Now I will proceed to register with Dr. Web so that they will look at my case.

I will let you know the news....
