B1n@ry.B4D said:
Old? This is not a Trojan.ArchiveLock.10 or a variant but the new version (2.0).
Just compare the behavior of the malware as described by Dr. Web and compare it to the behavior of variant 4 in my blog post. File names have changed, but those were changed regularly anyways. There are dozens of these variants that all do pretty much the same and just use different file names and locations. A small selection:
Files marked with AccdfisaCrypter are the actual crypto malware samples like the one you linked to. Samples marked as AccdfisaDropper are complete droppers/installers as used by the attacker once they got access to your system. Feel free to look up those hashes at VirusTotal yourself.
B1n@ry.B4D said:
The infection mechanism is similar but.
It's not similar, it's identical.
B1n@ry.B4D said:
1) there's no tool for keys decryption
There hasn't been a decryption tool since variant 3.
B1n@ry.B4D said:
2) no unlock code is available for the file recovery (at present)
And there won't be one in the future due to the way the malware operates. As Dr. Web and I already mentioned in our respective blog posts, the malware uses two passwords. The first is used for the initial encryption run on the system that is intended to encrypt all existing files. It consists of 50 randomly selected characters as well as some static pre- or postfixes. The random number generator is seeded with the system's tick count and the thread id of the thread doing the encryption. The second password is used for all files that are added later or weren't encrypted in the first run. This password is easy to generate as it is based on the boot drive's volume id. Unfortunately, the second password is not the password most victims are after, as the majority of their data is encrypted using the first one.
B1n@ry.B4D said:
3) there are many Servers unpatched worldwide: in Europe, the infection rate is high
There is no such thing as a patch. The attacker doesn't use some kind of exploit to get access to those machines. They rely on you having remote administration enabled and using a weak password and try to guess your password. Even an AV won't protect you because the attacker would simply allow the malware to run.
Sorry to disappoint you, but just because the attackers moved from attacking mostly US and Canadian users to attacking Europeans as well doesn't change the fact that this group has been active for over a year already without changing their tactics or malware much at all.
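The post above says access comes from password guessing against remote administration and that an AV will not stop what follows, so the place to catch this is at logon. An added example (not part of the original post or the author's blog) that flags a remote logon succeeding right after a burst of failures from the same source. Event IDs 4625/4624 and logon types 3/10 are the standard Windows Security log values; the threshold, the window and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624      # Windows Security log: failed / successful logon
REMOTE_TYPES = {3, 10}            # Network (RDP with NLA) and RemoteInteractive
THRESHOLD = 5                     # assumed: failures from one source that count as guessing
WINDOW = timedelta(minutes=10)    # assumed look-back window

# Constructed sample events: (time, event id, logon type, source IP, account).
EVENTS = (
    # burst of failures followed by a success from the same address
    [(f"2024-01-01T02:00:{s:02d}", FAILED, 10, "203.0.113.7", "administrator")
     for s in range(1, 7)]
    + [("2024-01-01T02:00:13", SUCCESS, 10, "203.0.113.7", "administrator"),
       # ordinary user mistyping a password once
       ("2024-01-01T08:30:00", FAILED, 10, "198.51.100.20", "alice"),
       ("2024-01-01T08:30:20", SUCCESS, 10, "198.51.100.20", "alice")]
    # failures that are too old to matter when the success arrives
    + [(f"2024-01-01T01:00:{s:02d}", FAILED, 3, "192.0.2.9", "admin")
       for s in range(5)]
    + [("2024-01-01T03:00:00", SUCCESS, 3, "192.0.2.9", "admin")]
)

def guessed_logons(events, threshold=THRESHOLD, window=WINDOW):
    """Return (source, account, time) for each remote logon that succeeded
    after at least `threshold` failures from the same source within `window`."""
    failures = defaultdict(list)   # source IP -> timestamps of recent failures
    hits = []
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type not in REMOTE_TYPES:
            continue               # local/console logons are out of scope here
        when = datetime.fromisoformat(ts)
        # drop failures that have aged out of the look-back window
        recent = [t for t in failures[src] if when - t <= window]
        failures[src] = recent
        if event_id == FAILED:
            recent.append(when)
        elif event_id == SUCCESS and len(recent) >= threshold:
            hits.append((src, account, ts))
            failures[src] = []     # start counting afresh after an alert
    return hits

if __name__ == "__main__":
    for src, account, ts in guessed_logons(EVENTS):
        print(f"{ts} remote logon as {account} from {src} after repeated failures")
```

A hit means the account's password was most likely guessed, so the response is to disable that logon and rotate the credential rather than wait for an AV detection.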