ACCDFISA – RansomWare


Well, we have now had our first run-in with Ransomware.  We received a call from a client stating that they were having issues accessing a remote application server. Sure enough, we were unable to access the remote application server through the VPN connection.  Once on site, I was greeted with a screen stating that the server had been used to access illegal content on the internet and was shut down by the ACCDFISA, an acronym for the Anti Cyber Crime Department of Federal Internet Security Agency. The screen gave instructions for unlocking the system by paying $100 using Moneypak, Paysafecard, or Ukash.  This looked to be a standard scamware application so I decided to attempt removal.

Hmm, nothing I could do would get me around this screen. Pressing CTRL-ALT-DEL would bring up the menu allowing me to choose Task Manager, but nothing would show up. I shut down the server and was able to see Task Manager running in the background as the malicious application shut down. The application relaunched after the reboot, so I decided to restart into Safe Mode.

I was able to start the system in Safe Mode with Command Prompt only. I was now able to start an analysis of the system. My first task was to export the system log files for review on a different PC. Next, I began tracking down how the ransomware was loading. I found it in one of the remote users’ appdata folders. I now knew who was logged on (or so I thought) when the application was downloaded. At this point, I created a backup of the files that I felt were causing the issues. I also found 1433 files that had been encrypted with an AES algorithm. Uh oh, not good!

Files from c:\programdata\local\ —  (hidden)

  • aescryptor.exe
  • svchost.exe
  • undxkpwvlk.dll
  • vpkswnhisp.dll

Files from c:\decrypt — (hidden)

  • decrypt.exe

File downloaded from remote website

  • sys100s.exe (the SYS100s.exe ransomware installer)


File from user desktop

  • “how to decrypt aes files.lnk”  points to c:\decrypt\decrypt.exe

I also found that the IP address had been changed to a 172.x.x.x address and default gateway was removed.

I launched the registry editor and found all references to the above files. The process loading the ransomware is the svchost.exe that was created in the user profile folder. Renaming the files remedied the issue with the application loading. However, nothing I could do would let me change the IP address. It’s at this point that I decided to test out the decrypt.exe file. When launched, I received the following screen where I could put in the “purchased” recovery key had I decided to give in to the ransom. This wasn’t going to happen, as you’re not guaranteed that you’ll receive your code!

ACCDFISA Ransomware Screen

I decided to reload the server, but I still wanted to know “how did this load?” I knew the username that the application was loaded from, so I started by looking through the user’s IE history. There it was, a single entry in the history to an .exe on a webserver somewhere. Unfortunately, I didn’t write this URL down. I found the file in the internet cache and was able to make a copy. Nice! Now, why did she go to this….. Oh no. I realized at this point that her account had to have been compromised. I began digging through the security log on the server and there it was, right there. There was a logon entry for the user just two minutes before the AES encryption began. The next log entry provided what I feared!! The successful logon was from the IP address 178.178.3.169, or wimax-client.yota.ru!! The account had been compromised. The password was complex and was something that could not have been acquired through a dictionary attack. Furthermore, there were NO failed logon attempts from this account in the event logs. Someone was able to get the password and get it right the first time!!!

I notified the IT support for this employee’s home office and the computer was put offline for analysis.  I’m putting my chips on the guess that there is a key logging Trojan on this employee’s PC.

Now, back to the server.  I decided to reload the server as it only hosts two applications for remote users.  The AES encrypted files were random files on the server that the compromised user account had rights to.  Everything was easily recoverable once the system was reloaded. We spent four hours on the reload and made changes to the firewall so that the published applications were accessible to specific addresses only.

What can you do with the AES files?  Well, I’m gonna say that there’s nothing you can do without the encryption key. Hopefully, you have a good backup!
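The check that identified the compromised account above (and that Joe repeats in the comments: find the logon right before the modified time of the .aes files) can be scripted. This is an added example, not code from the original post; the event records, the user name, the file timestamps and the expected address ranges are constructed sample data, with only the address 178.178.3.169 taken from the post.

```python
"""Correlate successful logons with the start of a .aes file burst.

Added example (not from the original post). It reconstructs the manual
security-log check from the post: take the earliest modified time of the
renamed .aes files as the moment encryption began, find the most recent
successful logon before it, and flag that logon when its source address is
outside the ranges the business expects. All records below are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

FMT = "%Y-%m-%d %H:%M:%S"

# Ranges from which interactive logons are expected (assumption for the example).
EXPECTED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: successful logons with the fields a 4624 event carries.
# Logon type 10 is RemoteInteractive (RDP), the path the post suspects.
LOGONS = [
    {"time": "2012-02-20 02:10:00", "user": "jsmith", "src": "192.168.1.50", "type": 10},
    {"time": "2012-02-20 03:03:00", "user": "jsmith", "src": "178.178.3.169", "type": 10},
    {"time": "2012-02-20 08:30:00", "user": "admin", "src": "10.0.0.7", "type": 2},
]

# Constructed sample: modified times of files renamed with the .aes extension.
AES_FILE_TIMES = ["2012-02-20 03:05:00", "2012-02-20 03:05:40", "2012-02-20 03:06:10"]


def encryption_onset(file_times: List[str]) -> datetime:
    """Earliest .aes modified time: the moment encryption began."""
    return min(datetime.strptime(t, FMT) for t in file_times)


def logon_before(onset: datetime, logons: List[Dict], window_minutes: int = 15) -> Optional[Dict]:
    """Most recent successful logon inside the window that ends at the onset."""
    window = timedelta(minutes=window_minutes)
    candidates = []
    for ev in logons:
        t = datetime.strptime(ev["time"], FMT)
        if onset - window <= t <= onset:
            candidates.append((t, ev))
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


def is_unexpected_source(src: str) -> bool:
    """True when the logon came from outside every expected range."""
    addr = ip_address(src)
    return not any(addr in net for net in EXPECTED_SOURCES)


def assess(logons: List[Dict] = LOGONS, file_times: List[str] = AES_FILE_TIMES) -> Dict:
    """Summarise the logon that most plausibly preceded the encryption."""
    onset = encryption_onset(file_times)
    ev = logon_before(onset, logons)
    if ev is None:
        return {"onset": onset.strftime(FMT), "suspect": None}
    lead = int((onset - datetime.strptime(ev["time"], FMT)).total_seconds() // 60)
    return {
        "onset": onset.strftime(FMT),
        "suspect": ev["user"],
        "source": ev["src"],
        "minutes_before_onset": lead,
        "external_source": is_unexpected_source(ev["src"]),
        "rdp": ev["type"] == 10,
    }


if __name__ == "__main__":
    print(assess())
```

On a real server the logon list would come from the Security log (event 4624) and the timestamps from the files named in the ransomware's file list.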


UPDATE:

It looks like it’s now being detected by F-Secure, BitDefender, and GData as Gen:Trojan.Heur.TP.bqW@b4F!vWj.  Symantec is detecting it as Suspicious.Cloud.5!!

UPDATE 2/23/2012 – 8:13PM

Microsoft is now detecting it (Microsoft Malware Protection Center).

Screen being detected by Microsoft


42 Responses to “ACCDFISA – RansomWare”

  1. Larry Fountain says:

    I had a terminal server 2008 get hit this morning as well around 3am. I’ve never seen malware this malicious and tenacious. We’re going to have to rebuild the server as well as removal has so far been impossible.

    • Joe P. says:

      Larry, were you able to review the security logs and identify a logon? Try booting to safe-mode command prompt and searching for the file sys100s.exe. It will be in one of the users’ temporary internet file folders. That will ID the user account used. Then dig in the security logs and find a logon right before the modified time of the AES files. As for removing: I don’t think it’s possible without the key to process the decrypting routine…

      • Richard says:

        Guys,

        We had the same problem, since yesterday. We were able to stop it from running and even got the key extracted out of a .data file in the ProgramData\Local folder. There are a few lines of plain text at the beginning that have a short and a longer number. These work for the decryption file. Don’t get your hopes up though. All it does is DELETE all the .AES files. You can undelete them, but they are still encrypted. This thing deleted all our SQL and Exchange databases as well as all our Backup Exec backups that were on an external hard drive attached to the server.

        • Joe P. says:

          Richard,

          That’s kinda what I figured would happen if the “ransom” was paid. Fortunately, and I use that word loosely, the only problem so far was that the client was unable to access the two applications for a day.

          Be sure to update us if you’re able to find out anymore.
          Thanks!

  2. Larry Fountain says:

    Joe, that file was searched for but not found. What was found of interest, however, was in the security event log, the IP 178.178.19.91 is where the attack was coming from and it was always using the local admin account. Not sure how they learned this password as nobody ever logs into this server as local admin. A couple of techs are still digging for more clues. One thinks he may have successfully cleaned it. I’m still waiting to hear for sure, and if so, how.

    • Joe P. says:

      That IP address belongs to the same ISP, yota.ru. I’m waiting on the tech to look at the user PC whose account was used to logon. I do believe there will be a keylogger on that PC. It’s the only PC that she accesses the system from.

      I was able to clean the infection but could not decrypt the files… Let me know what you find out!

  3. Chuck M. says:

    Did it affect the shadow copy files on the 2008 server? I haven’t hit this yet, but I’m sure it’ll be coming.

  4. Joe P. says:

    Chuck, I had the shadow copies disabled so I’m unable to answer. I’m setting up a VM with Win7 to test. I’ll let you know! 🙂

  5. Adam T. says:

    hello guys! I Had same crap 3 days ago. I was able to take off screen lock by myself but then i found out that almost all my files are encrypted and i decide to pay $300. I was not sure that i get any codes but i had no choice. My business and system were down for 5 hours. In 1 hour after i sent moneypak code i receive codes for encrypted files and after paste codes in fields it start decrypting files and everything back to normal.
    Here are codes for decrypting i received, try them to decrypt files maybe its gonna be work for you guys too :

    First Passcode: Nope – Not Here buddy
    Second Passcode: Nope – Not Here buddy

    • Joe P. says:

      Adam T or Adam R, really? You’re telling me that it worked for you when all other accounts (including a VM setup to test) resulted in the files being deleted and not decrypted???? You sound like you were taken to the cleaners. All others were charged $100US or 100EU..

      • Adam T. says:

        That $100 they ask for screen unlock (i took it off by myself) but for decrypted files they charged me $300 as punishment for screen unlock and for all i paid $300. After decrypting AES files nothing delete on my server. I think you buddy not right about this or you tried to delete that by yourself and as a result it damages your files. I’m not happy about this too but $300 save my files and business as well.
        Nope – No codes here
        Nope – No codes here.

        • Adam T. says:

          Here are codes for decrypting files i received:
          Nope
          And Nope again.

          • Adam T. says:

            to moderator:
            Why you don’t want me help people with this codes?
            I bought that codes and and everything back to normal on my server.
            I give it for free and i would be happy if its help for somebody else.

            What we see here? all advice here how to decrypt files its right way to DAMAGE all files instead SAVE THEM!!!!!!!!!!!!!!!!!!!!!

          • Joe P. says:

            Adam??? It’s because I don’t trust the codes you’re posting nor the information you’ve given? Your IP address has changed in short periods of time as if you’re using multiple hosts to post here. Also, your English is questionable. It closely matches the language from the ransomware. Furthermore, the code referenced in the application changes between infected hosts so why would the decryption key “provided” to you work on others? You wanna prove that you’re indeed sincere in your posts, then provide a little more information about your situation.

      • Adam T. says:

        Ok. I just wanted to help. I’m Indian nationality and of course my English
        is not perfect as yours but not about this and please don’t tell that *@%# that i work for ransomware team!!! The same i can tell about you that you work for them and do not want me help people with codes !!! Have great time and i wish you guys to solve that problem soon.

        P.S. My i.p address is changing coz i driving and stop sometimes to check
        Facebook , witter and your blog at open WiFi spots …

  6. JSnell says:

    I had this same virus, starting Monday 4:20am. No one was in the office and I find no log history of the file being downloaded…

    I had to do the same steps mentioned in primary post. Kasp, AVG would not detect the virus, Malware Bytes did but there is still residual somewhere…

    I can lose the 172.xxx.xxx.xxx IP via clearing IP tables… switching to DHCP getting a new address, and doing a ROUTE DELETE 0.0.0.0

    I was able to surf the internet again… Many of our files were encrypted with AES extensions and every reboot would go back to 172.xxx IP…

    I am in the process of performing a wipe and reload of this server 2008 also…

    We have a SonicWall Firewall and MS Firewall was up, using AVG Server AV. This virus blew past all of that and infected the system… Truly the worst virus I have seen in 17yrs of IT…

    JSnell

    • Joe P. says:

      I submitted the virus to Microsoft Security Labs around 9:00. Around 1 this morning, I received confirmation of malicious content (I guess I knew this). Security essentials will detect it with the pre-release definitions. I’ll be resubmitting it tonight to find out how many AV vendors are detecting it now.

      Did you check your shadow copies? I’m interested in knowing if it removed them. Did you have RDP open through your firewall?

      I’m 100% positive the virus was installed using a compromised account. Internet Explorer was launched and downloaded the file just 1 minute before it was installed and the user disconnected. I did notice that the server still had access to network devices on the local LAN even though the IP appeared to be hosed. I’m wondering if there was a back door left open so the attacker could monitor access??? There was some attempted access stopped by the firewall’s IPS services from the IP that the attacker connected from.

  7. Adam T. says:

    to moderator:
    Why you don’t want me help people with this codes?
    I bought that codes and and everything back to normal on my server.
    I give it for free and i would be happy if its help for somebody else.

    What we see here? all advice here how to decrypt files its right way to DAMAGE all files instead SAVE THEM!!!!!!!!!!!!!!!!!!!!!

  8. Channing Thomas says:

    This one got us, too. We are running a Windows 2003 Terminal Server. Fortunately/Unfortunately it’s actually a Virtual Machine running under VSphere Infrastructure. I’ve spent 10 hours on this. I mounted the instance as a hard disk to another Virtual machine only to discover that all the files are AES encrypted… I’m trying to salvage what I can for the users, unfortunately, we only had 5 days of previous rotating backups and since the Terminal Server users were on vacation.. No one realized it until all of our backups were infected. I’m reinstalling a new Term Server 2008 VM and hoping that this exploit is patched.

  9. Adam P. says:

    The fact of the matter is that no legitimate government agency would provide an on-board disclaimer for infraction and compliance payment. Adam T.’s efforts are obviously fruitless and additionally malicious.

  10. Channing Thomas says:

    I think we all need to seriously brace ourselves because this hit us from completely under the radar. The Adam guy seems sketchy to me as well.

    • Joe P. says:

      Yeah, he’s posted the codes at bleepingcomputer.com and I’m seriously surprised that the moderator hasn’t removed them. What’s humorous to me is that he copied the exact text that he posted here to the forums there instead of submitting a new story.

      As for how this happened: The account that was compromised had an 11-digit password with four complexities. It makes me wonder if there’s a zero day in Microsoft’s RDP protocol. So far, only servers have been hit. Were you able to pull log files?

      • Channing Thomas says:

        I was able to pull partial log files. Definitely a zero day exploit. So many of the log files are infected and/or AES encrypted that I’m somewhat afraid to continue checking logs and try executing any of the files. We just put in so much research that changing direction and installing a new TS 2008 Instance under Infrastructure will be more cost effective for us at this point. This has cost me so many hours…. There are AES decryption programs out there, but most are for PDF’s. Thank God we had backups to pull from. As well defended as we were, this somehow got past everything.

        • Joe P. says:

          Channing, This is the reason backups are so important. I’m glad you were able to recover. I’m still hoping to have someone confirm if the shadow copies are functional.

  11. Timothy says:

    After spending many hours trying to tear apart this virus infection over the past few days, and with much help from this post, I believe that I have finally found a way to defeat this RansomWare infection. Please follow-up and comment if the below codes work for you.

    First off, in order to bypass the screen that states something about “the server had been used to access illegal content on the internet and was shut down by the ACCDFISA”, try entering the following code: ——

    Next, there will be an abundance of files that have been encrypted by the virus program. All of these files will end in “.aes”. However, these files are not encrypted with AES, they are just encrypted RAR directories. Any RAR extractor that supports passwords will be able to extract these files. The password that we found and used to extract these files was: —

    Finally, one method of stopping the virus processes from running is to change the permissions on the folder C:\ProgramData\local (hidden) and remove all users except for System. Then deny all access for System. This should prevent the services from properly running, which in turn should prevent the initial splash screen from loading.

    I will try to post more as I organize the information that we have collected on this infections. Joe P., I would be happy to provide you with all the information that I have discovered if you would be interested in adding it to the original post. If the numbers above do not work for you, then that means that there is a chance that these codes are dynamically created for each system that is infected. If this this does turn out to be the case, I believe that I can provide a procedure for determining these codes on each individual system. I hope that all of this information is helpful!

    • Joe P. says:

      Timothy, where did you come about the first code??

      • Timothy says:

        I’ll soon be posting what I have learned about this virus so far so stay tuned! It should include methods for disabling the virus and decrypting files that have been encrypted. Thanks Joe for the opportunity to get this information out there!

        • Marcin Wisniowski says:

          Dear Timothy,

          I pray to whatever entity that has the power and will to aid you in discovering a cure for this gruesome digital disease.

          A client of mine has been hit with this malady and she is losing hair every minute because of it. The information that has been encrypted on her computer is of absolute importance. Additionally, this information is essential to complete a law-required monthly report due by the end of February.

          The backups are useless as they are encrypted as well.

          Desperate, she asked me to pay the ransom and I did. Still waiting for a response. My blood boiled when I read that the decryption codes actually delete the files…please do not be so.

          If then there is any help that you can provide, please be gracious and deliver us from this evil.

          • Timothy says:

            I’m in the process of writing the tutorial now. Chances are that it will need some smoothing out as I get user feedback, but it should definitely help from the get-go. Joe will be giving me permissions to post soon.

  12. Joe,

    Thanks for sharing this blog post at BleepingComputer.com. One of our mods has closed that topic and I have posted to read this blog post before doing anything else regarding the infection.

    For anyone who has been infected and still has the samples, I would greatly appreciate it if you can submit them to me for analysis. I have two users at BC who state they need help regarding this infection. I am unsure if they are part of a sock-puppet campaign, but want to be sure.

    You can submit them here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=3

    I will be happy to post what I discover or confirm back to this post.

    • Joe P. says:

      Hey Lawrence,

      I’ll send you the samples this evening. I still have the installer and will submit. Timothy has made some good headway on the infection. Please keep up posted.

  13. JSnell says:

    I have made some detailed posts on this over at Bleeping computer. I was able to get rid of the virus, but have not been able to get past the AES ‘encryption’. I also found that the affected files are password protected via WinRar… but I have no idea what the PWs would be… I see Timothy’s ‘codes’ have been deleted.

    I would like to try one of the PWs you have Tim, I have archived these files on a thumbdrive and would like to see if I can extract them.

    Please PM me on Bleeping computer, your PWs you have to try.

    I will post any confirms or failures on both Bleeping and here…

    JSnell

  14. […] NOTE: It would be really useful to take a look at the previous post by Joe P. regarding this RansomWare infection here: http://blog.nfocustech.com/2012/02/accdfisa-ransomware/ […]

  15. […] make sure you don’t pay for it and remove this ransomware without any delay. According to this post, malware might be distributed manually at the moment, by hackers infecting machines […]

  16. JSnell says:

    I received a PM from Timothy and used the password he provided to unlock the ZIP files. THEY WORKED FLAWLESSLY.

    I was able to retrieve the compressed data, (in this case a clients backed up data) and lost only one days worth of info.

    I don’t know who Timothy is, but he saved my clients @$$… I can personally attest to this PW working.

    As for the full virus removal, I have not tested his walkthrough as I had already been able to manually remove the virus. The only residual we have is the leftover .AES files and the IP Address still reverting back to 172.xxx…

    I dont care cuz we wiped the server clean this weekend and rebuilt it.

    I am not a shill, or a fake, I own an IT Consulting company in Spokane WA and was brought into this client cuz the previous IT Company couldn’t even figure out how to get past the initial Splash Screen.

    Timothy, thank you for your work. I owe you more than a cup of coffee, but would be cool to just hear how in the hell you found that PW?

    JSnell
    http://www.prioritynetworking.net

  17. Mattb says:

    Hi, I got this ugly ransomware on a 2k3 server this morning. Mine seems to be a little different than what’s shown here. The wording is slightly different and the button on the bottom says Send Password which is a little different. I cannot make the splash screen go away. I have tried everything including booting to miniXP, but the files under program data are not there. Can anyone help??? Thanks in advance.

  18. I was contacted today about another version of this software. I tried using the 1a2vn57b348741t92451sst0a391ba72 password as before and, indeed, it did not work. How did one find this password? Is it in the executable somewhere? Unfortunately, I don’t have the executable to examine.

  19. Alex says:

    We had a variant infection as well. Here are our findings so far:

    This virus has its lock program under “c:\security lock”. Using a boot CD (running Mini XP) I removed the registry setting (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost) that was running the svchost.exe file in that folder and also renamed it. After that the server was able to boot. I then reconfigured the NIC back to its original settings and restored network access.

    I also found another folder “c:\decrypt lock”. It has two files, decrypt.exe and decryptedfilelist.list. Open the latter in Notepad and you see every file that has been locked out via the above method. Those files are indeed password protected zip files it seems, but the password in the blog doesn’t work. I am needing this password as well. How can it be obtained? Next it’d be good to run a script against the list of encrypted files and have them “decrypted”.

    I also saw a process called aes256crypter.exe running in task manager. Could not kill the process, but was able to find the executable in C:\ProgramData\mssupport I believe. I renamed it as well and it stopped running.

    Lastly, I saw the undxkpwvlk.dll and a batch file that changes the NIC IPs in c:\programdata\systemfiles which I renamed as well for now…

  20. Troy says:

    As Alex stated above, we ran into the very same problem yesterday. (Server 2003SBS)

    RDC was open and the password was hacked. It started per the Event Viewer on Sunday night with attempts to multiple logins and it found one.

    We were able to get into msconfig before it started and kill it out along with dumping the process. We then deleted the decrypt.exe and changed the NIC setting back to what was needed. The problem now is that we cannot get the files unlocked. We used 7-Zip but the two passwords we were given have not worked.
    We too tried the password 1a2vn57b348741t92451sst0a391ba72 with no success.

    And not only did it change DOC, Excel, and PDF, but it also changed the Exchange database files. So that too is now down.

    Thus far the only way we were able to get to any of the data that we had to was to right click on properties, then restore previous version using a workstation with Windows XP on it. That worked for a few docs and the QuickBooks files. But not all docs and not for the exchange database but it was a start!

    We deleted the decrypt.exe from c:\programData also. It skipped the recycle bin also. We don’t have any way to find the password at this time.

  21. […] P. of nFocus Technologies explained in his blog post that he was instructed to pay $100 via Moneypak, Paysafecard or Ukash in order to unlock the files […]
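Several commenters in the thread (Timothy, JSnell, Alex, Troy) found that the .aes files were password-protected archives rather than AES ciphertext, which changes what recovery is even possible. The following triage check is an added example, not code from the post or from any commenter: it classifies a file from its first bytes instead of trusting the extension, and the sample file contents are constructed inline.

```python
"""Classify ransomware-renamed files by header, not by extension.

Added example, not from the original post or its comments. The .aes files
described in the thread turned out to be password-protected archives; this
check reads the first bytes of each file and reports an archive type when a
signature is present, or flags data that looks like genuine ciphertext.
The sample contents below are constructed stand-ins for real .aes files.
"""
import math
from typing import Dict

# Archive signatures a renamed archive still carries at offset 0.
SIGNATURES = {
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"Rar!\x1a\x07\x00": "rar4",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def zip_entry_encrypted(header: bytes) -> bool:
    """ZIP local file header: flag word at offset 6, bit 0 set = encrypted entry."""
    return len(header) >= 8 and (header[6] & 0x01) == 1


def classify(header: bytes) -> str:
    """Name the container when a signature matches, else judge the byte distribution."""
    for magic, name in SIGNATURES.items():
        if header.startswith(magic):
            if name == "zip" and zip_entry_encrypted(header):
                return "zip-password-protected"
            return name
    # No recognisable header: real ciphertext is close to uniformly random.
    if shannon_entropy(header[:4096]) > 7.5:
        return "opaque-high-entropy"
    return "unknown"


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each (file name, leading bytes) pair."""
    return {name: classify(data) for name, data in samples.items()}


# Constructed samples: the leading bytes a victim might read from renamed files.
SAMPLES = {
    "report.doc.aes": b"Rar!\x1a\x07\x00" + b"\x00" * 64,
    "ledger.xls.aes": b"PK\x03\x04\x14\x00\x01\x00",  # flags 0x0001 = encrypted entry
    "db.edb.aes": bytes(range(256)) * 16,              # every value 16 times: entropy 8.0
    "notes.txt.aes": b"hello world " * 100,
}

if __name__ == "__main__":
    for name, kind in triage(SAMPLES).items():
        print(f"{name}: {kind}")
```

A file that reports an archive type can be opened with an ordinary extractor once the password is known; one that reports high entropy with no header cannot, which is the case the post's closing advice (restore from backup) covers.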
