Sergey, 2013-12-08 20:55:49

Another reincarnation of the ransomware virus

A friend asked me for help. He has a Windows Server 2003 box running a terminal server with 1C on it, and one of the users brought a file-encrypting trojan onto it.
The antivirus installed is Eset 4. At some point it apparently came to its senses and cleaned the malware, but the DBF files (and some others) remained encrypted; the extension .dalexf.11111@yandex.ru was appended to each encrypted file. Obviously that is the extortionist's mailbox.
I have tried the decryptors from Eset (ESETFilecoderQCleaner) and Kaspersky (RectorDecryptor and XoristDecryptor), to no avail.
Has anyone else come across this variant? Searching for the mailbox address turns up nothing; the file "HOW TO DECRYPTION FILES.txt" contains an unfinished text:

Attention! All your files are encrypted!
To restore your files and get access to them,
send an SMS with the text XXXX to YYYY
You have N attempts to enter the code. If this number is exceeded,
all data will be irreversibly damaged.
Be careful when entering the code!

CureIt found nothing at all.

3 answers
Max Maximov, 2013-12-09

Unfortunately, you won't find anything. I wouldn't like to advise you to pay, but sometimes there is no other way out. We faced a similar problem, except that in our case it was the file server that got infected. We recovered the data from users' machines.
NOD's support didn't help us at all.
Many people buy the decryptor and send it to the antivirus vendors, who then write a decryptor based on its algorithm for everyone else. But that rarely helps.
P.S. "People are divided into two categories: those who don't make backups yet, and those who ALREADY do."

zar0ku1, 2013-12-10

Yesterday I struggled with a similar infection and successfully cleaned it up and decrypted everything.
First you need to determine the specific version of the virus, then find the right key.

PunisherDSM, 2013-12-10

I downloaded the tool mentioned above. But when it starts, it complains about the pass! file, then creates many copies of the document with the K-XXX prefix. And it says that a possible key is 401.
I tried creating files named pass, pass!, and pass.txt and writing 401 in them. Nothing changes: it still complains about pass and creates a pile of files.
Please explain how to use the utility, and whether it is possible to decrypt several files at once rather than one by one.
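Two practical questions run through the replies above: how to tell which files are still encrypted (zar0ku1's "determine the version, then find the key"), and how to tell which of the many K-XXX trial copies a key-guessing tool produces is the one decrypted with the right key (PunisherDSM's post). The script below is an added example written for this thread; it is not code from the original posts or from any of the Eset, Kaspersky or Dr.Web tools mentioned. It assumes the ransomware appended the string .dalexf.11111@yandex.ru verbatim after the original file name, that the files of interest are dBASE/FoxPro tables (the standard 32-byte DBF header layout is used for the plausibility check), and that a 4 KiB sample with Shannon entropy at or above 7.5 bits per byte is ciphertext. The sample DBF and the random-looking "ciphertext" at the bottom are constructed inline so the script runs offline.

```python
import math
import random
from collections import Counter
from pathlib import Path
from typing import Optional

# Assumption: the string the post says was appended to each encrypted file is
# appended verbatim after the original name, e.g. "clients.dbf.dalexf.11111@yandex.ru".
RANSOM_SUFFIX = ".dalexf.11111@yandex.ru"

# First byte of a dBASE/FoxPro table (version/flags), from the published
# dBASE III/IV and Visual FoxPro header layouts.
DBF_VERSION_BYTES = {0x02, 0x03, 0x30, 0x31, 0x32, 0x43, 0x63,
                     0x83, 0x8B, 0x8E, 0xCB, 0xF5, 0xFB}

# Assumed cut-off: entropy (bits per byte) of a 4 KiB sample at or above this
# is treated as ciphertext or compressed data rather than a plaintext table.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_dbf(data: bytes) -> bool:
    """Cheap plausibility check of a dBASE header: known version byte, a sane
    last-update month/day, header length >= 32 + one field descriptor + terminator,
    and a non-zero record length."""
    if len(data) < 32:
        return False
    version, _year, month, day = data[0], data[1], data[2], data[3]
    header_len = int.from_bytes(data[8:10], "little")
    record_len = int.from_bytes(data[10:12], "little")
    return (version in DBF_VERSION_BYTES
            and 1 <= month <= 12 and 1 <= day <= 31
            and header_len >= 33 and record_len >= 1)


def original_name(name: str) -> Optional[str]:
    """Strip the ransomware suffix; None if the name does not carry it."""
    if name.endswith(RANSOM_SUFFIX) and len(name) > len(RANSOM_SUFFIX):
        return name[: -len(RANSOM_SUFFIX)]
    return None


def classify(name: str, data: bytes) -> dict:
    """Per-file verdict from the first SAMPLE_BYTES: high entropy means the content
    is still ciphertext (or the output of a wrong key); a sane header means a table."""
    head = data[:SAMPLE_BYTES]
    ent = shannon_entropy(head)
    return {
        "name": name,
        "original": original_name(name),
        "entropy": round(ent, 2),
        "dbf_header_ok": looks_like_dbf(head),
        "still_encrypted": ent >= ENTROPY_THRESHOLD,
    }


def pick_decrypted(candidates: dict[str, bytes]) -> list[str]:
    """Given the K-XXX trial outputs of a key-guessing tool, return the names whose
    content parses as a DBF table, lowest entropy first. A wrong key yields bytes
    as random-looking as the ciphertext, so only the right key passes the check."""
    good = [(shannon_entropy(d[:SAMPLE_BYTES]), n) for n, d in candidates.items()
            if looks_like_dbf(d)]
    return [n for _, n in sorted(good)]


def triage(root: str) -> list[dict]:
    """Inventory every file under root that still carries the ransomware suffix."""
    return [classify(p.name, p.read_bytes())
            for p in sorted(Path(root).rglob("*" + RANSOM_SUFFIX)) if p.is_file()]


# ---- constructed sample data (not real files from the incident) ----

def make_sample_dbf() -> bytes:
    """Minimal dBASE III table: one 10-char field NAME, two records, dated 2013-12-08."""
    header = (bytes([0x03, 113, 12, 8]) + (2).to_bytes(4, "little")
              + (65).to_bytes(2, "little") + (11).to_bytes(2, "little") + bytes(20))
    field = b"NAME".ljust(11, b"\x00") + b"C" + bytes(4) + bytes([10, 0]) + bytes(14)
    records = b" " + b"ALPHA".ljust(10) + b" " + b"BETA".ljust(10)
    return header + field + b"\x0D" + records + b"\x1A"


def make_sample_ciphertext(seed: int = 7) -> bytes:
    """Deterministic random-looking bytes standing in for an encrypted file."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    Path(root, "clients.dbf" + RANSOM_SUFFIX).write_bytes(make_sample_ciphertext())
    Path(root, "clients.dbf").write_bytes(make_sample_dbf())  # an already-restored copy
    for verdict in triage(root):
        print(verdict)
    print(pick_decrypted({"K-400": make_sample_ciphertext(1), "K-401": make_sample_dbf()}))
```

Run it against the share root instead of the temp directory to get a list of every file still carrying the suffix, with its original name and whether its content still looks encrypted. The header check is deliberately loose (it does not validate field descriptors), but it is enough to separate a real decryption from the pile of wrong-key copies, which is the part the tool in the last post leaves to the user. Files that were not DBF tables need an equivalent magic-byte check for their own format; entropy alone cannot distinguish a wrong key from a compressed original.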

