Everything posted by willaien

  1. That, unfortunately, jives with my own findings. It's frustrating, but what I expected. Thanks for your time.
  2. Also, small file with known plaintext. I see something that looks like a signature at the end of each file. A sequence at the bottom of each file that's exactly the same. Also, IV is reused for each file - the same file was hit more than once and ciphertext is exactly the same. Whatever encryption is being used appears to be in block chaining mode, though. (Otherwise I'd use a two-pad attack and be done with it) robots.txt [email protected]!!
  3. The password for the zip file is "DoNotExecute". The RFC1053.txt is, as far as I know, the actual RFC1053 svchost.zip [email protected]!!
  4. So, a small business I work for was hit with a variant of FenixLocker. RDP was bruteforced and the attacker copied a payload "svchost.exe" to a folder, executed it and left. It found our fileshares and went to town. As soon as we realized the culprit, we shut down the server in question and are in the process of rebuilding it. RDP has been disabled and we're working on scanning the network. Don't really need help there, more interested in the encrypted files at this point. So, here's the thing: we don't want to pay the ransom, so I've been doing some research. It appears that this variant isn't capable of being decrypted with the decryption tool provided. Observed differences: 1) Appended email address is [email protected] instead of [email protected] 2) Help to decrypt.txt email address changed. Aside from that, the "observable" behavior is the same as reported for FenixLocker. I can provide sample encrypted files and the executable upon request.
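The three observations from posts 2 and 4 above (the same file hit twice yields identical ciphertext, every file ends with the same trailing sequence, and the cipher appears to chain blocks) can be checked mechanically over a set of samples. The script below is an added triage example, not code from willaien's posts or from any decryptor; the sample bytes and the FOOTER marker are constructed stand-ins, not real FenixLocker output.

```python
import hashlib

# Constructed stand-ins, not real ransomware output: a fixed 32-byte trailer
# plays the role of the "signature at the end of each file" from the post.
FOOTER = b"CONSTRUCTED-FOOTER-MARKER-012345"
SAMPLES = {
    "robots.txt.hit1": bytes(range(64)) + FOOTER,   # same file, first hit
    "robots.txt.hit2": bytes(range(64)) + FOOTER,   # same file, second hit
    "robots.txt.old": bytes(range(16)) + bytes(range(200, 248)) + FOOTER,
    "notes.docx": bytes(range(64, 128)) + FOOTER,
}

def common_suffix(blobs):
    """Longest byte string every blob ends with (candidate footer/marker)."""
    if not blobs:
        return b""
    shortest = min(blobs, key=len)
    best = b""
    for n in range(1, len(shortest) + 1):
        tail = shortest[-n:]
        if not all(b.endswith(tail) for b in blobs):
            break
        best = tail
    return best

def duplicate_groups(samples):
    """Files whose ciphertext is byte-for-byte identical: the same plaintext
    giving the same output on a second run means IV and key did not change."""
    by_hash = {}
    for name, data in samples.items():
        by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)

def shared_first_blocks(samples, block_size=16):
    """Files sharing their first cipher block: under CBC with a fixed IV, equal
    first plaintext blocks leak here even when the rest of the file differs."""
    by_block = {}
    for name, data in samples.items():
        by_block.setdefault(data[:block_size], []).append(name)
    return sorted(sorted(g) for g in by_block.values() if len(g) > 1)

def triage(samples, footer_min=8):
    """Summarise the three checks; trailers shorter than footer_min are ignored."""
    footer = common_suffix(list(samples.values()))
    return {
        "duplicates": duplicate_groups(samples),
        "shared_first_block": shared_first_blocks(samples),
        "footer": footer if len(footer) >= footer_min else b"",
    }
```

Run `triage(SAMPLES)` on real samples by replacing the dictionary with files read in binary mode; a non-empty footer and non-empty duplicate groups reproduce the two findings from the post.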