SmartK8

Member
  1. No problem. This is all I have gathered on that IP address so far. The IP address of the server (reconstructed from communication logs during the attack) is not confirmed.
     Attachment: Attackers.txt
     Regards, Kate
  2. I have recovered the IP address of the attacker (he missed deleting parts of a specialized event log), their group and their website, if it is of any use to someone. The new version of the decrypter works for me. I'm eternally grateful. Thanks and best regards, Kate
  3. After two days of layman analysis, I'm starting to think that the attacker brute forced my RDP (a port only recently opened), ran the program, erased the event logs (they start when the attack ended, according to my crudely established timeline), and securely deleted the program (nothing notable in disk recovery software). All those programs in the cleanup seem to be legitimate libraries (free make updater, Lavasoft libraries; SpyHunter looked shady, but it was installed afterwards and I removed it before using it) that were there at least on 2/25/2017 (long before the attack) and are OK according to VirusTotal. Definitely no signs of Crypton.exe or something obvious like that (not even in the past). I'm not sure what the modus operandi is for RDP attacks (obviously different from when a person is infected via an email attachment), but I hope it's not a new trend to erase the encryptor. Regards, Kate
  4. Hi, I found out that I ran AdwCleaner first (I'll post both logs) and then Malwarebytes (to be sure). Sorry for not being precise; I was scared/angry.
     Attachments: AdwCleaner[S0].txt, MalwareBytes.txt
     Regards, Kate
  5. Hi, I have been infected with (probably) CryptON (identified via ID Ransomware). Each file ends in locked_by_krec, is 16 bytes longer, and every folder contains How to decode your files.html. I turned off the RDP port on the router, cleaned the computer with Malwarebytes (quarantined everything), made a backup of important files and then tried to use the Emsisoft tool to decrypt them (on several pairs), but it doesn't work. The files really are encrypted (not just random noise) consistently: I've compared two identical files (in two different places) and they are identical when encrypted. Luckily I was able to use ShadowExplorer to restore most of the system disk, and the source repositories were untouched, as was my main virtual machine (it was probably too big to encrypt and fit on the disk). Unfortunately my backup was password protected, and even though I had multiple files with this password stored, all of them have been encrypted. So I can't use the backup (I was caught by surprise by ransomware).
     Attachments: FRST.txt, Addition.txt, scan_170312-134925.txt, JRT.txt, Document.txt, Document.txt.id-4044008089_locked_by_krec
     https://id-ransomware.malwarehunterteam.com/identify.php?case=5fc0a3ddc2e44e76e8899dab7846d9106ff24409
     Is there a possibility to help somehow to enhance the decryptor tool to work on my files as well? What more should I provide? Regards, Kate
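A small triage script, added here as an example and not code from the thread or from the decrypter's authors, that checks the indicators described in post 5 above: the `<name>.id-<digits>_locked_by_krec` naming, the ransom note in every folder, the 16-byte size increase over a surviving original, and byte-identical ciphertexts for identical files (which is what makes the "consistently encrypted" observation useful to a decrypter developer). The directory tree, the victim id taken from the attachment name, and the 16-byte stand-in "ciphertext" are constructed for the demo and are not CryptON's actual output.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Naming observed in the post: "<original>.id-<digits>_locked_by_krec"
LOCKED_RE = re.compile(r"^(?P<orig>.+)\.id-(?P<id>\d+)_locked_by_krec$")
NOTE_NAME = "How to decode your files.html"   # ransom note dropped in every folder
EXPECTED_OVERHEAD = 16                         # locked file is 16 bytes longer than the original

def triage(root: Path) -> dict:
    """Find locked files, check the size delta against surviving originals, list note folders."""
    locked, note_dirs, by_hash = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if NOTE_NAME in files:
            note_dirs.append(str(d))
        for name in files:
            m = LOCKED_RE.match(name)
            if not m:
                continue
            enc, orig = d / name, d / m.group("orig")
            delta = enc.stat().st_size - orig.stat().st_size if orig.exists() else None
            locked.append({"encrypted": str(enc), "victim_id": m.group("id"), "delta": delta})
            # group locked files by content hash: identical ciphertexts => deterministic encryption
            by_hash.setdefault(hashlib.sha256(enc.read_bytes()).hexdigest(), []).append(str(enc))
    return {
        "locked": locked,
        "note_dirs": sorted(note_dirs),
        "victim_ids": sorted({e["victim_id"] for e in locked}),
        "consistent_overhead": all(e["delta"] == EXPECTED_OVERHEAD for e in locked if e["delta"] is not None),
        "duplicate_ciphertexts": [paths for paths in by_hash.values() if len(paths) > 1],
    }

def build_sample(root: Path) -> None:
    """Constructed tree (not real ransomware output): same document in two folders, each with a stand-in locked copy."""
    plaintext = b"quarterly report, constructed sample content\n"
    stand_in = plaintext[::-1] + b"\x00" * EXPECTED_OVERHEAD   # placeholder bytes, not CryptON's cipher
    for folder in ("docs", "backup"):
        d = root / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "Document.txt").write_bytes(plaintext)
        (d / "Document.txt.id-4044008089_locked_by_krec").write_bytes(stand_in)
        (d / NOTE_NAME).write_text("<html>ransom note placeholder</html>")

def demo() -> dict:
    """Build the constructed sample in a temp dir and run triage over it."""
    root = Path(tempfile.mkdtemp())
    build_sample(root)
    return triage(root)
```

Run `demo()` (or `triage(Path("D:/"))` on a real tree) and hand the `victim_ids`, `consistent_overhead` and `duplicate_ciphertexts` fields, plus one original/locked pair, to whoever maintains the decrypter.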