milopware

Member
  • Content Count: 9
  • Joined
  • Last visited

Community Reputation: 0 Neutral

About milopware
  • Rank: New Member
  1. milopware

    [email protected] ransomware attack

    Oh dear, it says: Dharma (.cezar Family) This ransomware has no known way of decrypting data at this time. So it's a good job we had some really good backups, as we have recovered pretty much back to full capacity! We are currently using RDP, but I think we need to look at alternative ways to get remote users connected. I'm told VPN is the way to go with this, but what is the best software to use?
  2. Hi, you guys were really helpful to me before when one of my clients' servers was attacked by Zenis and we were able to recover all data with the help you gave... I have another client who has experienced a ransomware attack; this time the ransom note is from [email protected]. We are in a good position, as we stopped the attack before it was able to do too much damage (although it still has caused us a massive cleanup operation) and also we have some very good backups in place, so we were able to recover everything, but of course it is still costing my client some uncomfortable down time... First question is, does anyone know anything about this ransomware? Secondly, because we have 'before & after' files, would this be of use to you? Also, I think we identified how the attacker was able to get access etc. and we still have the account that was used intact, in case there may be useful information on there.
  3. milopware

    Identifying Ransomware

    It seems my server is under attack again. I have installed Malwarebytes and it picked up the attack before it happened; not sure what the attacker's intentions were, as data is still encrypted from the last attack... I have isolated some more files / folders. It seems the attacker has created 2 user 'profiles' in the Documents & Settings directory, one called sysyem (not a typo) and the other called support. The 'support' profile has WindowsHelpPanel.exe in the Desktop folder & in the My Documents / Downloads folder. Also found:

    C:\WINDOWS\WindowsHelpServices folder containing install.vbs / setup.bat & Winhost.exe
    C:\WINDOWS\winhosts folder containing install.vbs / setup.bat / windriver.exe & winhost.exe
    C:\windows folder contains PanelH.exe / HelpPane.exe / nssm.exe / install.vbs / start.vbs / setup.bat / start.bat

    Also there is an auto start service installed which is called WindowsHelpServices (Microsoft Windows Glossary Help Service), which runs C:\WINDOWS\WindowsHelpServices\Winhost.exe. Are any of these helpful to you to assist in getting a fix / decryption of files?

    Also, Antivirus found these files too:

    18/03/2018 10:20:21 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HideFileExt GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:21 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe SuperHidden GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:21 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe ShowSuperHidden GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:21 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Hidden GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:21 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe NoRun GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:21 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe NoFolderOptions GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:21 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe NoControlPanel GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HideFileExt GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe SuperHidden GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe ShowSuperHidden GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Hidden GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe NoRun GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe NoFolderOptions GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe NoControlPanel GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe DisableTaskMgr GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe DisableRegistryTools GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot|AlternateShell GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe AlternateShell GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HKEY_USERS\S-1-5-21-1596741894-1545071027-4100810151-1139\Software\Microsoft\Internet Explorer\Main|Start Page GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Start Page GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HKLM\Software\Microsoft\Internet Explorer\Main|Start Page GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Start Page GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Type GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe ValueName GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Type GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe ValueName GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Type GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe ValueName GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\STUB.EXE GenericRXDX-TG!24179320AFD8 (Trojan)
    18/03/2018 10:20:22 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe C:\windows\stub.exe GenericRXDX-TG!24179320AFD8 (Trojan)
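The antivirus log in this post is the kind of material a responder sorts before deciding what to clean. As an added example (not from the original thread), a Python triage script over a few constructed lines in the same layout as the quoted log; it separates the registry lock-out values (HideFileExt, SafeBoot AlternateShell and the like, which only restrict the user) from browser start-page changes and dropped executables, so that noise is not mistaken for the encryptor itself.

```python
import re
from collections import Counter
# Constructed sample lines in the layout of the AV log quoted in the post (not the full log).
SAMPLE_LOG = r"""
18/03/2018 10:20:21 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HideFileExt GenericRXDX-TG!24179320AFD8 (Trojan)
18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot|AlternateShell GenericRXDX-TG!24179320AFD8 (Trojan)
18/03/2018 10:20:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HKLM\Software\Microsoft\Internet Explorer\Main|Start Page GenericRXDX-TG!24179320AFD8 (Trojan)
18/03/2018 10:20:22 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\STUB.EXE GenericRXDX-TG!24179320AFD8 (Trojan)
05/03/2018 17:36:22 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe C:\Windows\Temp\gxdrv.exe RDN/PWS-Banker (Trojan)
"""
# Fields: date time action user process target detection (type). "NT AUTHORITY\SYSTEM"
# holds a space and targets like "Start Page" do too, so target is matched lazily.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>Cleaned|Deleted) (?P<user>NT AUTHORITY\\\S+|\S+) "
    r"(?P<process>\S+) (?P<target>.+?) (?P<detection>\S+) \((?P<kind>[^)]+)\)$"
)

# Registry values that hide files and extensions, disable Task Manager, regedit and
# Control Panel, or swap the Safe Mode shell: user lock-out, not the encryptor itself.
LOCKOUT_VALUES = {"HideFileExt", "SuperHidden", "ShowSuperHidden", "Hidden", "NoRun",
                  "NoFolderOptions", "NoControlPanel", "DisableTaskMgr",
                  "DisableRegistryTools", "AlternateShell"}

def classify(target):
    value = target.rsplit("|", 1)[-1]          # drop the registry key path, if any
    if value in LOCKOUT_VALUES:
        return "policy_tamper"
    if value == "Start Page":
        return "browser_hijack"
    if value.lower().endswith(".exe"):
        return "dropped_file"
    return "other"

def triage(log_text):
    # Summarise AV log lines: which signature fired and what each hit changed.
    by_detection, by_category = Counter(), Counter()
    lockout, dropped = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                            # blank or unparseable line
        cat = classify(m["target"])
        by_detection[m["detection"]] += 1
        by_category[cat] += 1
        if cat == "policy_tamper":
            lockout.add(m["target"].rsplit("|", 1)[-1])
        elif cat == "dropped_file":
            dropped.add(m["target"].upper())    # case-fold: the log repeats paths in both cases
    return {"by_detection": by_detection, "by_category": by_category,
            "lockout_values": sorted(lockout), "dropped_files": sorted(dropped)}
```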
  4. milopware

    Identifying Ransomware

    The folder C:\windows\WindowsHelpPanel doesn't exist. Would it be useful for me to do a data recovery and attempt to find this .exe file? And does this mean they have a copy of the malicious file now? (as per your initial comments above on Thursday)
  5. milopware

    Identifying Ransomware

    I've just been looking at another one of your cases and saw this about shadow copies: I have managed to recover some shadow copies, but the ShadowExplorer software doesn't seem to 'see' them. Do you have any ideas why this would be? It can see shadow copies created after the event but nothing from the ones that were created before. Do they need to be 'mounted' by the system? And is this what you mean about having the hard disk plugged into another machine or booted from a disk?
  6. milopware

    Identifying Ransomware

    Please find attached the requested files. I have no idea what they are, but looking at them, could it be possible that the start.bat file has the encryption key in it?... From the start.bat file:

    C:\windows\WindowsHelpPanel\svchost.exe -l zec-eu1.nanopool.org:6666 -u t1Ynpy5dBWxuJsDTbYzAfNnuRpwLrX38vqJ/MindFlyer/[email protected] -p x

    And is this where it was emailed to? Is there a way of determining which program was used to encrypt the files? I'm guessing there is a finite number of programs, so is there a way of telling by looking at one of the encrypted files? I think the server was compromised via a virus on a machine connected to the domain, but I cannot be certain; there were virus scan messages showing on the screen of the server referring to a virus called RDN/PWS-Banker (see logs below). When I scanned client machines, 2 of them were infected with Trojan Downloader :097M/Donoff.

    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Start Page RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe HKLM\Software\Microsoft\Internet Explorer\Main|Start Page RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Start Page RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Type RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe ValueName RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Type RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe ValueName RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe Type RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe ValueName RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\TEMP\GXDRV.EXE RDN/PWS-Banker (Trojan)
    05/03/2018 17:36:22 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\rundll32.exe C:\Windows\Temp\gxdrv.exe RDN/PWS-Banker (Trojan)

    info.zip
  7. milopware

    Identifying Ransomware

    Thanks for coming back to me. I have downloaded the scanner and the results are attached: Addition.txt, FRST.txt
  8. milopware

    Identifying Ransomware

    I did this and got the following:

    This ransomware is still under analysis. Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.
    Not enough information is public about Zenis. Please check back later.

    Does this mean I've had a zero-hour attack?
  9. milopware

    Identifying Ransomware

    Hi all, I'm hoping someone can help me work out which ransomware has encrypted my files, as the method / ransom note etc. doesn't seem to match anything in the decryption software assistance page... My documents have all been renamed, all names are different; for example these files were .jpg but are now called Zenis-0b.0bUMIAhxyu6B / Zenis-0E.0EjBzgesopM2 / Zenis-2q.2qYIjYnApmsC. The ransom note is a html doc called Zenis-instructions.html, as below. I have a feeling the <small hidden> text at the bottom could be the encryption key used, it just looks a bit random? Can anyone help with this?

    <title>Zenis</title>
    <p>*** All your files has been encrypted ***</p>
    <p>I am ZENIS. A mischievous boy who loves cryptography, hardware and programming. My world is full of unanswered questions and puzzles half and half, and I'm coming to discover a new world. A world in digital space that you are supposed to play the role of my toys.</p>
    <p>If you want to win in this game, you have to listen carefully to my instructions, otherwise you will be caught up in a one-step game and you will become the main loser of the story.</p>
    <p>My instructions are simple and clear. Then follow these steps:</p>
    <p>1. Send this file (Zenis-Instructions.html) to my email with one your encrypted file less than 2 MB to trust to the game.</p>
    <p>2. I decrypt your file for free and send for you.</p>
    <p>3. If you confirm the correctness of the files, verify that the files are correct via email</p>
    <p>4. Then receive the price of decrypting files</p>
    <p>5. After you have deposited, please send me the payment details</p>
    <p>6. After i confirm deposit, i send you the "Zenis Decryptor" along with "Private Key" to recovery all your files.</p>
    <p>Now you can finish the game. You won the game. congratulations.</p>
    <br>Please submit your request to both emails:</br>
    <br>[email protected]</br>
    <br>[email protected]</br>
    <br>If you did not receive an email after six hours, submit your request to the following emails:</br>
    <br>[email protected]</br>
    <br>[email protected] (On the TOR network)</br>
    <br></br>
    <span style="color:#FF0000;font-family:Arial;font-size:13px;">Warning: 3rd party and public programs, It may cause irreversible damage to your files. And your files will be lost forever.</span>
    <small hidden>:cDHsqhXuJub2MVk19lztsIWTTGXd49Dc0TAl+mwy1zDsGNmrIDABTaFHIlW5pOt3ZWudI9l1UPziv2yxeaEX2LjFJ+5figQEdBQbJZLUA3ACyE+qpw0CU97KiTG05w09zu4u1NvBnflW2ZN1jHseP1BPaV7++kj0k0JE8TJGXhQM8uXQOgrnN/DxQ7DWE4EXPtNCjOSocwmamgorjgtnwT2OJhe77Kw4x4Uw5OCYe6mCLrgarKVacfLK+I6DT+NSOoJu3fp+PrFGYkRZRSw5dJeV+oadKbNNPznGPhGddSOHYliiVD0mKrOWNuGdE88H75sBFgjpSsoz2CoBSS176Q==</small>