classiccor83

Member, Rank: New Member
Content Count: 3
Community Reputation: 0 Neutral


  1. I will be sending files over to them to check and scan this afternoon when home from work. What I feel could be useful is a concise guide of settings and tips that people can apply to their machines to try and ensure they are as safe as can be. This is the first time in over a decade I have had anything happen to the many PCs I have had, never a virus or anything, so it is quite shocking for me. Especially being a sysadmin, I felt my machine was pretty well protected; how wrong I was. 😩
  2. Yes that was my request... I was unaware the two forums were linked in any way. Is there any chance of these files being decrypted? I have also made a post in the ESET forum as that is my current antivirus provider.
  3. Hello, I was the victim of an RDP Scarab trojan early this morning that has encrypted all the files on my hard drives and NAS with the ".sfs" file suffix. I have run Malwarebytes and that has cleared up a few files and a few registry changes; a complete scan with NOD32 has also cleaned a few things up.

     I first noticed the issue when my computer was logged out this morning, as it's never logged out. I had to use a USB boot tool to change my password as it had been changed, and when doing this I noticed a new user account called "localadmin". I changed the password on that and also disabled the account just in case. When I finally managed to log in I noticed that the following pieces of software had been uninstalled:

       • TeamViewer
       • ESET NOD32
       • Malwarebytes

     Also my firewall had been disabled and the OneDrive client installed. I fixed those issues and then restarted as requested by Malwarebytes. Once logged back in my torrent client auto-started and advised me that essentially every torrent had missing files, so I checked locations and noticed all my media (movies, anime etc.) had ".sfs" added to the file names, and that's when I noticed the "HOW TO RECOVER ENCRYPTED FILES.TXT" in one of the folders. The following is what's in the document:

       "HOW TO RECOVER ENCRYPTED FILES
       Hello, my friend! All your files have been encrypted.
       >>> Your personal ID: >>>
       pAQAAAAAAADbUkxqJZSJ70MkDAR=sfPwyazMIn6sCB1ZIj27f1dOspHw8laKO8aZq+EmPio2susIqx5cpt4svG3J59qpWopli7N0 Fm+3r7XbWVLuJaz1lv+G4gihobaJq7eLu3H1+Spfn0UaTXrPfzoqKTTbeerL6NX0KfnT8nypTArenMeopfWNH0xW+TgvBfac1n6C 47h23ft1nSWv+O7PDCUrFo5XIADnyv5hndtNnNVovQbYg43lb3EM4J3ANHpWoZoTbY1E4lCf2uS3hbGcu9MQuCaD06HBsy0BW0RB DFb9cmdiUakKZG5VfmngLBmHoJk3=YYTAW8BtiCWXElItIUmwbct=zB0PlmE6+401ho7xOM507ZOhBIclQvhIbEcMBOPc1Icas7P 7h5ChqaCUaIFfm0=5IGpIdI2RI8uhmiHMYaAziHKAmF5B8CJAPJQqai0FBACcyz4HbKTaRTSj6xmIo8vd957D40Ez136BYcKuIHz mi0KujT4CZnMBr2BTpAPUO4LGAt0PEtcB5q0j+IFQUVGLWmuCSGuEaxow40K425hnM3iERNGcI3b9pXEjN5ye0dup6IC4LCZiCop gA9gPiIUaI8fhW5H6FVPKacQQVIHhq+y7JJPBO4T9u3=EaCC5lCMU1mxY+M+KuFnWDYTa740hAR5sDiJn4UF9k8OI7ErJCEK2ZIw EklKNO8=jEiC7SmYMRqr58cA3Zf7ELG9aSPG2nM0gkNct4shUYFJYhDZG3AzfoVchW5BcIFI=1l75D9Z2PDWssqBQXA7QfkzHirb zDOEo0IkRE3OzCpxn7kBzLoQ6FSw3FE+9OQRoQDMdJFk8fzxAQ
       If you want to recovery your files, send us e-mail with your personal ID and 1-2 test files (image or text, non archived, total size of files must be less than 10Mb).
       >>> Contacts: >>>
       [email protected] [email protected]
       Use please both e-mail addresses. If your mail server doesn't send e-mail to our contacts, we recommended you to create an e-mail on Protonmail.com (https://protonmail.com).
       >>> ATTENTION! >>>
       * Do not rename encrypted files.
       * Do not try to decrypt your data using third party software, it may cause permanent data loss.
       * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam."

     I have read a few topics on the forums, which led me to check the ransom ID site to confirm I had been infected with Scarab. I have also submitted a ticket with ESET to see if their decryption tool can help out. I also noticed that they created 2 new partitions on my main drive (please see screenshots), with 1 having a WinRE image contained within.

     So initially I would like to know if there are tools out there to check I am clean, and what changes I can make to firewall/registry/etc. to prevent this from happening again and apply to my other computers.
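A defender-side triage script for the indicators described in the post above (rogue local administrator, disabled firewall, exposed RDP, ".sfs" files and dropped ransom notes, changed partition layout). It is an added example, not the poster's or the forum's code; it assumes a Windows 10 or Server host with the LocalAccounts and NetSecurity modules, run from an elevated PowerShell prompt, and the $ScanRoots and $ExpectedAdmins values are placeholders to adjust for the machine being checked.

```powershell
# Triage checks for the indicators in the post (added example, not the poster's code).
# Assumptions: Windows 10/Server, LocalAccounts + NetSecurity modules, elevated prompt.
# $ScanRoots and $ExpectedAdmins are placeholders; set them for the machine being checked.
$ScanRoots      = @('C:\Users', 'D:\')            # drives/shares that held the media
$Extension      = '.sfs'                           # suffix the post reports on encrypted files
$NoteName       = 'HOW TO RECOVER ENCRYPTED FILES.TXT'
$ExpectedAdmins = @('Administrator', $env:USERNAME)

# 1. Local administrators: the post found a new "localadmin" account on the machine.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
Write-Host "Administrators: $($admins -join ', ')"
$rogue = $admins | Where-Object { ($_ -split '\\')[-1] -notin $ExpectedAdmins }
if ($rogue) { Write-Warning "Unexpected administrators: $($rogue -join ', ')" }

# Enabled local accounts whose password was set in the last 7 days (new, or reset by the intruder).
Get-LocalUser | Where-Object { $_.Enabled -and $_.PasswordLastSet -gt (Get-Date).AddDays(-7) } |
    Format-Table Name, PasswordLastSet, LastLogon -AutoSize

# 2. Firewall profiles: the post reports the firewall had been switched off.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning "Firewall profile '$($_.Name)' is disabled" }

# 3. RDP exposure, the entry vector in the post.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections
$nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
if ($rdp -eq 0) { Write-Warning 'RDP is enabled; restrict it to a VPN or allow-listed IPs, or disable it' }
if ($nla -ne 1) { Write-Warning 'Network Level Authentication is off for RDP' }

# 4. Sweep for files carrying the ransomware suffix and for dropped ransom notes.
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    $hits  = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
             Where-Object { $_.Extension -eq $Extension -or $_.Name -eq $NoteName }
    $notes = @($hits | Where-Object Name -eq $NoteName)
    $enc   = @($hits | Where-Object Extension -eq $Extension)
    Write-Host ("{0}: {1} '{2}' files, {3} ransom notes" -f $root, $enc.Count, $Extension, $notes.Count)
    $notes | Select-Object -First 5 -ExpandProperty FullName | ForEach-Object { Write-Host "  note: $_" }
}

# 5. Partition layout: the post mentions two partitions added to the system disk.
$sizeGB = @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
Get-Partition | Select-Object DiskNumber, PartitionNumber, DriveLetter, Type, $sizeGB | Format-Table -AutoSize
```

Compare the partition table and administrator list against a known-good baseline from one of the other machines; anything this script flags is a lead for the AV vendor's analysis, not proof the host is clean.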