Plagocki

Infection with NMoreira - __AiraCropEncrypted!


One of our customers was attacked on 2 December. It seemed to be via an RDP port and used an old account we had not used for years.

Almost all files were encrypted (it hit 7 servers), shadow copies were deleted, and the backup was deleted manually. We were able to restore many files from the last server, where the process was not fully completed and the shadow copies were still there.

But we still have files that are not accessible. The decryptor from Emsisoft for NMoreira doesn't work; we tried different files (txt, doc, pdf) with no result.

Will there be a new version of the decryptor? Thanks for any help :-)

Torkret_Weimar_2001.07.31.doc.__AiraCropEncrypted!


I do not have a timeline for an update to the NMoreira decryption tool. Our decryption tool developer would need a sample of the malware responsible for the encryption. Since this was an RDP attack, it is highly unlikely that a copy of the malware is still on the system.

1 hour ago, Kevin Zoll said:

I do not have a timeline for an update to the NMoreira decryption tool. Our decryption tool developer would need a sample of the malware responsible for the encryption. Since this was an RDP attack, it is highly unlikely that a copy of the malware is still on the system.

I've also been infected by this malware.

The server still has a Photo.scr file, but it has a __AiraCropEncrypted! extension, so I'm not sure if it got encrypted as well.

Do you want me to send this file?

Regards
Daniel


Fortunately I have a sample of the encryption software. It was set up via the registry to start on the infected server if you log in with another admin account; I saved the .exe file to another directory for later investigation purposes. Should I upload this file here?


@danielmd, @Emanuel Do not post in someone else's support thread.  That will lead to confusion.  Each system is different and often requires different instructions.

@Plagocki ZIP the malware sample and attach it to your reply.  I will get it to our decryption tool developer.


We were asked by the sender of the ransomware software to post this here. Sorry, admins.

Hello friends! I would like to inform you that the NMoreira ransomware will be discontinued at the end of this year. Due to lack of team time, we decided not to invest in its algorithm anymore; all our private key servers and Bitmsg will be shut down permanently later this year. It is essential to contact us as soon as possible if you intend to recover your files. Many people are waiting for a decrypter from Fabian Wosar, but this will not be possible. Although he is a very intelligent person, he knows he will not be able to do the decryption.

The Fwosar decrypter worked due to the use of a weak pseudorandom number generator (ANSI C srand). This allowed the Emsisoft decrypter to brute-force the AES keys used in the encrypted files beforehand. The decrypter could not be sure that a file was properly decrypted, because it did not have the RSA key to decrypt the initial 512 bytes that held the correct AES key, so it needed a unique 4-byte initial identification of the files in order to check whether the ID matched the decrypted file. In this latest version, the use of srand has been changed to CryptGenRandom from CryptoAPI, which uses several variables as input and output data (mouse, keyboard, ethernet traffic) to increase its entropy, unlike the previous one, which used only the system clock. With this, the possibility of brute-forcing the original key becomes remote.
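The weakness the message above describes (an AES key drawn from ANSI C rand() after srand(time), verified by a 4-byte marker because the RSA-encrypted header cannot be read) is worth seeing in code. The following is an added example, not code from this thread, from Emsisoft's decrypter, or from the NMoreira authors. Everything concrete in it is a hypothetical stand-in: the MSVC CRT rand() constants, the 4-byte marker `NMR!`, the file layout, and a SHA-256-based XOR keystream that replaces AES so the script runs with only the standard library. What it shows is the part that matters for a decrypter: the seed space is bounded by the seconds in the window when the infection could have run, so every candidate seed can be tried and checked against the marker.

```python
"""Brute-forcing a key derived from srand(time)/rand(), as a model of the
weakness discussed in the thread. Added example; all constants are assumed."""
import hashlib
import struct

FILE_ID = b"NMR!"            # constructed 4-byte marker; not the real ransomware's ID
KEY_LEN = 16


class MsvcRand:
    """Linear congruential generator used by the MSVC CRT rand() (assumed CRT)."""

    def __init__(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def key_from_seed(seed: int) -> bytes:
    """Modelled key derivation: srand(seed), then one rand() call per key byte."""
    rng = MsvcRand(seed)
    return bytes(rng.rand() & 0xFF for _ in range(KEY_LEN))


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher standing in for AES: SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_file(plaintext: bytes, seed: int) -> bytes:
    """What the modelled malware does: prepend the marker, encrypt under the
    key derived from the time-based seed."""
    body = FILE_ID + plaintext
    return xor_bytes(body, keystream(key_from_seed(seed), len(body)))


def recover_key(ciphertext: bytes, t_start: int, t_end: int):
    """Try every seed in [t_start, t_end) and accept the first whose key turns
    the first 4 ciphertext bytes back into FILE_ID.

    A 4-byte check passes by chance with probability 2^-32 per seed, so over a
    one-day window (86400 seeds) a false match is roughly 2e-5 likely; a real
    decrypter should confirm the key on a second file before trusting it.
    """
    for seed in range(t_start, t_end):
        key = key_from_seed(seed)
        if xor_bytes(ciphertext[:4], keystream(key, 4)) == FILE_ID:
            return seed, key
    return None


def decrypt_file(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, len(ciphertext)))[4:]


if __name__ == "__main__":
    # Constructed scenario: infection some time on 2 December 2016 (UTC), exact
    # second unknown, so the search window is that whole day (86400 seeds).
    infection_time = 1480680000                  # hypothetical true seed
    day_start, day_end = 1480636800, 1480723200
    ct = encrypt_file(b"Torkret report body", infection_time)
    found = recover_key(ct, day_start, day_end)
    assert found is not None
    seed, key = found
    print(f"seed {seed} recovered after {seed - day_start + 1} candidates")
    print(decrypt_file(ct, key))
```

The search window comes from file timestamps or logs (here the day of the RDP login), which is why the thread's date matters to a decrypter author. Once the seed comes from CryptGenRandom instead of the clock, as the message claims for the new version, there is no small seed space to enumerate and this approach no longer applies.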

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting malware removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.