zariomahn

new version of amnesia ?!


Hello,

please excuse my bad English.

My computer was attacked by amnesia tonight.

I've already tried to clean the computer with amnesia2; the program scans all files but finds nothing and decrypts nothing.

What can I do? Can I send you two files, an encrypted one and a clean one?
In the TXT file from amnesia it says "contact us by mail: [email protected]".

Thanks in advance for your help.

greetings

Mario


Thanks for the answer, here are the results:

(...)

This ransomware is still under analysis.

Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.

Identified by

  • custom_rule: Encrypted size marker [0x00 - 0x08] 0x048E000000000000

(...)


On 3/2/2018 at 3:37 AM, zariomahn said:

I have sent another file to ID Ransomware; does that mean it could be SCRABA too?

You mean Scarab/Scarabey?
https://www.bleepingcomputer.com/news/security/scarabey-ransomware-a-scarab-version-targeting-enterprises/

I believe I've seen the Scarab ransomware use the .amnesia extension before, so it could very well be Scarab.

Regardless, both Amnesia and Scarab are installed by an attacker who brute forces the password for an account on a computer via RDP, so here are some instructions on how to get started preventing this sort of compromise from happening again:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

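The post above (and the repeat of the same advice further down the thread) says these infections arrive through an RDP account whose password was brute forced, and that the network should be monitored for such intrusion attempts. The following is an added example, written for this page and not code from any poster or from BleepingComputer: it runs simple brute-force detection over Windows Security events that have been exported to JSON-like records. The field names (`EventID`, `TimeCreated`, `TargetUserName`, `IpAddress`, `LogonType`), the thresholds, and the sample events are all constructed assumptions; the event semantics are standard (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP, type 3 = network logon, which is what RDP with Network Level Authentication records for the credential check).

```python
"""Flag source IPs that brute force logons and then succeed (added example, not from the thread).

Input is a list of dicts shaped like a Windows Security event export (assumed field names):
  EventID, TimeCreated (ISO-8601), TargetUserName, IpAddress, LogonType
Event IDs 4625/4624 are failed/successful logons; logon types 3 and 10 cover RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10            # failures from one IP inside WINDOW that count as brute force
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPES = (3, 10)      # 3 = network (NLA credential check), 10 = RemoteInteractive


def _ev(event_id, minute, second, user, ip, logon_type):
    """Build one constructed sample event (not a real log record)."""
    return {"EventID": event_id, "TimeCreated": f"2018-03-02T01:{minute:02d}:{second:02d}",
            "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type}


# Constructed sample data: one attacker IP spraying two account names and then getting in,
# one legitimate user who mistypes twice, and one console logon with no source IP.
SAMPLE_EVENTS = (
    [_ev(4625, 10, 3 * i, "administrator", "203.0.113.45", 3) for i in range(12)]  # 12 failures in 33 s
    + [_ev(4625, 10, 40, "admin", "203.0.113.45", 3)]
    + [_ev(4624, 11, 5, "administrator", "203.0.113.45", 10)]                         # the brute force succeeded
    + [_ev(4625, 15, 0, "mario", "198.51.100.7", 10),
       _ev(4625, 15, 20, "mario", "198.51.100.7", 10),
       _ev(4624, 15, 45, "mario", "198.51.100.7", 10)]                                # two typos, then success
    + [_ev(4624, 16, 0, "mario", "-", 2)]                                              # local console logon, ignored
)


def _parse_time(value):
    return datetime.fromisoformat(value)


def find_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW, logon_types=RDP_LOGON_TYPES):
    """Return {ip: report} for every source IP with >= threshold failures inside one window.

    The report also lists accounts that logged on successfully from that IP after its first
    failure, which is the strongest indicator that a password was actually guessed.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] not in (4624, 4625) or e.get("LogonType") not in logon_types:
            continue
        if e.get("IpAddress") in (None, "", "-"):      # no remote source, not an RDP guess
            continue
        by_ip[e["IpAddress"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _parse_time(e["TimeCreated"]))
        fails = [_parse_time(e["TimeCreated"]) for e in evs if e["EventID"] == 4625]
        if not fails:
            continue

        # Largest number of failures inside any sliding window of length `window`.
        max_burst, start = 0, 0
        for i, t in enumerate(fails):
            while t - fails[start] > window:
                start += 1
            max_burst = max(max_burst, i - start + 1)
        if max_burst < threshold:
            continue

        targeted = sorted({e["TargetUserName"] for e in evs if e["EventID"] == 4625})
        succeeded = sorted({e["TargetUserName"] for e in evs
                            if e["EventID"] == 4624 and _parse_time(e["TimeCreated"]) > fails[0]})
        alerts[ip] = {"failures": len(fails), "max_burst": max_burst,
                      "targeted_accounts": targeted,
                      "successful_logons_after_failures": succeeded}
    return alerts


if __name__ == "__main__":
    for ip, report in find_bruteforce(SAMPLE_EVENTS).items():
        print(ip, report)
```

Accounts listed under `successful_logons_after_failures` are the ones to treat as compromised: reset them first, then look for what the attacker did with the session. Lowering `threshold` makes the legitimate user who mistyped twice show up as well, which is why the window and threshold should be tuned against your own logs rather than copied from this example.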

Hello, I was also attacked by [email protected] on 2018.03.03 with the "amnesia" extension. My corporation had many backup files, but not 100%; some I think we lost forever.
I tried the amnesia1 and amnesia2 (1.0.0.54) decrypters (https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decryptor-for-the-amnesia-ransomware/); the first program found nothing, and with amnesia2 I restored just a few file names, but these files showed the message "...the file has been damaged..."

ID Ransomware found 1 result named "Scarab". This ransomware is still under analysis.

Some samples with sizes: encrypted 28,301 bytes / original 28,124; encrypted 370,669 bytes / original 370,492 -----> difference 177

It would be helpful if I could send original and encrypted files; I have a lot of them.


Scarab uses a secure form of encryption that we can't break, so we won't be able to make a decryption tool unless someone manages to get a hold of their database of private keys (which is usually stored on a secured server somewhere).

Also note that it is usually installed on a computer that is manually compromised by an attacker who brute forces an RDP password, so I recommend making sure your network is secure as well. Here are some ways to get started:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

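Both replies in this thread recommend passwords of at least 25 random characters drawn from uppercase, lowercase, digits and symbols. As an added example (not code from any poster, and not how KeePass or the other managers named above generate passwords), the block below shows how to generate such a password with the operating system's CSPRNG and how to check an existing one against that policy. The symbol set, the 25-character minimum and the function names are assumptions made for the example.

```python
"""Generate and check passwords against the thread's policy (added example, not from the thread).

Policy assumed from the post: length >= 25, and at least one character from each of
uppercase, lowercase, digits and symbols. `secrets` is used so the randomness comes from
the OS CSPRNG rather than the `random` module.
"""
import math
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"          # assumed symbol set; adjust to what your systems accept
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS
MIN_LENGTH = 25
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)


def meets_policy(password, min_length=MIN_LENGTH):
    """True if the password is long enough and uses every character class."""
    if len(password) < min_length:
        return False
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length=MIN_LENGTH):
    """Return a random password of `length` characters that satisfies meets_policy().

    One character is drawn from each class so coverage is guaranteed; the rest come from
    the full alphabet; a cryptographic shuffle hides which positions were the guaranteed ones.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def approx_entropy_bits(length=MIN_LENGTH, alphabet_size=len(ALPHABET)):
    """Upper bound on the guessing entropy: length * log2(alphabet). The class guarantee
    above removes a negligible fraction of the space, so this is a close approximation."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(approx_entropy_bits(), 1), "bits")
```

At 25 characters over an 88-symbol alphabet the password carries roughly 160 bits, far beyond what an RDP brute-force tool can try; the practical weak point then becomes where the password is stored, which is the reason the post pairs the policy with a password manager.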
