.aes file extensions

[unkaleong 0]

Hi,

The excel and PDF files on my shared drive have become infected and renamed with a .aes extension. I've run the ransomware-id tool and it's come up with the following results.

https://id-ransomware.malwarehunterteam.com/identify.php?case=c8a6f5e8abfacc2975908db82c67c4c23c9c49b7

Can anyone help to decrypt the files?

Much Obliged,

unkaleong

[GT500 558]

As far as I know, it isn't possible to decrypt files encrypted by newer versions of this ransomware. More information can be found here:
https://www.bleepingcomputer.com/forums/t/642013/vortex-aes-ransomware-help-support-odzszyfruj-danetxt/page-2#entry4233247

I will ask Michael if what he said in that post is still the case.

[unkaleong 0]

Thanks GT500! Looking forward to your reply

 

[GT500 558]

One of our malware analysts told me that this isn't Vortex. The guy who made/distributed Vortex was arrested months ago:
https://www.bleepingcomputer.com/news/security/author-of-polski-vortex-and-flotera-ransomware-families-arrested-in-poland/

This appears to be something new that has similarities to Vortex which caused ID Ransomware to flag it as Vortex. We'll need a copy of the ransomware (the malicious file that encrypted your files) in order to know more.

If you have a copy of the ransomware then you can upload it to VirusTotal and post a link to the analysis here for us to look at. If you have a link to where the ransomware was downloaded from, then you can run the link through VirusTotal and then post a link to the analysis here (that way we don't have live links to dangerous files on our forums).

If you don't have a copy of the ransomware or a link to where to download it, then we can try getting a log from FRST, and see if it shows any signs of the ransomware on your computer. You can find instructions for downloading and running FRST at the following link:
https://helpdesk.emsisoft.com/en-us/article/274-running-a-scan-with-frst

[unkaleong 0]

Thanks. I've been in contact with cert.pl, they requested a copy of the encrypted file and ransom note which I duly provided.  They have just got back to me and they are saying it's RSA2048Pro ransomware. I've run FRST and am attaching the logs as required.

Addition.txt

FRST.txt

[unkaleong 0]

29 minutes ago, unkaleong said:

Thanks. I've been in contact with cert.pl, they requested a copy of the encrypted file and ransom note which I duly provided.  They have just got back to me and they are saying it's RSA2048Pro ransomware. I've run FRST and am attaching the logs as required.

Addition.txt

FRST.txt

I've managed to login to the infected server via safe mode and found the malicious file. I've run the file through the link you have sent me earlier. Please find the results below:-

https://www.virustotal.com/#/file/e8fedb6e700d3676a7d38abfef791720cd4da13034a2c276783e76a91f5c356e/detection

[GT500 558]

10 hours ago, unkaleong said:

They have just got back to me and they are saying it's RSA2048Pro ransomware.

That's what our malware analysts are telling me as well. They've also taken a look at the VirusTotal link you provided, and they said it was RSA2048Pro.

They let me know that ID Ransomware has been updated to correctly detect this ransomware, rather than mistakenly flagging it as Vortex.

Note that there is very little public information about this ransomware. I would believe it was originally discovered by MalwareHunterTeam:
https://twitter.com/malwrhunterteam/status/892369358214836230

The only publicly available analysis appears to have been written by Andrew Ivanov (a Russian malware analyst):
https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fid-ransomware.blogspot.com%2F2017%2F08%2Frsa2048pro-ransomware.html

There is no information about decryption of files, however considering the type of encryption used and the way the keys are handled I expect that decryption is not possible without obtaining the private key from the criminals who made/distributed the ransomware. Just to be certain, I have asked our malware analysts for confirmation.

[GT500 558]

It's been confirmed that the ransomware is secure, and we won't be able to help with decryption of the files.

I've also been told that only the e-mail address was added to ID Ransomware, so the file extension will still be detected as Vortex.

[unkaleong 0]

Thanks GT500. A security firm is coming into my organisation is coming in to help tomorrow. I will share their findings with the community here. 

[GT500 558]

OK. I doubt the following will be helpful, and if you've searched around here a bit then you've probably also seen it, but feel free to show it to whoever will be assisting you in case they want to try it:

Ransomware like this usually deletes Volume Shadow Copies, so a tool like ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery