
I seem to have been a victim of the attack mentioned above... unfortunately the regular FenixLocker decrypter doesn't work with this one. Most likely culprit is Remote Desktop since I had it enabled.


But I have included two files: original and encrypted one. Are there any tools out there that can decrypt this? Or at least one that is in the works? I lost a lot of files.


Thank you


https://id-ransomware.malwarehunterteam.com/identify.php?case=8f97bf424c3a5797fafb41fe43b6f9593e127d88


GreenScreen.dtx

[email protected] !!

Help to decrypt.txt


FenixLocker 2.0 uses a more secure form of encryption, and it isn't possible to decrypt files that have been encrypted by it without first obtaining the private key from the criminals who made/distributed the ransomware.


Since this was more than likely Remote Desktop related, I'll paste some steps below to help with getting started securing Remote Desktop:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

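The port audit and "only reach RDP over the VPN" steps from the post above, worked through as an added PowerShell example (this is not code from the thread or from Emsisoft): it lists enabled inbound rules that are open to any remote address on sensitive ports, restricts every 3389 rule to a VPN subnet (dry run unless -Apply is given), and counts recent failed RDP logons so a brute-force attempt against a weak account is visible. The VPN subnet 10.8.0.0/24 and the list of sensitive ports are assumptions; run it in an elevated PowerShell on the affected Windows host.

```powershell
# Added example, not part of the original thread.
# Assumptions: VPN clients get addresses from 10.8.0.0/24 (placeholder) and this
# runs elevated on the Windows host whose firewall and Security log are audited.

$SensitivePorts = @('3389', '445', '135', '139')   # RDP, SMB, RPC, NetBIOS (assumed list)
$VpnSubnet      = '10.8.0.0/24'                    # assumption: your VPN client pool

function Get-GloballyOpenInboundRules {
    # Enabled inbound Allow rules whose remote scope is 'Any' and whose local port
    # is 'Any' or one of the sensitive ports above: these are the "globally open" ports.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $port  = $rule | Get-NetFirewallPortFilter
        $addr  = $rule | Get-NetFirewallAddressFilter
        $ports = @($port.LocalPort)
        $exposed = ($ports -contains 'Any') -or
                   (($ports | Where-Object { $SensitivePorts -contains $_ }).Count -gt 0)
        if ($exposed -and (@($addr.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Name          = $rule.Name
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($ports -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

function Limit-RdpRuleScope {
    param([string]$Subnet = $VpnSubnet, [switch]$Apply)
    # Scope every enabled inbound rule on port 3389 to the VPN subnet, so RDP is only
    # reachable by hosts already on the VPN. Without -Apply it only reports the change.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        if (@($port.LocalPort) -contains '3389') {
            if ($Apply) {
                Set-NetFirewallRule -Name $rule.Name -RemoteAddress $Subnet
                "Restricted '$($rule.DisplayName)' to $Subnet"
            } else {
                "Would restrict '$($rule.DisplayName)' to $Subnet (re-run with -Apply)"
            }
        }
    }
}

function Get-FailedRdpLogons {
    param([int]$Hours = 24, [int]$MaxEvents = 2000)
    # Event ID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
    # Grouping by source address and target account makes password guessing
    # against one weak account stand out at the top of the list.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{ Source = $d['IpAddress']; Account = $d['TargetUserName'] }
        }
    }
    $rows | Group-Object Source, Account | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source';  e = { $_.Group[0].Source } },
            @{ n = 'Account'; e = { $_.Group[0].Account } }
}

# Usage: review each step's output before applying anything.
Get-GloballyOpenInboundRules | Format-Table -AutoSize
Limit-RdpRuleScope                       # dry run; add -Apply to enforce
Get-FailedRdpLogons -Hours 24 | Format-Table -AutoSize
```

The firewall cmdlets only cover the Windows host itself; the same audit still has to be done on the perimeter router or firewall, which is where the VPN port (and nothing else) should be opened, and only for the source addresses that need it.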

So, you're saying a free decrypt tool isn't possible and most likely never will be? Just wondering because I still have all those files in hope one will be made. If not, I'm just going to delete them all and free up all that space...


Also, I can't think of any other possible culprits it could be, other than RDP. I never open any email attachments from anyone besides people I know, and even recently that hasn't been for a few months. I don't visit sketchy websites, no one uses the computer besides me and my wife (she uses the internet even less than me, only uses the computer to type papers), and the other day a strange Windows popup was saying a connection was trying to connect to my computer through my wife's account through remote desktop (she didn't really have a complicated password), but I didn't think much of it. 


The criminals changed the encryption routine and there is no known method to decrypt files encrypted by FenixLocker 2.0 without paying the ransom and obtaining the private keys from the criminals who created the ransomware, unless they are leaked or seized & released by authorities. Demonslay335 (Michael Gillespie) explains why here.

On 2/19/2019 at 11:18 AM, quietman7 said:

For reference, Michael Gillespie is a ransomware analysis and decryption expert who has made a number of free decryption tools. He can be found on our forums as well, although most of the information he has shared is either on the BleepingComputer forums or on Twitter.
