Agos

CLOSED Infected by unidentified crypto virus

I am an MSP. On August 1st we had an account breach on one of our Atera (MSP Software) accounts which resulted in the propagation of this crypto virus.

Any assistance would be greatly appreciated. Attached is the information from just one machine; we have 4 or 5 others we'd like to get assistance with.

Thank you in advance

Sean


scan_190810-160007.txt Addition.txt FRST.txt

I do not know if this helps at all, but an outbound event triggered by BURAN - Win.Trojan.Buran (Buran.exe) on our firewall went to IP 88.99.66.31 (in Germany) at the moment the servers were infected.

Hello,

Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well.

Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/ 

Please be sure to read the information link on the results page, as to whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening.

If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.

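The RDP hardening the reply above recommends (firewalled source ranges, strong credentials and an account audit, EternalBlue patching) written out as an added example that is not part of the original thread. It assumes an elevated PowerShell 5.1 session on Windows Server 2012 R2 or later; $AllowedRdpSources and the addresses in it are constructed placeholders to be replaced with the MSP's real management ranges.

```powershell
# Added example (not from the thread): lock down RDP on a server after a ransomware incident.
# Assumptions: run as Administrator; $AllowedRdpSources is a hypothetical allowlist of the
# only networks that should ever open an RDP session (RFC 5737 documentation ranges here).
$AllowedRdpSources = @('203.0.113.0/24', '198.51.100.10')

# 1. Replace the built-in "Remote Desktop" rules (which allow any source) with one rule
#    scoped to the allowlist, on every firewall profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP (allowlisted sources only)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedRdpSources -Profile Any | Out-Null

# 2. Require Network Level Authentication: credentials are verified before a session
#    (and its attack surface) exists.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Audit every local account, and every principal that can RDP in or administer the box.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Sort-Object LastLogon -Descending | Format-Table -AutoSize
foreach ($grp in 'Administrators', 'Remote Desktop Users') {
    "--- members of $grp ---"
    Get-LocalGroupMember -Group $grp | Select-Object Name, PrincipalSource, ObjectClass
}

# 4. Make password guessing against the remaining accounts slow: lock after 5 failures.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5. EternalBlue (MS17-010) is an SMBv1 exploit: remove the protocol, then confirm the
#    machine is actually taking updates by looking at the most recent installed fixes.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 HotFixID, InstalledOn
```

Step 1 assumes management traffic really does come only from the allowlisted ranges; test the new rule from an allowed and a non-allowed address before closing the session you are working in. Step 3 is the part to repeat on every machine that can reach the server: an account the attacker created on a workstation is as useful to them as one on the server itself.
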
Unfortunately, it looks like this one cannot be broken, at least at this time.

There is a piece of malware running on the system and we need to take care of that.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
 

HKU\S-1-5-18\...\Run: [Local Security Authority Subsystem Service] => "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\lsass.exe" * <==== ATTENTION
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\lsass.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version please download and run the updated version.

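The persistence the fixlist above removes (a Run value under the SYSTEM hive HKU\S-1-5-18 that launches a file named lsass.exe from the SYSTEM profile's AppData folder, plus its SysWOW64 twin) is a pattern worth sweeping the other four or five affected machines for before asking for per-machine fixes. The following hunt script is an added example, not part of the thread and not an FRST feature; Get-SuspiciousRunEntries, $SystemNames, $TrustedDirs and $MetaProps are names chosen here, and the rule it applies is simply "a Windows system binary name that does not run from a Windows system directory".

```powershell
# Added example (not from the thread, not an FRST feature): hunt for Run-key persistence
# that masquerades as a Windows system binary, the pattern the fixlist above removes.
# Assumption: run as Administrator so every loaded hive under HKEY_USERS (including
# S-1-5-18, the SYSTEM hive the sample abused) is readable.
$SystemNames = 'lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'explorer.exe'
$TrustedDirs = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot
$MetaProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspiciousRunEntries {
    # Run/RunOnce in HKLM, its WOW6432Node twin, and every loaded hive under HKU.
    $roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') +
             @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)\SOFTWARE" })
    foreach ($root in $roots) {
        foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run', 'Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = Join-Path $root $sub
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($MetaProps -contains $p.Name) { continue }   # provider metadata, not a Run value
                $cmd = [string]$p.Value
                # Pull the executable out of a quoted or unquoted command line.
                $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
                if (-not $exe) { continue }
                try {
                    $name = [IO.Path]::GetFileName($exe)
                    $dir  = [IO.Path]::GetDirectoryName($exe)
                } catch { continue }                              # not a parsable path (invalid chars)
                $trusted = $TrustedDirs | Where-Object { $dir -and ($dir.TrimEnd('\') -eq $_) }
                if (($SystemNames -contains $name) -and -not $trusted) {
                    [pscustomobject]@{
                        Key     = $key
                        Value   = $p.Name
                        Command = $cmd
                        Exists  = Test-Path -LiteralPath $exe
                        Reason  = "'$name' is a Windows system binary name but runs from outside $($TrustedDirs -join ', ')"
                    }
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-List

# The SYSTEM account's own profile should hold no executables at all; anything under
# either copy of it (System32 and SysWOW64, exactly as in the fixlist) deserves a hash lookup.
foreach ($profileRoot in "$env:SystemRoot\System32\config\systemprofile", "$env:SystemRoot\SysWOW64\config\systemprofile") {
    Get-ChildItem -Path $profileRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}
```

On the machine in this thread the first part reports the HKU\S-1-5-18 entry because its directory is ...\AppData\Roaming\Microsoft\Windows rather than System32, and the second part lists both lsass.exe copies with their hashes. The hashes are what to carry to the other machines and to the firewall logs: a hit on the same hash elsewhere means the same fixlist pattern, not a new investigation.
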
Thank you. It would appear that we'll have to deal with the criminals and try to pay some type of ransom....any advice other than - don't do it?

You may or may not get your data back. Some will take your money and never send you a decryption tool. Others will send you a decryption tool or a broken private encryption key that cannot decrypt the data. There are some that will send you the private key and a working decryption tool. You are rolling the dice, and hoping that you come up with a winning roll.
