
Infected by unidentified crypto virus



I am an MSP. On August 1st we had an account breach on one of our Atera (MSP Software) accounts which resulted in the propagation of this crypto virus.

Any assistance would be greatly appreciated. Attached is the information from just one machine; we have 4 or 5 others we'd like to get assistance with.

Thank you in advance



scan_190810-160007.txt Addition.txt FRST.txt



Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well.

Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/

Please be sure to read the information link on the results page, as to whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening.

If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.

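The RDP hardening advice in the reply above (strong passwords on every account, an audit of who can log on, firewalling RDP to a known address range, and patching against EternalBlue) can be checked in one pass. The script below is an added example and is not part of the original thread or of any tool the forum uses; it is a read-only audit by default, and the `-Apply` switch, the `10.0.0.0/24` management subnet and the script name `Audit-Rdp.ps1` are assumptions you should adapt. It expects an elevated PowerShell session on Windows Server 2012 R2 or later (the `LocalAccounts`, `NetSecurity` and `SmbShare` modules).

```powershell
# Added example (not from the forum post): audit a Windows server's RDP exposure and,
# only when -Apply is given, narrow the built-in Remote Desktop firewall rules to an
# administrator subnet. Save as Audit-Rdp.ps1 and run from an elevated prompt.
param(
    [string]$AdminSubnet = '10.0.0.0/24',   # assumed placeholder: your management range
    [switch]$Apply                          # without -Apply nothing is changed
)

$findings = @()

# 1. Is RDP enabled, and is Network Level Authentication (NLA) required?
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled on this host.'
    if ($tcp.UserAuthentication -ne 1) {
        $findings += 'NLA (UserAuthentication) is NOT required; enable it.'
    }
}

# 2. Every enabled local account is a potential RDP login: list them, flag
#    non-expiring passwords, and show the last logon so stale accounts stand out.
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $note = if ($_.PasswordNeverExpires) { ' (password never expires)' } else { '' }
    $findings += "Enabled local account: $($_.Name)$note; last logon: $($_.LastLogon)"
}

# 3. Members of the groups that are permitted to log on over RDP.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "$group member: $($_.Name) [$($_.ObjectClass)]"
    }
}

# 4. Which remote addresses may reach the built-in Remote Desktop firewall rules?
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True'
foreach ($rule in $rdpRules) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from: $($addr -join ', ')"
    if ($addr -contains 'Any') {
        $findings += "  -> '$($rule.DisplayName)' is reachable from any address; restrict it."
    }
}

# 5. SMBv1 is the protocol EternalBlue abused; a patched, modern host should have it off.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += 'SMBv1 is enabled; disable it and confirm the MS17-010 update is installed.'
}

$findings | ForEach-Object { Write-Output $_ }

# 6. Optional remediation: accept RDP only from the administrator subnet.
if ($Apply) {
    $rdpRules | Set-NetFirewallRule -RemoteAddress $AdminSubnet
    Write-Output "Remote Desktop rules now accept connections only from $AdminSubnet."
}
```

Run it first without `-Apply` and read the output against the checklist in the reply: any enabled account you do not recognise, any `Remote Desktop Users` member who should not be there, a rule open to `Any`, or SMBv1 still on each needs attention. Only then run `.\Audit-Rdp.ps1 -AdminSubnet '<your range>' -Apply`, from a session that is itself inside that range so you do not lock yourself out.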

Unfortunately, it looks like this one cannot be broken, at least at this time.

There is a piece of malware running on the system and we need to take care of that.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-18\...\Run: [Local Security Authority Subsystem Service] => "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\lsass.exe" * <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version please download and run the updated version.


You may or may not get your data back. Some will take your money and never send you a decryption tool. Others will send you a decryption tool or a broken private encryption key that cannot decrypt the data. There are some that will send you the private key and a working decryption tool. You are rolling the dice, and hoping that you come up with a winning roll.

