mnaeembaig Posted August 4, 2020

Can anyone help me out in decrypting files encrypted by ransomware? This is what the identification service returned:

Tycoon 2.0 / 3.0
This ransomware has no known way of decrypting data at this time. It is recommended to backup your encrypted files, and hope for a solution in the future.
Identified by
sample_extension: .[<hex>].eruption
sample_bytes: [0x64 - 0x6C] 0xD160F3C5716D5AFF
Amigo-A Posted August 4, 2020

Attach several encrypted files and a ransom note to your message. Do not change or edit anything in these files.
el_lo Posted August 11, 2020

Hi, we have the same infection over here. I attached two encrypted files and the .txt. I hope we will find a solution soon.

Attachment: Tycoon2.magneto.eruption-samples.zip
Amigo-A Posted August 11, 2020

Your files:

adslocal.cfg.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption

Log.txt.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption

Your files were encrypted four times by different variants of this ransomware. This indicates that the malware is still active on your PC.

Variant with .eruption extension - used since June.
Variant with .magneto extension - appeared in August.
My article in the Digest "Crypto-Ransomware".

It is urgent to neutralize the infection, otherwise it will prevent you from using your PC. Due to the different extensions, I can assume that even two variants of this ransomware are active, if they encrypt files alternately.
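As an added triage example (editor's code, not from any post in this thread): a small Python script that splits a filename like the ones above into the original name plus the chain of ".[id].variant" layers, so the number of encryption passes and the variants involved can be read off directly, and that checks a file header for the 8-byte marker ID Ransomware reported at offset 0x64 in the first post. The regex is mine, and I assume the marker hex is given in file order (no byte swapping).

```python
"""Triage helper for Tycoon-style layered filename extensions and the
ID Ransomware byte marker quoted in this thread (added example)."""
import re
from typing import Dict, List, Tuple

# Fingerprint as printed by ID Ransomware in the first post: 8 bytes at file
# offset 0x64..0x6C. Assumption: the hex is in file order (no byte swapping).
MARKER_OFFSET = 0x64
MARKER = bytes.fromhex("D160F3C5716D5AFF")

# One layer is ".[<hex id>].<variant>"; each encryption pass appends another.
_LAYER = r"\.\[([0-9A-Fa-f]+)\]\.([A-Za-z0-9]+)"
_TAIL_RE = re.compile(r"^(.*?)((?:" + _LAYER + r")+)$")   # name + trailing layers only
_LAYER_RE = re.compile(_LAYER)


def parse_layers(filename: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an encrypted filename into (original name, [(id, variant), ...]).

    Layers come back in the order they were appended, i.e. first pass first.
    A name with no recognised suffix yields an empty list.
    """
    m = _TAIL_RE.match(filename)
    if not m:
        return filename, []
    return m.group(1), _LAYER_RE.findall(m.group(2))


def triage(filename: str) -> Dict[str, object]:
    """Summarise what the extension chain says about the infection."""
    original, layers = parse_layers(filename)
    variants: List[str] = []
    for _, variant in layers:
        if variant not in variants:
            variants.append(variant)
    return {
        "original": original,
        "passes": len(layers),
        "variants": variants,
        # More than one pass means the file was hit again after it was already
        # encrypted: the malware (or a second variant) was still running.
        "reencrypted": len(layers) > 1,
        "multiple_variants": len(variants) > 1,
    }


def has_marker(data: bytes) -> bool:
    """True if the ID Ransomware byte marker sits at offset 0x64 of the file."""
    return data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER


# Constructed sample header: 0x64 bytes of padding, the marker, then filler.
SAMPLE_HEADER = bytes(MARKER_OFFSET) + MARKER + b"\x00" * 16

if __name__ == "__main__":
    name = ("adslocal.cfg.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto"
            ".[01F0FD830BD189BE0002AE5C0A251B5325].eruption"
            ".[FFF0FD830BD189BE0002AE5C0A251B5325].magneto"
            ".[01F0FD830BD189BE0002AE5C0A251B5325].eruption")
    print(triage(name))
    print("marker present:", has_marker(SAMPLE_HEADER))
```

Run it over a directory listing of the backup drive to get a quick count of how many files were hit once versus several times; a file that parses to zero layers but still carries the marker at 0x64 is worth a second look, since a later variant may use an extension this regex does not know.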
el_lo Posted August 11, 2020

Many thanks for the warning. It seems the previous IT has reinstalled the server completely. I found these files on an "inactive" USB backup drive, but they are critical for business operations. So, as you can see, the backup is encrypted too...
GT500 Posted August 12, 2020

el_lo said: "So, as you can see, the backup is encrypted too..."

Unfortunately that's common with many ransomware families, since they will encrypt any shared files they find on the network.
GT500 Posted August 12, 2020

There's more information about this ransomware at the following link: https://www.bleepingcomputer.com/news/security/new-tycoon-ransomware-targets-both-windows-and-linux-systems/

Since it appears to be spread via RDP compromise, I'm going to paste some steps for getting started with securing the network against such attacks below.

First, I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server.

If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN, so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
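As an added example of the kind of alerting the post above asks the IDS/IPS audit to verify (editor's code, not from any post in this thread): a Python script that reads a CSV export of Windows Security logon events and raises three alerts, a password-guessing burst against RDP from one source, a successful logon from a source that was just guessing, and any remote logon that did not arrive through the VPN. The CSV column names, the 10.8.0.0/24 VPN pool, the five-failures-in-five-minutes threshold and the sample events are all my assumptions; adjust TRUSTED_NETS to your own address plan.

```python
"""Spot RDP password guessing, and the logon that follows it, in a Windows
Security log export. Added example for this thread, not part of any post.
Assumptions: events are exported as CSV with the columns used below, and
the VPN client pool is 10.8.0.0/24."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Set, Tuple

TRUSTED_NETS = [ip_network("10.8.0.0/24")]  # assumed VPN client pool
REMOTE_LOGON_TYPES = {3, 10}                 # 3 = network (NLA), 10 = RemoteInteractive (RDP)
THRESHOLD = 5                                # failures from one source within WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample export: a guessing burst from an Internet address that
# ends in a successful logon, one console logon, and one typo by a VPN user.
SAMPLE_EXPORT = """\
TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2020-08-01T02:14:03,4625,3,administrator,203.0.113.45
2020-08-01T02:14:04,4625,3,admin,203.0.113.45
2020-08-01T02:14:05,4625,3,backup,203.0.113.45
2020-08-01T02:14:06,4625,3,sql,203.0.113.45
2020-08-01T02:14:07,4625,3,user,203.0.113.45
2020-08-01T02:14:08,4625,3,guest,203.0.113.45
2020-08-01T02:20:11,4624,10,administrator,203.0.113.45
2020-08-01T08:58:30,4624,2,jdoe,-
2020-08-01T09:00:00,4625,10,jdoe,10.8.0.12
2020-08-01T09:01:00,4624,10,jdoe,10.8.0.12
"""

Event = Tuple[datetime, int, int, str, str]   # (time, event id, logon type, user, source ip)
Alert = Tuple[str, str, datetime, str]        # (kind, source ip, time, detail)


def parse_export(text: str) -> List[Event]:
    """Parse the CSV export into time-ordered events."""
    events: List[Event] = []
    for row in csv.DictReader(StringIO(text)):
        events.append((datetime.fromisoformat(row["TimeCreated"]), int(row["EventID"]),
                       int(row["LogonType"]), row["TargetUserName"], row["IpAddress"]))
    events.sort(key=lambda e: e[0])
    return events


def is_trusted(ip: str) -> bool:
    """Local logons carry '-' instead of an address; treat those as trusted."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_NETS)


def detect(events: List[Event]) -> List[Alert]:
    """Sliding-window failure counter per source plus two follow-up checks."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # recent failures per source
    bursting: Set[str] = set()                                # sources that crossed THRESHOLD
    for ts, eid, ltype, user, ip in events:
        if ltype not in REMOTE_LOGON_TYPES:
            continue                     # console/service logons are out of scope here
        if eid == 4625:                  # failed logon
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:    # drop failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and ip not in bursting:
                bursting.add(ip)
                alerts.append(("brute_force", ip, ts,
                               f"{len(q)} failed remote logons within {WINDOW}"))
        elif eid == 4624:                # successful logon
            if ip in bursting:
                alerts.append(("success_after_bruteforce", ip, ts,
                               f"{user} logged on after a guessing burst"))
            if not is_trusted(ip):
                alerts.append(("remote_logon_outside_vpn", ip, ts,
                               f"{user} reached a remote service from a non-VPN address"))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts, detail in detect(parse_export(SAMPLE_EXPORT)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:26} {ip:15} {detail}")
```

The third alert is the policy check from the post: once RDP is only reachable through the VPN, any remote logon from an address outside the VPN pool means a port is still open to the world (or the VPN itself has been compromised), and that is worth an alert on its own, whether or not it was preceded by guessing.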