safety

by the way, kamiran.asia, in this version of the rootkit there should also be a security policy, check Active IPSec Policy [Local]: SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{9cebfa4f-4ea7-4c53-b4ce-fbeba78b7175}

check also in tdsskiller from Kaspersky

those. uVS (Universal Virus Sniffer - there is a Russian, there is an English version) from normal mode can show malicious threads injected into a clean process. and then, if we do not find out who created these streams, we need to analyze the system from under Winpe, as a rule, either a rootkit driver, or dll is launched through a service, or MBR is infected

in Universal Virus Sniffer it might look like this. In normal mode: from under Winpe + uVS

I would make logs in the Universal Virus Sniffer program, perhaps there are embedded threads in the legal process

Please send me link EES 7 beta + EEA 7 beta

@ Ali Akbar In your case, ESET discovered a note about the redemption, which apparently remained in the system for some reason. (As they say, there were only horns, but the legs of the encoder). The main body of the encoder in the system is not, at least, you would see its result in the form of encrypted files. This file (!#_RESTORE_FILES_#!.INF) can not be deleted by the ESET antivirus, because it was detected at the time of scanning the system in malwarebytes, so mbam blocked it.

@Marcos this is most likely BTCWare. https://id-ransomware.malwarehunterteam.com/identify.php?case=2877613b7a7ce3420fe5a415bc24e7d190472452 The .WALLET extension has been used by several ransomwares to include CryptoMix Wallet Ransomware, Dharma (CrySiS) Ransomware, BTCWare.wallet and Sanctions Ransomware which does not contain the standard Dharma/Crysis file markers. .[<email>].ID.<16 random hexadecimal character ID>.WALLET (i.e. ,[ADMIN@HOIST.DESI].ID[DF1866CB3A6F9701].WALLET) = CryptoMix .id-<8 random hexadecimal characters>.[<email>].wallet (i.e. .id-480EB957.[legionfromheaven@india.com].wallet) = Dharma (CrySiS) .[<email>]-id-[4 random hexadecimal characters>.wallet (i.e. .[amagnus@india.com]-id-37DC.wallet) = BTCWare AES-256 .filename.[extension].wallet = Sanctions https://www.bleepingcomputer.com/forums/t/601084/unblockedemailsututaio-ransomware-support-topic-how-to-decrypt-filestxt/page-10#entry4418219

you can use this service to correctly determine the type of encoder. On a note on redemption, an encrypted file, on the contact e-mail https://id-ransomware.malwarehunterteam.com/index.php eg: https://id-ransomware.malwarehunterteam.com/identify.php?case=26bfdc216afdb6c5c1e6cb46d0db179f30c7bf79

In the log we see that the decoder is running in the key detection mode, but the key does not explicitly find, and therefore the decryption of the files that are added to the test folder is impossible. [2017.09.21 15:01:55.705] - INFO: Init: CleanerMode(DetectKeys) [2017.09.21 15:01:55.707] - INFO: Init: Generating test vectors... [2017.09.21 15:01:55.997] - INFO: Looking for infected files... [2017.09.21 15:01:55.997] - -------------------------------------------------------------------------------- [2017.09.21 15:01:55.997] - [2017.09.21 15:01:56.037] - -------------------------------------------------------------------------------- [2017.09.21 15:01:56.040] - INFO: 6 infected files found. [2017.09.21 15:01:56.043] - INFO: 0 file(s) cleaned. [2017.09.21 15:02:03.992] - End

Dear Marcos, I know that Virlab can calculate the key for several encrypted (office) documents. :). And I once asked for help with the decryption of files after Xorist / Filecoder.Q. I'm wondering if it's possible to calculate the decryption key yourself using the FilecoderQCleaner utility using the "/ a" option ?

Tell me, please, can I use the / a option to define the decryption key for several encrypted files? How to use this option correctly? and what information can I get with this? If possible, please show a specific example.

Attackers attack the system from an external network. Either WannaCry, or AdylKuzz It is necessary to eliminate the vulnerability of the system.

Interesting, Judging by the technical description of Symantec, SOREBRECT uses the already known encoder AES_NI as the encoder https://www.bleepingcomputer.com/forums/t/635140/aes-ni-ransomware-aes256-aes-ni-read-this-importanttxt-support-topic/

Clean an AES-NI or XData infection using the ESET AES-NI decryptor hxxp://support.eset.com/kb6467/ https://download.eset.com/com/eset/tools/decryptors/aesni/latest/esetaesnidecryptor.exe