WNDKK 0 Posted March 17, 2017 (edited) I have encrypted files with the ending [amagnus00@gmx.org].wallet, is this a new version of the Dharma encrypter? Neither the Eset decrypter nor the RakhniDecrypter helped. Attached is a .lnk file from the infected computer. Is there something I can do? Thank you. Attachment: [amagnus00@gmx.com].wallet.zip
Marcos (Administrator) 5,452 Posted March 17, 2017 Unfortunately, files encrypted by Filecoder.Crysis cannot be decrypted. Did you have ESET installed and all protection features enabled? If so, what product version was it?
WNDKK 0 (Author) Posted March 17, 2017 ESET was indeed installed and running. It was ESET File Security 6.0.12035.1
Marcos (Administrator) 5,452 Posted March 17, 2017 Do you use the server for browsing the web or reading email? Couldn't it be that files got encrypted in shared folders from an infected workstation? Do you have Endpoint v6 installed on all workstations, and is LiveGrid also enabled in EFSW?
WNDKK 0 (Author) Posted March 17, 2017 Workstations are running macOS, and the purpose of the server was to run a Windows-only program that all employees needed to access via internal RDP. By company regulations, users aren't allowed to check emails or browse the web while connected to the server, but that probably is what happened anyhow.
Marcos (Administrator) 5,452 Posted March 17, 2017 Not really. As you can see, Filecoder.Crysis is often run by an attacker who connects to a computer (often a server) via RDP: https://www.bleepingcomputer.com/news/security/number-of-rdp-brute-force-attacks-spreading-crysis-ransomware-doubles-in-6-months/ Protecting ESET's settings with a password would prevent the attacker from disabling or uninstalling ESET; however, it's crucial to secure RDP in the first place.
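Marcos' point that Crysis typically arrives over brute-forced RDP suggests one defender-side check worth having on any RDP-exposed server: counting failed RDP logons per source address and noting whether a success follows the burst. The script below is an added example written for this thread; it is not code from the forum, from ESET, or from the linked article. It assumes a simplified one-event-per-line text export of Windows Security events 4625 (failed logon) and 4624 (successful logon) with the logon type, account and source address; that line layout, the threshold, and every IP address and account name in the sample are constructed for the example.

```python
"""Flag RDP brute-force bursts in a simplified Windows Security log export.

Added example, not code from the forum thread. The line format below is an
assumption: one event per line with timestamp, event id, LogonType, Account
and Source. Logon type 10 is RemoteInteractive (RDP); type 3 is a network
logon and is ignored here so SMB/share noise does not trigger the rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one aggressive source, one slow trickle that stays
# below the rate, one ordinary user typo, and one non-RDP failure.
SAMPLE_LOG = """\
2017-03-16T22:01:03 4625 LogonType=10 Account=administrator Source=203.0.113.45
2017-03-16T22:01:05 4625 LogonType=10 Account=admin Source=203.0.113.45
2017-03-16T22:01:06 4625 LogonType=10 Account=sysadmin Source=203.0.113.45
2017-03-16T22:01:09 4625 LogonType=10 Account=backup Source=203.0.113.45
2017-03-16T22:01:11 4625 LogonType=10 Account=test Source=203.0.113.45
2017-03-16T22:02:40 4625 LogonType=10 Account=administrator Source=203.0.113.45
2017-03-16T22:03:02 4624 LogonType=10 Account=administrator Source=203.0.113.45
2017-03-16T20:00:00 4625 LogonType=10 Account=administrator Source=192.0.2.9
2017-03-16T20:10:00 4625 LogonType=10 Account=administrator Source=192.0.2.9
2017-03-16T20:20:00 4625 LogonType=10 Account=administrator Source=192.0.2.9
2017-03-16T20:30:00 4625 LogonType=10 Account=administrator Source=192.0.2.9
2017-03-16T20:40:00 4625 LogonType=10 Account=administrator Source=192.0.2.9
2017-03-16T21:15:30 4625 LogonType=10 Account=jsmith Source=198.51.100.7
2017-03-16T21:15:41 4624 LogonType=10 Account=jsmith Source=198.51.100.7
2017-03-16T21:40:00 4625 LogonType=3 Account=svc_backup Source=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d{4})\s+LogonType=(?P<ltype>\d+)\s+"
    r"Account=(?P<account>\S+)\s+Source=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the assumed export format into a list of event dicts.

    Lines that do not match the expected shape are skipped rather than
    aborting the run, so a partially mangled export still yields results.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "logon_type": int(m["ltype"]),
            "account": m["account"],
            "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources that reach `threshold` failed
    RDP logons inside any sliding `window`, and record a later successful
    RDP logon from the same source (the point at which an attacker would
    actually be on the box).
    """
    recent = defaultdict(deque)  # per-source failures inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons count
        src = ev["src"]
        if ev["event"] == 4625:
            q = recent[src]
            q.append(ev)
            while q and ev["ts"] - q[0]["ts"] > window:
                q.popleft()  # slide the window forward
            if src in flagged:
                flagged[src]["failures"] += 1
                flagged[src]["accounts"].add(ev["account"])
                flagged[src]["last_failure"] = ev["ts"]
            elif len(q) >= threshold:
                flagged[src] = {
                    "failures": len(q),
                    "accounts": {e["account"] for e in q},
                    "first_failure": q[0]["ts"],
                    "last_failure": ev["ts"],
                    "success_after": None,
                }
        elif ev["event"] == 4624 and src in flagged:
            flagged[src]["success_after"] = (ev["ts"], ev["account"])
    return flagged


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, info["failures"], "failures against", sorted(info["accounts"]),
              "then success:", info["success_after"])
```

The sliding window is what separates the 203.0.113.45 burst (six failures in under two minutes, then a success as administrator) from 192.0.2.9, which also fails five times but ten minutes apart and never reaches the threshold; a plain per-day counter would treat them the same. Tune the threshold to your own baseline, and treat a success following a flagged burst as the event to page on.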
Barder 1 Posted March 22, 2017 It's a new Wallet ransomware strain: https://malwareless.com/remove-wallet-ransomware-virus/ You should upload an encrypted file to https://www.nomoreransom.org/crypto-sheriff.php and try to find a decryption tool. However, as far as I know there is still no decryption solution for this type of ransomware.