Jump to content

.arena Virus on Windows server 2008 R2


Recommended Posts

Hello,

I have problem on Microsoft server 2008 R2. Yesterday. 1.10 (around 10am) Almost all files were crypted. This applies almost to all docs ( office, .dll, financial programs).

Any ideas how to rid of it?

 

WhatsApp Image 2017-10-02 at 14.04.13.jpg

Link to post
Share on other sites

It is a CryptoMix variant. Article on it here: https://www.bleepingcomputer.com/news/security/new-arena-cryptomix-ransomware-variant-released/ .

Another detailed analysis was done by this Polish CERT organization: https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/ . You might want to contact them to see if they have developed a decryptor for it. Appears the have decrytors for some CryptoMix variants.

Eset has a sig. for the hash, 3d615c210addb2672e40b291c2bf7f322955e7df475512a60d682ef1110ff511, associated with the ransomware noted in the bleepingcomputer.com article. So this must be a new variant.

Also you did not state in your posting if you are a current Eset user?

Edited by itman
Link to post
Share on other sites
  • Administrators

The files were encrypted by Filecoder.Crysis. Decryption is not possible. Modus operandi is that an attacker runs a bruteforce attack on RDP, disables or uninstalls AV and then runs ransomware to encrypt files. It could also be that files were encrypted from a remote computer in shares for which the remote user has write permissions.

Make sure that you have the latest version of the ESET product installed and all protection features are enabled. We recommend protecting the settings with a password and also enabling detection of potentially unsafe applications.

 

Link to post
Share on other sites

Thanks for answering. Yes, I have instaled ESET FIle seciruty on our server. But It didnt help.

I have backup file .VHD of hole server so the recovery should work.

So you are saying that there is no possibility to decrypt those files?

Edited by netbus
Link to post
Share on other sites

Eset has a decryptor for Crysis ransomware here: https://support.eset.com/kb6274/?viewlocale=en_US . The problem is that it currently does not work for this recent .arena variant:

Quote

Your files have been renamed with one of the following extensions: .xtbl, .crysis, .crypt, .lock, .crypted, .dharma, .wallet, .onion

Here's the bleepingcomputer.com article on the recent .arena variant: https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/ . You could try what they state in the article:

Quote

Unfortunately, at this time it is not possible to decrypt .arena files encrypted by the Crysis Ransomware for free.

The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Crysis does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.

 

Edited by itman
Link to post
Share on other sites

Realy thank you for your help. 

Shadow Volume are deleted.

You also mention that there is no FREE way to decrypt those files. Is there any soft where I have to pay for ? (and works)

Is there any site where can I check status about this decryption?

Edited by netbus
Link to post
Share on other sites
  • 1 month later...

Hello netbus. Try Shadowexplorer programm. It helped me to restore 34 files. But not all. Some were lost. Good info is also on a German site: https://www.virus-entferner.de/arena-ransomware-datei-verschlüsselung-entfernen/

The decryptor for Crysis didnt work with .arena. I tried it several times.

Best regards.

 

 

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...