Jump to content

.arena Virus on Windows server 2008 R2


netbus
 Share

Recommended Posts

Hello,

I have problem on Microsoft server 2008 R2. Yesterday. 1.10 (around 10am) Almost all files were crypted. This applies almost to all docs ( office, .dll, financial programs).

Any ideas how to rid of it?

 

WhatsApp Image 2017-10-02 at 14.04.13.jpg

Link to comment
Share on other sites

It is a CryptoMix variant. Article on it here: https://www.bleepingcomputer.com/news/security/new-arena-cryptomix-ransomware-variant-released/ .

Another detailed analysis was done by this Polish CERT organization: https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/ . You might want to contact them to see if they have developed a decryptor for it. Appears the have decrytors for some CryptoMix variants.

Eset has a sig. for the hash, 3d615c210addb2672e40b291c2bf7f322955e7df475512a60d682ef1110ff511, associated with the ransomware noted in the bleepingcomputer.com article. So this must be a new variant.

Also you did not state in your posting if you are a current Eset user?

Edited by itman
Link to comment
Share on other sites

  • Administrators

The files were encrypted by Filecoder.Crysis. Decryption is not possible. Modus operandi is that an attacker runs a bruteforce attack on RDP, disables or uninstalls AV and then runs ransomware to encrypt files. It could also be that files were encrypted from a remote computer in shares for which the remote user has write permissions.

Make sure that you have the latest version of the ESET product installed and all protection features are enabled. We recommend protecting the settings with a password and also enabling detection of potentially unsafe applications.

 

Link to comment
Share on other sites

Thanks for answering. Yes, I have instaled ESET FIle seciruty on our server. But It didnt help.

I have backup file .VHD of hole server so the recovery should work.

So you are saying that there is no possibility to decrypt those files?

Edited by netbus
Link to comment
Share on other sites

Eset has a decryptor for Crysis ransomware here: https://support.eset.com/kb6274/?viewlocale=en_US . The problem is that it currently does not work for this recent .arena variant:

Quote

Your files have been renamed with one of the following extensions: .xtbl, .crysis, .crypt, .lock, .crypted, .dharma, .wallet, .onion

Here's the bleepingcomputer.com article on the recent .arena variant: https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/ . You could try what they state in the article:

Quote

Unfortunately, at this time it is not possible to decrypt .arena files encrypted by the Crysis Ransomware for free.

The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Crysis does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.

 

Edited by itman
Link to comment
Share on other sites

Realy thank you for your help. 

Shadow Volume are deleted.

You also mention that there is no FREE way to decrypt those files. Is there any soft where I have to pay for ? (and works)

Is there any site where can I check status about this decryption?

Edited by netbus
Link to comment
Share on other sites

40 minutes ago, netbus said:

Is there any site where can I check status about this decryption?

https://www.bleepingcomputer.com/forums/t/607680/crysis-extensionid-numberemailarenacrysis-ransomware-support-topic/

Another corp. user posted on the above he got nailed by same variant on 9/29.

Link to comment
Share on other sites

  • 1 month later...

Hello netbus. Try Shadowexplorer programm. It helped me to restore 34 files. But not all. Some were lost. Good info is also on a German site: https://www.virus-entferner.de/arena-ransomware-datei-verschlüsselung-entfernen/

The decryptor for Crysis didnt work with .arena. I tried it several times.

Best regards.

 

 

 

Link to comment
Share on other sites

you can use this service to correctly determine the type of encoder.

On a note on redemption, an encrypted file, on the contact e-mail

https://id-ransomware.malwarehunterteam.com/index.php

eg:

https://id-ransomware.malwarehunterteam.com/identify.php?case=26bfdc216afdb6c5c1e6cb46d0db179f30c7bf79

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...