
.arena Virus on Windows server 2008 R2



Hello,

I have a problem on Microsoft Server 2008 R2. Yesterday, 1.10 (around 10am), almost all files were encrypted. This applies to almost all docs (Office, .dll, financial programs).

Any ideas how to rid of it?

 


It is a CryptoMix variant. Article on it here: https://www.bleepingcomputer.com/news/security/new-arena-cryptomix-ransomware-variant-released/ .

Another detailed analysis was done by this Polish CERT organization: https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/ . You might want to contact them to see if they have developed a decryptor for it. It appears they have decryptors for some CryptoMix variants.

Eset has a signature for the hash, 3d615c210addb2672e40b291c2bf7f322955e7df475512a60d682ef1110ff511, associated with the ransomware noted in the bleepingcomputer.com article. So this must be a new variant.

Also, you did not state in your post whether you are a current Eset user.

Edited by itman

  • Administrators

The files were encrypted by Filecoder.Crysis. Decryption is not possible. The modus operandi is that an attacker runs a brute-force attack on RDP, disables or uninstalls AV and then runs ransomware to encrypt files. It could also be that files were encrypted from a remote computer, in shares for which the remote user has write permissions.

Make sure that you have the latest version of the ESET product installed and all protection features are enabled. We recommend protecting the settings with a password and also enabling detection of potentially unsafe applications.

 

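As an added example (not code from this thread or from an ESET tool), a PowerShell check for the RDP brute-force pattern the administrator describes: many failed logons (Event ID 4625) from one source address, followed by a successful remote interactive logon (4624, logon type 10) from the same address. It assumes logon auditing is enabled on the server, that it runs in an elevated PowerShell 2.0 session on Windows Server 2008 R2, and the failure threshold of 20 is a constructed value to adjust to your environment.

```powershell
# Added example (not code from this thread): flag source addresses with many
# failed logons (4625) and any later successful RDP logon (4624, LogonType 10).
# Assumes logon auditing is on and this runs elevated on the 2008 R2 server.
$days      = 7    # how far back to search
$threshold = 20   # constructed value: failures from one source before flagging

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$days) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Pull the named EventData fields out of each record's XML body.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Ip        = $d['IpAddress']
        LogonType = $d['LogonType']
        User      = $d['TargetUserName']
    }
}

# Group by source IP (skip blank/local sources), count failures, note RDP successes.
$rows | Where-Object { $_.Ip -and $_.Ip -ne '-' } |
    Group-Object Ip | ForEach-Object {
        $fails = @($_.Group | Where-Object { $_.Id -eq 4625 })
        $rdpOk = @($_.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' })
        if ($fails.Count -ge $threshold) {
            New-Object PSObject -Property @{
                SourceIp     = $_.Name
                FailedLogons = $fails.Count
                FirstFailure = ($fails | Sort-Object Time | Select-Object -First 1).Time
                RdpSuccesses = $rdpOk.Count
                AccountsHit  = ($fails | Select-Object -ExpandProperty User -Unique) -join ','
            }
        }
    } |
    Select-Object SourceIp, FailedLogons, FirstFailure, RdpSuccesses, AccountsHit |
    Sort-Object FailedLogons -Descending | Format-Table -AutoSize
```

A source that reaches the threshold and also shows RDP successes is the one to check first for the AV tampering and encryption activity described above; the FirstFailure column gives a starting point for the timeline.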

Thanks for answering. Yes, I have installed ESET File Security on our server. But it didn't help.

I have a backup .VHD file of the whole server, so the recovery should work.

So you are saying that there is no possibility to decrypt those files?

Edited by netbus

Eset has a decryptor for Crysis ransomware here: https://support.eset.com/kb6274/?viewlocale=en_US . The problem is that it currently does not work for this recent .arena variant:

Quote

Your files have been renamed with one of the following extensions: .xtbl, .crysis, .crypt, .lock, .crypted, .dharma, .wallet, .onion

Here's the bleepingcomputer.com article on the recent .arena variant: https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/ . You could try what they state in the article:

Quote

Unfortunately, at this time it is not possible to decrypt .arena files encrypted by the Crysis Ransomware for free.

The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Crysis does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.

 

Edited by itman

Really, thank you for your help.

Shadow Volumes are deleted.

You also mention that there is no FREE way to decrypt those files. Is there any software that I have to pay for (and that works)?

Is there any site where can I check status about this decryption?

Edited by netbus

40 minutes ago, netbus said:

Is there any site where can I check status about this decryption?

https://www.bleepingcomputer.com/forums/t/607680/crysis-extensionid-numberemailarenacrysis-ransomware-support-topic/

Another corp. user posted on the above that he got nailed by the same variant on 9/29.


1 month later...

Hello netbus. Try the ShadowExplorer program. It helped me to restore 34 files, but not all; some were lost. Good info is also on a German site: https://www.virus-entferner.de/arena-ransomware-datei-verschlüsselung-entfernen/

The decryptor for Crysis didn't work with .arena. I tried it several times.

Best regards.

 

 

 


You can use this service to correctly determine the type of encryptor, from the ransom note, an encrypted file, or the contact e-mail:

https://id-ransomware.malwarehunterteam.com/index.php

e.g.:

https://id-ransomware.malwarehunterteam.com/identify.php?case=26bfdc216afdb6c5c1e6cb46d0db179f30c7bf79

 

