Jump to content

Arquivos criptografados .BIP (Encrypted .BIP files)


Recommended Posts

Bom dia!

Recentemente notei em meu disco removível alguns arquivos que estão com extensão .BIP. Pelo que pesquisei se trata de uma criptografia por ransomware e não encontrei uma solução até o momento.

Alguém teria como me ajudar?

Obrigado.

 

I recently noticed on my removable disk some files that are .BIP extension. For what I researched is an encryption for ransomware and I have not found a solution so far.

Could someone help me?

Edited by Marcos
Machine translation added
Link to comment
Share on other sites

  • Administrators

Files were encrypted by Filecoder.Crysis. Unfortuately, it is not technically possible to decrypt files.

This ransomware is known to be run manually by attackers after they make it to a system with administrator rights after performing a bruteforce RDP attack. It is important that you harden RDP, e.g. by using VPN or 2FA. At least you could restrict RDP connections on a firewall to specific IP addresses or ranges.

Also users with administrator rights and RDP allowed must not use weak passwords.

Link to comment
Share on other sites

  • 1 month later...
Guest sindbad

I have the same. Files got encrypted and now they are called --> [files.recovery@foxmail.com].bip

 

ESET can't decrypt it?

ESET is scanning the whole time. But it is not telling us that "BIP" is a virus. WHY? We should get a notification or an e-mail (if you have set it up), that there is a virus/ransomware. This is not right!

Edited by sindbad
Link to comment
Share on other sites

  • Administrators
22 minutes ago, sindbad said:

ESET can't decrypt it?

Not only ESET but nobody. Except the attacker.

Quote

ESET is scanning the whole time. But it is not telling us that "BIP" is a virus. WHY? We should get a notification or an e-mail (if you have set it up), that there is a virus/ransomware. This is not right!

Most likely an attacker performed a bruteforce RDP attack, remoted in with admin privileges and disabled or uninstalled ESET. You can drop me a personal message with ELC logs from that machine so that I can check your ESET configuration.

Link to comment
Share on other sites

Guest sindbad

I reinstalled ESET. Did a Scan. Still .bip files are there and ESET does not recognize. This is not normal behaviour right? Which logs do you need exactly?

Link to comment
Share on other sites

  • Administrators

Files with the bip extension are legitimate files that were encrypted by Filecoder.Crysis. They are not subject to detection. Please provide me with logs gathered by ELC and with another tool that I'll provide you with via a personal message.

Link to comment
Share on other sites

Guest sindbad

I did not get a PM from you. Can you send me the tool. After that I will send you the output with the ESET Log Collector.

".bip" should be flagged as filecoder.Crysis when ESET is scanning. Because those files are effected and the user needs to get a warning!

I will tell you what happened:

The customer is attacked by Filecoder.Crysis and they asked which file got infected. I searched for: ".bip" in Windows. But somehow, Windows did not search everything. I told the customer that those files got attacked and I did replace backups. All was good. 10 days later the customer said that he is still seeing ".bip" files in a folder. Unfortunately the backup was 7 days. Files are lost. If ESET could have seen the ".bip" files, then it alerted me. I could have seen this before and replaced backups for that user.

Link to comment
Share on other sites

  • Administrators
22 hours ago, sindbad said:

I did not get a PM from you. Can you send me the tool. After that I will send you the output with the ESET Log

Check your inbox.

Quote

".bip" should be flagged as filecoder.Crysis when ESET is scanning. Because those files are effected and the user needs to get a warning!

No, detecting encrypted files would be a big mistake that would lead to a lot of problems (e.g. quarantining GBs of files for no good/useful purpose). In fact, detecting them would normally be considered a false positive.

Quote

The customer is attacked by Filecoder.Crysis and they asked which file got infected. I searched for: ".bip" in Windows.

Your answer was wrong. Infected is a file that causes encryption. Already encrypted files are not infected, they are just encrypted and do not pose any risk.

Quote

10 days later the customer said that he is still seeing ".bip" files in a folder. Unfortunately the backup was 7 days. Files are lost.  If ESET could have seen the ".bip" files, then it alerted me.

If that was another round of encryption, ie. if the user didn't take measures to prevent attackers from getting logged in via RDP and the attackers exploited RDP again and disabled or uninstalled ESET prior to running the ransomware, even theoretically encrypted files could not be detected simply because protection had been disabled by the attacker.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...