Lessandro, posted July 11, 2018 (edited)

Good morning! I recently noticed some files on my removable disk that have the .BIP extension. From what I have researched, this is ransomware encryption, and I have not found a solution so far. Could someone help me? Thank you.

Edited July 11, 2018 by Marcos (machine translation added)
Marcos (Administrator), posted July 11, 2018

Files were encrypted by Filecoder.Crysis. Unfortunately, it is not technically possible to decrypt files. This ransomware is known to be run manually by attackers after they make it to a system with administrator rights after performing a brute-force RDP attack. It is important that you harden RDP, e.g. by using VPN or 2FA. At least you could restrict RDP connections on a firewall to specific IP addresses or ranges. Also, users with administrator rights and RDP allowed must not use weak passwords.
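As an added example (not part of the thread or any ESET tool), the following PowerShell applies the two firewall-side mitigations Marcos lists on a Windows host: scoping the inbound Remote Desktop rules to an allow-list of source addresses and checking that Network Level Authentication is required. The address ranges are constructed placeholders from the RFC 5737 documentation blocks, and the rule group name "Remote Desktop" is the built-in English display group; both are assumptions to adjust for your environment.

```powershell
# Added example: restrict inbound RDP to an allow-list and verify NLA.
# Run in an elevated PowerShell session on the host that exposes RDP.

# Constructed placeholder ranges (RFC 5737 documentation addresses); replace with
# the management VPN subnet or admin workstation addresses you actually use.
$AllowedSources = @('203.0.113.0/24', '198.51.100.10')

# Assumption: the built-in English rule group name. On localized systems the
# display group differs; match on the underlying rule names (e.g. RemoteDesktop-UserMode-In-TCP) instead.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' }

if (-not $rdpRules) {
    throw "No inbound Remote Desktop rules found; check the display group name for this OS."
}

# Scope every inbound RDP rule so only the allow-listed sources can reach TCP/UDP 3389.
$rdpRules | Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

# Show the resulting address filters so the change can be reviewed and recorded.
$rdpRules | Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress |
    Format-Table -AutoSize

# Require Network Level Authentication: credentials are checked before a session
# is created, which removes the unauthenticated pre-logon surface from brute-force tools.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Write-Output 'NLA was not required; it has now been enabled.'
} else {
    Write-Output 'NLA already required.'
}

# List local administrators: every account here is a brute-force target once RDP is
# reachable, so each one needs a strong password or, better, should be removed from RDP access.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

The firewall scoping is only a partial control, as Marcos says: a VPN or 2FA in front of RDP is the stronger fix, and the allow-list must be maintained when admin workstation addresses change.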
sindbad (Guest), posted August 24, 2018 (edited)

I have the same. Files got encrypted and now they are called --> [files.recovery@foxmail.com].bip. ESET can't decrypt it? ESET is scanning the whole time, but it is not telling us that "BIP" is a virus. WHY? We should get a notification or an e-mail (if you have set it up) that there is a virus/ransomware. This is not right!

Edited August 24, 2018 by sindbad
Marcos (Administrator), posted August 24, 2018

22 minutes ago, sindbad said:
> ESET can't decrypt it?

Not only ESET but nobody. Except the attacker.

> ESET is scanning the whole time, but it is not telling us that "BIP" is a virus. WHY? We should get a notification or an e-mail (if you have set it up) that there is a virus/ransomware. This is not right!

Most likely an attacker performed a brute-force RDP attack, remoted in with admin privileges and disabled or uninstalled ESET. You can drop me a personal message with ELC logs from that machine so that I can check your ESET configuration.
sindbad (Guest), posted August 30, 2018

I reinstalled ESET. Did a scan. Still .bip files are there and ESET does not recognize them. This is not normal behaviour, right? Which logs do you need exactly?
Marcos (Administrator), posted August 30, 2018

Files with the .bip extension are legitimate files that were encrypted by Filecoder.Crysis. They are not subject to detection. Please provide me with logs gathered by ELC and with another tool that I'll provide you with via a personal message.
sindbad (Guest), posted September 1, 2018

I did not get a PM from you. Can you send me the tool? After that I will send you the output from the ESET Log Collector.

".bip" should be flagged as Filecoder.Crysis when ESET is scanning, because those files are affected and the user needs to get a warning! I will tell you what happened: the customer was attacked by Filecoder.Crysis and they asked which files got infected. I searched for ".bip" in Windows. But somehow, Windows did not search everything. I told the customer that those files got attacked and I replaced them from backups. All was good. 10 days later the customer said that he is still seeing ".bip" files in a folder. Unfortunately the backup was 7 days old. Files are lost. If ESET could have seen the ".bip" files, then it would have alerted me. I could have seen this before and replaced backups for that user.
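The post above describes an inventory of encrypted files that relied on Windows search and missed a folder. As an added example (not from the thread, ESET, or any product), the PowerShell below walks every filesystem drive directly, including hidden and system-attributed files and removable disks like the one in the first post, and summarises the .bip files by folder and by last-write time. The last-write timestamps show when each batch of encryption ran, which is what tells you whether a given backup predates it. The extension and the output path are parameters; the defaults are assumptions.

```powershell
# Added example: inventory files carrying a ransomware extension across all drives.
# Usage:  .\Find-EncryptedFiles.ps1            (defaults to every FileSystem drive, extension .bip)
#         .\Find-EncryptedFiles.ps1 -Roots 'D:\','E:\' -Report C:\IR\bip-files.csv
param(
    [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }),
    [string]$Extension = '.bip',           # extension seen in this thread; assumption that it is unchanged
    [string]$Report = "$env:USERPROFILE\Desktop\encrypted-files.csv"  # assumed output location
)

# -Force includes hidden and system files, which Explorer search skips by default;
# -ErrorAction SilentlyContinue keeps the walk going past folders the account cannot read.
$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $Extension }
}

if (-not $hits) {
    Write-Output "No $Extension files found under: $($Roots -join ', ')"
    return
}

# Per-folder counts: every folder listed here needs a restore, not just the ones search surfaced.
Write-Output "Encrypted files per folder:"
$hits | Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object @{n='Folder'; e={ $_.Name }}, Count |
    Format-Table -AutoSize

# Encryption runs show up as clusters of LastWriteTime; a second round (as Marcos describes)
# appears as a separate, later cluster. Compare these against the date of the backup you hold.
Write-Output "Encryption activity by hour (LastWriteTime):"
$hits | Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object @{n='Hour'; e={ $_.Name }}, Count |
    Format-Table -AutoSize

# Full list for the incident record and for the restore job.
$hits |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Sort-Object LastWriteTime |
    Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

Write-Output "Total: $($hits.Count) files; detail written to $Report"
```

Run it from an account that can read every share and profile involved, otherwise the SilentlyContinue walk will quietly skip folders, which is the same blind spot the post ran into.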
Marcos (Administrator), posted September 2, 2018

22 hours ago, sindbad said:
> I did not get a PM from you. Can you send me the tool? After that I will send you the output from the ESET Log Collector.

Check your inbox.

> ".bip" should be flagged as Filecoder.Crysis when ESET is scanning, because those files are affected and the user needs to get a warning!

No, detecting encrypted files would be a big mistake that would lead to a lot of problems (e.g. quarantining GBs of files for no good/useful purpose). In fact, detecting them would normally be considered a false positive.

> The customer was attacked by Filecoder.Crysis and they asked which files got infected. I searched for ".bip" in Windows.

Your answer was wrong. Infected is a file that causes encryption. Already encrypted files are not infected; they are just encrypted and do not pose any risk.

> 10 days later the customer said that he is still seeing ".bip" files in a folder. Unfortunately the backup was 7 days old. Files are lost. If ESET could have seen the ".bip" files, then it would have alerted me.

If that was another round of encryption, i.e. if the user didn't take measures to prevent attackers from getting logged in via RDP and the attackers exploited RDP again and disabled or uninstalled ESET prior to running the ransomware, then even theoretically encrypted files could not be detected, simply because protection had been disabled by the attacker.