Menakutkan, posted November 13, 2020:
Dear ESET team, please help me. I have a ransomware virus, .mars... Is there any solution? Decrypt... !!!MARS_DECRYPT.TXT
Marcos (ESET Administrator), posted November 13, 2020:
The Filecoder is unknown. We assume that files were encrypted after an attacker gained access to the machine via RDP and disabled antivirus protection. Please provide logs collected with ESET Log Collector.
peteyt (Most Valued Member), posted November 13, 2020 (edited November 17, 2020):
Quoting Menakutkan (11/13/2020 at 2:45 AM): "Dear ESET team, please help me. I have a ransomware virus, .mars... Is there any solution? Decrypt... !!!MARS_DECRYPT.TXT"
Googling shows this: https://www.pcrisk.com/removal-guides/19266-mars-ransomware
It also shows you have posted on the Kaspersky forum with screenshots. I should note that the ESET forum is only for people with ESET, and if you have both, it is not recommended to use two AVs together. If that is the case, technically malware could sneak past if the two AVs came into conflict.
itman, posted November 13, 2020:
Quoting peteyt (2 hours ago): "Googling shows this: https://www.pcrisk.com/removal-guides/19266-mars-ransomware"
Note: if you're using Google as your search engine, ESET for some reason is not alerting to web sites it blocks. It does, however, appear to block and log the attempt. I reported this bug some time ago. However, if you were able to access the above link, something is wrong with your ESET installation or its settings.
peteyt (Most Valued Member), posted November 13, 2020:
Quoting itman (1 hour ago): "Note: if you're using Google as your search engine, ESET for some reason is not alerting to web sites it blocks. It does, however, appear to block and log the attempt. I reported this bug some time ago. However, if you were able to access the above link, something is wrong with your ESET installation or its settings."
Cheers. I did wonder about the site, but I used Chrome on my mobile. I do have ESET on there, but I'm not sure if it can work the same, or maybe I've not set it up right.
itman, posted November 13, 2020 (edited November 13, 2020):
Here are the details on MARS ransomware: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html . ESET and other AV vendors detect it, at least the original version of it.
Quoted from that page:
"Technical details: Probably spread by hacking through an unprotected RDP configuration, since most of the victims reported attacks on servers that never connected to the network or downloaded anything. When reconfiguring the vector, attacks can start spreading through email spam and malicious attachments, spoofed downloads, botnets, exploits, malicious ads, web injections, fake updates, repackaged and infected installers."
Menakutkan (author), posted November 17, 2020:
I have used the best antivirus, but it was not detected, and when I uploaded it to VirusTotal, nothing was found:
https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection
https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection
At this time I haven't found the decryption tools.
Marcos (ESET Administrator), posted November 17, 2020:
Quoting Menakutkan (5 hours ago): "I have used the best antivirus, but it was not detected, and when I uploaded it to VirusTotal, nothing was found: https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection"
Since both are benign files (the ransomware note and an encrypted file), they are not subject to detection.
peteyt (Most Valued Member), posted November 17, 2020:
Quoting Menakutkan (7 hours ago): "I have used the best antivirus, but it was not detected, and when I uploaded it to VirusTotal, nothing was found: https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection At this time I haven't found the decryption tools."
Are you using ESET or Kaspersky? As mentioned, this forum is meant for support for ESET users.
Menakutkan (author), posted November 18, 2020:
Quoting peteyt (15 hours ago): "Are you using ESET or Kaspersky? As mentioned, this forum is meant for support for ESET users."
I am an old user of ESET NOD32, but I posted on another forum and need to remember I need the best solution.
Quoting Marcos (18 hours ago): "Since both are benign files (the ransomware note and an encrypted file), they are not subject to detection."
It seems I thought that. Thanks.
peteyt (Most Valued Member), posted November 18, 2020:
Quoting Menakutkan (16 minutes ago): "I am an old user of ESET NOD32, but I posted on another forum and need to remember I need the best solution. It seems I thought that. Thanks."
Do you use ESET now, though, or did you use to?
Marcos (ESET Administrator), posted November 18, 2020:
If you had ESET installed, we'll need to check your ESET and system configuration. Please provide:
- logs collected with ESET Log Collector
- a handful of smaller encrypted files (e.g. Office documents)
Gergo Adam, posted December 21, 2020:
@Marcos One of our customers has the same problem for the second time. I made the log file with ESET Log Collector and I have an encrypted file too. Where can I send it to be analyzed? Thanks!
Marcos (ESET Administrator), posted December 21, 2020:
You can upload it here. However, as stated above, decryption will not be possible.
Gergo Adam, posted December 21, 2020:
I don't need to decrypt the files; we have backups of the VM. I just want to provide some info to you to analyze and find a prevention for this ransomware.
Attachments: encrypted file.zip, efsw_logs.zip
itman, posted December 21, 2020 (edited December 21, 2020):
The problem with MARS ransomware is that the sources that analyze ransomware and develop decrypters haven't been able to find a sample of it. Ref.: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html
Note that per the above reference, ESET does detect MARS. This further supports the theory of an attacker RDP incursion into the local network, then disabling ESET to run the ransomware.
notimportant (ESET Support), posted December 23, 2020:
Quoting Gergo Adam (12/21/2020 at 11:13 AM): "I don't need to decrypt the files; we have backups of the VM. I just want to provide some info to you to analyze and find a prevention for this ransomware. Attachments: encrypted file.zip, efsw_logs.zip"
There are hundreds of warnings from ESET about exploiting an RDP vulnerability since 30.11., so unfortunately RDP was unprotected once again. https://www.eset.com/fileadmin/ESET/SK/Tlacove_spravy/Whitepapery/ESET_RDP.pdf
peteyt (Most Valued Member), posted December 23, 2020:
Quoting notimportant (4 hours ago): "There are hundreds of warnings from ESET about exploiting an RDP vulnerability since 30.11., so unfortunately RDP was unprotected once again. https://www.eset.com/fileadmin/ESET/SK/Tlacove_spravy/Whitepapery/ESET_RDP.pdf"
I read a while ago, I believe from @Marcos, that you were looking at making some kind of tool to easily detect if RDP was enabled. Did this ever happen? I'd love ESET to maybe look at warning users of potential risks, e.g. patches missing, options enabled that leave you vulnerable. This could also include warning users when RDP is enabled.
Angry IT Guy, posted January 29:
Hi all, two and a half months later and still ESET is without any solution to this variant. My client's ESET File Security for Windows Server did not protect the server against the ransomware, so my question is: what is the point of recommending an ESET solution to the next client who asks? It was infected this morning.
Marcos (ESET Administrator), posted January 29:
Quoting Angry IT Guy (6 minutes ago): "Two and a half months later and still ESET is without any solution to this variant. My client's ESET File Security for Windows Server did not protect the server against the ransomware, so my question is: what is the point of recommending an ESET solution to the next client who asks? It was infected this morning."
This variant encrypts files in remote shares as far as I know. Most likely it was run on a machine not protected by ESET, or an attacker gained access via RDP and disabled protection prior to running the ransomware. Please provide:
- logs collected with ESET Log Collector
- a couple of encrypted files
- the ransomware note with payment instructions
itman, posted January 29 (edited January 29):
Quoting Angry IT Guy: "Two and a half months later and still ESET is without any solution to this variant."
I just referred back to a link I posted earlier in this thread: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html . As of the end of December 2020, no one has yet been able to harvest a MARS ransomware sample. Without a sample, it is impossible to positively determine the initial attack vector for this ransomware. What is known is that the source is predominantly e-mail based, as most malware is. Are the ESET-recommended HIPS and firewall rules against ransomware (links below), especially those regarding e-mail clients, being deployed?
https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware?ref=esf
https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware?ref=esf
esref, posted March 31:
When will you find a remedy? I want to decrypt my files.
Marcos (ESET Administrator), posted March 31:
Quoting esref (5 minutes ago): "When will you find a remedy? I want to decrypt my files."
When the malware authors decide to disclose the master decryption key, or when the police seize their servers and get the MDK.
peteyt (Most Valued Member), posted March 31:
Quoting esref (4 hours ago): "When will you find a remedy? I want to decrypt my files."
The problem is that encryption on its own is a good thing that allows private files to stay private. For example, if this forum was hacked, the passwords should be encrypted, as well as hopefully other personal information. Without knowing the encryption key, hackers shouldn't be able to decrypt it (although after a hack it's always recommended to change your password for safety). Hackers take advantage of this by infecting users and businesses and basically locking their files and holding them to ransom.
I presume you're an ESET user. If so, make sure you're using the latest version. Some users are seen to be using very old versions that are no longer supported and don't have ransomware protection. Make sure you have the latest Windows updates too, as missing patches can leave you vulnerable. Also, if you have RDP, it should be disabled or protected. For extra protection, add a password to ESET's settings.
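The thread keeps coming back to the same exposure: RDP reachable from the outside, no lockout on failed logons, stale patching, and protection switched off once the attacker is in. The following is an added example, not code from this thread or from ESET, of a read-only PowerShell audit that checks those points on a Windows host, covering both peteyt's wish for a tool that reports whether RDP is enabled and the hardening checklist in the post above. It assumes Windows 8 / Server 2012 or later (for Get-NetFirewallRule and Get-NetTCPConnection), an elevated session, and that the default RDP-Tcp listener is in use; the event 4625 parsing, the 7-day window, the 20-failure threshold and the 60-day patch-age threshold are my own choices, not ESET's.

```powershell
# Added example (not from the thread or from ESET): read-only audit of the RDP
# exposure points discussed above. Run in an elevated PowerShell session on the
# Windows host being checked. Assumes Windows 8 / Server 2012 or later.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Severity, [string]$Message) {
    $findings.Add(('[{0}] {1}' -f $Severity, $Message))
}

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 0 means enabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
if ($rdpEnabled) { Add-Finding 'WARN' 'Remote Desktop is enabled (fDenyTSConnections = 0).' }
else             { Add-Finding 'OK'   'Remote Desktop is disabled.' }

# 2. Is Network Level Authentication required? Without NLA an unauthenticated
#    client reaches the full logon screen, which makes password guessing cheaper.
$winStation = Join-Path $tsKey 'WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $winStation -Name UserAuthentication).UserAuthentication
if ($rdpEnabled -and $nla -ne 1) { Add-Finding 'WARN' 'NLA is not required (UserAuthentication is not 1).' }

# 3. Which "Remote Desktop" firewall rules are enabled, on which profiles, and
#    are they scoped to specific remote addresses or open to anyone?
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        if ($addr -eq 'Any') {
            Add-Finding 'WARN' ('Firewall rule "{0}" is open on profile(s) {1} to ANY remote address.' -f $_.DisplayName, $_.Profile)
        } else {
            Add-Finding 'INFO' ('Firewall rule "{0}" is scoped to {1}.' -f $_.DisplayName, $addr)
        }
    }

# 4. Where is the RDP listener bound? PortNumber defaults to 3389 but may be changed.
$rdpPort = (Get-ItemProperty -Path $winStation -Name PortNumber).PortNumber
Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'INFO' ('RDP listener bound to {0}:{1}' -f $_.LocalAddress, $_.LocalPort) }

# 5. Failed logons (Security event 4625) over the last 7 days, counted per source
#    IP. Logon type 10 is RemoteInteractive (RDP); type 3 is how failures show up
#    when NLA rejects the attempt before a session exists.
$since  = (Get-Date).AddDays(-7)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
            Type = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Where-Object { ($_.Type -in @('3', '10')) -and $_.Ip -and ($_.Ip -ne '-') } |
    Group-Object Ip | Sort-Object Count -Descending

# The threshold of 20 failures is an assumed value; tune it for the environment.
foreach ($g in ($failed | Where-Object Count -ge 20)) {
    Add-Finding 'WARN' ('{0} failed network/RDP logons from {1} since {2:yyyy-MM-dd}.' -f $g.Count, $g.Name, $since)
}

# 6. How stale is patching? Reports only the newest hotfix; 60 days is an assumed limit.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix -and $lastFix.InstalledOn -lt (Get-Date).AddDays(-60)) {
    Add-Finding 'WARN' ('Newest hotfix {0} was installed {1:yyyy-MM-dd}; check Windows Update.' -f $lastFix.HotFixID, $lastFix.InstalledOn)
}

$findings | ForEach-Object { Write-Output $_ }
```

Each WARN line maps to one item in the thread: RDP enabled and reachable from any address is the incursion path Marcos and itman describe, a pile of 4625 events from one source is what "hundreds of warnings about exploiting RDP" looks like in the Windows log rather than in ESET's, and an old newest hotfix matches peteyt's "missing patches" point. The last item on the list, password-protecting the ESET settings so an intruder cannot simply switch protection off, is product configuration and is not something this script can verify.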