Menakutkan, posted November 13, 2020: Dear ESET team, please help me. I have a ransomware virus (.mars)... Is there any solution? Decrypt... !!!MARS_DECRYPT.TXT
Marcos (Administrator), posted November 13, 2020: The Filecoder is unknown. We assume that files were encrypted after an attacker gained access to the machine via RDP and disabled antivirus protection. Please provide logs collected with ESET Log Collector.
peteyt (Most Valued Member), posted November 13, 2020 (edited): On 11/13/2020 at 2:45 AM, Menakutkan said: Dear ESET team, please help me. I have a ransomware virus (.mars)... Is there any solution? Decrypt... !!!MARS_DECRYPT.TXT Googling shows this: https://www.pcrisk.com/removal-guides/19266-mars-ransomware It also shows you have posted on the Kaspersky forum with screenshots. I should note that the ESET forum is only for people with ESET, and if you have both, it is not recommended to use two AVs together. If that is the case, malware could technically sneak past if the two AVs came into conflict. Edited November 17, 2020 by peteyt
itman, posted November 13, 2020: 2 hours ago, peteyt said: Googling shows this: https://www.pcrisk.com/removal-guides/19266-mars-ransomware Note: If you're using Google as your search engine, ESET for some reason is not alerting to web sites it blocks. It does, however, appear to block and log the attempt. I reported this bug some time ago. However, if you were able to access the above link, something is wrong with your ESET installation or its settings.
peteyt (Most Valued Member), posted November 13, 2020: 1 hour ago, itman said: Note: If you're using Google as your search engine, ESET for some reason is not alerting to web sites it blocks. It does, however, appear to block and log the attempt. I reported this bug some time ago. However, if you were able to access the above link, something is wrong with your ESET installation or its settings. Cheers. I did wonder about the site, but I used Chrome on my mobile. I do have ESET on there, but I'm not sure if it works the same, or maybe I've not set it up right.
itman, posted November 13, 2020 (edited): Here are the details on MARS ransomware: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html . ESET and other AV vendors detect it, at least the original version of it. Quote (technical details): Probably spread by hacking through an unprotected RDP configuration, since most of the victims reported attacks on servers that never connected to the network or downloaded anything. When the vector is reconfigured, attacks can start spreading through email spam and malicious attachments, spoofed downloads, botnets, exploits, malicious ads, web injections, fake updates, and repackaged and infected installers. Edited November 13, 2020 by itman
Menakutkan (Author), posted November 17, 2020: I have used the best antivirus, but it was not detected. I also uploaded to VirusTotal and nothing was found: https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection At this time I haven't found the decryption tools.
Marcos (Administrator), posted November 17, 2020: 5 hours ago, Menakutkan said: I have used the best antivirus, but it was not detected. I also uploaded to VirusTotal and nothing was found: https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection Since both are benign files (the ransomware note and an encrypted file), they are not subject to detection.
peteyt (Most Valued Member), posted November 17, 2020: 7 hours ago, Menakutkan said: I have used the best antivirus, but it was not detected. I also uploaded to VirusTotal and nothing was found: https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection At this time I haven't found the decryption tools. Are you using ESET or Kaspersky? As mentioned, this forum is meant for support for ESET users.
Menakutkan (Author), posted November 18, 2020: 15 hours ago, peteyt said: Are you using ESET or Kaspersky? As mentioned, this forum is meant for support for ESET users. I am an old user of ESET NOD32, but I posted on another forum and need to remember I need the best solution. 18 hours ago, Marcos said: Since both are benign files (the ransomware note and an encrypted file), they are not subject to detection. It seems I thought that. Thanks.
peteyt (Most Valued Member), posted November 18, 2020: 16 minutes ago, Menakutkan said: I am an old user of ESET NOD32, but I posted on another forum and need to remember I need the best solution. It seems I thought that. Thanks. Do you use ESET now though, or did you use to?
Marcos (Administrator), posted November 18, 2020: If you had ESET installed, we'll need to check your ESET and system configuration. Please provide: - logs collected with ESET Log Collector - a handful of smaller encrypted files (e.g. Office documents)
Gergo Adam, posted December 21, 2020: @Marcos One of our customers has the same problem for the second time. I made the log file with ESET Log Collector and I have an encrypted file too. Where can I send it to be analyzed? Thanks!
Marcos (Administrator), posted December 21, 2020: You can upload it here. However, as stated above, decryption will not be possible.
Gergo Adam, posted December 21, 2020: I don't need to decrypt files, we have backups of the VM. I just want to provide some info to you to analyze and find a prevention for this ransomware. Attachments: encrypted file.zip, efsw_logs.zip
itman, posted December 21, 2020 (edited): The problem with MARS ransomware is that the sources that analyze ransomware and develop decrypters haven't been able to find a sample of it. Ref.: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html Note that per the above reference, ESET does detect MARS. This further supports the theory of an attacker RDP incursion into the local network, then disabling ESET to run the ransomware. Edited December 21, 2020 by itman
notimportant (ESET Support), posted December 23, 2020: On 12/21/2020 at 11:13 AM, Gergo Adam said: I don't need to decrypt files, we have backups of the VM. I just want to provide some info to you to analyze and find a prevention for this ransomware. Attachments: encrypted file.zip (7.57 kB), efsw_logs.zip (4.08 MB) There are hundreds of warnings from ESET about RDP vulnerability exploitation since 30.11., so unfortunately RDP was unprotected once again. https://www.eset.com/fileadmin/ESET/SK/Tlacove_spravy/Whitepapery/ESET_RDP.pdf
peteyt (Most Valued Member), posted December 23, 2020: 4 hours ago, notimportant said: There are hundreds of warnings from ESET about RDP vulnerability exploitation since 30.11., so unfortunately RDP was unprotected once again. https://www.eset.com/fileadmin/ESET/SK/Tlacove_spravy/Whitepapery/ESET_RDP.pdf I read a while ago, I believe from @Marcos, that you were looking at making some kind of tool to easily detect if RDP was enabled. Did this ever happen? I'd love ESET to maybe look at warning users of potential risks, e.g. missing patches, or options enabled that leave you vulnerable. This could also include warning users when RDP is enabled.
Angry IT Guy, posted January 29, 2021: Hi All, two and a half months later and ESET still has no solution to this variant. My client running ESET File Security for Windows Server was not protected against the ransomware, so my question is: what is the point of recommending an ESET solution to the next client who asks? It was infected this morning.
Marcos (Administrator), posted January 29, 2021: 6 minutes ago, Angry IT Guy said: Two and a half months later and ESET still has no solution to this variant. My client running ESET File Security for Windows Server was not protected against the ransomware, so my question is: what is the point of recommending an ESET solution to the next client who asks? It was infected this morning. This variant encrypts files in remote shares as far as I know. Most likely it was run on a machine not protected by ESET, or an attacker gained access via RDP and disabled protection prior to running the ransomware. Please provide: - logs collected with ESET Log Collector - a couple of encrypted files - the ransomware note with payment instructions.
itman, posted January 29, 2021 (edited): Quote: Two and a half months later and ESET still has no solution to this variant. I just referred back to a link I posted earlier in this thread: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html . As of the end of December 2020, no one has yet been able to harvest a MARS ransomware sample. Without a sample, it is impossible to positively determine the initial attack vector for this ransomware. What is known is that the source is predominantly e-mail based, as most malware is. Are the ESET-recommended HIPS and firewall rules against ransomware (links below), especially those regarding e-mail clients, being deployed? https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware?ref=esf https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware?ref=esf Edited January 29, 2021 by itman
esref, posted March 31, 2021: When will you find a remedy? I want to decrypt my files.
Marcos (Administrator), posted March 31, 2021: 5 minutes ago, esref said: When will you find a remedy? I want to decrypt my files. When the malware authors decide to disclose the master decryption key, or when the police seize their servers and get the MDK.
peteyt (Most Valued Member), posted March 31, 2021: 4 hours ago, esref said: When will you find a remedy? I want to decrypt my files. The problem is that encryption on its own is a good thing that allows private files to stay private. For example, if this forum was hacked, the passwords should be encrypted, as well as hopefully other personal information. Without knowing the encryption key, hackers shouldn't be able to decrypt it (although in hacks it's always recommended to change your password for safety). Hackers take advantage of this by infecting users and businesses and basically locking their files and holding them to ransom. I presume you're an ESET user. If so, make sure you're using the latest version. Some users are seen to be using very old versions that are no longer supported and don't have ransomware protection. Make sure you have the latest Windows updates too, as missing patches can leave you vulnerable. Also, if you have RDP, it should be disabled or protected. For extra protection, add a password to ESET's settings.
De_Frog_disk, posted April 26, 2021: Do you know what encryption method they are using? If it's AES, then there is nothing you can do. Other forms of encryption have some successful methods of attacking them. If it's a legitimate piece of ransomware, they probably did use AES. If not, and the attackers were just lazy when writing the virus, then they possibly could have just encoded the file with base64 or something and are trying to trick you. If this is the case, the files can be easily recovered; if not, then there is a problem. Could you please send a sample of some of the text from one of the encrypted files? You can do this by opening it with Notepad.
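The check suggested in the last post (is the file really encrypted, or only base64-encoded?) can be done more reliably than by eyeballing it in Notepad: test for strict base64 shape, try to decode, look for a known file signature, and otherwise measure byte entropy. This is an added triage script, not code from the thread, ESET or the ransomware; the two sample "files" and the small magic-byte table are constructed for the example.

```python
import base64
import binascii
import hashlib
import math
import re
# Constructed samples (not from the thread): a file that was merely base64-
# encoded, and one that looks genuinely encrypted (high-entropy bytes derived
# deterministically from SHA-256 so the example runs the same everywhere).
FAKE_ENCRYPTED = base64.b64encode(
    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>")
REAL_ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

# Constructed magic-byte table for a few common document types.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x89PNG": "png",
         b"\xd0\xcf\x11\xe0": "ole/legacy office"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; real ciphertext sits close to 8.0, text far below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def identify_magic(data: bytes):
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def triage(data: bytes) -> dict:
    """Classify a suspect file: base64-encoded, plain, likely-encrypted or unknown."""
    text = data.strip()
    # Strict base64 shape: alphabet only, length multiple of 4, at most 2 pad chars.
    if len(text) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", text):
        try:
            kind = identify_magic(base64.b64decode(text, validate=True))
            if kind:  # decoded to a recognisable file: it was never encrypted
                return {"verdict": "base64-encoded", "recovered_type": kind}
        except binascii.Error:
            pass
    kind = identify_magic(data)
    if kind:
        return {"verdict": "plain", "recovered_type": kind}
    ent = shannon_entropy(data)
    verdict = "likely-encrypted" if ent > 7.0 else "unknown"
    return {"verdict": verdict, "recovered_type": None, "entropy": round(ent, 2)}
```

A verdict of "likely-encrypted" only says the bytes are high-entropy; it cannot tell AES from any other cipher, and compressed files score similarly, so check the original file type before concluding.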