!!!MARS_DECRYPT



  • Most Valued Members
On 11/13/2020 at 2:45 AM, Menakutkan said:

Dear team eset,

please help me, I have a ransomware virus, .mars...
Is there any solution? Decrypt...

!!!MARS_DECRYPT.TXT (attachment unavailable)

Googling shows this https://www.pcrisk.com/removal-guides/19266-mars-ransomware

It also shows you have posted on the Kaspersky forum with screenshots. I should note that the Eset forum is only for people with Eset, and if you have both, it is not recommended to use two AVs together. If that is the case, technically malware could sneak past if the two AVs came into conflict.

Edited by peteyt

2 hours ago, peteyt said:

Note: If you're using Google as your search engine, Eset for some reason is not alerting to web sites it blocks. It does however appear to block and log the attempt. I reported this bug some time ago.

However if you were able to access the above link, something is wrong with your Eset installation or its settings:

[screenshot attachment: Eset_PCRisk.png]


  • Most Valued Members
1 hour ago, itman said:

Note: If you're using Google as your search engine, Eset for some reason is not alerting to web sites it blocks. It does however appear to block and log the attempt. I reported this bug some time ago.

However if you were able to access the above link, something is wrong with your Eset installation or its settings:

[screenshot attachment: Eset_PCRisk.png]

Cheers. I did wonder about the site, but I used Chrome on my mobile. I do have Eset on there, but I'm not sure if it works the same or maybe I've not set it up right.


Here's the details on MARS ransomware: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html . Eset and other AV vendors detect it; at least the original version of it.

Quote
Technical details

Probably spread by hacking through an unprotected RDP configuration, since most of the victims reported attacks on servers that never connected to the network or downloaded anything.
When reconfiguring the vector, attacks can start spreading through email spam and malicious attachments, spoofed downloads, botnets, exploits, malicious ads, web injections, fake updates, repackaged and infected installers.
Edited by itman

  • Administrators
5 hours ago, Menakutkan said:

Since both are benign files (the ransomware note and an encrypted file), they are not subject to detection.


  • Most Valued Members
7 hours ago, Menakutkan said:

Are you using eset or kaspersky? As mentioned this forum is meant for support for eset users. 


15 hours ago, peteyt said:

Are you using eset or kaspersky? As mentioned this forum is meant for support for eset users. 

I am an old user of Eset Nod32, but I posted on another forum and need to remember I need the best solution.

 

18 hours ago, Marcos said:

Since both are benign files (the ransomware note and an encrypted file), they are not subject to detection.

It seems I thought that, thanks.


  • Most Valued Members
16 minutes ago, Menakutkan said:

I am an old user of Eset Nod32, but I posted on another forum and need to remember I need the best solution.

 

It seems I thought that, thanks.

Do you use eset now though or you used to?


  • 1 month later...

The problem with MARS ransomware is the sources that analyze ransomware and develop decrypters haven't been able to find a sample of it. Ref.: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html

Note per above reference, Eset does detect MARS. This further supports the theory of an attacker RDP incursion into the local network, then disabling Eset to run the ransomware.

Edited by itman

  • ESET Support
On 12/21/2020 at 11:13 AM, Gergo Adam said:

I don't need to decrypt files, we have backups of the VM, I just want to provide some info to you to analyze and find a prevention for this ransomware.

Attachments: encrypted file.zip (7.57 kB), efsw_logs.zip (4.08 MB)

There are hundreds of warnings from ESET about exploiting RDP vulnerability since 30.11., so unfortunately RDP was unprotected once again.

https://www.eset.com/fileadmin/ESET/SK/Tlacove_spravy/Whitepapery/ESET_RDP.pdf


  • Most Valued Members
4 hours ago, notimportant said:

There are hundreds of warnings from ESET about exploiting RDP vulnerability since 30.11., so unfortunately RDP was unprotected once again.

https://www.eset.com/fileadmin/ESET/SK/Tlacove_spravy/Whitepapery/ESET_RDP.pdf

I read a while ago, I believe from @Marcos, that you were looking at making some kind of tool to easily detect if RDP was enabled. Did this ever happen?

I'd love Eset to maybe look at warning users of potential risks, e.g. patches missing, options enabled that leave you vulnerable. This could also include warning users when RDP is enabled.


  • 1 month later...

Hi All,

2 and a half months later and still ESET is without any solution to this variant.

My client running ESET File Security for Windows Server did not protect the server against the ransomware, so my question/s are: what is the point of recommending an ESET solution to the next client who asks? It was infected this morning.


  • Administrators
6 minutes ago, Angry IT Guy said:

2 and a half months later and still ESET is without any solution to this variant.

My client running ESET File Security for Windows Server did not protect the server against the ransomware, so my question/s are: what is the point of recommending an ESET solution to the next client who asks? It was infected this morning.

This variant encrypts files in remote shares as far as I know. Most likely it was run on a machine not protected by ESET or an attacker gained access via RDP and disabled protection prior to running the ransomware.

Please provide:
- logs collected with ESET Log Collector
- a couple of encrypted files
- the ransomware note with payment instructions.


Quote

2 and a half months later and still ESET without any solution to this variant.

I just referred back to a link I posted earlier in this thread: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html

As of the end of Dec., 2020, no one yet has been able to harvest a MARS ransomware sample. Without a sample, it is impossible to positively determine the initial attack vector for this ransomware. What is known is the source is predominantly e-mail based, as most malware is. Are Eset's recommended HIPS and firewall rules against ransomware (links below), especially those regarding e-mail clients, being deployed?

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware?ref=esf

https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware?ref=esf

Edited by itman

  • 2 months later...
  • Administrators
5 minutes ago, esref said:

When will you find a remedy? I want to decrypt my files.

When the malware authors decide to disclose the master decryption key or when the police seize their servers and get the MDK.


  • Most Valued Members
4 hours ago, esref said:

When will you find a remedy? I want to decrypt my files.

The problem is encryption on its own is a good thing that allows private files to stay private. For example, if this forum was hacked, the passwords should be encrypted, as well as hopefully other personal information.

Without knowing the encryption key, hackers shouldn't be able to decrypt it (although in hacks it's always recommended to change your password for safety). Hackers take advantage of this by infecting users and businesses and basically locking their files and holding them ransom.

I presume you're an Eset user. If so, make sure you're using the latest version. Some users are seen to be using very old versions that are no longer supported and don't have ransomware protection. Make sure you have the latest Windows updates too, as missing patches can leave you vulnerable. Also, if you have RDP it should be disabled or protected. For extra protection, add a password to Eset's settings.


  • 4 weeks later...

Do you know what encryption method they are using? If it's AES, then there is nothing you can do. Other forms of encryption have some successful methods of attacking them. If it's a legitimate piece of ransomware, they probably did use AES. If not, and the attackers were just lazy when writing the virus, then they possibly could have just encoded the file with base64 or something and are trying to trick you. If this is the case, the files can be easily recovered; if not, then there is a problem. Could you please send a sample of some of the text from one of the encrypted files? You can do this by opening it with Notepad.

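The post above asks whether the "encrypted" files are really ciphertext or merely encoded. The following is an added Python example, not code from this thread, from ESET or from any of the posters, showing how a responder would triage a copy of an affected file offline: base64 text uses a 64-symbol alphabet and decodes cleanly, whereas output of a real cipher such as AES has near-maximal byte entropy. The sample inputs are constructed inline (the "ciphertext" is a deterministic SHA-256 chain standing in for cipher output, not a real encryption); `triage_file` is a hypothetical helper name.

```python
import base64
import hashlib
import math
import string
from collections import Counter

# Characters that may legitimately appear in standard base64 text.
BASE64_ALPHABET = set((string.ascii_letters + string.digits + "+/=").encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. 8.0 is the ceiling for uniformly random bytes;
    English text sits around 4-5, base64 text can never exceed 6 (64 symbols)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_base64(data: bytes) -> bool:
    """True if the bytes (ignoring whitespace) use only the base64 alphabet,
    have a length that is a multiple of 4, and decode without error."""
    stripped = bytes(b for b in data if b not in b" \r\n\t")
    if not stripped or len(stripped) % 4 != 0:
        return False
    if any(b not in BASE64_ALPHABET for b in stripped):
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return True


def classify(data: bytes) -> str:
    """Rough triage verdict for the first bytes of a suspect file."""
    if not data:
        return "empty file"
    if looks_base64(data):
        return "base64-encoded (reversible without a key)"
    entropy = shannon_entropy(data)
    if entropy > 7.5:
        return "high entropy: likely encrypted or compressed"
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t") / len(data)
    if printable > 0.95:
        return "mostly printable text: not encrypted"
    return "binary data of moderate entropy: inspect further"


def triage_file(path: str, nbytes: int = 4096) -> str:
    """Hypothetical helper: classify the first nbytes of a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read(nbytes))


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for cipher output: a chained SHA-256 stream.
    It is NOT encryption; it only has the byte distribution ciphertext has."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample inputs: a plain document, its base64 encoding, and
# pseudo-ciphertext of the same order of size.
SAMPLE_PLAIN = b"Quarterly report: revenue figures and customer list attached.\n" * 40
SAMPLE_BASE64 = base64.b64encode(SAMPLE_PLAIN)
SAMPLE_CIPHER = pseudo_ciphertext(b"constructed seed", 4096)


if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("base64", SAMPLE_BASE64), ("cipher", SAMPLE_CIPHER)):
        print(f"{label:7s} entropy={shannon_entropy(blob):.2f}  verdict={classify(blob)}")
```

The entropy threshold is a heuristic: compressed archives and media files also score near 8.0, and a short file of only letters and digits whose length happens to be a multiple of 4 can pass the base64 check, so a "base64" verdict should be confirmed by looking at what it decodes to. A "high entropy" verdict on a file that was a text document before the incident is the expected signature of real encryption, which is why, as the thread says, such files are not recoverable without the key.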
