!!!MARS_DECRYPT

[Menakutkan 0]

Dear team eset,

please help me, have a virus ransomware .mars...
is there any solution ? decrypt...

!!!MARS_DECRYPT.TXT

[Marcos 3,632]

The Filecoder is unknown. We assume that files were encrypted after an attacker gained access to the machine via RDP and disabled antivirus protection. Please provide logs collected with ESET Log Collector.

[peteyt 177]

On 11/13/2020 at 2:45 AM, Menakutkan said:

Dear team eset,

please help me, have a virus ransomware .mars...
is there any solution ? decrypt...

!!!MARS_DECRYPT.TXTUnavailable

Googling shows this https://www.pcrisk.com/removal-guides/19266-mars-ransomware

It also shows you have posted on the Kaspersky forum with screenshots. I should note that the eset forum is only for people with eset and if you have both it is not recommended to use two AVs together. If that is the case technically malware could sneak past if the two AVs came into conflict

Edited November 17, 2020 by peteyt

[itman 952]

2 hours ago, peteyt said:

Googling shows this https://www.pcrisk.com/removal-guides/19266-mars-ransomware

Note: If you're using Google as your search engine, Eset for some reason is not alerting to web sites it blocks. It does however appear to block and log the attempt. I reported this bug some time ago.

However if you were able to access the above link, something is wrong with your Eset installation or its settings:

 

[peteyt 177]

1 hour ago, itman said:

Note: If you're using Google as your search engine, Eset for some reason is not alerting to web sites it blocks. It does however appear to block and log the attempt. I reported this bug some time ago.

However if you were able to access the above link, something is wrong with your Eset installation or its settings:

 

Cheers. Did wonder about the site but used chrome but on my mobile. I do have eset on there but not sure if it can work the same or maybe I've not set it up right 

[itman 952]

Here's the details on MARS ransomware: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html . Eset and other AV vendors detect it; at least the original version of it.

 

Quote

Technical details

Probably spread by hacking through an unprotected RDP configuration, since most of the victims reported attacks on servers that never connected to the network or downloaded anything.

When reconfiguring the vector, attacks can start spreading through email spam and malicious attachments, spoofed downloads, botnets, exploits, malicious ads, web injections, fake updates, repackaged and infected installers.

Edited November 13, 2020 by itman

[Menakutkan 0]

I have used the best antivirus but it was not detected. and upload virus total not found https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection

https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection

 

at this time I haven't found the Decryption Tools

[Marcos 3,632]

5 hours ago, Menakutkan said:

I have used the best antivirus but it was not detected. and upload virus total not found https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection

https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection

Since both are benign files (the ransomware note and an encrypted file), they are not subject to detection.

[peteyt 177]

7 hours ago, Menakutkan said:

I have used the best antivirus but it was not detected. and upload virus total not found https://www.virustotal.com/gui/file/97516c6bb12e5a30b15831098adeceb25f6d1d51bda77b58da7c7af75f807939/detection

https://www.virustotal.com/gui/file/a42876a0f19a8dc9457877893b220792977092fe944663953978a7a66c9a50a7/detection

 

at this time I haven't found the Decryption Tools

Are you using eset or kaspersky? As mentioned this forum is meant for support for eset users. 

[Menakutkan 0]

15 hours ago, peteyt said:

Are you using eset or kaspersky? As mentioned this forum is meant for support for eset users. 

I am an old user of Eset Nod32. but I posted on another forum and need to remember I need the best solution

 

18 hours ago, Marcos said:

Since both are benign files (the ransomware note and an encrypted file), they are not subject to detection.

it seems I thought that, thank's

[peteyt 177]

16 minutes ago, Menakutkan said:

I am an old user of Eset Nod32. but I posted on another forum and need to remember I need the best solution

 

it seems I thought that, thank's

Do you use eset now though or you used to?

[Marcos 3,632]

If you had ESET installed, we'll need to check your ESET and system configuration. Please provide:
- logs collected with ESET Log Collector
- a handful of smaller encrypted files (e.g. Office documents)

[Gergo Adam 0]

@Marcos One of our customer has the same problem second time. I made the log file with Eset log collector and I have an encrypted file too. Where I can send it to analyze? Thanks!

[Marcos 3,632]

You can upload it here. However, as stated above decryption will not be possible.

[Gergo Adam 0]

I don't need to decrypt files, we have backups of the VM, I just want to provide some info to you to analyze and find a prevention for this ransomware.  

encrypted file.zip efsw_logs.zip

[itman 952]

The problem with MARS ransomware is the sources that analyze ransomware and develop decrypters  haven't been able to find a sample of it.  Ref.: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html

Note per above reference, Eset does detect MARS. This further supports the theory of an attacker RDP incursion into the local network. Then disabling Eset to run the ransomware.

Edited December 21, 2020 by itman

[notimportant 2]

On 12/21/2020 at 11:13 AM, Gergo Adam said:

I don't need to decrypt files, we have backups of the VM, I just want to provide some info to you to analyze and find a prevention for this ransomware.  

encrypted file.zip 7.57 kB · 0 downloads efsw_logs.zip 4.08 MB · 1 download

There are hundreds of warnings from ESET about exploiting RDP vulnerability since 30.11., so unfortunately RDP was unprotected once again.

https://www.eset.com/fileadmin/ESET/SK/Tlacove_spravy/Whitepapery/ESET_RDP.pdf

[peteyt 177]

4 hours ago, notimportant said:

There are hundreds of warnings from ESET about exploiting RDP vulnerability since 30.11., so unfortunately RDP was unprotected once again.

https://www.eset.com/fileadmin/ESET/SK/Tlacove_spravy/Whitepapery/ESET_RDP.pdf

I read a while ago i belive from @Marcosyou where looking at making some kind of tool to easily detect if RDP was enabled. Did this ever happen?

I'd love eset to maybe look at warning users of potential risks e.g. patches missing, options enabled that leave you vulnerable. This could also include warning users when RDP is enabled

[Angry IT Guy 0]

Hi All,

 

2 and a half months later and still ESET without any solution to this variant.

My client running ESET File Security for Windows Server, did not protect the server against the ransomware, so my question/s are, what is the point of recommending a ESET solution to the next client who asks?  It was infected this morning.

[Marcos 3,632]

6 minutes ago, Angry IT Guy said:

2 and a half months later and still ESET without any solution to this variant.

My client running ESET File Security for Windows Server, did not protect the server against the ransomware, so my question/s are, what is the point of recommending a ESET solution to the next client who asks?  It was infected this morning.

This variant encrypts files in remote shares as far as I know. Most likely it was run on a machine not protected by ESET or an attacker gained access via RDP and disabled protection prior to running the ransomware.

Please provide:
- logs collected with ESET Log Collector
- a couple of encrypted files
- the ransomware note with payment instructions.

[itman 952]

Quote

2 and a half months later and still ESET without any solution to this variant.

I  just referred back to a link: https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html , I posted earlier in this thread.

As of the end of Dec., 2020, no one yet has been able to harvest a MARS ransomware sample. Without a sample, it is impossible to positively determine the initial attack vector for this ransomware. What is known is the source is predominately e-mail based ; as most malware is. Are Eset recommended HIPS and firewall rules against ransomware link below - especially those in regards to e-mail clients - being deployed?

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware?ref=esf

https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware?ref=esf

Edited January 29 by itman

[esref 0]

When will you find a remedy? I want decrypt my files.

[Marcos 3,632]

5 minutes ago, esref said:

When will you find a remedy? I want decrypt my files.

When the malware authors decide to disclose the master decryption key or when the police seize their servers and get the MDK.

[peteyt 177]

4 hours ago, esref said:

When will you find a remedy? I want decrypt my files.

The problem is encryption on its own is a good thing that allows private files to stay private. For example if this forum was hacked the passwords should be encrypted as well as hopefully other personal information.

Without knowing the encryption key hackers shouldn't be able to decrypt it (although in hacks it's always recommended to change your password for safety). Hackers take advantage of this by infecting users and businesses and basically locking their files and holding them ransom.

I presume your an Eset user. If so make sure your using the latest version. Some users are seen to be using very old versions that are no longer supported and don't have ransomeware protection. Make sure you have the latest Windows updates to as missing patches can leave you vulnerable. Also if you have RDP it should be disabled or protected. For extra protection add a password to esets settings