Mydoom1988 0 Posted November 15, 2020

Our company's server was encrypted with Eking ransomware just this past Friday. It asks us to contact samerver1@tutanota.com to decrypt it and pay in bitcoin... All of the database files were renamed to the following: file name.pdf.id[AB76B4A0-3053].[samerver1@tutanota.com].eking

It was running Windows Server 2012 R2, which acted interesting in the morning prior to the attack. Logged in via remote desktop to find ESET protection logged out and a Windows update requirement. Logged in to the ESET business account, ran the update on the antivirus and Windows, then restarted the server. It was alright until a couple of hours later, when all files got encrypted.

Is there any way to get the files back apart from contacting the idiots who did it and risking paying the ransom? Any tool or advice that can help us would be appreciated.
Administrators Marcos 4,935 Posted November 15, 2020

Files were probably encrypted by Filecoder.Phobos. This encryption is typically performed by attackers who gain access via RDP and disable antivirus in order to run the ransomware. To start off, please provide me with:
1. Logs collected with ESET Log Collector (if ESET is not running, install EFSW 7.2 over the current version to preserve existing logs)
2. A couple of encrypted Office documents.
3. The ransomware note with payment instructions.
itman 1,630 Posted November 15, 2020 (edited)

Fortinet performed a deep analysis of Eking, aka Phobos, ransomware here: https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware . No real surprise in that this sample was a Word .doc, assumed to be an e-mail attachment, with a malicious macro included. Also, this sample ran the macro at document close time. Further research yielded that a favorite source for Eking ransomware is Proton-sourced e-mails. Of note:

Quote: Phobos uses AES (Advanced Encryption Standard) CBC (Cipher Block Chaining) mode as its encryption algorithm for encrypting files. In my analysis, this variant of Phobos does not use the built-in Crypto APIs for AES that Windows provides, but implements its own AES function.

A couple of examples:

Quote: September 30, 2020 update: Twitter post >> Extension: .eking Compound extension: .id [XXXXXXXX-3003]. [DavidsHelper@protonmail.com] .eking Test results: VT + VMR

Quote: October 21, 2020 update: Forum topic >> Extension: .eking Email: qirapoo@firemail.cc, dozusopo@tutanota.com Telegram: @zahxet Note: info.txt

https://id-ransomware.blogspot.com/2017/10/phobos-ransomware.html

Edited November 16, 2020 by itman
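Given the renaming scheme quoted in the thread (original name + .id[victim ID-variant].[contact e-mail].eking), a small triage script can recognise Phobos/Eking-renamed files and group them by victim ID and contact address so a responder can scope the incident. This is an added example, not code from the thread, ESET or Fortinet; the file listing below is constructed for illustration.

```python
import re
from collections import Counter

# Phobos/Eking appends ".id[<8 hex>-<4 digits>].[<contact e-mail>].<ext>" to the
# original file name, e.g. the name quoted in the first post:
#   file name.pdf.id[AB76B4A0-3053].[samerver1@tutanota.com].eking
# The hex part is the per-victim ID, the digits a variant/campaign number.
PHOBOS_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<variant>\d{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_phobos_name(path: str):
    """Return the marker fields as a dict if the file name matches the
    Phobos/Eking scheme, else None. Accepts Windows or POSIX paths."""
    basename = re.split(r"[\\/]", path)[-1]
    m = PHOBOS_RE.match(basename)
    return m.groupdict() if m else None


def summarize(paths):
    """Group encrypted files by (victim_id, email, ext); also return the
    original names per group and the paths that did not match (e.g. the
    ransom note info.txt, which is dropped unencrypted)."""
    groups = Counter()
    originals = {}
    unmatched = []
    for p in paths:
        info = parse_phobos_name(p)
        if info is None:
            unmatched.append(p)
            continue
        key = (info["victim_id"], info["email"], info["ext"])
        groups[key] += 1
        originals.setdefault(key, []).append(info["original"])
    return groups, originals, unmatched


# Constructed sample listing modelled on the names quoted in the thread.
SAMPLE_NAMES = [
    r"D:\db\file name.pdf.id[AB76B4A0-3053].[samerver1@tutanota.com].eking",
    r"D:\db\orders.mdf.id[AB76B4A0-3053].[samerver1@tutanota.com].eking",
    r"D:\docs\report.docx.id[AB76B4A0-3053].[samerver1@tutanota.com].eking",
    r"D:\docs\info.txt",  # ransom note, not an encrypted file
]

if __name__ == "__main__":
    groups, originals, unmatched = summarize(SAMPLE_NAMES)
    for (vid, email, ext), n in groups.items():
        print(f"victim {vid} contact {email} ext .{ext}: {n} files")
    print("not matched:", unmatched)
```

Point it at a real listing (e.g. os.walk over the affected shares) to get the same per-campaign counts for the incident report.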