Jump to content

Eking ransomware

Recommended Posts

Our company's server was encypted with Eking ransomware just this past Friday. Asks us to contact samerver1@tutanota.com to decrypt it and pay in bitcoin...All of the database files were renamed to the following:

file name.pdf.id[AB76B4A0-3053].[samerver1@tutanota.com].eking

It was running Windows Server 2012r2 which acted interesting in the morning prior to the attack. Logged in via remote desktop to find Eset protection logged out and a Windows update requirement. Logged in to Eset business account, ran the update on antivirus and Windows, then restarted the server. It was alright until couple of hours later all files got encrypted.

Is there anyway to get the files back apart from contacting the idiots who did it and risking to pay the ransom. Any tool or advice that can help us would be appreciated.

Link to comment
Share on other sites

  • Administrators

Files were probably encrypted by Filecoder.Phobos. This encryption is typically performed by attackers who gain access via RDP and disable antivirus in order to run the ransomware. To start off, please provide me with:
1, Logs collected with ESET Log Collector (if ESET is not running, install EFSW 7.2 over the current version to preserve existing logs)
2, A couple of encrypted Office documents.
3, The ransowmare note with payment instructions.

Link to comment
Share on other sites

Fortinet performed a deep analysis of Eking - aka Phobos - ransomware here: https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware .

No real surprise in that this sample was a Word .doc assumed e-mail attachment w/a malicious macro included. Also this sample ran the macro at document close time. Further research yielded that a favorite source for Eking ransomware is Proton sourced e-mails.

Of note:


Pbobos uses AES (Advanced Encryption Standard) CBC (Cipher Block Chaining) mode as its encryption algorithm for encrypting files. In my analysis, this variant of Phobos does not use the built-in Crypto APIs for AES that Windows provides, but implements its own AES function.

A couple of examples:



September 30, 2020 update: 
Extension: .eking
Compound extension: .id [XXXXXXXX-3003]. [DavidsHelper@protonmail.com] .eking
Test results: VTVMR




October 21, 2020 update:
Extension:  .eking
Email: qirapoo@firemail.cc, dozusopo@tutanota.com
Telegram: @zahxet
Note: info.txt


Edited by itman
Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...