New ACCDFISA Protection Center ransomware called Malware Protection

A new variant of the ACCDFISA Protection Center ransomware has been released called Malware Protection. The malware developers target Windows servers and appear to hack them in order to install the software. Once the Malware Protection ransomware is installed, it will lock you out of computer and create password-protected RAR archives out of your data that you can no longer access unless you pay a $300 ransom. When installed, the Malware Protection ransomware will scan your computer for all files using certain file extensions and will use the command line RAR program to turn them into a password protected RAR archive. These files will be renamed with the .aes extension and are supposed encrypted with the AES encryption. You will then be prompted to pay a ransom in order to get the decryption key to restore your files. The decryption key starts with aes987156 and then the password for the RAR files is appended to it. The decrypt.exe program will read through the list of encrypted files and extract them to the proper location using the RAR password. In the past version of this malware, there have been some cases reported that the decrypt process actually deleted the files, so once you have the RAR password it is suggested that you use a manual method restore the files. A manual method using a batch file can be found in the How to remove and decrypt the ACCDFISA Protection Program guide. The files that this infection installs can be found in the following locations:

C:\decrypt lock\decrypt.exe C:\how to decrypt aes files.lnk %System%\csrss32.exe %System%\csrss64.exe %System%\svschost.exe C:\security lock\svchost.exe C:\decrypt lock\decrypt.exe C:\ProgramData\system files\ntbavtnjs.bat C:\ProgramData\system files\vpkswnhisp.dll C:\ProgramData\mssupport\aes256crypter.exe

As these are 32-bit programs, if you are using an x64 version of Windows, they will be installed in the C:\Windows\SysWOW64 folder instead. This infection will also create a service with the Display Name User Profile Services and a Service Name of ProfSvcs. Some people have reported that they have found the aes256crypter.exe process running. This is a command line RAR program and if you see it running you may be able to launch Sysinternals Procmon and look for Process Start operation for one of the above files. Double-click that line and you can see the command line used to start it. If the process was for aes256crypter.exe, there is a good chance the password will be shown on that line. I hope this helps those of you struggling with this. If you have any other information to share, please let us know here.

Hello,

Thanks for all the tips. We have had a number of clients affected with both variants. All these clients had kaspersky installed! Does anyone know the source of these infections? Is it via email/web/RDP or manual?

Thanks
Nihar

Hi, my client got hit with this on Sunday. It has encrypted most of the file share data.

Do we have a full unlock password yet?

For the moment, it looks like I was able to remove the virus with malware removal software. (Not sure if I'm allowed to type the name here.)

What I'm left with is a server that can't run key services any longer, like Backup Exec, SQL services, MTA Stacks and others.

Email and internet are working once I changed the adapter to the right IP info.

Thanks.

Yeah you can mention AV programs. Thanks for mentioning the IP address changes. I forgot to mention that in the original writeup.

There is no default unlock password as of yet.

Maybe this is what has been exploited?

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

SuperAntiSpyware seemed to clear the threats.

It's just now trying to deal with the aftermath of the encrypted files and the services that won't start.

At this point I know of no universal rar password or a way to generate it. I have asked some people to further look at it. If i hear back I will let everyone know here.

Day 2 after running SuperAntiSpyware, the server seems to be clear of current threats.

I'm dealing with the aftermath of services not being able to start due to Data Execution Prevention errors.

The SQL Server (BKUPEXEC) service terminated with service-specific error 17113 (0x42D9).

In regards to no rar password, I had to install Backup Exec on a workstation (broken on server) and restore file share data to a USB drive... until I know the server is clear of malware.

I know this sucks. We are still trying to figure this one out. Those who are infected, if you can, hold off on paying the ransom for a little bit while we work on this.

Does paying the ransom even work? I'm also on day 2 of this I really really dont want to have to rebuild this server.

As I posted in this thread (which it would seem has migrated here): http://www.bleepingcomputer.com/forums/topic446008.html

I've been working on this since Monday night. The decision was made to rebuild yesterday, and I currently sit here still trying to pull backup files from Carbonite. So here's your baseline of "what if I had just rebuilt from the get go?" The answer is, my customer is still production down. Carbonite definitely saved the day here, but their downloads come in chunks, so it's a slow recovery. This is a bad one.

One other plug for a total rebuild is that if you've physically partitioned your data (os files on the C:\ drive and data files on the D:\ drive), all you're really up against is a couple hours to reinstall the OS and setup whatever shares you had. Your data shouldn't be touched. Again, that only applies to a PHYSICAL partition different. (Mine was a PERCS100 software based Raid, so they were only virtual partitions, which were eaten alive by the rebuild.) That also doesn't address those whose files were actually encrypted.

I just don't understand how people can be so terrible...

im now stuck in a reboot loop on my server now. As of monday I was able to boot into safe mode after modifying the boot.ini file now I am no longer able to do even that. I can still boot to miniXP but that's it.

Just to add to my first post, I was able to delete the decrypt.exe file by booting off a Bart-PE CD with RAID drivers.
Once I deleted the decrypt.exe file, I was able to log into the server and run Super AntiSpyware to remove the malicious items.

Good news! If you are still struggling with the encrypted files you can send me your reference # and I will be able to send you a password for your RAR files.

Thanks to Arief of Emsisoft for helping with this.

Please Help

Can you help me with the aes encryption password? What information do I need to provide?