Ransomware ACCDFISA

Forum for analysis and discussion about malware.
Posts: 65
Joined: Thu Jul 07, 2011 6:06 pm

Tue Apr 10, 2012 8:32 pm

A "new" kind of ransomware has been spawned.
The first one: http://www.bleepingcomputer.com/forums/topic446111.html
It was pwned by Xylitol and some other guys; they were able to find the unlock codes etc.

But a new variant (from the same author) has been released: http://www.bleepingcomputer.com/forums/topic449398.html
The author pretends that there is no solution for this new variant.
Hope EP_X0FF/Xylitol is able to do something!
Btw, if you have any samples, please attach.

His words:
Hi all, and specially hello to Fabian :)

I'm the author.

Guys, I have considered my previous mistakes and wrote a new unbleepable version.

and I'm answering some of your questions:

>Unfortunately, at this time there is no method to create the passcodes, though one may be created in
the future.

Yes, maybe in the future, after
~66,282,862,563,751,221,625,826,507,369,649,000,000,000,000,000,000,000,000 years

Now the password which has been sent to us has been deleted using sdelete (in the previous version using
simple delete, and you could recover it in some cases and then generate the passcode to decrypt).

To decrypt the second part of files (minimal part) another password is used (yes, Fabian can make
a generator for it, but it can't help)

Trying to catch the password from Process Monitor? :) Yes, you can, but it will be the second password for
the minimal part of files. The first password is successfully sent to us and SDELETED. You can't catch it
using procmon because your screen is locked :) The locker is used to protect this :) After the screen is unlocked
there is another password (it sdeletes the original password after decrypting the majority of files; you can't catch
this moment EVER, because it is sdeleted from the HDD before reboot (it does not matter whether this is a cold or hot
reboot) (the password is in memory when decrypting files) and to delete the screen locker you must reboot
anyway).

Also the first password is generated randomly. Unable to generate the same one in any way.

sample of first password: s#u_1kEWt=dGo4qLf*vkEDPdOvkvTSVHu_1rWnd2ah=TSd&(Tu
sample of second password: Fww*wrFwVFwwL$wqr*FwwL$wqr*

Your files which have been encrypted have been deleted using Sdelete also (and backups have been deleted
using Sdelete also).

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give
you confidence that once deleted with SDelete, your file data is gone forever.

read official doc here: http://technet.microsoft.com/en-us/sysi ... s/bb897443

I'm interested how you are going to get this password? This is UNREAL :)

The password is 50 characters long using 77 symbols including letters, numbers and special symbols.

This is 77 to the power of 50 and this is 211123345230697322404794315881e+94 combinations.
To bruteforce, if your brute-force software tries 10000 passwords per second, it will take up to:
65687022485656026733869199236174e+86 years.

Use your brain and calc.exe if you don't believe me.

Possibly when the aliens arrive, they'll decipher your files using their blasters :)

About: these files are not actually encrypted but are password-protected RAR files.

And what encryption does WinRAR use? - Answer: AES. Google it.

>I'm loving the whole "Don't even try to remove this" bits. I actually giggled reading the whole thing.
You can tell (well it's obvious to me) that they've never taken a college english class their entire

LOL :) About my English - sorry, I'm from Mars. Martians attack :) Piu Piu :)

And I'm using a big chain of servers to work and write here. You will never know which country I'm actually from.
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Apr 11, 2012 6:54 am

Cool story.

The only one 100% effective way against encoders - sensitive data backups.
Ring0 - the source of inspiration
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Wed Apr 11, 2012 7:12 am

I understand nothing...
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Apr 11, 2012 7:25 am

He is quoting some script-kiddie who is playing ransomware "gangsta", starting from "Hi all, and specially hello to Fabian". In context there are sdelete mentions (it "sdeletes" all backups too, seemingly immediately, even from CD/DVD disks), AES (must be something related to WinRAR) and "yeahh" passwords with over-9000 lengths. UFOs, aliens and blasters included too.
Ring0 - the source of inspiration
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Wed Apr 11, 2012 2:37 pm

And also two hard-boiled eggs.
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Wed Apr 11, 2012 3:21 pm

http://www.bleepingcomputer.com/forums/topic449398.html - last post, LOL, someone paid the ransom, maybe an ACCDFISA stooge - hmmm, post vanished.
With all these 3rd party libraries used, obviously a fantastic coder :?

edit: update
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Wed Apr 11, 2012 5:08 pm

nullptr wrote: http://www.bleepingcomputer.com/forums/topic449398.html - last post, LOL, someone paid the ransom, maybe an ACCDFISA stooge - hmmm, post vanished.
The user said the ransom holder was friendly and helpful. :o
Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany

Thu Apr 12, 2012 8:42 pm

I attached samples for the 4 major variants released since ACCDFISA first appeared in the wild, in case someone is interested. The malware is quite simple (for example, registry changes are performed using reg.exe since the author most likely has no idea how to do them himself; the same is true for network changes, which are performed using netsh.exe instead of the Windows APIs) but effective enough to make a profit for its authors. So I doubt they will stop anytime soon.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
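Fabian's observation that the malware drives its changes through reg.exe and netsh.exe (and, per the author's own post, sdelete) suggests a simple endpoint detection: one parent process spawning several of those living-off-the-land tools within a short window. The following is an added example, not code from the thread or from any poster; the log format and every value in SAMPLE_LOG are constructed (loosely modelled on Sysmon process-creation fields), and the function and constant names are assumptions.

```python
"""Flag a parent process that spawns two or more of reg.exe, netsh.exe and
sdelete.exe within a short window (constructed detection example)."""
import re
from collections import defaultdict

# Constructed process-creation events, one "key=value" pair per field.
# Hosts, PIDs, paths and timestamps are made up for this example.
SAMPLE_LOG = r"""
ts=2012-04-12T20:01:03 host=ws01 ppid=1204 parent=C:\Windows\explorer.exe image=C:\Users\u\AppData\svchost.exe
ts=2012-04-12T20:01:05 host=ws01 ppid=3320 parent=C:\Users\u\AppData\svchost.exe image=C:\Windows\System32\reg.exe
ts=2012-04-12T20:01:06 host=ws01 ppid=3320 parent=C:\Users\u\AppData\svchost.exe image=C:\Windows\System32\netsh.exe
ts=2012-04-12T20:01:09 host=ws01 ppid=3320 parent=C:\Users\u\AppData\svchost.exe image=C:\Users\u\AppData\sdelete.exe
ts=2012-04-12T20:30:00 host=ws02 ppid=880 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\reg.exe
"""

WATCH = {"reg.exe", "netsh.exe", "sdelete.exe"}   # tools the thread names
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one 'k=v k=v' event line into a dict."""
    return dict(FIELD_RE.findall(line))

def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def to_seconds(ts):
    """Seconds since midnight from an ISO-like timestamp (same day assumed)."""
    h, m, s = ts.split("T")[1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)

def find_lolbin_chains(log_text, window_s=300, min_distinct=2):
    """Return one finding per (host, parent pid, parent image) that launched
    at least `min_distinct` different watched tools inside `window_s`."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        name = basename(ev["image"])
        if name in WATCH:
            key = (ev["host"], ev["ppid"], ev["parent"])
            groups[key].append((to_seconds(ev["ts"]), name))
    findings = []
    for (host, ppid, parent), evs in groups.items():
        evs.sort()
        tools = sorted({n for _, n in evs})
        if len(tools) >= min_distinct and evs[-1][0] - evs[0][0] <= window_s:
            findings.append({"host": host, "ppid": ppid, "parent": parent, "tools": tools})
    return findings
```

The single reg.exe launch from cmd.exe on ws02 is left alone; only the svchost.exe look-alike on ws01 that chains all three tools is reported.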
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Fri Apr 13, 2012 9:31 am

Does anyone know why it's called ACCDFISA?

Is it AES encryption, or is the RSA encryption algorithm being used? (like the GPcode ransom)

Looks more indeed like a skiddie job, but as Fabian stated, if it's effective enough ...