A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12605  by Flamef
 Tue Apr 10, 2012 8:32 pm
A "new" kind of ransomware has been spawned.
The first one http://www.bleepingcomputer.com/forums/topic446111.html
It was pwned by xilytol and some other guys,they were able to find the unlock codes etc.

But,a new variant(from the same author) has been released http://www.bleepingcomputer.com/forums/topic449398.html
The author pretenders that,there is no solution for this new variant.
Hope EP_X0FF/Xylitol is able to do something!
Btw,if you have any samples,please attach.

His words:
Hi all, and specially hello to Fabian :)

Im the author.

Guys, I have considered my previous mistakes and wrote new unbleepable version.

and im answer for some your questions:

>Unfortunately, at this time there is no method to create the passcodes, though one may be created in
the future.

Yes, may be in the future, after
~66,282,862,563,751,221,625,826,507,369,649,000,000,000,000,000,000,000,000 years

Now password wich has been sended to us has been deleted using sdelete (in previsious using simple
delete and you can recover it in some cases and then generated passcode to decrypt).

To decrypt second part of files (minimal part) here is using another password (yes, Fabian can make
generated it, but it cant help)

Trying to catch password from process monitor? :) Yes, you can but it will be second password for
minimal part of files. First Password are succesefully sended to us and SDELETED. You cant catch it
using procmon because your screen locked :) Locker is used for protect this :) After screen unlocked
there is another password (it sdelete original password after decrypt majority files, you cant catch
this moment NEVER, beacause it sdeleted from HDD before reboot(it does not matter is this cold or hot
reboot) (password is in memory when decrypting files) and to delete screen locker you must reboot in
any ways).

Also first password is generated randomly. Unable to generate same in any ways.

sample of first password: s#u_1kEWt=dGo4qLf*vkEDPdOvkvTSVHu_1rWnd2ah=TSd&(Tu
sample of second password: Fww*wrFwVFwwL$wqr*FwwL$wqr*

Your files wich has been encrypted has been deleted using Sdelete also. (and backups has been deleted
using Sdelete also).

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give
you confidence that once deleted with SDelete, your file data is gone forever.

read official doc here: http://technet.microsoft.com/en-us/sysi ... s/bb897443

Im interesting how do you going to get this password? This is UNREAL :)

The password is 50 characters long using 77 sybmols including letters,numbers and special symbols.

This is 77 to 50 degrees and this is 211123345230697322404794315881e+94 combinations.
To bruteforce if your brute software brute 10000 passwords per second it will be take up to:
65687022485656026733869199236174e+86 years.

Use your brain and calc.exe if you dont believe me.

Possible when the aliens arrive, they decipher your files using the blasters :)

About: these files are not actually encrypted but are password protected RAR files.

And what encrytion using winrar? - Answer: AES. Google it.

>I'm loving the whole "Don't even try to remove this" bits. I actually giggled reading the whole thing.
You can tell (well it's obvious to me) that they've never taken a college english class their entire
life. BIG CLUE THERE!

LOL :) About my english - sorry Im from Mars. Marsians attacks :) Piu Piu :)

And im using big chain of servers to work and writing here. You will never know from wich country acctually im.
 #12612  by EP_X0FF
 Wed Apr 11, 2012 6:54 am
Cool story.

The only one 100% effective way against encoders - sensitive data backups.
 #12614  by EP_X0FF
 Wed Apr 11, 2012 7:25 am
He is quoting some script-kiddie, who is playing in ransomware "gangsta". Starting from
Hi all, and specially hello to Fabian
. In context there are sdelete mentions ("sdeletes" also all backups seems to be immediatelly even from CD/DVD disks), AES (must be something related to winrar) and "yeahh" passwords with over9000 lengths. UFO, aliens and blasters included too.
 #12651  by Fabian Wosar
 Thu Apr 12, 2012 8:42 pm
I attached samples for the 4 major variants released since ACCDFISA first appeared in the wild in case someone is interested. The malware is quite simple (for example registry changes are performed using reg.exe since the author most likely has no idea how to do them himself, same is true for network changes which are performed using netsh.exe instead of using the Windows APIs) but effective enough to make a profit for its authors. So I doubt they will stop anytime soon.
Attachments
Password: infected
(2.14 MiB) Downloaded 251 times
 #12669  by Blaze
 Fri Apr 13, 2012 9:31 am
Anyone knows why it's called ACCDFISA ?

Is it AES encryption or is the RSA encryption algorithm being used ? (like the GPcode ransom)

Looks more indeed like a skiddie job, but as Fabian stated, if it's effective enough ...