phobos Сервер 1С пострадал, все файлы зашифровались...citruse@keemail.me and lime@dr.com

[equitable]

Всех приветствую! Случилась беда и весь сервер стал зашифрован. 1С Базы тоже... Пожалуйста помогите решить данную проблему, заранее огромное спасибо!

Текст письма прикрепляю ниже... адрес - citruse@keemail.me and lime@dr.com

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC.

If you want to restore them, write us to the e-mails: citruse@keemail.me and lime@dr.com  

(for the fastest possible response, write to all 2 mails at once!)

Write this ID at the beginning of your message:

76 3C 7A 6A 45 90 83 C2 77 0F DE 96 FF 37 DA 89 54 48 39 38 DA C2 9A 80 C0 A9 8E 61 C6 06 D4 CB F4 8D C8 D6 A0 80 2C 76 2F D0 66 BE 39 A2 0F 08 5F 23 69 F2 97 10 99 EF 60 AB 17 41 DD 24 87 BA E1 36 18 4A 82 67 16 02 0C 44 BD 50 8B A5 40 3C 05 FF FE FC B3 40 BA AC E2 95 19 C1 70 A9 FC 43 F5 C9 75 F0 7D 1F 28 26 7A CE 39 CD 5F 83 0A 0E 63 7C E3 49 1B 85 70 2D B9 93 93 C1 77 20 D0 9D 3A 80 B9 5B 4D ED FD A3 93 2F 26 78 78 65 3C CD EB 4E 5A A9 99 E2 25 AD 17 8B 91 E1 B9 63 E6 5E FF C2 24 F1 8E 7F AA 65 07 78 51 B1 A5 B0 41 E8 D4 57 1C 59 6C 34 AB 3A 32 95 49 33 75 0B 69 87 68 BD C5 67 46 F7 47 5B 44 E2 EB 4F 58 BD A6 D4 F1 1E 4B 67 01 58 49 DF 72 8E CB 3C C0 AF 68 FE 65 64 3D 30 43 4C 3E CA DA 02 0A F1 84 C6 D7 60 B4 F9 53 ED 63 33 2F 0E 7B AD 17 18 82 00 5D 6A

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee

• Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

• The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
  https://localbitcoins.com/buy_bitcoins
  Also you can find other places to buy Bitcoins and beginners guide here:
  http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!

• Do not rename encrypted files.
• Do not try to decrypt your data using third party software, it may cause permanent data loss.
• Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

[equitable]

 

 

Прикрепляю архив с зашифрованным файлом маленьким и письмом. Спасибо за помощь заранее!

Пароль на архив virus

virus.rar

Изменено 4 июля, 2022 пользователем equitable

[Sandor]

Здравствуйте!

 

К сожалению, расшифровки этой версии вымогателя нет.

Вы не прикрепили логи Farbar Recovery Scan Tool. Они нужны для помощи в очистке от возможных следов и для анализа уязвимых мест.

[equitable]

Addition.txtFRST.txt

[Sandor]

@equitable

• Отключите до перезагрузки антивирус.
• Выделите следующий код:

  Start::
  2022-07-04 03:00 - 2022-07-04 03:00 - 000007593 _____ C:\Users\Public\Read Me Please!.Hta
  2022-07-04 03:00 - 2022-07-04 03:00 - 000007593 _____ C:\Read Me Please!.Hta
  2022-07-04 01:17 - 2022-07-04 01:17 - 000006720 _____ C:\Program Files\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\SSASTELEMETRY\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\SQLTELEMETRY\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\SQLSERVERAGENT\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\SQL Server Distributed Replay Controller\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\SQL Server Distributed Replay Client\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\sannikov\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\sannikov\Downloads\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\sannikov\Documents\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\sannikov\Desktop\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\sannikov\AppData\Local\Temp\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\Public\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\Public\Downloads\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\Public\Documents\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\Public\Desktop\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\MSSQLServerOLAPService\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\MSSQLSERVER\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\MSSQLLaunchpad\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\MSSQLFDLauncher\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\MsDtsServer140\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\Default\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\Classic .NET AppPool\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\bizhanova\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\bizhanova\Downloads\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\bizhanova\Documents\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\bizhanova\Desktop\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\bizhanova.ITCNEOTERM\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\bizhanova.ITCNEOTERM\Downloads\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\bizhanova.ITCNEOTERM\Documents\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\bizhanova.ITCNEOTERM\Desktop\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\Administrator\Desktop\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\1CUSER\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\.NET v2.0\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Users\.NET v2.0 Classic\Read Me!.hTa
  2022-07-04 01:16 - 2022-07-04 01:16 - 000006720 _____ C:\Program Files (x86)\Read Me!.hTa
  2022-07-04 00:47 - 2022-07-04 00:47 - 000006720 _____ C:\Users\SSISScaleOutMaster140\Read Me!.hTa
  2022-07-04 00:39 - 2022-07-04 00:39 - 000006720 _____ C:\Users\USER1C\Read Me!.hTa
  2022-07-04 00:39 - 2022-07-04 00:39 - 000006720 _____ C:\Users\SSISTELEMETRY140\Read Me!.hTa
  2022-07-04 00:39 - 2022-07-04 00:39 - 000006720 _____ C:\Users\SSISScaleOutWorker140\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\Администратор\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\Администратор\Downloads\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\Администратор\Documents\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\Администратор\Desktop\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\zholobov\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\zholobov\Downloads\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\zholobov\Documents\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\zholobov\Desktop\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\USR1CV8\Read Me!.hTa
  2022-07-04 00:38 - 2022-07-04 00:38 - 000006720 _____ C:\Users\USR1CV8\AppData\Local\Temp\Read Me!.hTa
  2022-07-04 00:12 - 2022-07-04 00:12 - 000006720 _____ C:\Users\Администратор.WIN-E091NF41R8T\Read Me!.hTa
  2022-07-04 00:12 - 2022-07-04 00:12 - 000006720 _____ C:\Users\Администратор.WIN-E091NF41R8T\Downloads\Read Me!.hTa
  2022-07-04 00:12 - 2022-07-04 00:12 - 000006720 _____ C:\Users\Администратор.WIN-E091NF41R8T\Documents\Read Me!.hTa
  2022-07-04 00:12 - 2022-07-04 00:12 - 000006720 _____ C:\Users\Администратор.WIN-E091NF41R8T\Desktop\Read Me!.hTa
  2022-07-04 00:12 - 2022-07-04 00:12 - 000006720 _____ C:\Users\Администратор.WIN-E091NF41R8T\AppData\Local\Temp\Read Me!.hTa
  2022-07-04 00:11 - 2022-07-04 00:11 - 000006720 _____ C:\Users\Read Me!.hTa
  2022-07-04 00:11 - 2022-07-04 00:11 - 000006720 _____ C:\Read Me!.hTa
  2022-07-04 00:11 - 2022-07-04 00:11 - 000006720 _____ C:\ProgramData\Read Me!.hTa
  FirewallRules: [{C021A315-A283-45A6-9BC2-EDE2F796C53B}] => (Allow) C:\Users\Администратор.WIN-E091NF41R8T\Downloads\AnyDesk.exe => Нет файла
  FirewallRules: [{72995C08-BB22-450A-8CCB-50ABEBEF554F}] => (Allow) C:\Users\Администратор.WIN-E091NF41R8T\Downloads\AnyDesk.exe => Нет файла
  FirewallRules: [{61C0C09E-9C66-4344-A741-7C6BBC05A966}] => (Allow) C:\Users\Администратор.WIN-E091NF41R8T\Downloads\AnyDesk.exe => Нет файла
  FirewallRules: [{7E4348F8-1F0C-4A71-95DB-967D454AA6A8}] => (Allow) C:\Users\Администратор.WIN-E091NF41R8T\Downloads\AnyDesk.exe => Нет файла
  FirewallRules: [{EF8B834A-1177-4D1A-9443-FCCF14C5541C}] => (Allow) LPort=475
  FirewallRules: [{5C7152DE-EA96-47B6-82BA-D6147BB3F3C6}] => (Allow) LPort=475
  FirewallRules: [{98960691-BAEF-4F04-8C63-273FE6139929}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => Нет файла
  FirewallRules: [{51FC1948-B75C-4D2E-B76E-DB982B492E3D}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => Нет файла
  FirewallRules: [{FDA661DE-C9D2-42A3-80CE-53E1C0271519}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => Нет файла
  FirewallRules: [{BB815664-17B2-45CC-AF97-B84B8114198C}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => Нет файла
  FirewallRules: [{6A9768D0-E138-42E9-88E6-2E5CE5860060}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => Нет файла
  FirewallRules: [{25EC4796-7ED8-48BA-AE45-CF817DA72F3F}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => Нет файла
  End::

   

• Скопируйте выделенный текст (правой кнопкой - Копировать).
• Запустите FRST (FRST64) от имени администратора.
• Нажмите Исправить (Fix) один раз (!) и подождите. Программа создаст лог-файл (Fixlog.txt). Прикрепите его к своему следующему сообщению.

Компьютер перезагрузите вручную.

Подробнее читайте в этом руководстве.

 

Смените пароли администраторов и на RDP.