An interesting case came into the office: a ransomware attack that hit five different businesses, all in the same small town. Our client was one of those businesses; she refused to pay the ransom and was looking for another way out.
We were happy to give her one.
ACCDFISA v2.0, a variant of the ACCDFISA Protection Program virus, is a ransomware infection that locks your computer screen and holds your files hostage. It is a typical scam claiming that your computer was blocked because illegal activity, spam and other malicious behaviour were detected on your system. In particular, the virus generates a legitimate-looking notification, presented as coming from an "Anti-Child Porn Spam Protection" program, informing the computer's owner that his or her computer is being used to spread child pornography-related spam across the web. The notification goes on to explain that, because of these illegal activities, the computer has been blocked and all the data on it has been encrypted.
Although the notification states that the computer's files have been encrypted with the AES algorithm, the virus actually compresses the files into RAR archives and password-protects them, so what the attackers are withholding is an archive password rather than an encryption key.
Each affected file is turned into an .exe file whose name contains the original file name, an ID number and the perpetrator's e-mail address.
We were able to bypass the archiving entirely. When ACCDFISA v2.0 runs, it archives the targeted files and then deletes the originals, and deleting a file does not wipe its contents from the disk: the data stays in unallocated space until something overwrites it. Running data-recovery software that restores deleted files, we were able to bring back all of the affected files to their state before the infection.
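The two facts above (the ".exe" is really a RAR archive, and the originals are merely deleted) are both checkable from a disk image. The script below is an added example written for this post, not CDR's own tooling. It assumes the ransomware output is a self-extracting archive (a PE "MZ" stub with the RAR marker block somewhere inside it) and that the deleted originals still sit in unallocated space, where a signature-based carver can find them. The sample .exe and the sample disk image are constructed in the script so it runs offline.

```python
"""Triage an ACCDFISA-style 'encrypted' .exe and carve deleted originals.

Added example, not the page's or CDR's code. Assumptions: the ransomware
output is a RAR self-extracting archive (PE stub + RAR marker), and deleted
originals are still present in unallocated space of a raw disk image.
"""
import re

# RAR marker blocks (RAR 4.x and RAR 5.x).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def find_embedded_rar(data: bytes):
    """Return the offset of a RAR marker inside a PE file, or None.

    A password-protected SFX is still a PE ('MZ') whose payload carries the
    RAR marker, so finding one confirms 'archived and renamed' rather than
    real per-file encryption, which leaves no such structure behind.
    """
    if not data.startswith(b"MZ"):
        return None
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        off = data.find(magic)
        if off != -1:
            return off
    return None


# Carving rules: (type, header regex, footer bytes, maximum file size).
# Header/footer carving is deliberately simple; JPEGs with embedded EXIF
# thumbnails, for instance, produce a nested FF D8 FF and get carved twice.
CARVE_RULES = [
    ("jpg", re.compile(rb"\xff\xd8\xff"), b"\xff\xd9", 20 * 1024 * 1024),
    ("png", re.compile(rb"\x89PNG\r\n\x1a\n"), b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    ("pdf", re.compile(rb"%PDF-1\.[0-7]"), b"%%EOF", 50 * 1024 * 1024),
]


def carve(image: bytes):
    """Carve files from a raw image by header/footer signature.

    Returns a list of (type, offset, payload) tuples sorted by offset. The
    image is read only; recovered payloads are returned, not written back.
    """
    found = []
    for ftype, header, footer, max_len in CARVE_RULES:
        for m in header.finditer(image):
            start = m.start()
            window_end = min(len(image), start + max_len)
            end = image.find(footer, m.end(), window_end)
            if end == -1:
                continue  # header without a footer in range: skip it
            found.append((ftype, start, image[start:end + len(footer)]))
    found.sort(key=lambda t: t[1])
    return found


def build_sample_sfx() -> bytes:
    """Constructed stand-in for the ransomware's .exe: MZ stub + RAR5 marker."""
    stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    return stub + RAR5_MAGIC + b"\x00" * 32


def build_sample_image() -> bytes:
    """Constructed raw 'disk image': filler, a deleted JPEG, a deleted PDF."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-body-bytes" * 8 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    return filler + jpeg + filler + pdf + filler


if __name__ == "__main__":
    sfx = build_sample_sfx()
    off = find_embedded_rar(sfx)
    print("RAR marker at offset", off, "-> archived, not encrypted" if off else "-> no archive found")
    for ftype, offset, payload in carve(build_sample_image()):
        print(f"carved {ftype} at offset {offset}, {len(payload)} bytes")
```

Two practical caveats: carve against a read-only image of the drive, never the live disk, because every write (including the OS's own) can overwrite the unallocated space that still holds the originals; and treat the header/footer approach as a first pass, since fragmented or partially overwritten files need a proper recovery tool and each carved file should be opened to confirm it is intact.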
Also of note: four other businesses in this relatively small town were infected with the same ransomware at around the same time, each facing a $5,000 extortion demand.
They had been advised to pay the ransom. Unless you have no other choice, we advise against this: there is no guarantee that the extortionists will unlock your files, and they may simply ask for more money once they have received the first payment.
We discovered early on that the original ACCDFISA had been defeated and that there were published solutions for getting your data back. However, this was ACCDFISA v2.0, and the weaknesses those solutions relied on had been patched. v2.0 was quite a different beast from the original, and finding a flaw in its code was likely to be a far more arduous task. Rather than attack the malware, we attacked the disk: using dedicated scanning and recovery tools, we scanned the drive and achieved a full recovery of the affected files for our client.
Every ransomware attack differs from every other, and sometimes slight variations make all the difference. Here at CDR we are committed to finding the best solution for whatever problem arises. It's an ongoing battle, but one we are committed to helping you fight.
So if you find yourself the victim of such an attack, know that you have options and that there are people out there who can help. Best of luck, and stay safe out there.