Rise in Anti-Child Porn Spam Protection Ransomware infections

This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order protect yourself, and others, it has encrypted your data using Advanced Encryption Standards, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files.

sl.png

ScreenLocker window for ACCDFISA v2.0, There are actually a few different versions of this. ACCDFISA v2.0 HTML file, These can be worded slightly different, and can have different emails to message the virus creator.

There seems to be either a leak of the ACCDFISA v2.0 source, or the creator is mixing up the layout of Ransom Note, Screen Locker, and even the internal code. So far I have found 3 different version of ACCDFISA v2.0 with different contact emails, Ransom Notes, Code, and what is worse is even the method of delivery. The previous ACCDFISA v2.0 mostly only affected servers with RDP enabled with weak security. But the last 2 victims I have been messaging had neither a server or RDP enabled, and claimed to have gotten it either by email or a malicious or hacked site. This makes this older modified infection another top placer for worst encrypting infections because the key is unrecoverable, Restore Points are wiped, the computer is locked down, services are mangled, free space and deleted files are wiped with SDelete, and of course files are encrypted with WinRar SFX AES exe’s.

For informational purposes, the 2 virus creator emails I have found with these variants are brhelpinfo@gmail.com and Dextreme88@gmail.com.

When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id <id> to <Email>@gmail.com !!).exe. It will then use Sysinternal’s SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\<Random Number>\svchost.exe when your computer starts. This program is launched immediately when you logon and blocks access to your Windows environment. If you boot your computer using SafeMode, Windows Recovery disk, or another offline recovery CD, you can delete or rename the c:\<Random Number>\svchost.exe file in order to regain access to your Windows Desktop. This “lockout” screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.

This variant took 3 hours to completely finish on my VM. I was able to access the key file, and decrypt nearly all files and back them up before shutdown. So if you are lucky enough to see this happening, you should immediately backup the key file on the desktop / in the ProgramData folder.

Sadly, just like the past variants, files cannot be decrypted either without the key, or a backup. If you are reading this infection free I have one question, Have you backed up today?. If not, you better get to it as these types of computer infections are on the rise and definitely here to stay!

The files that this infection creates when it is installed are:

File List:

c:\<Random>\svchost.exe – ScreenLocker / Decrypter

c:\<Random>\howtodecryptaesfiles.htm – RansomNote that all RansomNotes lnk’s point to

c:\ProgramData\fdst<Random>\lsassw86s.exe Encrypter / Main dropper

c:\ProgramData\<Random>\<Random>.dll – Different Numbers and Hashes used by the infection / Also where Temp Key is kept, But removed after completion

c:\ProgramData\<Random>\<Random>.DLLS List of files to be infected by WinRar

c:\ProgramData\<Random>\svchost.exe – WinRar CUI renamed

c:\ProgramData\<Random>\svchost.exe – Sdelete Renamed

c:\ProgramData\svcfnmainstvestvs\stppthmainfv.dll List of Numbers used by the infection

c:\ProgramData\svtstcrs\stppthmainfv.dll List of Numbers used by the infection

c:\Windows\System32\backgrounds2.bmp Renamed ScreenLocker / Decrypter, Used to replace the one in ProgramData if deleted

c:\Windows\System32\lsassw86s.exe Renamed Encrypter / Main dropper, Used to replace the one in ProgramData if deleted

c:\Windows\System32\scsvserv.exe Used to complete mangle / disable services to further lock down computer

c:\Windows\System32\lsassvrtdbks.exe Assists with encryption

c:\Windows\System32\session455.txt Temp Storage used with .BAT file to logoff user account

c:\Windows\System32\decryptaesfiles.html Used to copy to ProgramData

c:\Windows\System32\Sdelete.dll Used to copy Sdelete to ProgramData

c:\Windows\System32\kblockdll.dll Used to Lock desktop

c:\Windows\System32\btlogoffusrsmtv.bat Used to log user off

c:\Windows\System32\default2.sfx Used with winrar to encrypt files

c:\Windows\System32\cfwin32.dll WinRar CUI renamed

%Desktop%\<Random>.Txt – Also contains Decrypt Key, But removed after completion

Registry List:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\<Random>\svchost.exe – Launches ScreenLocker

Please Visit our Computer News Website and Blog

for latest computer repair and online news.

Local and Online Virus removal and computer repairs anytime, anywhere

Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida