A client's server was running AVAST Email Server Security (latest version) and Malwarebytes, updating and scanning every night.
Last Sunday the server was attacked by a drive-by ransomware virus, Anti-Child Porn Spam Protection. This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that, in order to protect yourself and others, it has encrypted your data using Advanced Encryption Standard, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password-protected RAR files. The hackers then require you to send them a MoneyPak, PaySafeCard, or Ukash card for values ranging from $500 - 1,000 USD in order to get the password for your files.
Now all users' data files are zipped, looking like this file:
"customer.mdb(!! to decrypt email id 1795229374 to uksechelp@gmail.com !!).exe "
Anyone know how to decrypt these files?!!!
End result: had to use a PE disk to access the server drives, saved all encrypted data to an external drive, and wiped the server. It was running SBS 2003; it is now running as a file server on 2008.
Got back 60% of the data from the password-protected NAS drive, but all the other data is still encrypted!!! with that damn password.
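The post above quotes the renamed-file pattern this ransomware leaves behind and says the payloads are password-protected RAR files rather than AES-encrypted data. The following triage script is an added example, not code from the thread or from any vendor named in it: it walks a recovered drive, picks out files whose names match that pattern, records the original filename and the contact string embedded in the name, and checks the file header for the RAR signature so an incident responder can inventory what was hit before deciding on recovery. The regex is built from the one filename quoted in the post, and the sample directory it creates is constructed for the demonstration.

```python
"""Inventory files renamed by the ransomware described in the post.

Added example (not from the forum thread). Assumes the naming pattern quoted
there, <original name>(!! to decrypt email id <id> to <email> !!).exe, and that
the payloads are RAR archives, as the post states.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pattern derived from the filename quoted in the post. Groups capture the
# original name to restore to, the numeric id, and the contact address.
RANSOM_NAME_RE = re.compile(
    r"^(?P<original>.+?)\(!! to decrypt email id (?P<id>\d+) to (?P<email>[^ ]+) !!\)\.exe$",
    re.IGNORECASE,
)

# Both RAR signature generations (RAR4 and RAR5) begin with these six bytes.
RAR_MAGIC = b"Rar!\x1a\x07"


@dataclass
class RansomFile:
    path: str
    original_name: str
    ransom_id: str
    contact: str
    is_rar: bool


def parse_ransom_name(name: str) -> Optional[Dict[str, str]]:
    """Return the parts of a renamed file, or None if the name does not match."""
    m = RANSOM_NAME_RE.match(name.strip())
    return m.groupdict() if m else None


def has_rar_signature(path: str) -> bool:
    """True if the file starts with the RAR archive signature."""
    with open(path, "rb") as fh:
        return fh.read(len(RAR_MAGIC)) == RAR_MAGIC


def triage(root: str) -> List[RansomFile]:
    """Walk a recovered drive and list every renamed file with the name it
    should be restored to and whether the payload really is a RAR archive."""
    found: List[RansomFile] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parts = parse_ransom_name(name)
            if parts is None:
                continue
            path = os.path.join(dirpath, name)
            found.append(RansomFile(path, parts["original"], parts["id"],
                                    parts["email"], has_rar_signature(path)))
    return found


def build_sample_tree() -> str:
    """Constructed sample data: one renamed file carrying a RAR header and one
    ordinary executable that must not be reported."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    renamed = "customer.mdb(!! to decrypt email id 1795229374 to uksechelp@gmail.com !!).exe"
    with open(os.path.join(root, renamed), "wb") as fh:
        fh.write(RAR_MAGIC + b"\x00" * 33)
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    for item in triage(build_sample_tree()):
        print(f"{item.original_name:<14} id={item.ransom_id} "
              f"contact={item.contact} rar={item.is_rar}")
```

Run it against the mounted image rather than the live server; it only reads file headers and never opens the archives. A file that matches the name pattern but lacks the RAR signature is worth a closer look, since it may be a different variant or a decoy executable.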
Sorry to hear about your lost files. I read a little on the net about this malware; apparently the attacker logs onto the target computers manually through Remote Desktop. Once on, they can disable any active A/V and plant their malware directly. A couple of points were made: the files cannot be decrypted without the passwords. Some businesses have been paying the ransom. Secondly, it was advised to change the port of Remote Desktop, since the initial attack appears to be a scan for open RDP ports (port 3389), after which they get logon credentials through brute force.
Can anybody at Avast comment on this attack, and possible prevention methods?
I haven’t been attacked myself; this malware seems to target businesses.
This is a case where prevention is everything: once the attacker gets access to the target system the AV is disabled, your files are encrypted, and you’re locked out when you next try and log in. The AV may help with the locked-out situation, and clear up any residual malware, but the damage has been done. You’ve lost your files, and in some cases, the backup too. I read about a medical group that lost their patient medical and billing records. The backups, which were accessible through the target computer, were also deleted!
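The reply above describes the intrusion path: a scan for exposed RDP, password guessing against it, then a manual logon that disables the AV. That sequence is visible in the Windows Security log before any file is touched, as a burst of failed logons (event 4625, logon type 10) from one source followed by a success (event 4624) from the same address. The detector below is an added example, not code from the thread or from Avast; it assumes the log has already been parsed into dicts carrying the standard fields EventID, LogonType, IpAddress, TargetUserName and a timestamp, and the sample events it runs over are constructed.

```python
"""Flag RDP password-guessing bursts in Windows Security log events.

Added example (not from the forum thread). Assumes events parsed into dicts
with the standard Security-log fields: EventID 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP), plus
IpAddress, TargetUserName and a datetime in "time".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def detect_rdp_bruteforce(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """One alert per source IP that racks up `threshold` RDP failures inside
    `window`. If that IP later logs on successfully, the alert records the
    account used, which is the high-severity case (credentials guessed)."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Dict] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                      # console/network logons are out of scope here
        ip, ts = ev["IpAddress"], ev["time"]
        if ev["EventID"] == FAILED_LOGON:
            q = recent[ip]
            q.append((ts, ev["TargetUserName"]))
            while ts - q[0][0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {
                    "ip": ip, "failures": 0, "accounts": set(),
                    "first_seen": q[0][0], "success_as": None,
                })
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"].update(user for _, user in q)
        elif ev["EventID"] == SUCCESS_LOGON and ip in alerts:
            alerts[ip]["success_as"] = ev["TargetUserName"]
    return list(alerts.values())


def sample_events() -> List[Dict]:
    """Constructed log excerpt: a guessing burst from one address that ends in a
    successful logon, a couple of stray failures from another address, and one
    console failure that the RDP filter must ignore."""
    base = datetime(2012, 4, 15, 3, 0, 0)
    attacker, bystander = "198.51.100.23", "192.0.2.7"   # documentation ranges
    targets = ["Administrator", "admin", "backup"]
    events = []
    for i in range(7):
        events.append({"EventID": FAILED_LOGON, "LogonType": RDP_LOGON_TYPE,
                       "IpAddress": attacker, "TargetUserName": targets[i % 3],
                       "time": base + timedelta(seconds=12 * i)})
    events.append({"EventID": SUCCESS_LOGON, "LogonType": RDP_LOGON_TYPE,
                   "IpAddress": attacker, "TargetUserName": "Administrator",
                   "time": base + timedelta(seconds=90)})
    for i in range(2):
        events.append({"EventID": FAILED_LOGON, "LogonType": RDP_LOGON_TYPE,
                       "IpAddress": bystander, "TargetUserName": "jsmith",
                       "time": base + timedelta(seconds=30 + 40 * i)})
    events.append({"EventID": FAILED_LOGON, "LogonType": 2, "IpAddress": "-",
                   "TargetUserName": "jsmith", "time": base + timedelta(seconds=5)})
    return events


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(sample_events()):
        print(f"{a['ip']}: {a['failures']} RDP failures since {a['first_seen']:%H:%M:%S} "
              f"against {sorted(a['accounts'])}; success as {a['success_as']}")
```

The threshold and window are deliberately low so the constructed sample trips them; on a real server tune them to the normal rate of mistyped passwords. The "success_as" field is the signal to act on immediately: it is the moment between the guessed credential and the AV being switched off that the reply describes.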
Hi there, I am really sorry, but you got attacked by a very nasty ransomware. This malware is very aggressive; unlike the previous versions of this malware, it uses so many 3rd-party DLLs that it is almost impossible to get your files back w/o paying.
This video is a POSSIBLE solution: http://www.youtube.com/watch?v=2LBStddWA2w . I never tried it but it’s worth watching; it might solve your problem. You can find more info here: http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/ . I think Fabian from Emsisoft made a decrypt tool, but I can’t find it atm. If you search you will find it though. Sorry for not providing much help, but I really can’t now.
Well, months later we still cannot unlock the data files. Safe mode / normal mode did not work; our data was on a second hard drive, the C:\ was not accessible, and our backup drive was a mapped drive to a NAS box, so our backups were screwed also. So the server is now wiped and the company is running, but I still would like to unencrypt the files :-[
This is coming from an unprofessional IT guy, so this information may not even be relevant. If it is, great, but again, don’t take this advice seriously until someone like essex says it has merit to it.
And just a word to the Avast Team. Pass this on: your product is GREAT! I also love that you guys promote other AVs such as Kaspersky. One of the decisions on why I chose Avast over something like Kaspersky. Keep it up!
It could be worth a try, although how effective it is I am not sure. The results appear to be mixed from my research, but nothing ventured, nothing gained.
Decryption instructions
4. Download the decryption tool from http://tmp.emsisoft.com/fw/decrypt_mb…
5. Open a command prompt window and navigate to the directory with the decrypt_mblblock.exe file
6. Run it with however many drives you have mounted (e.g.: decrypt_mblblock.exe C:\ D:\ E:)
7. You can also add options to delete the encrypted files (/del) or to not pause the window (/np)