Решена без расшифровки Trigona ransomware attack

[Madowax]

Good afternoon, on the evening of December the 13th our server was attacked by Trigona Ransomware, sadly the ISCSI backup partition was mounted, backups are performed during the night, so the whole backup partition has also been encrypted. I'm going to attach few encrypted documents, the ransom note and the Farbar Log taken from a windows pe recovery enviroment. The attacker requested something like 3 BTC to deliver the keys, sadly our company can't pay such amount of money.
Thanks in advance for any help you can provide.

Добрый день, вечером 13 декабря наш сервер был атакован Trigona Ransomware, к сожалению, раздел резервного копирования iSCSI был смонтирован, резервное копирование выполняется в течение ночи, поэтому весь раздел резервного копирования также был зашифрован. Я собираюсь приложить несколько зашифрованных документов, записку о выкупе и журнал Farbar, взятый из среды восстановления windows pe. Злоумышленник запросил что-то около 3 BTC за предоставление ключей, к сожалению, наша компания не может заплатить такую сумму.

Заранее спасибо за любую помощь, которую вы можете оказать.

Переведено с помощью www.DeepL.com/Translator (бесплатная версия)

 

[Sandor]

Здравствуйте!

Некоторое время подождите, попробуем определить тип вымогателя.
Но скорее всего расшифровки нет. А в системе нужно кое-что исправить, если не планируете переустановку.

 

[Madowax]

I will reinstall on different hard drives and keep these ones for future decryption, it might be useful for you to know that the ransomware ignores some system folders to keep the machine running.

Я переустановлю на разные жесткие диски и сохраню эти для будущей расшифровки. Возможно, вам будет полезно знать, что программа-вымогатель игнорирует некоторые системные папки, чтобы сохранить работоспособность машины.

 

[Sandor]

I will reinstall on different hard drives and keep these ones for future decryption

It is clear.

Unfortunately there is no known method to decrypt. I suppose you've already seen this description.

 

[Madowax]

It is clear.

Unfortunately there is no known method to decrypt. I suppose you've already seen this description .

I have found this file on a computer which might have started the infection. NTUSER.pol

I found this file on a computer that could have started the infection. NTUSER.pol

 

[Sandor]

No it is not. This is well known system file.

 

[Madowax]

No it is not. This is well known system file.

It was in the list of restricted file in frst.log of the infected computer and the contents mentioned file encryption. I guess it is normal, never opened it.
thanks for your help and for your time.
Best regards

Он был в списке запрещенных файлов в frst.log зараженного компьютера, и в его содержимом упоминалось шифрование файла. Думаю, это нормально, я никогда не открывал его.
Спасибо за вашу помощь и за ваше время.
С наилучшими пожеланиями

 

[Sandor]

This file

C:\Intel\svhost.exe

is most suspect as ransome.
And in my opinion your system was compromised by manual intrusion with a high probability.
So it will be a good idea to change all administrator passwords.

 

[Madowax]

I will attach files from this second PC for your reference. Maybe they can help you help others. The suspect_exe_2.zip contains C:\Intel\svhost.exe from the server (password is virus)
.

 

[Madowax]

This file

is most suspect as ransome.
And in my opinion your system was compromised by manual intrusion with a high probability.
So it will be a good idea to change all administrator passwords.

I will change the passwords for safety, it is quite strange however since the admin password is very complex and 16 chars long, never used for anything else.
Thanks again

 

[Sandor]

Please do NOT attach malware to your messages. You can upload this file to VirusTotal and get us link to its result.

 

[Madowax]

VirusTotal Link: 248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db

 

[Madowax]

Please do NOT attach malware to your messages. You can upload this file to VirusTotal and get us link to its result.

VirusTotal Link: 248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db

 

[Madowax]

Please do NOT attach malware to your messages. You can upload this file to VirusTotal and get us link to its result.

This is the Tor Browser Decryptor Tool from 15th of December. It was possible to download it back then. Maybe it could be useful to you.

 

[Madowax]

The above attachment is simply the tool without keys file, of course without the keys it is unable to decrypt anything, I have no keys file as you already know.

 

[Sandor]

Yes and this is the problem, I mean - the key.

 

[Madowax]

Yes and this is the problem, I mean - the key.

Yep, it is just for completeness.