Anigma Malware


Solved by Maurice Naggar

Hi, welcome. I will guide you. This is just a starter step.

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get and run the Malwarebytes MBAR anti-rootkit tool and do one run with it.
Disregard the title subject of that topic. Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

This operating system is reported to be Microsoft Windows Server 2008 R2 Standard Service Pack 1 (x64).
Question: Are you in a company, corporation, private or public organization?
Otherwise, is this your own personal system?
Other question: Are you having any sort of persistent recurring notices for payment for ransomware? I just have to ask.

Other than the temp folder, so far, I only see a few INI files that show with the ".ini.anigma"


This is a private office running medical billing software. I am their technical adviser.

Last Friday, they were hit with a crypto (Ransom.crysis) virus, but did not receive a decryption message. I cleaned what I could and Malwarebytes cleaned the system. No notice of payment or ransomware.

I reinstalled the medical software and restored a backup. This morning, they reported the .anigma extension on all their data files.


A .ini file is just a text-type file that may hold some user preference settings. For example, a common use of the Desktop.ini file is to assign a custom icon or thumbnail image to a folder. There is some oddity here in that a few of these files have .anigma appended to the file names.

That aside, if, as you say, their real data files have that .anigma extension, then that would tend to be an encrypting ransomware. If indeed it is encrypting ransomware, then we here have no tools to decrypt the files. We here can help to see that there are no "active" remainders of the malware infection. We just cannot decrypt any encrypted files.

I did suggest (and highly so) running the MBAR anti-rootkit tool, just as I listed above.

 

Edited by Maurice Naggar

You need to know that encrypting ransomware does self-delete after it has done its deed. Thus, typically, there are no leftover active remains of the pest itself, and Malwarebytes can report "no threats" present and active.
BUT the Malwarebytes report you provided at the top did report one EXE threat that you did not mark with a tick-mark for removal.

Save any ongoing work or edits. Close all web browsers.

Do a new scan with Malwarebytes for Windows.

First, do a Check for Updates using the Malwarebytes Settings >> General tab.

See this Support Guide: https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, accept it and let it proceed. Be sure it succeeds.

If prompted to do a restart, please follow all directions.

Let me know how that goes. Next, the Malwarebytes scan.

Click the Security tab. Scroll down and make sure the line in Scan Options for "Scan for rootkits" is ON. Click it to turn it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes window. Then click the blue button marked Scan.

When the scan phase is done, be very sure you review the results and have all detected line items check-marked on the left. That too is very critical. You can click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

Please double verify that you have that TOP check-box tick-marked, and that all lines then have a tick-mark.

Then click on the Quarantine button.
Then locate the scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


After you get caught up with my preceding posts above:

Adding a note to gather up additional detail on this infection.

Please look on the "P: drive", in your Documents folder and/or Desktop, and in the location where the .anigma files are, for a file or files with names like "Readme", and attach a copy.
Note: Some of the "ransom note" files can have names similar to

_readme.txt
_openme.txt
_open_.txt
README.txt
HOW TO DECRYPT YOUR DATA.txt
Readme to restore your files.txt
Decryption instructions.txt
FILES ENCRYPTED.txt
Files encrypted!!.txt
 

Look for similar names on the Desktop and under Documents. Attach 2 of those if possible.

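The post above asks the reporter to hunt for .anigma files and ransom notes by hand. As an added example (not code from the thread or from Malwarebytes), here is a PowerShell inventory script that does that walk and summarizes what it finds. The P: drive, Documents and Desktop locations, the .anigma extension, and the note-name patterns are assumptions taken from the posts above; the report path and the extra .html/.hta note types are my own choices. It is written for Windows PowerShell 2.0, which is what Server 2008 R2 ships with, so it avoids the -File/-Directory switches, [PSCustomObject] and the -in operator.

```powershell
# Added example, not from the thread: inventory files carrying the ".anigma"
# extension and candidate ransom notes, write a CSV that can be attached to a
# help thread, and bound the encryption window from the files' timestamps.
# Read-only: nothing is moved, deleted or modified.
# Run from an elevated prompt:
#   powershell -ExecutionPolicy Bypass -File .\Find-AnigmaFiles.ps1

param(
    # Assumed locations, taken from the thread (P: drive, Documents, Desktop).
    [string[]]$Roots = @('P:\', "$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    [string]$Extension = '.anigma',
    # Assumed output location; change as needed.
    [string]$ReportPath = "$env:USERPROFILE\Desktop\anigma-inventory.csv"
)

# Name patterns built from the ransom-note filenames listed in the post above.
$notePatterns = @('*readme*', '*openme*', '*open_*', '*decrypt*',
                  '*restore*', '*encrypted*', 'how to*')
# File types a note is usually dropped as (.txt from the list; .html/.hta assumed).
$noteTypes = @('.txt', '.html', '.hta')

$encrypted = @()
$notes     = @()

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Skipping missing path: $root"
        continue
    }
    # -Force includes hidden files; SilentlyContinue keeps an access-denied
    # folder from aborting the whole walk. PSIsContainer filters out directories
    # (PowerShell 2.0 has no -File switch).
    $files = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }

    foreach ($f in $files) {
        if ($f.Name.ToLower().EndsWith($Extension.ToLower())) {
            # "invoice.pdf.anigma" -> original extension ".pdf"
            $origName = $f.Name.Substring(0, $f.Name.Length - $Extension.Length)
            $encrypted += New-Object PSObject -Property @{
                Path        = $f.FullName
                OriginalExt = [System.IO.Path]::GetExtension($origName).ToLower()
                SizeBytes   = $f.Length
                LastWrite   = $f.LastWriteTime
            }
        }
        elseif ($noteTypes -contains $f.Extension.ToLower()) {
            foreach ($p in $notePatterns) {
                if ($f.Name -like $p) { $notes += $f; break }
            }
        }
    }
}

# Summary: how many files, which original types were hit, and the time window
# in which the encrypted copies were written (their LastWriteTime).
"Encrypted files found: $($encrypted.Count)"
if ($encrypted.Count -gt 0) {
    $encrypted | Group-Object OriginalExt | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    # @() keeps a single result indexable on PowerShell 2.0.
    $sorted = @($encrypted | Sort-Object LastWrite)
    "Earliest write: $($sorted[0].LastWrite)"
    "Latest write:   $($sorted[-1].LastWrite)"
    $encrypted | Select-Object Path, OriginalExt, SizeBytes, LastWrite |
        Export-Csv -Path $ReportPath -NoTypeInformation
    "Inventory written to $ReportPath"
}

"Candidate ransom notes: $($notes.Count)"
foreach ($n in $notes) {
    "  $($n.FullName)  ($($n.Length) bytes, $($n.LastWriteTime))"
}
```

The earliest/latest write times give a rough window for when the encryption ran, which is the first thing to line up against the server's event logs and backup schedule; the per-extension counts tell you which data types the backup restore has to cover. The note-name patterns are deliberately loose, so expect a few false positives among ordinary README.txt files; read each candidate before attaching it.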

  • Solution

Uploaded that file to https://id-ransomware.malwarehunterteam.com

No luck. The site cannot find a near match to known families of ransomware. If you can try to upload a different ransom note to id-ransomware, it may have some luck. For now, one can speculate that the ransomware here seems to be similar to the volcano / insanecrypt variant of ransomware.

Have you run a scan with Malwarebytes on each system like I noted before? results ?

The best way to recover the users damaged datasets is from a known clean recent system image backup / full backup. Otherwise, wipe the systems and rebuild all from scratch.

You should do some readings about ransomware at Bleepingcomputer forum ( who keep an active collection about various ransomware)
https://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/

If these systems had had licensed-paid Malwarebytes apps installed, prior to the first infection, it would have stopped the ransomware. Also read this on Malwarebytes Blog https://blog.malwarebytes.com/detections/ransom-crysis/ 

Given that these systems are used in commerce and are using Windows business operating system, they should have had Malwarebytes Endpoint Protection installed and activated.

Also read the section "Ransomware mitigations" on the Malwarebytes blog:
https://blog.malwarebytes.com/threat-intelligence/2022/05/ransomware-april-2022-review/

Edited by Maurice Naggar

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you
