myousufhk

Arena Ransomware


One of our servers is infected with Arena ransomware. It encrypts files with the .arena extension. I tried to collect a GSI report, but when I plugged my USB into the server it encrypted the GSI utility also.

The server has Kaspersky Security 10 for Windows and the databases are up to date; Anti-Cryptor is also running. Kaspersky detected some viruses but did not stop the ransomware from encrypting files.

What are the precautions to block these types of ransomware? I'll post a screenshot later.

The same thing happened to another candidate in this forum, but the extension was .aleta. Please see the link below:


My question is still not answered. I have the latest version of Kaspersky Security 10 for Windows Server installed (special package for servers), real-time protection is running, the databases are also up to date, and the special component Anti-Cryptor is also running. With all these things up and running I got attacked by ransomware, and Kaspersky did not stop the ransomware from executing. Why? And also tell me, will Kaspersky be able to block this Arena ransomware in future?

Attached is a zip file that contains the virus report, a screenshot of the last database update and also some ransomware-encrypted files. This is the only and maximum information that I can provide you. Encrypted zipped file password: y2c3@d4

 

Infected Server.rar


Hello,

in order to investigate the issue please post your question here - https://forum.kaspersky.com/index.php?/forum/19-virus-related-issues/

Thank you.

 


Hi,

We provided your files to our specialists, we will inform you as soon as we have any new information.

Thank you!


Hi,

Files were encrypted by Trojan-Ransom.Win32.Crusis; unfortunately, we cannot decrypt these files. Our products can detect this ransomware with System Watcher and standard components with the PDM:Trojan.Win32.Generic verdict.

Please also note that, according to our data, the attackers are using RDP selection of passwords to gain access to the victim machine and manually start the cipher. To avoid re-infection, we recommend setting a strong password for RDP.

Thank you!

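The reply above names RDP password guessing as the way in. As an added example (not from the thread or from Kaspersky), this Python function flags a source address that produces a burst of failed remote logons and then a successful one; it assumes events already exported from the Windows Security log into dictionaries, and the field names, addresses and accounts are constructed for illustration (4625 and 4624 are the log's failed and successful logon event IDs).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Security log: failed / successful logon
REMOTE_TYPES = {3, 10}         # 10 = RemoteInteractive (RDP), 3 = Network (RDP with NLA)

def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=5),
                      follow_up=timedelta(hours=1)):
    """One finding per source IP with >= threshold failed remote logons inside
    `window`; 'compromised' names the account if that IP then logs on
    successfully within `follow_up` of its last burst."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> every account name it tried
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in REMOTE_TYPES:
            continue              # ignore console, service and batch logons
        ip, ts = ev["ip"], ev["time"]
        if ev["id"] == FAILED:
            users[ip].add(ev["user"])
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"ip": ip, "users": users[ip], "compromised": None})
                f["burst_end"] = ts
        elif ev["id"] == SUCCESS and ip in findings:
            f = findings[ip]
            if f["compromised"] is None and ts - f["burst_end"] <= follow_up:
                f["compromised"] = ev["user"]
    return list(findings.values())

# Constructed sample events (documentation-range addresses, invented accounts).
T0 = datetime(2017, 9, 1, 2, 0, 0)
def _ev(sec, eid, ltype, ip, user):
    return {"time": T0 + timedelta(seconds=sec), "id": eid,
            "logon_type": ltype, "ip": ip, "user": user}

GUESSES = ["administrator", "admin", "backup", "administrator", "sql", "administrator"]
SAMPLE = [_ev(10 * i, FAILED, 3, "203.0.113.7", u) for i, u in enumerate(GUESSES)] + [
    _ev(90, SUCCESS, 10, "203.0.113.7", "administrator"),  # guessed password works
    _ev(30, FAILED, 10, "198.51.100.20", "jsmith"),        # ordinary single typo
    _ev(45, SUCCESS, 10, "198.51.100.20", "jsmith"),
    _ev(60, FAILED, 2, "127.0.0.1", "operator"),           # console logon, ignored
]

if __name__ == "__main__":
    for f in find_rdp_guessing(SAMPLE):
        print(f["ip"], sorted(f["users"]), "compromised:", f["compromised"])
```

A finding with `compromised` set is the case worth paging on: the guessing succeeded, and the account it names needs its password reset and its session history reviewed.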

Hi, I have been infected with .Arena Ransomware, I paid the ransom and was able to decrypt and recover my files.

I have the encrypted files, the decryptor tool, the hash, and the decrypted files.

I'd like to provide this data to help create a decryption tool. Please let me know where to send this information or contact me via glovagnini@hotmail.com

Regards!

Hello.

Your eagerness to help is greatly appreciated! We have forwarded this information to our anti-malware research team. Please expect further information soon.

Thank you.

On 23/11/2017 at 11:56, glovagnini said:

Hi, I have been infected with .Arena Ransomware, I paid the ransom and was able to decrypt and recover my files.

I have the encrypted files, the decryptor tool, the hash, and the decrypted files.

I'd like to provide this data to help create a decryption tool. Please let me know where to send this information or contact me via glovagnini@hotmail.com

Regards!

For all those asking for the decryptor tool I received from the kidnappers, here is the file:
https://drive.google.com/open?id=1zulSwUmM2gx8w7lYsfWF1wFsW8qFtr6m
 

Apparently the tool first searches for the HASH KEY inside the same infected machine, and when it finishes obtaining the hash, it uses it to decrypt the files.


Anyway, I think the tool only works on my system, unless you have been attacked by the same hacker. In my case the hacker used the email address support@decrypt.ws

Good luck!
