Instructions for users affected by Trojan.Encoder.12544
June 28, 2017
Trojan.Encoder.12544 spreads by exploiting the SMB v1 vulnerability MS17-010 (CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148), which can be leveraged with the NSA "ETERNAL_BLUE" exploit. The Trojan propagates over TCP ports 139 and 445. Because this is a remote code execution vulnerability, an attacker can infect targeted computers over the network.
To regain access to Windows, you need to recover the MBR (you can use the standard procedure in the Recovery Console and launch bootrec.exe /FixMbr).
You can also restore the boot record using Dr.Web LiveDisk — create a bootable CD or USB drive, boot up from that media, launch the Dr.Web scanner, check the compromised hard drive for viruses, and choose Cure for all the infected files.
After that disconnect your PC from the network, boot up, and apply the patch MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
Then install Dr.Web, establish a connection to the Internet, update the virus databases, and run a full system scan.
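An added check (example code, not from the Dr.Web advisory) that an administrator can run on a Windows host before reconnecting it, to confirm the two conditions the Trojan relies on are closed: SMBv1 still offered and MS17-010 not installed. The KB IDs are assumed from the MS17-010 bulletin, and the cmdlets require Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not part of the Dr.Web advisory. Reports whether this host
# still exposes the SMBv1 vector used by Trojan.Encoder.12544 and whether
# MS17-010 is present. Run from an elevated PowerShell session.

# KB IDs assumed from the MS17-010 bulletin. On Windows 10 they are superseded
# by later cumulative updates, so check the OS build if none is listed.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013389')

function Test-Ms17010Installed {
    $installed = (Get-HotFix).HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Get-Smb1Exposure {
    # Server-side SMBv1 setting, optional-feature state, and whether the
    # SMB ports named in the advisory (445 and 139) are being listened on.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $ports   = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 445, 139 } |
        Select-Object -ExpandProperty LocalPort -Unique
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = $(if ($feature) { $feature.State } else { 'Unknown' })
        SmbPortsListening = @($ports)
        Ms17010Installed  = Test-Ms17010Installed
    }
}

function Disable-Smb1 {
    # Stop offering SMBv1 and remove the feature; a reboot completes the removal.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

$state = Get-Smb1Exposure
$state | Format-List
if ($state.Smb1ServerEnabled -or -not $state.Ms17010Installed) {
    Write-Warning 'Host still exposed to the MS17-010 / SMBv1 vector: apply MS17-010 and disable SMBv1.'
    # Disable-Smb1   # uncomment once no legacy clients depend on SMBv1
}
```

Apply the patch first and keep the host off the network until `Ms17010Installed` reports True; disabling SMBv1 removes the vector even where the patch check cannot be resolved on newer builds.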
The Trojan replaces the MBR (Master Boot Record) and schedules a system restart task. After the restart the OS no longer boots because the Master Boot Record has been replaced. Encryption of data begins as soon as the restart is scheduled. A separate AES key is generated for each drive; it stays in memory until the drive is completely encrypted, is then itself encrypted with a public RSA key, and is deleted. If the MBR replacement succeeds, the MFT (Master File Table), which holds the information about every file on an NTFS drive, is also encrypted once the system restarts. Once all these steps are complete, the data can be recovered only with the corresponding private key; without that key no files can be recovered.
As of now, decryption is not available. Our analysts are researching the problem and looking for a solution. We will notify you once a final determination has been made.