Instructions for users affected by Trojan.Encoder.12544
June 28, 2017
Trojan.Encoder.12544 spreads by exploiting the SMB v1 vulnerability - MS17-010 (CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148), which can be leveraged using the NSA "ETERNAL_BLUE" exploit. TCP ports 139 and 445 are used to disperse the Trojan. This “remote code execution” vulnerability enables attackers to remotely infect targeted computers.
To regain access to Windows, you need to recover the MBR (you can use the standard procedure in the Recovery Console and launch bootrec.exe /FixMbr).
You can also restore the boot record using Dr.Web LiveDisk — create a bootable CD or USB drive, boot up from that media, launch the Dr.Web scanner, check the compromised hard drive for viruses, and choose Cure for all the infected files.
After that disconnect your PC from the network, boot up, and apply the patch MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
- Then install Dr.Web, establish a connection to the Internet, update the virus databases, and run a full system scan.
The Trojan replaces the MBR (Master Boot Record), and schedules and executes a system restart task. After that the OS won't boot up because the Master Boot Record has been compromised. Data starts being encrypted as soon as the system restart is scheduled. A separate AES key is generated for each drive. The key persists in the memory until the disk is completely encrypted. It is encrypted using a public RSA key and then deleted. If the MBR is replaced successfully, the MFT file is also encrypted once the system restarts. The file contains information about all the files on an NTFS drive. Once all these procedures are complete, the data can only be recovered using a private key. Therefore, without that key no files can be recovered.
As of now, decryption is not available. Our analysts are researching the problem and looking for a solution. We will notify you once a final determination has been made.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.