New Polish ransomware encrypts files with an AES-256 algorithm that is "impossible to break"

Our sources of information about social engineering attacks are very often readers themselves, but sometimes obtaining from a non-technical person any data that would help identify the malware and warn other readers is harder than you might think. We will not sneer at such people's lack of knowledge, nor will we write guides on "how to save an attachment to the desktop and add the file to a password-protected archive". So, this time without technical details about the malware, we will try to warn against the "Polish ransomware", for which no free decrypter is available yet and it is not known whether one will ever be created.

At the moment, we have managed to obtain only the encrypted files and the message the ransomware leaves in a text file. Note that the strength of AES-256 itself is beside the point: whether a free decrypter ever appears depends on whether the author made mistakes in generating, storing or transmitting the key, not on the cipher.

$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-

P_o_l_s_k_i – – r_a_n_s_o_m_w_a_r_e

Having trouble finding the data you need? Can't open your documents? When you open important files, do you see only a meaningless, strange string of characters?

Your important files have been encrypted!

Your photos, documents and databases have been encrypted with the aes-256 algorithm, which is impossible to break

This method of encrypting document contents is used by intelligence services and the military.

$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$

By the time you read this, the process is complete: the selected files have been encrypted and the program itself has been removed from your computer. Your data can be recovered only with a dedicated decryption program together with a one-time key generated uniquely for you!

We will decrypt two files free of charge so that our words are not empty; for the rest you will have to pay $100

To recover your files, contact us at: Hc9 @ 2.pl or Hc9 @ goat.si

We advise you to decide quickly; 4 days after encryption the fee will be raised to $200.

$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-$$-

When contacting us, remember to provide the computer ID and the date

IDENTIFICATION DATA: IP=victim_public_IP_address ID=victim_identifier Data=date_and_time_of_encryption

Since Polish cybercriminals may well read AVLab, we have redacted the IP address and identifier so that the victim cannot be identified.

Most likely the scam message concerned an electricity or telephone bill, an outstanding invoice, or a bailiff's or pre-litigation demand for payment. Whatever form the pressure takes, whether to open an attachment or to download the "invoice" from a remote server, nowadays you need to treat every such message with suspicion.

We have repeatedly reported, because it is always worth remembering, how to protect data from encryption. Here are some basic and advanced tips for users with varying degrees of technical knowledge.

Antivirus programs are a very effective way of protecting against ransomware, but only those that take a distinctive approach to protection and include functions specialized in blocking ransomware. Among them we count the products of the following companies (in alphabetical order):

Arcabit. For preventive defense against ransomware, and in case something slips through anyway, we recommend Arcabit's solution. This Polish provider of security solutions has developed a special SafeStorage mechanism that allows files to be restored after encryption. Simple and effective: fast, trouble-free data recovery is possible even when the ransomware is completely undetectable to the antivirus engine (that is, when the virus is neither detected nor blocked), and also when the encrypted files are located on network shares. No less important is the blocking of malicious scripts, a simple but extremely effective method that works in practice.

Bitdefender. Bitdefender has one of the best antivirus engines on the market; add to that 500 million protected users (almost as many as Kaspersky Lab and ESET combined) and the popularity of Bitdefender's technology among other manufacturers (F-Secure, G Data, BullGuard, Arcabit, Emsisoft, eScan, Immunet, Qihoo, Quick Heal, ThreatTrack, TrustPort and others), and the result is a top-class solution whose effectiveness is confirmed not only by tests but above all by the opinions of satisfied customers.

Comodo. We have no objections to Comodo's protection programs in their stable versions. Moreover, performance is impressive; it is one of the better-optimized security suites. In the hands of a conscious user, Comodo Internet Security 10 and Comodo Cloud Antivirus guarantee a very high level of security, above all thanks to the automatic sandbox, which is the bane of malware authors.

ESET. ESET's antivirus is a robust package that protects users against various network attack vectors and a wide range of malware. As usual, we have no objections to performance either: it is still pleasant to work with an antivirus that at idle uses little RAM and only a few percent of processor time. ESET's products have repeatedly shown in our tests that the firewall module, often the last line of defense, can be the one that decides whether a threat or malicious hacker activity is blocked.

Kaspersky Lab. This company's products include an Anti-Cryptor module that can restore files after a ransomware attack. This matters greatly to individual users, who need not worry that if their antivirus fails they will be unable to recover their data. Moreover, both consumer and business solutions include the constantly developed System Watcher module, which detects unknown threats (including ransomware) and rolls back the actions performed by malware if an infection does occur. This module was able to detect the WannaCry threat, for example, before antivirus databases were updated. Kaspersky Lab has also recently become, as the sixth company in the world, a member of the CVE Numbering Authorities (CNA) list maintained by the non-profit MITRE Corporation, which operates the Common Vulnerabilities and Exposures (CVE) system for identifying vulnerabilities. Kaspersky Lab gained CNA status in recognition of its research team's expertise and its ongoing process of improving the security of its own products. Its free antivirus, Kaspersky Free, is also not without significance.

SecureAPlus. The UniversalAV scanning technology works very well as a mechanism for effectively detecting a variety of threats, including intrusive and annoying adware. Protection that relies on antivirus engines in the cloud is one of the distinguishing features of SecureAPlus. Moreover, SecureAPlus can be a powerful tool in the fight against malware. The program runs very briskly and causes no performance problems.

SpyShelter. The second Polish-made stronghold program on this list. SpyShelter Firewall is able to completely replace antivirus software. Within the operating system, SpyShelter Firewall in the hands of security practitioners and advanced users is an almost unbreakable stronghold, and all this at a reasonable price. SpyShelter can detect more sophisticated threats, and detect them much earlier, than traditional antivirus software.

Quick Heal. A producer from India that already has official distribution in Poland. In tests carried out by AVLab, Quick Heal products showed very good protection against attacks that exploit software vulnerabilities. Quick Heal Total Security is an interesting offer for supporters of common-sense security. Users, but also administrators, will find very similar protection characteristics in this product. An undoubted advantage of Quick Heal is its ISO 9001, ISO 20000 and ISO 27001 certifications. This is important information for private and public entities that expect a supplier to confirm the effectiveness of its data-security mechanisms as well as the professional delivery of technical support services.

Advanced Tips

If you do not run any scripts on the system, for your own safety you should consider disabling the Windows Script Host interpreters (wscript.exe and cscript.exe, located in C:\Windows\System32). To do this, add a DWORD value named "Enabled" under the "Settings" key and set it to "0":

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings

No less important may be restricting PowerShell scripts, which are very often used by hackers and malware (users do not even realize how many uses PowerShell has in the hands of malware and hacker authors). For Windows 10 Pro users this is possible in the Local Group Policy Editor (gpedit.msc -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell). Bear in mind that the execution policy configured there is not a security boundary: anyone able to start powershell.exe can bypass it, so treat it as a speed bump and rely on AppLocker (below) for actual blocking.

Another good practice is to use AppLocker and add a rule that prevents running files with the ".ps1" extension (that is, PowerShell scripts), as well as permanently blocking other scripts and unsigned applications. These settings can be tailored to individual needs. We recommend activating AppLocker only for advanced Windows users. Two caveats: AppLocker enforces rules only while the Application Identity service is running, and once a rule collection is enforced, anything in that collection not covered by an allow rule is blocked, so keep (or recreate) the default allow rules before adding deny rules.
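The following PowerShell script is added here as a worked example of the two hardening steps above; it is not taken from the AVLab article or from any vendor's tooling. It disables Windows Script Host (in HKCU as the article describes, and also in HKLM so the setting applies to every account), then applies an AppLocker script-rule collection that reproduces the three default allow rules and adds a deny rule for *.ps1 for Everyone. Assumptions: the scratch paths under %TEMP%, the rule GUIDs (arbitrary), and the wildcard path condition "*.ps1", whose matching is confirmed by the Test-AppLockerPolicy dry run before anything is enforced. Run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the AVLab article): disable Windows Script Host and
# deny *.ps1 with AppLocker. Scratch paths and rule GUIDs are hypothetical.

# ---- 1. Windows Script Host (wscript.exe / cscript.exe) --------------------
# HKCU (as in the article) covers the current user only; HKLM covers everyone.
$wshKeys = @(
    'HKCU:\Software\Microsoft\Windows Script Host\Settings',
    'HKLM:\Software\Microsoft\Windows Script Host\Settings'
)
foreach ($key in $wshKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD Enabled=0 makes both hosts refuse every script.
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
    "$key Enabled = " + (Get-ItemProperty -Path $key -Name Enabled).Enabled
}

# Functional check: this harmless probe must now fail with
# "Windows Script Host access is disabled on this machine."
$probe = Join-Path $env:TEMP 'wsh_probe.vbs'            # assumed scratch path
Set-Content -Path $probe -Value 'WScript.Echo "WSH still enabled"'
cscript.exe //Nologo $probe
Remove-Item $probe

# ---- 2. AppLocker: deny PowerShell scripts for Everyone --------------------
# AppLocker only enforces while the Application Identity service runs. Recent
# Windows 10 builds refuse Set-Service on it, so set Start=2 (Automatic) in
# the registry and start it for this session.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc' -Name Start -Value 2
Start-Service -Name AppIDSvc

# Hand-written policy. The three Allow rules reproduce AppLocker's default
# script rules; without them an enforced collection would block *every*
# script, not just .ps1. A Deny rule always overrides Allow rules.
# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="a1b2c3d4-0001-4000-8000-000000000001" Name="(Default Rule) All scripts located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0001-4000-8000-000000000002" Name="(Default Rule) All scripts located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0001-4000-8000-000000000003" Name="(Default Rule) All scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0001-4000-8000-000000000004" Name="Deny all PowerShell scripts" Description="Blocks *.ps1 for every user, administrators included" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="*.ps1" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'deny-ps1.xml'         # assumed scratch path
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: Test-AppLockerPolicy evaluates the XML without applying it.
# Expect PolicyDecision = Denied for the .ps1 and Allowed for winrm.cmd,
# which lives under %WINDIR% and is covered by a default Allow rule.
$sample = Join-Path $env:TEMP 'sample.ps1'
Set-Content -Path $sample -Value 'Write-Host "should be blocked"'
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $sample, (Join-Path $env:WINDIR 'System32\winrm.cmd') |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforce. -Merge keeps any rule collections already configured on the host.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Effective -Xml

# Live check: launching the sample script must now be refused, and the block
# is recorded as event 8007 in the AppLocker "MSI and Script" log.
powershell.exe -NoProfile -File $sample
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents 5 |
    Where-Object Id -eq 8007 | Format-List TimeCreated, Message
Remove-Item $sample
```

Run the dry-run section first and look at the Test-AppLockerPolicy table: if the .ps1 sample is not reported as Denied, the wildcard form is not being matched on that build and the deny rule should be rewritten with explicit folders (for example %OSDRIVE%\Users\* and the temp directories) before enforcement is switched on. The event-log query at the end is the same one a SOC would use to alert on blocked scripts.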

Let us also remember that vigilance alone is not enough to protect yourself, nor is visiting only trusted sites. "Trusted" sites can be hacked, just like the more than 1000 Polish websites that have infected the computers of their visitors with malware.

For more information on combating ransomware, please refer to the article: "Duel of producers: which solution will work in the fight against ransomware?"

No way out?

If you are in a dead-end situation, you have no backup and you need to recover your files, then:

  • You can use the ID Ransomware portal, which in most cases correctly identifies the ransomware family and points you to a decryptor if one exists.
  • If public methods do not bring the expected results, you can contact us and ask for help in decrypting files (this service is paid).



We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.