xw00t

Member (rank: New Member). Content count: 2. Community reputation: 0 Neutral.

Posts by xw00t
  1. Thanks for the quick response. I can see that they came in through RDP and I've disallowed that now. I can also see they created a user called "Marcus"; I've disabled that user and changed all administrative user passwords. I also rebooted the system and I can see that the Marcus user is no longer attached. How do I know if the encryption process is still going?
  2. I have a Windows Server 2008 R2 machine that has been infected with a version of CryptOn (possibly 128), but the decryption process could not find a key. I've identified that it was Cry128 using IDRansom and the corresponding ransom note. I recovered a file from backup that was 2MB in size and dragged it and the corresponding .onion_ encrypted file onto the Cry128.exe file; after 25 minutes it said, "The decryption key for your system could not be found..." Is there any way I can decrypt this, or should I just try restoring from backup? If I restore from backup, won't that include the ransomware? How do I remove it?