TheFallenAngel
Posted October 18, 2016

Hi there,

My Server 2012 R2 got infected today by a Ransomware. No one ever opens files on it so it is strange how it happened but this is what comes up:

------------------------------------------------------------
Your files are encrypted!
Your personal ID: 084343326424307468284028156558470083141882099660579123823813253911259211617343905644081598918783990658308228393801571546846250830333094448548786332447640822051322841041923417168665471376564438826488317461602498821581300955414797490478551074299384054796365816144906570028502623555654754194447491846004057590744448311437909010404128010327440492388296924992972794220432731537823953683495057373297980882118274834923085451961361568507411921918941017736526412519371230392925152005151651034342341537131033983463462781743033051008934672014111901288831137274708863307186525474081631345304441248008396001501273734623338029790991
Your documents, photos, databases, important data were encrypted. Data recovery is required decipherer. To get the interpreter should send an email to [email protected]. Next, you need to pay for the interpreter. In a response letter you will receive the address of Bitcoin-wallet to which you want perform the transfer of funds in the amount of 1 Bitcoin . After transfering the money you necessarily receive decryptor. Do not attempt to restore their files by third-party programs. It will be useless.
If you have no Bitcoin
Create a wallet Bitcoin: https://blockchain.info/ru/wallet/new
Get cryptocurrency Bitcoin: https://localbitcoins.com/buy_bitcoins
About Bitcoin: http://www.coindesk.com/information/what-is-bitcoin/
When the transfer is confirmed, you will get the decryption files for your computer. After start-interpreter program, all your files will be restored.
Attention!
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders are not compatible with other users of your data, because each user's unique encryption key
------------------------------------------------------------

This is the content of a file "How to restore files.hta"; these files are now in almost every folder on the C drive. All encrypted files have the extension .encrypted.

I ran Malwarebytes Premium and it found 3 files that it removed. Possibly the reason why the EEK did not find anything? I also tried to manually find and delete 3410 of those "How to restore files.hta" files.

Now I desperately need help with decrypting my files!

Attachments: scan_161017-212602.txt, FRST.txt, Addition.txt
Kevin Zoll
Posted October 19, 2016

This could be Globe or Globe2.

Globe decrypter: https://decrypter.emsisoft.com/globe
Globe2 decrypter: https://decrypter.emsisoft.com/globe2
Kevin Zoll
Posted October 24, 2016

Thread Closed
Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
TheFallenAngel
Posted November 7, 2016

> This could be Globe or Globe2.
> Globe decrypter: https://decrypter.emsisoft.com/globe
> Globe2 decrypter: https://decrypter.emsisoft.com/globe2

Hi Kevin,

Thank you for the suggestion! Unfortunately both decrypters were unsuccessful. The updated version of Trend Micro's Decryptor did not work either, so it must be some new ransomware version.. Based on the extension I am not even sure if it's a Globe..

Any help will be greatly appreciated! (all required information and files are attached to the OP)
Kevin Zoll
Posted November 7, 2016

Try the Apocalypse and ApocalypseVM decryption tools.

Apocalypse: https://decrypter.emsisoft.com/apocalypse
ApocalypseVM: https://decrypter.emsisoft.com/apocalypsevm
TheFallenAngel
Posted November 10, 2016

Kevin, THANK YOU - the ApocalypseVM decrypter WORKED!

You could add to the write-up the file name "How to restore files.hta" and the email [email protected] so others could find it.
Kevin Zoll
Posted November 10, 2016

> Kevin, THANK YOU - the ApocalypseVM decrypter WORKED!
> You could add to the write-up the file name "How to restore files.hta" and the email [email protected] so others could find it.

I'll suggest that the write-up be updated to reflect that.
Kevin Zoll
Posted November 10, 2016

I would like to get some logs and see if I can find the ransomware installer on the server. The tool developer would like to get a copy if it can be located.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
TheFallenAngel
Posted November 11, 2016

> I would like to get some logs and see if I can find the ransomware installer on the server. The tool developer would like to get a copy if it can be located.
> For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
> For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.
> Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
> Double-click to run it. When the tool opens, click Yes to the disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

The server is now rebuilt and I can not do this any longer. BUT I do have all those files originally attached to my original post above.

On another note - do you know how that ransomware would get on my Server 2012 R2, considering it is not a domain server and no one opens emails or runs things directly on it.. I read somewhere that someone got in through RDP but I hope that's not the case since I use a non-standard port and a pretty secure password.. So how does that ransomware get onto the machine (what ways are there)?

Cheers,
Alex
Kevin Zoll
Posted November 11, 2016

It may have been an RDP attack. Make sure RDP is configured correctly on the server. If it was an RDP attack, then the installer would not be on the system any longer. It would have been deleted after encryption. Your FRST logs give no indication of how the system was compromised or that the installer is still present.
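The RDP hypothesis in the reply above can be checked from the host itself before it is rebuilt. The following read-only script is an added example, not something posted in the thread or shipped with any of the tools named here; it assumes an elevated PowerShell prompt on the Server 2012 R2 box, that the Security log still covers the incident window, and that the 30-day lookback is a constructed value. It reports the RDP listener settings, groups failed logons by source address (a non-default port does not stop password guessing), lists successful RDP logons, and finds the earliest "How to restore files.hta" so its creation time can be lined up against those logons.

```powershell
# Added example (not from the thread): read-only RDP exposure and timeline
# check for a Windows Server 2012 R2 host. Run from an elevated prompt.
$Since = (Get-Date).AddDays(-30)   # constructed lookback window

# 1. RDP listener settings (Terminal Server registry values).
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
[pscustomobject]@{
    RdpEnabled    = (Get-ItemProperty $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    Port          = (Get-ItemProperty $tcp -Name PortNumber).PortNumber
    NlaRequired   = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1
    SecurityLayer = (Get-ItemProperty $tcp -Name SecurityLayer).SecurityLayer   # 2 = TLS only
} | Format-List

# Helper: flatten the EventData of a Security event into a hashtable.
function Get-EventData($Event) {
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 2. Failed logons (4625) grouped by source address: many failures from one
#    address in a short time is the brute-force signal, whatever the port.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_
        [pscustomobject]@{ Time=$_.TimeCreated; User=$d.TargetUserName; Ip=$d.IpAddress } } |
    Group-Object Ip | Sort-Object Count -Descending |
    Select-Object -First 10 -Property Count, Name | Format-Table -AutoSize

# 3. Successful RDP logons (4624 with LogonType 10) in the same window.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_
        if ($d.LogonType -eq '10') {
            [pscustomobject]@{ Time=$_.TimeCreated; User=$d.TargetUserName; Ip=$d.IpAddress } } } |
    Format-Table -AutoSize

# 4. Earliest ransom note on C:, the lower bound on when encryption started;
#    compare its CreationTime with the logons listed in step 3.
Get-ChildItem 'C:\' -Recurse -Filter 'How to restore files.hta' -ErrorAction SilentlyContinue |
    Sort-Object CreationTime | Select-Object -First 1 -Property FullName, CreationTime
```

Audit of failed logons must be enabled for 4625 events to exist; if the ransomware cleared the Security log, steps 2 and 3 return nothing and only the file timestamps in step 4 remain.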