
"How to restore files.hta" files in every folder and encrypted files with extension .encrypted



Hi there,

My Server 2012 R2 got infected today by a Ransomware. No one ever opens files on it so it is strange how it happened but this is what comes up:

 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Your files are encrypted!
Your personal ID:
084343326424307468284028156558470083141882099660579123823813253911259211617343905644081598918783990658308228393801571546846250830333094448548786332447640822051322841041923417168665471376564438826488317461602498821581300955414797490478551074299384054796365816144906570028502623555654754194447491846004057590744448311437909010404128010327440492388296924992972794220432731537823953683495057373297980882118274834923085451961361568507411921918941017736526412519371230392925152005151651034342341537131033983463462781743033051008934672014111901288831137274708863307186525474081631345304441248008396001501273734623338029790991
Your documents, photos, databases, important data were encrypted.
Data recovery is required decipherer.
To get the interpreter should send an email to [email protected].
Next, you need to pay for the interpreter. In a response letter you will receive the address of Bitcoin-wallet to which you want perform the transfer of funds in the amount of 1 Bitcoin.

After transfering the money you necessarily receive decryptor. Do not attempt to restore their files by third-party programs. It will be useless.

If you have no Bitcoin
When the transfer is confirmed, you will get the decryption files for your computer.
After start-interpreter program, all your files will be restored.
Attention!
  • Do not attempt to remove the program or run the anti-virus tools
  • Attempts to self-decrypting files will result in the loss of your data
  • Decoders are not compatible with other users of your data, because each user's unique encryption key

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

This is the content of the file "How to restore files.hta"; these files are now in almost every folder on the C drive. All encrypted files have the extension .encrypted.

I ran Malwarebytes Premium and found 3 files that it removed. Possibly the reason why the EEK did not find anything? I also tried to manually find and delete 3410 of those How to restore files.hta files.

 

Now I desperately need help with decrypting my files! :(

 

scan_161017-212602.txt

FRST.txt

Addition.txt

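The post above describes the two artefacts that identify this infection on disk: one ransom note per folder and a fixed extension appended to every encrypted file. Before anything is deleted (the 3410 HTA files were removed by hand here), an incident responder wants an inventory: how many files, which folders, which original file types, and the time window in which encryption ran, since that window is where to look for the logon that preceded it. The following PowerShell script is an added example written for this thread; it is not code from the original post or from any tool named in it. It is read-only and deletes nothing. It assumes the note name and extension quoted in the post; the scan root, report path and everything else are parameters you set.

```powershell
# Added example for this thread, not code from the original post or from any tool it names.
# Read-only triage of a host showing the symptoms described above: one ransom note per
# folder and a fixed extension appended to encrypted files. It deletes nothing; it counts,
# brackets the time window in which encryption ran, and hashes the note copies so that
# an analyst receives one sample with its hash instead of thousands of identical files.
# Assumed: the note name and extension from the post; root and report path are parameters.
param(
    [string]$Root      = 'C:\',
    [string]$NoteName  = 'How to restore files.hta',
    [string]$Extension = '.encrypted',
    [string]$Report    = "$env:USERPROFILE\Desktop\ransom-triage.csv"
)

$files     = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue
$notes     = @($files | Where-Object { $_.Name -eq $NoteName })
$encrypted = @($files | Where-Object { $_.Extension -eq $Extension })

"Ransom notes    : {0}" -f $notes.Count
"Encrypted files : {0}" -f $encrypted.Count

if ($encrypted.Count -gt 0) {
    # Earliest and latest write times on encrypted files bracket the encryption run;
    # that window is where to look in the Security log for the logon that preceded it.
    $sorted = @($encrypted | Sort-Object LastWriteTime)
    "Encryption ran  : {0:u} -> {1:u}" -f $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime

    # Top-level folders hit hardest, which helps decide the restore order from backup.
    $prefix = $Root.TrimEnd('\').Length + 1
    $encrypted | Group-Object { $_.FullName.Substring($prefix).Split('\')[0] } |
        Sort-Object Count -Descending | Select-Object -First 10 Name, Count |
        Format-Table -AutoSize | Out-String

    # The original extension survives in the name (report.docx.encrypted), so this
    # shows which file types the ransomware targeted.
    $encrypted | Group-Object { [IO.Path]::GetExtension($_.BaseName) } |
        Sort-Object Count -Descending | Select-Object -First 10 Name, Count |
        Format-Table -AutoSize | Out-String
}

if ($notes.Count -gt 0) {
    # Every note copy should hash identically; a copy that differs deserves a closer look.
    $hashed = $notes | Select-Object FullName, Length, CreationTime,
        @{n='SHA256'; e={ (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash }}
    "Distinct note variants: {0}" -f @($hashed | Group-Object SHA256).Count
    $hashed | Export-Csv -Path $Report -NoTypeInformation
    "Note inventory written to $Report"
}
```

Run it as `.\triage.ps1 -Root 'D:\'` for each volume that was hit. Hashing is limited to the note files on purpose: the encrypted files are numerous and large, and what an analyst needs from the notes is a single sample plus proof that all copies are the same. Keep the CSV with the FRST logs; the earliest LastWriteTime it reports is the timestamp to compare against logon events when looking for the initial access.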
2 weeks later...

This could be Globe or Globe2.

Globe decrypter: https://decrypter.emsisoft.com/globe

Globe2 decrypter: https://decrypter.emsisoft.com/globe2

Hi Kevin,

 

Thank you for the suggestion! Unfortunately both decrypters were unsuccessful :(

The updated version of Trend Micro's Decryptor did not work either, so it must be some new ransomware version. Based on the extension I am not even sure if it's a Globe.

 

Any help will be greatly appreciated!

 

(all required information and files are attached to the OP)


I would like to get some logs and see if I can find the ransomware installer on the server. The tool developer would like to get a copy if it can be located.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


 

 

The server is now rebuilt and I can not do this any longer. BUT I do have all those files originally attached to my Original post above.

On another note - do you know how would that ransomware get on my server 2012 R2 considering it is not a domain server, no one opens emails or runs things directly on it? I read somewhere that someone got in through RDP but I hope that's not the case since I use a non-standard port and a pretty secure password. So how does that ransomware get onto the machine (what ways are there)?

 

Cheers,

Alex


It may have been an RDP attack. Make sure RDP is configured correctly on the server.

If it was an RDP attack, then the installer would not be on the system any longer. It would have been deleted after encryption. Your FRST logs give no indication how the system was compromised or that the installer is still present.

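The exchange above ends with two open points: whether RDP on the server is configured correctly, and whether the compromise came in over RDP at all, given that the installer would have removed itself after encryption. Both can still be answered from a live or imaged system even when the installer is gone, because the registry holds the RDP configuration and the Security log holds the logon history. The following PowerShell script is an added example written for this thread, not code from any of the posts. It checks the RDP settings that matter (NLA and TLS, which a non-standard port does not replace) and reads 4624/4625 events to show password-guessing runs and the remote interactive logons that preceded encryption. It assumes it is run in an elevated PowerShell on the affected server; the lookback window and failure threshold are parameters, and the event field parsing follows the standard Windows event schema rather than anything specific to this incident.

```powershell
# Added example for this thread, not code from the original posts. It checks whether
# RDP is configured the way the reply recommends, and whether the Security log shows
# the password-guessing that typically precedes an RDP-based ransomware deployment.
# Run in an elevated PowerShell on the affected server. Assumed: $Days and $Threshold
# are parameters; 4624/4625 parsing follows the standard event schema.
param([int]$Days = 14, [int]$Threshold = 20)

# --- 1. Configuration. A non-standard port only hides RDP from a casual scan; NLA
#        (credentials checked before a session is built) and TLS are what matter.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
@(
    [pscustomobject]@{ Check='RDP port (informational)';          Value=$rdp.PortNumber;         OK=$true }
    [pscustomobject]@{ Check='NLA required (UserAuthentication)'; Value=$rdp.UserAuthentication; OK=($rdp.UserAuthentication -eq 1) }
    [pscustomobject]@{ Check='SecurityLayer (2 = TLS)';           Value=$rdp.SecurityLayer;      OK=($rdp.SecurityLayer -eq 2) }
) | Format-Table -AutoSize | Out-String
# Lockout policy bounds how many guesses an attacker gets per account.
(net accounts) -match 'Lockout threshold'

# --- 2. Logon events, flattened from their XML into one row per event.
$events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time=$e.TimeCreated; Id=$e.Id; LogonType=$d['LogonType']; User=$d['TargetUserName']; Source=$d['IpAddress'] }
}

# Many failures from one address across many user names is a password-guessing run.
"Sources with >= $Threshold failed logons (4625) in the last $Days days:"
$rows | Where-Object { $_.Id -eq 4625 -and $_.Source -and $_.Source -notin '-', '127.0.0.1', '::1' } |
    Group-Object Source | Where-Object Count -ge $Threshold | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n='DistinctUsers'; e={ @($_.Group.User | Sort-Object -Unique).Count }} |
    Format-Table -AutoSize | Out-String

# Successful interactive RDP logons (type 10) and session reconnects (type 7): the one
# that falls just before the first encrypted file's timestamp is the likely initial access.
"Remote interactive logons (4624, LogonType 10/7):"
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '10','7' } |
    Sort-Object Time | Select-Object Time, User, Source | Format-Table -AutoSize | Out-String
```

Two caveats apply when reading the output. A failure count of zero does not clear RDP if the Security log has wrapped or was cleared, so check the log's oldest record time as well. And with NLA enabled, failed RDP attempts are logged as LogonType 3 rather than 10, which is why the failure query groups by source address without filtering on logon type.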