xw00t

Server 2008 CryptOn Infection : Cry128.exe Didn't Work : Please Help


I have a Windows Server 2008 R2 machine that has been infected with a version of CryptOn (possibly 128), but the decryption process could not find a key. I identified it as Cry128 using IDRansom and the corresponding ransom note. I recovered a 2 MB file from backup and dragged it and the corresponding .onion_ encrypted file onto Cry128.exe; after 25 minutes it said, "The decryption key for your system could not be found ...."

Is there any way I can decrypt this or should I just try restoring from backup?

If I restore from backup, won't that include the ransomware? How do I remove it?


If your backup was made after you were infected... then yeah, I guess it would include the ransomware. And I guess it depends on how the ransomware got in in the first place.

If your file pairs have a 36-byte difference in size, then you probably have Cry36 or similar. At least that's what we victims are calling it. We're here. But ID Ransomware says ours is Cry9, even though it isn't. It doesn't mention 128.

Either way, I haven't heard of that decryptor working for anyone who has our variation types. So there's nothing to do for it at the moment. If you can get your files back from a backup, I think you should. If you can't restore from a backup image, wipe the drive and do a new OS install, because there are a lot of holes that they open up in the TCP/firewall settings. Not to mention the bitcoin miner they install.


Thanks for the quick response.

I can see that they came in through RDP and I've disallowed that now. I can also see they created a user called "Marcus"; I've disabled that user and changed all administrative user passwords. I also rebooted the system and I can see that the Marcus user is no longer attached.

How do I know if the encryption process is still going?


I'm really not sure how to know if it's still going. If you go to the thread I mentioned, though, you can look for the TCP/firewall settings that were changed on some users' systems. You can also see the registry entries for the bitcoin miner it installed.

Emsisoft has a free Emergency Kit here. It has a command line utility that can be run from DOS. You can usually get into DOS from the Recovery Mode menus before startup. F8 works most of the time... but systems are different when it comes to that stuff.

I used EaseUS Data Recovery to get some files off my C: drive, then just reformatted mine. I'm not really good enough to go around plugging up holes after they made Swiss cheese out of it.

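The two questions raised above (is the encryption still running, and what did the RDP intruder change in accounts, firewall rules and persistence locations) can be answered from the box itself before the rebuild. The script below is an added example, not code from the thread or from any poster. It is written for PowerShell 2.0 so it runs on a stock Server 2008 R2 install from an elevated prompt. It assumes encrypted files end in ".onion_" as the original poster describes; the scan root, the sample interval and the report path are arbitrary defaults, not values from the posts.

```powershell
# Added triage script, not from the original thread. Targets PowerShell 2.0 so it runs on
# a stock Server 2008 R2 box; run it from an elevated prompt. Assumptions: encrypted files
# end in ".onion_" as the poster describes; the scan root, sample interval and report path
# are arbitrary defaults, not values from the posts.
param(
    [string]$ScanRoot      = "D:\Data",
    [int]   $SampleSeconds = 120,
    [string]$Report        = "C:\triage-report.txt"
)
Start-Transcript -Path $Report   # everything printed below is captured for later review

# --- 1. Is encryption still running? Count .onion_ files twice and compare. ----------
function Get-EncryptedSnapshot([string]$Root) {
    # A full recursive walk of a large data volume can take several minutes.
    $files = @(Get-ChildItem -Path $Root -Recurse -Force -Filter "*.onion_" -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    $newest = $null
    if ($files.Count -gt 0) { $newest = ($files | Sort-Object LastWriteTime -Descending)[0].LastWriteTime }
    New-Object PSObject -Property @{ Count = $files.Count; Newest = $newest }
}
"`n== Encryption activity under $ScanRoot =="
$first = Get-EncryptedSnapshot $ScanRoot
Start-Sleep -Seconds $SampleSeconds
$second = Get-EncryptedSnapshot $ScanRoot
if ($second.Count -gt $first.Count -or ($second.Newest -ne $null -and $second.Newest -gt $first.Newest)) {
    "STILL ACTIVE: $($first.Count) -> $($second.Count) .onion_ files in $SampleSeconds s"
    # The encryptor should be near the top of the processes writing to disk right now.
    Get-WmiObject Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -notmatch '^(_Total|Idle)$' } |
        Sort-Object IOWriteBytesPersec -Descending |
        Select-Object -First 5 Name, IDProcess, IOWriteBytesPersec | Format-Table -AutoSize
} else {
    "No new .onion_ files in $SampleSeconds s (count $($second.Count), newest $($second.Newest))"
}

# --- 2. RDP exposure: the entry point the poster identified. -------------------------
"`n== RDP =="
$ts  = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdp = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
"fDenyTSConnections = $($ts.fDenyTSConnections)  (1 = RDP disabled)"
"UserAuthentication = $($rdp.UserAuthentication)  (1 = NLA required)"
"Listening on 3389:"; netstat -ano | Select-String ":3389\s+\S+\s+LISTENING"

# --- 3. Accounts and logons: rogue users like "Marcus", and where RDP logons came from. ---
"`n== Local accounts and administrators =="
net user
net localgroup administrators
"`n== Account creation (4720), group additions (4732), RDP logons (4624 type 10), last 30 days =="
Get-EventLog -LogName Security -InstanceId 4720,4732,4624 -After (Get-Date).AddDays(-30) -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -ne 4624 -or $_.Message -match "Logon Type:\s+10" } |
    ForEach-Object {
        $src = ""
        if ($_.Message -match "Source Network Address:\s+(\S+)") { $src = $matches[1] }
        "{0}  {1}  {2}  {3}" -f $_.TimeGenerated, $_.InstanceId, $src, ($_.Message -split "`n")[0]
    }

# --- 4. Firewall: inbound allow rules the intruder may have added. ------------------
"`n== Inbound firewall rules (review anything you did not create) =="
netsh advfirewall show allprofiles state
netsh advfirewall firewall show rule name=all dir=in | Select-String "^(Rule Name|Enabled|Action|LocalPort|Program):"

# --- 5. Persistence: Run keys, scheduled tasks, services outside the usual trees (miner). ---
"`n== Persistence =="
foreach ($key in "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
                 "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                 "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run") {
    if (Test-Path $key) { "[$key]"; Get-ItemProperty $key | Select-Object * -ExcludeProperty PS* | Format-List }
}
schtasks /query /fo LIST /v | Select-String "^(TaskName|Task To Run|Run As User|Author):"
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap

Stop-Transcript
```

Run it as `.\triage.ps1 -ScanRoot D:\Shares` (with `Set-ExecutionPolicy RemoteSigned` or `-ExecutionPolicy Bypass` if scripts are blocked) and read the transcript offline. Two caveats: the .onion_ count only proves encryption is active if the attacker's process is still running on this host, so a quiet two minutes is not a clean bill of health, and the Security log only answers the logon questions if auditing was enabled before the intrusion. None of this replaces the rebuild the other replies recommend; it tells you which accounts, rules and tasks not to carry across when you restore.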

In general if you have a backup, I would restore it. After the server has been compromised, it is probably best to reinstall it. You never know what they did to the system and there are lots of very subtle backdoors they may have placed on the system. Better to be safe than sorry.

