Bernard Lim, posted March 30, 2021:

Hi, my ext hdd containing my company's server image got encrypted. I tried contacting the people who encrypted my files and I could not get a response from them. I have attached a copy of the ransomware note and a sample file. Would appreciate it if anyone could help; I'm willing to give some reward for the effort. Thank you so much.

Read Me Please!.HtA Backup_Error-01-01-2018_13-00-10.log.[[email protected]]

GT500, posted March 31, 2021:

ID Ransomware says the bitcoin address is the same as the one used by Phobos, however I don't think that's actually what it is. Since this appears to be a corporate request, I recommend going through our paid ransomware recovery service, especially since I'm not certain exactly what ransomware you're dealing with yet: https://www.emsisoft.com/en/ransomware-recovery-services/

Bernard Lim, posted March 31, 2021:

Hi, thank you for your response. I followed your link and unfortunately it gave me this message: 'Based on your provided information we were able to identify your ransomware as “Phobos”. Unfortunately, this ransomware can’t be decrypted at all. Please reach out to our friends at Coveware to discuss your options.'

GT500, posted April 1, 2021:

I still don't think it's Phobos, however I will ask for confirmation. Go ahead and contact Coveware if you haven't already, as they may be able to help if it does turn out to be Phobos.

Bernard Lim, posted April 1, 2021:

Thank you for your help, I hope to hear from you soon. And I'll be contacting Coveware as well. Lastly, thank you so much for helping.

Demonslay335, posted April 1, 2021 (edited April 1, 2021 by Demonslay335):

It's actually GlobeImposter 2.0 (identification on ID Ransomware has been fixed). Same outcome though, only the criminals have the private key(s) to decrypt your files.