Was the system that was hit a server? Does it have any remote capability such as RDP, TeamViewer, or an exposed JBoss program? Just going over some common vectors of attack for the variant I'm suspecting this may be. Possible they manually attacked the server and deleted any trace of the malware.
P.S. I fixed the bug with ID Ransomware and was able to retrieve the files you uploaded; silly default chmod made the files invisible to me, lol.
Our entire environment was hit... over 100 servers and over 100 desktops/laptops. One of our servers does run JBoss on it, and that particular server actually appeared to have been compromised where someone was logging in using one of our domain admin accounts and they installed TeamViewer and a few other apps. We thought we had that under control a few weeks ago, but then boom, here we are. I checked to see if the user had logged in again, and once again they had, but this time they had created a new local account and ran Hyena to figure out all our machine names/etc. Sadly, all the stuff we did to prevent them from connecting again didn't help, even resetting the passwords/etc. I'm not 100% sure the ransomware came from that particular instance, but having stuff like Hyena installed, and reports left behind of all our machine names, makes me think it probably is related.
Weird. Did you see the contents of the unreg.bat.encryptedRSA you uploaded? Looks like RSA data, but I think it would need a key to decrypt. I'll play with it, but I'm not sure if it's useful or not at this point.
I may have found a sample using a string from that file. Can you search for a "jingakonz.exe" on the system? It was submitted to Malwr today. I'll be decoding it here shortly to see if it matches.
I'll check on this jingakonz.exe tomorrow. I never really looked at the encrypted files... but I did forget that on every single machine, under the sys32 folder, there is a publickey in there with the computer name in the filename. It may help to determine what's going on... or at least to help identify this for other forum members going forward.
Ok, I confirmed the sample, the ransom note and file extension match yours. The RSA bit I mention above is embedded in encrypted files, and has to be decrypted with their RSA key to get the AES key that encrypts the file. I forgot this variant does that. Definitely a variant of MIKOPONI/Sam. No solution at this time I'm afraid.
They definitely had access to your server. This ransomware is manually run with command line arguments; they pass the public key to it through an XML file. It does delete itself with a batch file afterwards.
More details in my analysis in another topic: http://www.bleepingcomputer.com/forums/t/607818/encedrsa-ransomware-support-and-help-topic-help-decrypttxt/#entry3957811
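Given the artifacts the posters describe (the `.encryptedRSA` extension, a publickey file under System32 named after the machine, and leftover batch/executable names), a small triage walk is useful for confirming scope across many hosts. This is an added example for defenders, not code from the thread or from the malware analysis; the indicator list is taken only from the names mentioned above, and `demo()` builds a constructed sample tree in a temp directory so it runs offline.

```python
import os
import socket
import tempfile
from pathlib import Path

# Indicators quoted in the thread above (lowercased for case-insensitive matching).
ENCRYPTED_EXT = ".encryptedrsa"
SUSPICIOUS_NAMES = {"jingakonz.exe", "btc64.exe", "del.bat", "sqldelt.exe", "unreg.bat"}


def triage(root, hostname=None):
    """Walk `root` and collect three kinds of findings:
    - files carrying the ransomware extension,
    - leftover tooling/batch artifacts by exact file name,
    - any 'publickey' file whose name also contains the host name.
    `hostname` defaults to the local machine name; pass it explicitly when
    scanning a mounted image or backup snapshot of another host."""
    hostname = (hostname or socket.gethostname()).lower()
    findings = {"encrypted": [], "artifacts": [], "pubkeys": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            if low.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(path)
            if low in SUSPICIOUS_NAMES:
                findings["artifacts"].append(path)
            if "publickey" in low and hostname in low:
                findings["pubkeys"].append(path)
    return findings


def demo():
    """Constructed sample tree (hypothetical host FILESRV01) mirroring the thread's
    observations, triaged in a temporary directory."""
    sample_files = [
        "Windows/System32/publickey_FILESRV01.txt",  # key file named after the host
        "Windows/System32/del.bat",                   # self-delete batch leftover
        "Users/Public/report.docx.encryptedRSA",      # encrypted user document
        "Users/Public/unreg.bat.encryptedRSA",        # encrypted file seen in the thread
        "Temp/jingakonz.exe",                         # sample named by the analyst
        "Temp/notes.txt",                             # benign file, should not match
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample_files:
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed placeholder content")
        return triage(tmp, hostname="FILESRV01")
```

Run `demo()` to see the three buckets; on a live host call `triage(r"C:\")` with the default hostname.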
Yeah, I was afraid of that... also we did notice btc64.exe on some machines, and I think there was a del.bat left behind on some machines.
I really appreciate everything you've done thus far. Hopefully we get a fix on this soon... we have a lot of upset employees around here, lol.
**EDIT** - I checked your other post and it made me think this - If by chance the encryption key file was backed up with our Appassure snapshot software, do you think you could use that file to generate something to decrypt the files? Let me know... I doubt it would have grabbed it, and it would be a needle in a haystack, but I think it would be worth the while to see. Also, do you have any clues where the key would have been stored during this process? I would assume that it would most likely be stored in the same folders that were used for the del.bat, sqldelt.exe, and whatever else...?
Edited by rclinard, 29 March 2016 - 10:31 PM.