Your Hard Drive Is Securely Encrypted


4 replies to this topic

#1 MisguidedMystery

  • Members
  • 1 posts

Posted 17 May 2016 - 12:14 PM

I have a client with a server that is unable to boot due to ransomware.
 
This is the message that they receive:

"Your hard drive is securely encrypted. To buy password send an email to drake117@sigaint.org with code 1978."

 

A PC attached to the same network has also booted with a similar message, but it states "for free password" e-mail the same address with the same code.

 

Has anyone else experienced this type/variant of ransomware?

 

I found another article that references something similar:

http://www.bleepingcomputer.com/forums/t/603409/encrypted-boot-ransomware-support-topic/

 

Thanks!

 

[Attachment: IMG_9482.jpg]


Edited by MisguidedMystery, 17 May 2016 - 12:22 PM.



 


#2 bnxmike

  • Members
  • 1 posts

Posted 21 May 2016 - 02:19 PM

I have a client that just got this message, the only difference being the code. The client is in the process of contacting the ransomer (?) to determine what the cost will be. I would love to know if anyone got anything from anon1234anon's link from the post you referenced. I find it odd that the post has not been updated since.

We have some more information. This is not a new ransomware. In our case it was an example of social engineering, gaining remote access, password guessing, sysadmin tools such as PsExec, and the open source disk encryption tool DiskCryptor (dcrypt.exe). https://diskcryptor.net/wiki/Main_Page

Basically, the hacker tricked someone into giving him access. Once he had remote access he stayed silent and guessed the password to an account with domain admin access. Once he had that he downloaded DiskCryptor and PsExec. He installed PsExec as a service and copied dcrypt.exe to each computer. Finally, he used scripting to instruct each computer to perform a full disk encryption operation. I have uploaded screenshots of the hacker's staging folder containing his tools (dcrypt.exe + psexesvc.exe) and the decryption tool being used to decrypt the disks here.

https://www.dropbox.com/sh/cxbvrrpyu5u2g5o/AACcHu8Mwae32XbYv8bIH9Q-a?dl=0
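The chain bnxmike describes (PsExec dropped as a service, then dcrypt.exe pushed to every machine and run) leaves a recognisable trace in Windows logs: a "service installed" event (System log ID 7045) for PSEXESVC followed within seconds by a process-creation event (Security log ID 4688) for dcrypt.exe, repeated across many hosts in a short window. The Python below is an added detection sketch written for this thread; it is not code from the post, from DiskCryptor or from Sysinternals. The event IDs are the real Windows ones, but the record layout, the host names, the staging path and the timestamps are constructed for the example.

```python
"""Detection sketch for the PsExec + DiskCryptor mass-encryption chain.

Constructed sample events (not real logs). Each record carries the fields a
SIEM would normalise out of Windows event logs:
  7045 = System log "a service was installed in the system"
  4688 = Security log "a new process has been created"
"""
import os
from datetime import datetime, timedelta

PSEXEC_SERVICE = "psexesvc"          # service name PsExec registers on the target
ENCRYPTOR_IMAGES = {"dcrypt.exe"}    # DiskCryptor binary named in the post


def ev(ts, host, event_id, **data):
    """Build one constructed event record."""
    return {"ts": ts, "host": host, "event_id": event_id, "data": data}


# Constructed sample: three hosts hit in two minutes, plus one benign PsExec
# use a day earlier (an admin running ipconfig remotely, no encryptor after it).
SAMPLE_EVENTS = [
    ev("2016-05-20T22:01:10", "FS01", 7045, service="PSEXESVC", path=r"C:\Windows\PSEXESVC.exe"),
    ev("2016-05-20T22:01:12", "FS01", 4688, image=r"C:\staging\dcrypt.exe", parent=r"C:\Windows\PSEXESVC.exe"),
    ev("2016-05-20T22:01:30", "WS07", 7045, service="PSEXESVC", path=r"C:\Windows\PSEXESVC.exe"),
    ev("2016-05-20T22:01:33", "WS07", 4688, image=r"C:\staging\dcrypt.exe", parent=r"C:\Windows\PSEXESVC.exe"),
    ev("2016-05-20T22:02:05", "WS12", 7045, service="PSEXESVC", path=r"C:\Windows\PSEXESVC.exe"),
    ev("2016-05-20T22:02:08", "WS12", 4688, image=r"C:\staging\dcrypt.exe", parent=r"C:\Windows\PSEXESVC.exe"),
    ev("2016-05-19T09:15:00", "WS03", 7045, service="PSEXESVC", path=r"C:\Windows\PSEXESVC.exe"),
    ev("2016-05-19T09:15:02", "WS03", 4688, image=r"C:\Windows\System32\ipconfig.exe", parent=r"C:\Windows\PSEXESVC.exe"),
]


def basename_lower(path):
    """Case-insensitive file name from a Windows path, even when run on POSIX."""
    return os.path.basename(path.replace("\\", "/")).lower()


def classify(event):
    """Tag one event as a PsExec service install, an encryptor launch, or nothing."""
    data = event["data"]
    if event["event_id"] == 7045 and data.get("service", "").lower() == PSEXEC_SERVICE:
        return "psexec_service"
    if event["event_id"] == 4688 and basename_lower(data.get("image", "")) in ENCRYPTOR_IMAGES:
        return "encryptor_exec"
    return None


def encryptor_launches_via_psexec(events, max_gap=timedelta(seconds=120)):
    """Return (host, time) for each dcrypt.exe launch that is a child of PSEXESVC
    or follows a PSEXESVC install on the same host within max_gap."""
    installs = {}  # host -> time of most recent PSEXESVC install
    hits = []
    for event in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(event["ts"])
        tag = classify(event)
        if tag == "psexec_service":
            installs[event["host"]] = ts
        elif tag == "encryptor_exec":
            parent = basename_lower(event["data"].get("parent", ""))
            parent_is_psexec = parent == PSEXEC_SERVICE + ".exe"
            recent_install = event["host"] in installs and ts - installs[event["host"]] <= max_gap
            if parent_is_psexec or recent_install:
                hits.append((event["host"], ts))
    return hits


def mass_encryption_alert(events, window=timedelta(minutes=10), min_hosts=2):
    """Alert when the chain fires on at least min_hosts distinct hosts inside
    one sliding window; a single host is more likely an admin test."""
    hits = sorted(encryptor_launches_via_psexec(events), key=lambda h: h[1])
    for i, (_, start) in enumerate(hits):
        hosts = {host for host, t in hits[i:] if t - start <= window}
        if len(hosts) >= min_hosts:
            return {"alert": True, "hosts": sorted(hosts), "first_seen": start.isoformat()}
    return {"alert": False, "hosts": [], "first_seen": None}


if __name__ == "__main__":
    print(mass_encryption_alert(SAMPLE_EVENTS))
```

The per-host rule alone is noisy, because PsExec is a legitimate admin tool; what separates this incident from routine use is the same tool-then-encryptor pair landing on many hosts inside minutes, which is why the alert is only raised by the cross-host correlation. Feeding the same two rules with 7045 and 4688 records from a real collector is the natural next step.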

 

 



#3 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 May 2016 - 02:33 PM

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate button]

#4 JayGruber

  • Members
  • 4 posts

Posted 13 September 2016 - 03:31 AM

Post moved to "Encrypted Boot Ransomware Support & Help Topic."


Edited by JayGruber, 13 September 2016 - 05:16 AM.


#5 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 September 2016 - 06:47 AM

Ok.
