Hi all, last night around 8pm EST almost every one of our servers reported malware, 1.exe or 2.exe, in temp folders.
Unfortunately a few servers had limited a/v on, namely Exchange and SQL. We have snapshot backups of the VMs, but I thought I would look into it.
So what we have is a completely encrypted drive and a locked boot sector asking to email them and tell them what the code is. I googled around for this and didn't find any reference to it anywhere. I don't know if I can attach it here, but basically the boot screen just says this:
H.D.D. Encrypted, Contact Us for Decryption Key(CRYPTOM27@yandex.com) YOURID: 123181, Enter Key:
On the few devices that were infected, the keycode is the same. We set up a Gmail account and emailed the above, to try to gain better insight. If I mount the drives in a clean system they come up as RAW unformatted, so this isn't like a boot sector virus.
Also, this hit a workgroup computer that had its firewall off and was not part of the domain. It did have the same credentials as the admin account (it was in staging), so whatever this was, it scanned out and tried to attach to \\ip\c$ or something and drop the file. It didn't look for shares, it went right for C$.
I thought I would put it up here to help anyone else, including myself, because we did lose a few hours of email data that I would be willing to put some energy into retrieving.
From Webroot, here is the MD5 info:
Filename: 2.EXE MD5: 8F19116D16C15678141322520F97979F Pathname: ?:\temp\ File Size: 2.3 MB
Edited by l5mgmt, 24 September 2016 - 11:12 AM.