
Whole network attempted crypto locker variant


#1 l5mgmt (Members, 3 posts)

Posted 24 September 2016 - 11:10 AM

Hi all, last night around 8pm EST almost every one of our servers reported malware 1.exe or 2.exe in temp folders.

Unfortunately a few servers had limited A/V on, namely Exchange and SQL. We have snapshot backups on the VMs, but I thought I would look into it.

 

So what we have is a completely encrypted drive and a boot sector locked, asking to email and what the code is. I Googled around for this and didn't find any reference to it anywhere. I don't know if I can attach it here, but basically the boot just says this:

H.D.D. Encrypted, Contact Us for Decryption Key(CRYPTOM27@yandex.com) YOURID: 123181, Enter Key:

 

On the few devices that were infected, the keycode is the same. We put up a Gmail account and emailed the above, to try to gain better insight. If I mount the drives in a clean system they come up as RAW unformatted, so this isn't like a boot sector virus.

Also, this hit a workgroup computer that had its firewall off and was not part of the domain. It did have the same credentials as the admin account (it was in staging), so whatever this was, it scanned out and tried to attach to \\ip\c$ or something and drop the file. It didn't look for shares; it went right for C$.

I thought I would put it up here to help anyone else, including myself, because we did lose a few hours of email data, which I would be willing to put some energy into retrieving.

 

From Webroot, here is the MD5 info:

Filename: 2.EXE MD5: 8F19116D16C15678141322520F97979F Pathname: ?:\temp\ File Size: 2.3 MB


Edited by l5mgmt, 24 September 2016 - 11:12 AM.
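The lateral movement the post describes (one source walking straight to the C$ admin share of every reachable host with a reused local admin password) leaves a clear trace if file-share auditing is on. The following is an added detection example, not code from the poster or from BleepingComputer; it runs over constructed, simplified audit lines in the spirit of Windows Security event 5140 (network share accessed), not real event text, and the field names, hosts and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed, simplified share-audit lines (not real Windows event text), one
# line per share access, written by the host that served the share.
SAMPLE_LOG = """\
2016-09-23 20:01:12 host=FS01 evt=5140 src=10.0.0.57 user=administrator share=\\\\*\\C$
2016-09-23 20:01:13 host=EXCH01 evt=5140 src=10.0.0.57 user=administrator share=\\\\*\\C$
2016-09-23 20:01:13 host=SQL01 evt=5140 src=10.0.0.57 user=administrator share=\\\\*\\C$
2016-09-23 20:01:14 host=DC01 evt=5140 src=10.0.0.57 user=administrator share=\\\\*\\ADMIN$
2016-09-23 20:03:40 host=FS01 evt=5140 src=10.0.0.22 user=jsmith share=\\\\*\\Finance
2016-09-23 20:05:01 host=SQL01 evt=5140 src=10.0.0.9 user=backupsvc share=\\\\*\\C$
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<kv>.+)$")

def parse_line(line):
    """Parse one constructed audit line into a dict; None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": f"{m['date']} {m['time']}"}
    for token in m["kv"].split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec if all(k in rec for k in ("host", "src", "share")) else None

def is_admin_share(share):
    """True for the hidden administrative shares (C$, D$, ..., ADMIN$)."""
    return re.search(r"\\([A-Z]|ADMIN)\$$", share, re.IGNORECASE) is not None

def admin_share_sweeps(log_text, min_hosts=3):
    """Return {source IP: sorted target hosts} for each source that opened an
    admin share on at least min_hosts distinct hosts: a worm sweeping C$ with
    one reused credential shows up as one source touching many hosts fast,
    while a backup account hitting a single host does not."""
    reached = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("evt") == "5140" and is_admin_share(rec["share"]):
            reached[rec["src"]].add(rec["host"])
    return {src: sorted(h) for src, h in reached.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for src, hosts in admin_share_sweeps(SAMPLE_LOG).items():
        print(f"{src} opened admin shares on {len(hosts)} hosts: {', '.join(hosts)}")
```

On a real estate the same logic applies to exported 5140 events; the threshold and the set of accounts expected to reach admin shares (backup, patching) are site-specific tuning.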


#2 l5mgmt (Topic Starter, Members, 3 posts)

Posted 24 September 2016 - 11:53 AM

Sorry everyone, after looking back and forth I apparently found the HDDCryptor variant. Okay, so at least I have something other people had before :)

It doesn't look like there is any decent removal capacity; does anyone know?



#3 quietman7 (Bleepin' Janitor, Global Moderator, 48,813 posts, Virginia, USA)

Posted 24 September 2016 - 05:25 PM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with confirmation.

All the information we have about this infection is provided in a topic written by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer. Trend Micro also has some information in this blog article.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

#4 l5mgmt (Topic Starter, Members, 3 posts)

Posted 24 September 2016 - 06:04 PM

Thanks, but since I can't boot the O/S, and the drives come up as RAW in another system, do you have any suggestions to get it up? Maybe I could boot off the Windows boot disk and drop to repair...
