I haven't been able to find much info on this. I work for a non-profit and they have 2 VMs running Server 2012 R2 on Hyper-V Core.
Today I came in and found a ransomware notice installed on both VMs saying:
All your files were encrypted with strong algorithm AES256 and unique key.
Do not worry, all your files in the safety, but are unavailable at the moment.
To recover the files you need to get special decryption software and personal key.
You can contact us:
Primary Email: firstname.lastname@example.org
Reserve Email: email@example.com
Your Personal ID: [removed]
Please use public mail service like gmail or yahoo to contact us, because your messages can be not delivered.
For fast communication, you can write to us in Jabber: firstname.lastname@example.org
How to register a jabber account: http://www.wikihow.com/Create-a-Jabber-Account
You have 3 working days to contact us, otherwise recovering may be harder for you.
The notice was saved on C:\ as Decryption Instructions.txt and written into the registry at Winlogon > legalnoticetext.
The encrypted files have a .access_denied extension.
Not all files were encrypted - I think it was running under an account without admin access.
I have VM backups from before we got hit. I am restoring them now as clones with no network access, but I want to make sure that the restored VMs are not infected.
Any help would be appreciated.
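One concrete way to check the restored, network-isolated clones for the three indicators named in the post (the note dropped on C:\, the Winlogon legalnoticetext value, and files with the .access_denied extension). This is an added example, not code from the original poster: the `HKLM:\...\Winlogon` path is the standard location of that value; checking `LegalNoticeCaption` and the `Policies\System` key as well is my assumption about where related text may also have been written.

```powershell
# Added example: look for the indicators described in the post on a restored VM.
# Run from an elevated PowerShell prompt inside the isolated clone.
$findings = @()

# 1. Ransom note dropped on the root of C: (path from the post)
$notePath = 'C:\Decryption Instructions.txt'
if (Test-Path -LiteralPath $notePath) {
    $findings += "Ransom note present: $notePath"
}

# 2. Logon banner text. The post names Winlogon > legalnoticetext; the Policies\System
#    key is the Group Policy location for the same banner (assumption: worth checking too).
$bannerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $bannerKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'LegalNoticeText', 'LegalNoticeCaption') {
        $value = $props.$name
        if ($value) {
            $preview = $value.Substring(0, [Math]::Min(80, $value.Length))
            $findings += "$key\$name is set: $preview"
        }
    }
}

# 3. Files carrying the .access_denied extension on every filesystem drive
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }
foreach ($drive in $drives) {
    $hits = Get-ChildItem -Path $drive.Root -Recurse -Force -File `
        -Filter '*.access_denied' -ErrorAction SilentlyContinue
    if ($hits) {
        $findings += "$($hits.Count) .access_denied file(s) under $($drive.Root), e.g. $($hits[0].FullName)"
    }
}

# 4. Report. An empty result only means these particular indicators are absent.
if ($findings.Count -eq 0) {
    Write-Output 'None of the indicators from the post were found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

Keep the clone off the network while you run this, and treat a clean result as "the known indicators are absent" rather than proof the image is uninfected: the backup was taken before the notice appeared, but whatever initially got onto the VMs may already have been present then, so the restored guests are still worth reviewing for unfamiliar accounts, scheduled tasks and services before reconnecting them.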