
Mamba Ransomware Boot Encryption (srv123@scryptmail.com)


4 replies to this topic

#1 torresfvr

  • Members
  • 1 posts

Posted 27 December 2016 - 07:11 PM

Hi Guys and Gals

 

I have a client who has had a server compromised on Christmas Day. I am unsure how it managed to get UAC access to the server, because RDP has security rights, and a previous ransomware (August 2015) was limited to a workstation only (the share was recovered from backup).

 

The server seems to have been drive-encrypted (RAID 0), similar to TrueCrypt/BitLocker.

 

The server backup was on two external USB drives; as backup storage they do not show up in Windows Explorer. Now one is showing blank and one is showing RAW on another computer. I have run a 'repair' but cannot pick any system images, which it should have.

 

I cannot locate this ransomware on ID Ransomware; I think the closest thing might be Petya.

 

The hackers printed out 250 copies of the following on the printer:

-------------------

 

Please be advised that your network is hacked.
 
Your server is enrypted with full disk encryption software.
 
That means that you cannot recover any data without password.
 
Your backups also encrypted.
 
To receive the key please donate 5 bitcoins.
 
Our contact mail is srv123@scryptmail.com
 
------------------

 

 

Also, this is the screenshot at boot:

https://postimg.org/image/l0h62g8nn/

 

On replying to them the amount has increased to 9 bitcoins.

 

Appreciate any help, and I'm game if any further info is required.

 

Sincerely,

 

Embarrassed and Angry




#2 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 49,911 posts
  • Location: Virginia, USA

Posted 28 December 2016 - 07:44 AM

There are several ransomware variants which affect the MBR, including Petya, GoldenEye, HDDCryptor (Mamba), Encrypted Boot Ransomware (safe-data.ru) and Satana Ransomware.
 
Any files that are encrypted with GoldenEye Ransomware (rebranded Petya-Mischa combo) will have a random 8-character extension (e.g. .uDz2j8mv) appended to the end of the encrypted data filename, and it leaves ransom notes named YOUR_FILES_ARE_ENCRYPTED.TXT, as explained here. GoldenEye also modifies the user's hard drive Master Boot Record (MBR) with a custom boot loader.

HDDCryptor (Mamba) is a ransomware variant that rewrites a computer's MBR (Master Boot Record) boot sectors and locks users out of their PCs similar to Petya and Satana. All the information we have about this infection is provided in this BC news article: HDDCryptor Ransomware Overwrites Your MBR Using Open Source Tools

Encrypted Boot Ransomware (safe-data.ru) modifies the Master Boot Record (MBR) of your computer and displays a message stating that your computer's hard drives were encrypted and that unless you pay the ransom you will not be able to access your files. The infected hard drives are not actually encrypted; they are just not available until you enter a password. The infection typically will move the infected hard drive's MBR to another location and install a new MBR that displays a message stating that the hard drives were encrypted. The message also states that you need to visit a certain web site to receive help or send an email with a code in order to buy a password. There is more information in this BC news article: New infection ransoms your computer with fake encryption message (safe-data.ru).

Satana Ransomware installs a bootlocker, and fixing the MBR will allow the victim to boot back into Windows again but still leaves the files encrypted. Any files that are encrypted with Satana Ransomware will be renamed to <email>__<filename>, and it leaves ransom notes named !satana!.txt. More information in this BC news article: Satana Bootkit Encrypts your files and then locks you out of Windows
 
Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will help our crypto-malware experts analyze and investigate.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
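The distinction quietman7 draws above, between a locker that only swaps the MBR (safe-data.ru style, filesystems untouched) and one that really encrypts the volumes (HDDCryptor/Mamba with DiskCryptor), can be checked from a raw image of the disk before anyone pays or runs a "repair". The script below is an added example, not code from this thread or from any of the malware families named: it parses the 512-byte MBR, pulls printable strings out of the bootstrap area (lockers usually carry their banner there), walks the partition table, and looks at the first sector of each volume for a known filesystem OEM ID. A plaintext NTFS/FAT header means the data is still there and the fix is the boot code; a high-entropy first sector means the volume itself is ciphertext. The two disk images, the banner text and the OEM-ID table are constructed for the example; the same classify_volume check applies to the first sector of the external USB drives the first post says now show as RAW.

```python
"""Added triage example (not from the original thread): parse a raw disk
image's MBR and decide whether only the boot code was replaced or the
volumes themselves are ciphertext. Sample images are constructed inline."""
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
# OEM IDs found at offset 3 of an unencrypted volume boot record (VBR).
FS_MAGIC = {
    b"NTFS    ": "NTFS",
    b"EXFAT   ": "exFAT",
    b"MSDOS5.0": "FAT",
    b"MSWIN4.1": "FAT",
}
# A 512-byte sample cannot reach 8 bits/byte; random data lands near 7.6.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data` (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Like `strings`: ASCII runs of at least min_len bytes."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def parse_mbr(mbr: bytes) -> dict:
    """Boot-signature status, strings in the bootstrap code, and the
    non-empty entries of the four-slot MBR partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype and count:
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_signature_ok": mbr[510:512] == BOOT_SIG,
            "bootstrap_strings": printable_runs(mbr[:446]),
            "partitions": parts}


def classify_volume(vbr: bytes) -> str:
    """Plaintext filesystem header, ciphertext/wiped, or unknown."""
    fs = FS_MAGIC.get(vbr[3:11])
    if fs:
        return f"plaintext {fs}"
    if shannon_entropy(vbr) >= ENTROPY_THRESHOLD:
        return "high-entropy (encrypted or wiped)"
    return "unknown"


def triage(image: bytes) -> dict:
    """Walk the partition table and inspect each volume's first sector."""
    report = parse_mbr(image[:SECTOR])
    volumes = []
    for p in report["partitions"]:
        off = p["lba_start"] * SECTOR
        vbr = image[off:off + SECTOR]
        volumes.append((p["slot"], classify_volume(vbr) if len(vbr) == SECTOR
                        else "beyond image"))
    report["volumes"] = volumes
    kinds = [k for _, k in volumes]
    if kinds and all(k.startswith("plaintext") for k in kinds):
        report["verdict"] = "boot code replaced; filesystems still readable"
    elif kinds and all(k.startswith("high-entropy") for k in kinds):
        report["verdict"] = "volumes are ciphertext; nothing to recover without the key"
    else:
        report["verdict"] = "mixed or inconclusive; inspect volumes individually"
    return report


def _build_image(bootstrap: bytes, vbr: bytes, lba_start: int = 63) -> bytes:
    """Constructed one-partition disk image: MBR, zero gap, then the VBR."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, lba_start, 4096)
    mbr = bootstrap.ljust(446, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG
    return mbr + b"\x00" * (SECTOR * (lba_start - 1)) + vbr


# Constructed samples for the example, not artifacts of any real malware.
_BANNER = b"\xeb\xfe" + b"Disk locked: mail us for the password"
_NTFS_VBR = b"\xeb\x52\x90NTFS    " + b"\x00" * 499 + BOOT_SIG
_CIPHERTEXT_VBR = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
SAMPLE_LOCKER_ONLY = _build_image(_BANNER, _NTFS_VBR)       # MBR swapped, NTFS intact
SAMPLE_FULL_DISK = _build_image(_BANNER, _CIPHERTEXT_VBR)   # volume is ciphertext

if __name__ == "__main__":
    for name, img in (("locker-only", SAMPLE_LOCKER_ONLY), ("full-disk", SAMPLE_FULL_DISK)):
        print(name, triage(img))
```

On a real case, read the first few megabytes of the suspect disk (or of the USB backup drives) with a write-blocker and pass those bytes to triage(); a GPT disk will show a single 0xEE protective entry and needs the GPT header parsed instead, which this example does not do.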

#3 xXToffeeXx (Bleepin' Polar Bear)

  • Malware Response Instructor
  • 6,015 posts
  • Location: The Arctic Circle

Posted 28 December 2016 - 03:19 PM

Looks like they used DiskCryptor, known as Mamba ransomware. You can read more here.

 

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#4 quietman7 (Bleepin' Janitor)

  • Global Moderator

Posted 28 December 2016 - 04:22 PM

More information in these news articles.

#5 SamuelPiterson

  • Members
  • 1 posts

Posted 07 January 2017 - 09:44 AM

Hi all,

 

My company's PCs were infected on 28 Dec.

 

The attackers infected about 20 servers and demanded 25 bitcoins.

 

Unfortunately all backups also were encrypted.

 

Then the attackers reduced the price to 10 bitcoins.

 

I was afraid that I would not receive any password, but my company had no choice, so we decided to pay. After payment they gave us the password "WinterSnow2086".

 

I'm not sure that they use the same password everywhere, but maybe it helps someone.

 

We decrypted all data except one server, but it is still better than losing all the data.

 

 





