
SBS 2011 attacked by ransomware


This topic is locked. 9 replies to this topic.

#1 johnlynch_55 (Members, 5 posts)

Posted 09 February 2017 - 12:47 PM

Hello all, and I am glad to be a new member of this site.

I had my Small Business Server 2011 attacked by ransomware; however, at first we thought that the server had some other sort of failure, as it was hung. After a reboot, the server still did not boot. We then used the MS repair disk, which was not able to repair the system, so we rebuilt all of the Windows 2008 R2 server files, and then it booted up. At that point we realized all of the files were encrypted with some sort of ransomware. All of the file directories had a ransom note attached. We believe it is Xorist. We loaded an anti-malware tool and it appears that the virus was destroyed by the server rebuild. Apparently the backup is also infected.

If anyone has any good suggestions to recover these files, it would be greatly appreciated.
Many thanks in advance for any help,
john

Edited by hamluis, 09 February 2017 - 12:55 PM.
Moved from Win Server to Ransomware - Hamluis.



#2 toofarnorth (Members, 379 posts)

Posted 09 February 2017 - 01:08 PM
Posted 09 February 2017 - 01:08 PM

Hello

I am sorry that your server got hit.

Are you sure it's the Xorist ransomware that hit you?
To be sure, you could upload the ransom note and one encrypted file to this web page to verify:

https://id-ransomware.malwarehunterteam.com/

Good news if it is Xorist: it should be decryptable with a free tool from Emsisoft.
https://decrypter.emsisoft.com/xorist

User manual found here:
https://decrypter.emsisoft.com/howtos/emsisoft_howto_xorist.pdf

Before running the tool I would back up the server!

After recovering, I would review passwords and remote access methods, especially if you have RDP enabled directly to the server itself.

Better to use the TS Gateway function, which will tunnel RDP over HTTPS.

Keep us updated on how it goes!

tfn
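A quick way to act on the "review remote access" advice above, as an added example that is not code from this thread or from Microsoft: an audit script for an SBS 2011 / Windows Server 2008 R2 host that reports whether RDP is enabled, on which port, whether Network Level Authentication is required, whether the RD Gateway (TS Gateway) role is installed, and which source IPs are generating failed logons. The registry value names and the positions of fields in event 4625 are the standard ones for 2008 R2; treat them as assumptions if your build differs. Run it in an elevated PowerShell session on the server.

```powershell
# Added example (not from the thread): audit direct RDP exposure on an
# SBS 2011 / Windows Server 2008 R2 host after a ransomware recovery.
# Assumptions: standard Terminal Server registry layout and the 2008 R2
# field order for Security event 4625 (ReplacementStrings[19] = source IP,
# [5] = target user name).

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled, on which port, and is NLA required for the connection?
$deny = (Get-ItemProperty -Path $ts     -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
"RDP enabled : $($deny -eq 0)"
"RDP port    : $port"
"NLA required: $($nla -eq 1)"

# 2. Is anything listening on that port, and which remote peers are connected?
#    A LISTENING entry bound to 0.0.0.0 plus a NAT rule on the firewall is the
#    'RDP directly to the server' situation the post above warns about.
netstat -ano | Select-String -Pattern (":$port\s")

# 3. Is the RD Gateway role installed? SBS 2011's Remote Web Access uses it to
#    tunnel RDP over HTTPS instead of exposing 3389.
Import-Module ServerManager
Get-WindowsFeature -Name RDS-Gateway | Select-Object Name, Installed

# 4. Failed logons (event 4625) in the most recent 500 Security events,
#    grouped by source IP. A handful of IPs with hundreds of failures against
#    'administrator' is the usual footprint of a brute-forced RDP account.
Get-EventLog -LogName Security -InstanceId 4625 -Newest 500 |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time = $_.TimeGenerated
            User = $_.ReplacementStrings[5]
            IP   = $_.ReplacementStrings[19]
        }
    } |
    Group-Object IP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If step 1 shows RDP enabled without NLA and step 2 shows the listener reachable from outside, the fix the post describes is to close the inbound 3389 rule on the firewall and reach the server through the RD Gateway on 443 instead; the step 4 output tells you which accounts to reset first.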



#3 quietman7, Bleepin' Janitor (Global Moderator, 51,289 posts, Virginia, USA)

Posted 09 February 2017 - 01:19 PM

Posted 09 February 2017 - 01:19 PM

What is the name of your ransom note?

Uploading both encrypted files and ransom notes together at ID Ransomware for assistance with identification and confirmation provides a more positive match and helps to avoid false detections. ID Ransomware will also let you know if there is a known way of decrypting your files.
--
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 johnlynch_55 (Topic Starter, Members, 5 posts)

Posted 09 February 2017 - 01:55 PM

Posted 09 February 2017 - 01:55 PM

[quoting post #2 by toofarnorth in full]

Thanks tfn,

I did the ID Ransomware check as you suggested before my original post, and it was identified as Xorist. I then tried to use the Emsisoft decrypter tool; however, the tool pops up a 'no key found' window. I have tried the tool on the encrypted server, on both 32- and 64-bit Win 7 Pro machines that were not affected, and also on an unaffected 2008 R2 SP1 app server. Same thing every time: a 'no key found' window pops up...

Let me know if I am missing something, as it appears to be straightforward after downloading the tool.



#5 johnlynch_55 (Topic Starter, Members, 5 posts)

Posted 09 February 2017 - 03:00 PM

Posted 09 February 2017 - 03:00 PM

[quoting post #3 by quietman7]

The ransom note:

 

All your important files were encrypted on this computer.
You can verify this by click on see files an try open them. 
 
Encrtyption was produced using unique public key RSA-4096 generated for this computer. 
 
To decrypted files, you need to otbtain private key. 
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 48 hours after encryption completed.
 
To retrieve the private key, you need to pay 7  bitcoins
 
Bitcoins have to be sent to this address: 1Hxq9SJobRG8xZc2h4hN9xaaga2jFBiYqQ
 
After you've sent the payment send us an email to : DecryptFilesCorporation@tutanota.com  with subject : DECRYPT-ID-63100222
If you are  not familiar with bitcoin you can buy it from here :
SITE 1 : www.coinbase.com
SITE 2 : www.bitstamp.net
 
After we confirm the payment , we send the private key so you can decrypt your system.
 
Hopefully this helps some...
 
Thanks,
john
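A triage helper for the note above, as an added example that is not code from this thread, from ID Ransomware or from Emsisoft: it pulls the indicators a responder records or searches for (contact e-mail, campaign ID, payment address, amount demanded) out of the note text, and checks the Bitcoin address's Base58Check checksum so that a mis-transcribed address is caught before it is circulated as an IOC. The sample note embedded in the block is the one quoted in this post, copied verbatim with its typos; the regular expressions and the structure of the returned dictionary are my own choices.

```python
"""Ransom-note IOC extraction (added example, not from the thread).

Input: the text of a ransom note. Output: the e-mail addresses, victim/campaign
IDs, Bitcoin addresses (with a checksum verdict) and amounts it contains.
The note below is the one quoted in post #5 of the thread, verbatim.
"""
import hashlib
import json
import re

# Sample input: the ransom note as posted in the thread (typos preserved).
NOTE = """All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.

Encrtyption was produced using unique public key RSA-4096 generated for this computer.

To decrypted files, you need to otbtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 48 hours after encryption completed.

To retrieve the private key, you need to pay 7  bitcoins

Bitcoins have to be sent to this address: 1Hxq9SJobRG8xZc2h4hN9xaaga2jFBiYqQ

After you've sent the payment send us an email to : DecryptFilesCorporation@tutanota.com  with subject : DECRYPT-ID-63100222
If you are  not familiar with bitcoin you can buy it from here :
SITE 1 : www.coinbase.com
SITE 2 : www.bitstamp.net

After we confirm the payment , we send the private key so you can decrypt your system.
"""

# Patterns (my assumptions): legacy P2PKH/P2SH addresses start with 1 or 3 and
# use the Base58 alphabet; the campaign ID format is taken from this note.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ID_RE = re.compile(r"\bDECRYPT-ID-\d+\b")
AMOUNT_RE = re.compile(r"pay\s+(\d+(?:\.\d+)?)\s+bitcoins?", re.IGNORECASE)

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_decode(addr):
    """Return (version_byte, payload) if addr carries a valid Base58Check
    checksum (last 4 bytes == first 4 bytes of SHA256(SHA256(rest))), else None."""
    n = 0
    for ch in addr:
        d = B58.find(ch)
        if d < 0:                      # character outside the Base58 alphabet
            return None
        n = n * 58 + d
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a zero byte
    raw = b"\x00" * leading + body
    if len(raw) < 5:
        return None
    data, chk = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] != chk:
        return None
    return data[0], data[1:]


def is_valid_btc_address(addr):
    """True for a mainnet P2PKH (0x00) or P2SH (0x05) address with a good checksum."""
    dec = b58check_decode(addr)
    return dec is not None and dec[0] in (0x00, 0x05) and len(dec[1]) == 20


def extract_iocs(note):
    """Collect the indicators from a ransom note into a dict."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "ids": sorted(set(ID_RE.findall(note))),
        "btc_addresses": [
            {"address": a, "checksum_ok": is_valid_btc_address(a)}
            for a in dict.fromkeys(BTC_RE.findall(note))   # de-duplicate, keep order
        ],
        "amount_btc": [float(x) for x in AMOUNT_RE.findall(note)],
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(NOTE), indent=2))
```

The note text itself proves nothing about the family; the "RSA-4096" line is attacker-supplied. The ID Ransomware match reported in post #4 is the identification that matters, and the fields this script extracts are what you would attach alongside the encrypted/original file pair when submitting the sample.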


#6 NemesisRansomware (Members, 10 posts)

Posted 09 February 2017 - 03:06 PM

Posted 09 February 2017 - 03:06 PM

7 BTC... lol.

RSA-4096 can be cracked fairly easily.
Is a sample of the malware available?


#7 johnlynch_55 (Topic Starter, Members, 5 posts)

Posted 09 February 2017 - 03:55 PM

Posted 09 February 2017 - 03:55 PM

[quoting post #6 by NemesisRansomware]
 

Many thanks for the encouragement. Hopefully I can find some tools that can help me. I have both an infected/encrypted file and the same file uninfected; however, I do not know how to attach any files on this site. Feel free to contact me directly at klynch@mysunnyhill.net if you would like to peek at what I have.

Again thanks,

john



#8 johnlynch_55 (Topic Starter, Members, 5 posts)

Posted 09 February 2017 - 03:56 PM

[quoting post #7 above]

Sorry, my email is jlynch@mysunnyhill.net

john



#9 Guest_AES-NI_* (Guest)

Posted 09 February 2017 - 04:21 PM

[quoting post #6 by NemesisRansomware]

crack me my software))) ok?



#10 quietman7, Bleepin' Janitor (Global Moderator, 51,289 posts, Virginia, USA)

Posted 09 February 2017 - 04:38 PM

Posted 09 February 2017 - 04:38 PM

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Fabian Wosar created the Emsisoft Decrypter for Xorist and is subscribed to that topic, so he may be able to help.

Repost your findings and ransom note in the above topic, then upload an original file and the encrypted one here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to the support topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will help our crypto-malware experts analyze and investigate.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion; it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff