I'm going a little loopy trying to identify the ransomware that has infected a server, so any help here would be appreciated. The files have been converted to .z, .zz and .zzz files. These are located in a folder named "3590F75ABA9E485486C100C1A9D4FF06ZZZZZZZZ.Z....ZZ", with many folders with names like "Z......Z.....Z.Z" and "Z...Z...ZZZZZZZZ". The file names in the folders all have a similar naming structure.
There is also a backup file (41GB in size) on the drive that I'm 99% sure wasn't there before. Unfortunately, the shadow copies are no longer available to confirm and, due to the misguided owner of said server, backups are not an option. The infection was caused by a hole in the RDP security, which has now been fixed.
There was a text file left in the drive and on the desktop named KEY BACKUP.txt, which I've included in my attached files.
I tried running the CryptoSearch program on the files and it can find them when looking for TeslaCrypt V3 and 4 files. So I tried using the ESET decryption tool for these, but it was unable to locate files encrypted by TeslaCrypt.
Running through the ID Ransomware site, I get the message:
Unable to determine ransomware.
Please make sure you are uploading a ransom note and encrypted sample file from the same infection.
This can happen if this is a new ransomware, or one that cannot be currently identified automatically.
You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.
Please reference this case SHA1: b6cdd2a0567ea571abe80c6485a769b4102c51b9
Link to files:
Many thanks for any help offered. Let me know if you need any more information from me.