
Unknown MBR/MFT/full disk encryption ransomware?


3 replies to this topic

#1 mytechnerdca

mytechnerdca

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Toronto, Ontario, Canada
  • Local time:08:41 PM

Posted 26 March 2017 - 03:26 PM

Hi,

A client's Windows file server was infected overnight Thursday to Friday last week. It appears to have encrypted either the MBR (although I believe it is a GPT drive), the MFT, or the full disk. It doesn't seem to really match Mamba, Petya, or safe-data.ru, so I'm a little at a loss after searching here and with Google. Additionally, this is a 2-disk RAID 1 mirrored array, so while I can pull the drive and scan it on another computer, I haven't yet and don't want to do anything before I know what it is or how to clean it. Thankfully we have data backups.

 

I can't upload an image, but I took a picture of what loads immediately after POST here: https://drive.google.com/open?id=0B3GLLOzic2EeS1ZJdkpWZHlhREVXajZLaXVScWRoT3RZVjA0

 

It just says:

to decrypt contact w500@scryptmail.com

enter password:

 

There are no instructions on what to do other than email that address, there's no unique ID number to send or anything.

 

Has anyone seen this before?

 

How did they get infected? Was it from a client PC on the network accessing the two network shares from the server? The users insist it wasn't something they did, although that's the only thing that likely caused this. And are the client PCs at risk?

 

Thanks.


Edited by mytechnerdca, 26 March 2017 - 08:11 PM.




#2 mytechnerdca

mytechnerdca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Toronto, Ontario, Canada
  • Local time:08:41 PM

Posted 27 March 2017 - 05:38 PM

Got a response from the criminals after contacting them. They wanted the public IP of the computer, which I gave them, and they sent back the following reply:

 

Hi,

Yes we have your password

WAN IP 3389 (RDP port, but should not have been open as we don't use RDP and it should be closed on the router) HOSTNAME

 

Please send your donation to address BITCOIN ADDRESS (can provide if requested)

4 bitcoins.

Have a nice day.

 

 

I can't believe they want 4 bitcoins, which is over $5500 Canadian. Last time I dealt with a malware issue for a client, they wanted 0.5 bitcoins, which was about C$500.

 

So, any ideas what this thing is, and can it be decrypted without paying?

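The attackers' reply above points at TCP 3389 (RDP) being reachable from the WAN. The script below is an added example, not something posted in this thread, that audits the host side of that exposure on a Windows server: whether Remote Desktop is enabled, which port it is configured on, whether anything is listening there, whether Network Level Authentication is required, and which enabled inbound firewall rules allow that port from any remote address. It reads the standard Terminal Server registry values and uses the NetSecurity and NetTCPIP cmdlets that ship with Windows Server 2012 and later; it assumes it is run in an elevated PowerShell session on the server itself. A clean host-side report does not prove the router is not forwarding 3389, so the router's port-forward table still has to be checked separately.

```powershell
# Added example: audit RDP exposure on the local Windows server (run elevated).
# Registry paths and cmdlets used here are standard Windows ones; the thresholds
# and warning text are this example's own choices.

function Get-RdpExposure {
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($denyTs -eq 0)

    # The listener port can be moved away from 3389, so read the configured value.
    $port = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # UserAuthentication = 1 means Network Level Authentication is required before logon.
    $nla = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Is anything actually listening on that port right now?
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

    # Enabled inbound allow rules whose port filter covers the RDP port (or all ports).
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
            ($pf.LocalPort -contains "$port" -or $pf.LocalPort -contains 'Any')
        }

    # A rule whose remote address scope is 'Any' admits every source once the router forwards the port.
    $openToAny = $allowRules | Where-Object {
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        Port             = $port
        NlaRequired      = ($nla -eq 1)
        Listening        = [bool]$listening
        AllowRules       = @($allowRules | Select-Object -ExpandProperty DisplayName)
        ReachableFromAny = [bool]$openToAny
    }
}

$report = Get-RdpExposure
$report | Format-List

if ($report.RdpEnabled -and $report.Listening -and $report.ReachableFromAny) {
    Write-Warning "RDP is listening on TCP $($report.Port) and the host firewall allows it from any remote address. Restrict the rule to management addresses or disable Remote Desktop if it is not used."
}
if ($report.RdpEnabled -and -not $report.NlaRequired) {
    Write-Warning "Remote Desktop does not require Network Level Authentication."
}
if (-not $report.RdpEnabled) {
    Write-Output "Remote Desktop is disabled on this host; confirm the router is not forwarding TCP $($report.Port) anyway."
}
```

The two warnings describe exactly the situation the OP's client was in: a listener that is not needed and a firewall that does not scope it. Remediation for an unused service is to disable Remote Desktop (set fDenyTSConnections to 1 or use the System Properties dialog) and remove the router port-forward; where RDP is genuinely needed, keep NLA on and limit the inbound rule's remote addresses to the management network or a VPN range.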


#3 Just_One_Question

Just_One_Question

  • Members
  • 1,400 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:41 AM

Posted 28 March 2017 - 06:41 AM

somewhat off-topic
Yes. Pay $5500 Canadian to a better hacker than them. Locate them. Find them. Go to them. Beat them. Take their money and their devices. Get back & continue living your life. From time to time call them and tell them what sissy bit**es they were.

#4 54M33R

54M33R

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 28 March 2017 - 09:24 AM

Assuming the client is Windows, and assuming only the Master Boot Record (and perhaps not the data) is overwritten, you could try using the Windows Recovery Disk to open a command prompt and type: bootrec /fixmbr. This will overwrite your Master Boot Record again with something usable so you can boot into Windows.





