A client's Windows file server was infected over night Thursday to Friday last week. It appears to have encrypted either the MBR (although I believe it is a GPT drive), MFT, or the full disk. It doesn't seem to really match Mamba, Petya, or safe-data.ru, so I'm a little at a loss after searching here and with Google. Additionally this is a 2 disk RAID 1 mirrored array, so while I can pull the drive and scan it on another computer, I haven't yet and don't want to do anything before I know what it is or how to clean it. Thankfully we have data backups.
I can't upload an image, but I took a picture of what loads imediately after POST here: https://drive.google.com/open?id=0B3GLLOzic2EeS1ZJdkpWZHlhREVXajZLaXVScWRoT3RZVjA0
It just says:
to decrypt contact email@example.com
There are no instructions on what to do other than email that address, there's no unique ID number to send or anything.
Has anyone seen this before?
How did they get infected, was it from a client PC on the network accessing the two network shares from the server. The users insist it wasn't something they did, although that's the only thing that likely caused this, and are the client PC's at risk?
Edited by mytechnerdca, 26 March 2017 - 08:11 PM.