It all started when I got to the office on Monday morning. Half the files on the server are encrypted!
Up until this point I have identified which PC was attacked (our storage server, through RDP on a nonstandard port), yet all I managed to find was a Bitcoin miner (Trojan.Win64.BitMin.ft) through a scan with Kaspersky. The actual ransomware was never detected. I performed a manual search in the system and used ESET, Malwarebytes and Norton - nothing!
Now for the fun part...
It encrypted any file it could access. Here is one example of an encrypted file name:
Asset Register Final.xlsx.id-YYYYYYYYYY_[firstname.lastname@example.org].830s7
Each folder also has a file named ### DECRYPT MY FILES ###.txt
*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: email@example.com
Your personal ID: YYYYYYYYYY
I just censored the personal ID.
https://id-ransomware.malwarehunterteam.com detects this as Dharma (based on the email address); however, the ransom note points to Nemesis. It is neither of these, since the file name does not contain the .dharma/.nemesis/.wallet extensions.
The decryptors for CryptON, Cry9, Cry128, Crysis and Rakkhni do not work.
The encrypted and unencrypted files are exactly the same size. I played around in the hex editor and it is clear that only the file header is encrypted. In an xls file I can still see the data. Copying/manipulating the header allowed me to open and repair one of the .xls files and actually see the spreadsheets and entries - though it took an hour.
I found the miner under C:\Users\<user>\Videos\Intel
Under C:\Users\<user>\Videos I found the ransomware's background image
Inside this folder I also found something interesting...
The log files show Kaspersky Endpoint Security suffered a critical error around the time of the malware infection. This was on a "Limited" user account.
Edited by Ruben-e, 30 May 2017 - 03:28 AM.
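The header-only encryption described in the post (same file size, readable data after the first bytes, a spliced header opening the .xls) can be checked without a hex editor by measuring per-chunk entropy and, where a clean copy exists, diffing it against the encrypted one. This is an added example, not code from the post or from any decryptor; the "spreadsheet" and the keystream it scrambles with are constructed here and have nothing to do with the ransomware's actual cipher.

```python
import hashlib
import math

ENCRYPTED_CHUNK_BITS = 7.0   # chunks above this look like ciphertext/random data
CHUNK = 512

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk of the file, front to back."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def estimate_encrypted_prefix(data: bytes, chunk: int = CHUNK) -> int:
    """Bytes at the start of the file that look encrypted: the run of leading
    high-entropy chunks. Returns 0 if the first chunk is plaintext and
    len(data) if every chunk is high-entropy (whole-file encryption)."""
    prefix = 0
    for e in entropy_profile(data, chunk):
        if e < ENCRYPTED_CHUNK_BITS:
            break
        prefix += chunk
    return min(prefix, len(data))

def differing_span(original: bytes, encrypted: bytes):
    """(start, end) of the byte range that changed between a clean copy and its
    encrypted counterpart; (0, 0) if they are identical or differ in size."""
    if len(original) != len(encrypted):
        return (0, 0)
    diffs = [i for i, (a, b) in enumerate(zip(original, encrypted)) if a != b]
    return (diffs[0], diffs[-1] + 1) if diffs else (0, 0)

def build_sample(prefix_len: int = 1024):
    """Constructed sample: ~10 KiB of repetitive CSV text with only its first
    prefix_len bytes scrambled. The keystream is SHA-256 in counter mode, mapped
    to 1..255 so every scrambled byte differs from the original (simulation only)."""
    body = b"Asset ID,Description,Location,Value\n" * 300
    stream = b"".join(hashlib.sha256(b"constructed-key" + i.to_bytes(4, "big")).digest()
                      for i in range(prefix_len // 32 + 1))[:prefix_len]
    stream = bytes((s % 255) + 1 for s in stream)
    scrambled = bytes(a ^ k for a, k in zip(body[:prefix_len], stream)) + body[prefix_len:]
    return body, scrambled

if __name__ == "__main__":
    clean, enc = build_sample()
    print("same size:", len(clean) == len(enc))
    print("encrypted prefix estimate:", estimate_encrypted_prefix(enc), "bytes")
    print("exact differing span:", differing_span(clean, enc))
```

On a real file, run estimate_encrypted_prefix on the encrypted copy to see how much of the head was overwritten, and differing_span against a backup or shadow copy to get the exact range that a header splice from a clean file of the same type would need to cover.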