Business Server Ransomware - HELP SOS (EnTeR c0d3 / kotypot@inbox.lv)

Hi all,

I have a server running Windows 2003 that has been infected with ransomware.

The ransomware ID tool did not come up with any ID.

It does seem to be an encrypting ransomware that has overwritten the master boot record.

Windows boots for a second, but immediately goes to the ransom screen.

I cannot go any further. Maybe I could take out the hard drive and try to access it somehow, but I have no experience in booting hard drives.

The attacker gives email address kotypot@inbox.lv and demands 350 USD in bitcoin

I have ordered bitcoin to my account and waiting for it to clear in case I must go with the last-ditch option of paying up.

I am not sure what to do. Any advice is greatly appreciated.

I took a photo of the ransom screen: https://drive.google.com/open?id=1dswuYT1AXYcXH_eMAYKhOWWaXed_d38s

Edited by helpwithransomware, 07 December 2017 - 11:42 AM.

Welcome

You are not providing much information. Are you able to boot in Safe mode?

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Make sure that under Optional Scans, there is a checkmark on Addition.txt.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The tool will also produce another log (Addition.txt ). Please attach this to your reply.

Edited by JSntgRvr, 06 December 2017 - 07:08 PM.

Have the same thing infection, windows server 2008 r2.   Server wont boot, just boots up to the screen that he has posted above. 

Just tried to boot off of a server 2008 cd and get the same message.

Edited by jjcmiller, 07 December 2017 - 11:02 AM.

In the hopes that the attacker might honor his ransom, we transferred the Bitcoin.

But as I expected, no response.

Thus I strongly advise against sending any payments to this attacker.

I am saddened to find out that this has affected others, but it is good that we will be able to share information.

I booted off a windows 10 thumbdrive and ran bootrec /fixboot and fixmbr and rebooted logged into windows now and scanning with malwarebytes.   

Haven't seen that screen for a ransomware before. Interesting how it seems like it is interjecting the original Dell boot screen, as the copyright and such is still seen between the ransom text.

Are any files actually encrypted, can they be opened fine? If you find any suspicious files, or can obtain a copy of the infected MBR, please submit that here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

I have not been able to look in the computer drive at all, due to not being able to get past the boot screen/ransom screen.

As uploading an encrypted file is a method of investigating further, I am led to believe there is a way to look into the computer drive contents despite the ransom screen blocking boot up.

But I do not have any experience doing so.

I have a windows 10 reinstallation disk that I was able to boot from, but out of fear of doing something irreversible, I did not proceed.

Edited by helpwithransomware, 07 December 2017 - 04:43 PM.

I have a windows 10 reinstallation disk that I was able to boot from, but out of fear of doing something irreversible, I did not proceed.

 

Let me consult that with the developer of FRST. Is that CD version 32bit or 64bit?

It is a 64 bit Windows 10 reinstallation CD.

The other issue I'm unsure about is OS authentication.

From what I understand, reinstallation CDs work because the product key is somehow hardwired into the computer.

In my case, I have a completely different OS, so I don't see how I could be allowed to successfully install Windows 10 without a product key.

Edit: To further clarify, the Windows 10 reinstallation CD I have came from machines that came preloaded with Windows 7 Pro 64bit.

Because of this, I do not have a Windows 10 product key. But maybe I am wrong? Is it possible that my product keys that came with the machine will also work for the Windows 10 installation?

Edited by helpwithransomware, 07 December 2017 - 05:51 PM.

Got a call from a client with this as well this morning.  Their's is also a Server 2003 (albeit virtualized).  I will be going on-site tomorrow.  

Am I understanding correctly that jjcmiller fixed the MBR with a Win10 Installation disk to get his system bootable?  Would that same process work on Server 2003?  If I booted from the Server 2003 disks or recovery disk, could this operation be successful?  

I will be copying the .vmdk files from the datastore before I attempt anything and can attempt to mount the disk copies (in my case, they had 3 .vmdks for this server) on a different VM to tell if the files are actually encrypted.  If they are not, I'll report back and possibly be able to upload the MBR from the C:\ .vmdk for analysis.

Any additional information, help, tips are appreciated and I will monitor this thread.  Thanks in advance to everyone who contributes.  I hate this stuff.

Don't run commands that may hurt your computer. Server 2003 is like XP. Only have a Recovery Console, not an environment as Windows 10. I don't know if booting to a command prompt with a Windows 10 CD and running FRST from a USB flash drive may produce a scan report, or hurt your computer. I am waiting from an answer.

XP was before bootrec was a thing, that started with the Vista-era kernel. The XP/Server '03 equivalent is apparently bootcfg in the Windows Recovery Environment (aka Win RE), which just messes with boot.ini. Looks like it's basically the same commands, but you have to have a Server '03 disc around.

https://neosmart.net/wiki/bootcfg/

I've never messed with the command myself (only used bootrec a lot with Vista+), so proceed with caution and only do it on a backup of the virtual hard disk.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

To enter System Recovery Options from the Advanced Boot Options:

• Boot with The Windows 10 CD and reach the Command prompt.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• Troubleshooting -> Advanced Options -> Command prompt
• Select Command Prompt

Once in the Command Prompt:

• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Some good news:

We have established that this is not an encrypting ransomware. Which means, ***DO NOT PAY THE RANSOM***

Likely it has only corrupted the MBR, but we will know more after further investigation.

We were able to recover our database files through cmd after booting from a Windows 10 pro 64 bit reinstallation CD.

I will update with exact details of the process soon (maybe in a few days) as well as a FRST scan report.

Edited by helpwithransomware, 08 December 2017 - 03:29 PM.