Business Server Ransomware - HELP SOS (EnTeR c0d3 / kotypot@inbox.lv)


36 replies to this topic

#1 helpwithransomware

Posted 06 December 2017 - 06:33 PM

Hi all,

 

I have a server running Windows 2003 that has been infected with ransomware.

 

The ransomware ID tool did not come up with any ID.

It does seem to be an encrypting ransomware that has overwritten the master boot record.

Windows boots for a second, but immediately goes to the ransom screen.

I cannot go any further. Maybe I could take out the hard drive and try to access it somehow, but I have no experience in booting hard drives.

 

The attacker gives the email address kotypot@inbox.lv and demands 350 USD in bitcoin.

 

I have ordered bitcoin to my account and am waiting for it to clear in case I must go with the last-ditch option of paying up.

 

I am not sure what to do. Any advice is greatly appreciated.

 

I took a photo of the ransom screen: https://drive.google.com/open?id=1dswuYT1AXYcXH_eMAYKhOWWaXed_d38s


Edited by helpwithransomware, 07 December 2017 - 11:42 AM.



#2 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 06 December 2017 - 06:47 PM

Welcome :)

 

You are not providing much information. Are you able to boot in Safe mode?

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.

Edited by JSntgRvr, 06 December 2017 - 07:08 PM.

Under Hurricane Emergency, expect delays on my responses

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 jjcmiller

Posted 07 December 2017 - 10:45 AM

Have the same infection, Windows Server 2008 R2. Server won't boot, just boots up to the screen that he has posted above.

Just tried to boot off of a Server 2008 CD and get the same message.


Edited by jjcmiller, 07 December 2017 - 11:02 AM.


#4 helpwithransomware (Topic Starter)

Posted 07 December 2017 - 10:52 AM

In the hopes that the attacker might honor his ransom, we transferred the Bitcoin.

But as I expected, no response.

Thus I strongly advise against sending any payments to this attacker.

 

I am saddened to find out that this has affected others, but it is good that we will be able to share information.



#5 jjcmiller

Posted 07 December 2017 - 12:22 PM

I booted off a Windows 10 thumb drive and ran bootrec /fixboot and /fixmbr, rebooted, logged into Windows, and am now scanning with Malwarebytes.



#6 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 07 December 2017 - 12:47 PM

We always recommend not paying the ransom, as an unidentified ransomware may be a hoax. Windows 2003 and 2008 work like XP; unless you have an installation CD to create a bootable device that can help us see the internals of the system, there isn't that much we can do.



#7 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 07 December 2017 - 04:10 PM

Haven't seen that screen for a ransomware before. Interesting how it seems like it is interjecting the original Dell boot screen, as the copyright and such is still seen between the ransom text.

 

Are any files actually encrypted, can they be opened fine? If you find any suspicious files, or can obtain a copy of the infected MBR, please submit that here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#8 helpwithransomware (Topic Starter)

Posted 07 December 2017 - 04:43 PM

I have not been able to look in the computer drive at all, due to not being able to get past the boot screen/ransom screen.

As uploading an encrypted file is a method of investigating further, I am led to believe there is a way to look into the computer drive contents despite the ransom screen blocking boot up.

But I do not have any experience doing so.

 

I have a Windows 10 reinstallation disk that I was able to boot from, but out of fear of doing something irreversible, I did not proceed.


Edited by helpwithransomware, 07 December 2017 - 04:43 PM.


#9 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 07 December 2017 - 05:41 PM

"I have a windows 10 reinstallation disk that I was able to boot from, but out of fear of doing something irreversible, I did not proceed."

Let me consult the developer of FRST about that. Is that CD version 32-bit or 64-bit?




#10 helpwithransomware (Topic Starter)

Posted 07 December 2017 - 05:46 PM

It is a 64-bit Windows 10 reinstallation CD.

The other issue I'm unsure about is OS authentication.

From what I understand, reinstallation CDs work because the product key is somehow hardwired into the computer.

In my case, I have a completely different OS, so I don't see how I could be allowed to successfully install Windows 10 without a product key.

 

Edit: To further clarify, the Windows 10 reinstallation CD I have came from machines that came preloaded with Windows 7 Pro 64-bit.

Because of this, I do not have a Windows 10 product key. But maybe I am wrong? Is it possible that my product keys that came with the machine will also work for the Windows 10 installation?


Edited by helpwithransomware, 07 December 2017 - 05:51 PM.


#11 sharebc

Posted 07 December 2017 - 06:50 PM

Got a call from a client with this as well this morning. Theirs is also a Server 2003 (albeit virtualized). I will be going on-site tomorrow.

 

Am I understanding correctly that jjcmiller fixed the MBR with a Win10 Installation disk to get his system bootable?  Would that same process work on Server 2003?  If I booted from the Server 2003 disks or recovery disk, could this operation be successful?  

 

I will be copying the .vmdk files from the datastore before I attempt anything and can attempt to mount the disk copies (in my case, they had 3 .vmdks for this server) on a different VM to tell if the files are actually encrypted.  If they are not, I'll report back and possibly be able to upload the MBR from the C:\ .vmdk for analysis.

 

Any additional information, help, tips are appreciated and I will monitor this thread.  Thanks in advance to everyone who contributes.  I hate this stuff.
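The two open questions at this point in the thread are whether the files on the copied disks are actually encrypted and what the suspect MBR looks like next to a known-good one. The following is an added Python example, written for this page and not posted by anyone in the thread, for working on a raw copy of the disk offline: it parses the first sector's partition table and boot signature, reports when only the 446-byte boot-code area differs from a reference MBR (the case a boot-code rewrite repairs), and uses byte entropy to tell ciphertext from ordinary database or document content. The sample MBR, the "database export" and the high-entropy sample are all constructed inline for the demonstration.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
BOOT_SIG = b"\x55\xaa"

def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, non-empty partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i                       # partition table starts at byte 446
        status, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype:                                # type 0x00 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": bytes(sector[:446]), "partitions": parts, "sig_ok": bytes(sector[510:]) == BOOT_SIG}

def boot_code_replaced(suspect, reference):
    """True when only the boot-code area differs from a known-good MBR while the partition
    table is intact; that is the situation a boot-code rewrite (what bootrec /fixmbr does) repairs."""
    s, r = parse_mbr(suspect), parse_mbr(reference)
    return s["boot_code"] != r["boot_code"] and s["partitions"] == r["partitions"]

def shannon_entropy(data):
    """Bits of entropy per byte, from 0.0 to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(data, threshold=7.5):
    """Encrypted (or compressed) content sits near 8 bits/byte; databases and documents sit far lower."""
    return shannon_entropy(data) >= threshold

# ---- constructed sample data for the demonstration, not taken from any real disk ----
def sample_mbr(overwritten=False):
    sec = bytearray(SECTOR)
    sec[:3] = b"\xeb\x63\x90"                    # stand-in for genuine boot code
    # one bootable NTFS (0x07) partition at LBA 63, 41943040 sectors (about 20 GB)
    struct.pack_into("<B3sB3sII", sec, 446, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 41943040)
    sec[510:] = BOOT_SIG
    if overwritten:
        sec[:446] = b"\x90" * 446                # boot code swapped out, partition table untouched
    return bytes(sec)

PLAIN_DB = b"CustomerID,Name,Balance\r\n1001,Acme Corp,1250.00\r\n" * 200          # ordinary data export
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # stands in for ciphertext

if __name__ == "__main__":
    print("suspect MBR has only boot code replaced:", boot_code_replaced(sample_mbr(True), sample_mbr()))
    print("plain export looks encrypted:", looks_encrypted(PLAIN_DB))
    print("high-entropy sample looks encrypted:", looks_encrypted(HIGH_ENTROPY))
```

Feed it the first 512 bytes of a raw image made from the copied .vmdk plus a few sample files from the mounted copy; work only on the copies, never the originals.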



#12 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 07 December 2017 - 06:56 PM

Don't run commands that may hurt your computer. Server 2003 is like XP. It only has a Recovery Console, not an environment like Windows 10. I don't know if booting to a command prompt with a Windows 10 CD and running FRST from a USB flash drive would produce a scan report or hurt your computer. I am waiting for an answer.




#13 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 07 December 2017 - 07:25 PM

XP was before bootrec was a thing, that started with the Vista-era kernel. The XP/Server '03 equivalent is apparently bootcfg in the Windows Recovery Environment (aka Win RE), which just messes with boot.ini. Looks like it's basically the same commands, but you have to have a Server '03 disc around.

 

https://neosmart.net/wiki/bootcfg/

 

I've never messed with the command myself (only used bootrec a lot with Vista+), so proceed with caution and only do it on a backup of the virtual hard disk.




#14 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 08 December 2017 - 01:21 PM

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

To enter System Recovery Options from the Advanced Boot Options:

  • Boot with the Windows 10 CD and reach the Command Prompt.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • Troubleshooting -> Advanced Options -> Command prompt
  • Select Command Prompt

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

 




#15 helpwithransomware (Topic Starter)

Posted 08 December 2017 - 03:28 PM

Some good news:

 

We have established that this is not an encrypting ransomware. Which means, ***DO NOT PAY THE RANSOM***

Likely it has only corrupted the MBR, but we will know more after further investigation.

 

We were able to recover our database files through cmd after booting from a Windows 10 Pro 64-bit reinstallation CD.

 

I will update with exact details of the process soon (maybe in a few days) as well as a FRST scan report.


Edited by helpwithransomware, 08 December 2017 - 03:29 PM.




