MBR ransomware:To decrypt contact password3@scryptmail.com


11 replies to this topic

#1 apitsos


Posted 02 June 2018 - 03:47 AM

Hi there!

On waking up this morning, I realized that two servers and a PC in my office were infected by ransomware. All I had on my screen was a message saying:

To decrypt contact password3@scryptmail.com

enter password: 

From a quick search I did, I found that this is most probably an MBR ransomware, as when I reboot the computer/server I immediately get this message.

Also, by putting a drive in an external USB dock, I see that the main partition of the drive is in RAW format and the System Reserved part remains NTFS.

Do you believe I could have some luck recovering my systems? Any help would be much appreciated.

PS: How can I attach images to this post?





#2 Emmanuel_ADC-Soft


Posted 02 June 2018 - 04:36 AM


Hello,
Please use a link with wetransfer.com to post an image in this post and any interesting file.

You can also use the third-party website of your choice (Dropbox, etc.) and Lightshot.

Emmanuel



#3 apitsos


Posted 02 June 2018 - 05:41 AM

Ok. Here is the screenshot.

[attached screenshot: o6bf5x.jpg]



#4 thyrex


Posted 02 June 2018 - 06:28 AM

Please download http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

Run the program from the command line with the switches -qmbr -qmbr

For example,

c:\tdsskiller.exe -qmbr -qmbr

Find on the system drive the folder named TDSSKiller_Quarantine, pack it into an archive with the password virus, upload it to https://sendspace.com and send the download link


Edited by thyrex, 02 June 2018 - 06:29 AM.

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#5 apitsos


Posted 02 June 2018 - 06:35 AM

Hi thyrex,

 

Thanks a lot for your help. How can I run this from a command line, as I can't even boot this machine? What is your suggestion?


Edited by apitsos, 02 June 2018 - 06:35 AM.


#6 thyrex


Posted 02 June 2018 - 06:43 AM

You wrote

Also, by putting a drive in an external USB dock, I see that the main partition of the drive is in RAW format and the System Reserved part remains NTFS.

So I understand that you plugged your hard drive into another computer. Or am I mistaken?


Edited by thyrex, 02 June 2018 - 06:43 AM.



#7 apitsos


Posted 02 June 2018 - 06:45 AM

Oh, okay... I thought I should do that on the server/PC itself. Let me try now.
 

Hey... thanks a lot! Apologies for my misunderstanding.



#8 apitsos


Posted 02 June 2018 - 06:48 AM

Hi again!

 

That was easy. Here is the file: https://www.sendspace.com/file/mrhwwc

 

It is password protected with the word "virus" as requested.

 

Please note that this is one of the drives of the infected systems. I have more drives and I hope the solution you may find can be applied to all of them... Please let me know if I should do the same for one more drive for comparison.

 

Thanks a lot in advance for your efforts!!!


Edited by apitsos, 02 June 2018 - 06:50 AM.


#9 apitsos


Posted 02 June 2018 - 07:13 AM

I just realized that I didn't include the log text file located in the root of the C drive, so I repacked and uploaded it again. Here is the complete file: https://www.sendspace.com/file/t5tnwa

 

I am so sorry for this mistake. The file is also password protected with the same password mentioned earlier.



#10 thyrex


Posted 02 June 2018 - 08:05 AM

Does not seem to be MBR ransomware.

I think the ransomers used a legitimate program to encrypt your hard drives.


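The distinction thyrex draws above (MBR ransomware versus a volume encrypted with a legitimate tool) turns on whether the MBR is still intact and whether each partition's boot sector is still recognisable: a volume whose first sector no longer carries the NTFS signature is what Windows reports as RAW. The triage script below is an added example, not code from this thread or from TDSSKiller; it parses the MBR of a raw disk image, classifies each partition's first sector as intact NTFS, high-entropy (consistent with encryption) or unknown, and builds a constructed 3-sector image to run against. The 7.0 bits/byte entropy threshold is an assumption.

```python
import hashlib
import struct
from math import log2

SECTOR = 512

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to the 8.0 ceiling."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * log2(c / n) for c in counts if c)

def parse_mbr(mbr: bytes):
    """Return (boot signature present, [(type, start LBA, sector count), ...])."""
    sig_ok = mbr[510:512] == b"\x55\xaa"
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            parts.append((ptype, start, count))
    return sig_ok, parts

def classify_vbr(vbr: bytes) -> str:
    """An intact NTFS volume has OEM ID 'NTFS    ' at offset 3 and 0x55AA at 510.
    Without them Windows shows RAW; high entropy in that sector is consistent with
    the volume having been encrypted rather than merely damaged (threshold assumed)."""
    if vbr[3:11] == b"NTFS    " and vbr[510:512] == b"\x55\xaa":
        return "ntfs"
    return "raw-high-entropy" if shannon_entropy(vbr) > 7.0 else "raw-unknown"

def triage_image(image: bytes) -> dict:
    sig_ok, parts = parse_mbr(image[:SECTOR])
    return {"mbr_signature_ok": sig_ok,
            "partitions": [{"type": t, "lba": s, "state": classify_vbr(image[s * SECTOR:(s + 1) * SECTOR])}
                           for t, s, _ in parts]}

def constructed_image() -> bytes:
    """Constructed image: MBR, System Reserved (NTFS), main volume (encrypted stand-in)."""
    ntfs_vbr = bytearray(SECTOR); ntfs_vbr[0:11] = b"\xeb\x52\x90NTFS    "; ntfs_vbr[510:] = b"\x55\xaa"
    encrypted = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(16))
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 1, 1)
    mbr[462:478] = bytes([0x00, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2, 1)
    mbr[510:] = b"\x55\xaa"
    return bytes(mbr) + bytes(ntfs_vbr) + encrypted
```

Run against a real image with `triage_image(open("disk.img", "rb").read())`; a valid MBR signature together with a RAW, high-entropy main volume is the pattern described in this thread.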


#11 apitsos


Posted 02 June 2018 - 08:12 AM

Any idea of how to find a way to recover my drives?



#12 apitsos


Posted 02 June 2018 - 09:07 AM

The drives are shown as RAW formatted. Does anyone know if there is a way to make them NTFS again and get my data back safely?





