Server hack (ransomware)

I have attached a photo of a server. Is there a way to know which ransomware it is infected with? And if someone knows a way to recover the server. Thanks.

btan (Exec Consultant) commented:
The disk MBR is encrypted and the preboot sector of the HDD is replaced to show the message. As I posted, there is a Petya decryption tool - see this; you need another machine and plug the encrypted HDD into it for analysis:

Once you have the encrypted drive attached to a working computer, simply download Fabian Wosar's Petya Sector Extractor and save it to your desktop. Once saved, extract it and execute the PetyaExtractor.exe program. Once the program starts it will scan all of the removable and fixed drives on your computer for ones that contain the Petya Ransomware bootcode. When it detects the drive, it will automatically select it and display a screen...

No guarantee it may be Petya, and worth the try if you are going to do it manually. I do suggest you make a clone and work on the clone. Regardless, note that Petya also has a companion that does file encryption... I will not be surprised if the HDD is decrypted and boots into the OS ...
Is that what you get when you boot up the computer? If so, there is not a lot you can do. Do you have a daily backup of the server?

As a last resort, you can attach each hard drive to another computer equipped with Malwarebytes, then scan each one. Let MB detect and fix the problem. Of course it goes without saying that you do this on a test machine so you won't have to worry about the malware spreading.

ctupr (Author) commented:
I have already tried that; the external backup HD and the internal HDs are not recognized in any kind of PC (Windows, Mac and Linux). Every time I put one of those in another PC I get the message to format the drive. This is similar to the Petya ransomware in some ways, but I cannot figure out which one it is. Still, thanks for your comment.
Just start your RAID controller's utility and remove the disks from the array. Then create new arrays and restore your system from your backups. There is no point in trying to find out what has encrypted your system, you wouldn't be able to do anything about it when you knew that anyway.
ctupr (Author) commented:
There are no backups; the only backup was on the external drive, which seems to be encrypted in a similar way. This is a new client; they did not have any real IT assistance. Still, if someone has seen this before and has been able to identify the name of the ransomware, it would be very helpful. Thanks.

rindi commented:
There is nothing in there apart from an email. With that info you can't tell what it was that encrypted the system.

If there are no backups you will have to set up the OS from scratch, as well as the data.

ctupr (Author) commented:
Well I will wait to see if anyone else has seen this before and has any solution. Thanks for your answers.
Thomas Zucker-Scharff (Systems Analyst) commented:
You can ID the variant only if you can upload either a file or the ransom note. Check out these two sites:

I have an extensive collection of links about ransomware on my site:

and a list of variants and links to information about them at:
btan (Exec Consultant) commented:
I highly suspect it is Petya ransomware or its recent variant, as they are the main culprits that do HDD encryption. The idransom online service is good, but you do not have access to your encrypted files now, so it is hard to upload a sample. I do suggest recovering data from your backup instead of paying the ransom after contacting that disposable email contact of the cybercriminal.

See also this

It is important to note that there is a lot of bad information on the web about how to fix your computer when it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command or repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT, and thus your files and Windows will still be inaccessible. Only repair the MBR if you do not care about any lost data and want to reinstall Windows.

As already stated, there is currently no way to decrypt your drive for free at this time. Researchers are analyzing this ransomware, though, so it may be possible in the future. But I also saw recently, below, that it may be possible to decrypt, though I cannot be sure it applies to your case... Ransomware variants are really evolving fast.

The actual contents of the user's files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. Using data recovery tools to reconstruct files might be possible, but it is not guaranteed to work perfectly and would be time-consuming.

Fortunately, resorting to that method is no longer necessary, and neither is paying Petya's authors. Someone using the online handle leostone devised an algorithm to crack the key needed to restore the MFT and recover from a Petya infection.

Computer experts from the popular tech support forum confirmed that the technique works, but it requires extracting some data from an affected hard drive: 512 bytes starting at sector 55 (0x37h) with an offset of 0 and an 8-byte nonce from sector 54 (0x36) offset 33 (0x21).
Another suggested move to simplify... Hopefully it helps:
However, because the infected computer can no longer boot into Windows, using the tool requires taking out the affected hard drive and connecting it to a different computer where the tool can run. An external, USB-based hard drive docking station can be used.

The data extracted by the tool must be inputted into a Web application created by leostone that will use it to crack the key. The user must then put the affected hard drive back into the original computer, boot from it, and input the key on the ransom screen displayed by Petya.
The link to the tool that is online:

ctupr (Author) commented:
The Petya app is not able to see the disk. Since there is no backup, I'm still looking for anything that would help.

btan (Exec Consultant) commented:
The experts have suggested the solution and means, since the HDD is encrypted as shared. Get the HDD decrypted, then check further on the encrypted files using idransom or cyber sheriff.
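As an added illustration (not code from this thread, from leostone's web application, or from the Petya Sector Extractor), a small Python routine that pulls the two pieces of data the quoted walkthrough names out of a raw image of the affected drive: the 512-byte block at sector 55 (offset 0) and the 8-byte nonce at sector 54, offset 0x21. It assumes 512-byte sectors and is meant to be run against a clone of the drive, as btan advised; the sample image it builds is constructed and carries no real bootcode.

```python
import io
import sys

SECTOR = 512            # assumes 512-byte sectors, as the forum walkthrough does
VERIFY_SECTOR = 55      # 0x37: 512 bytes starting at offset 0
NONCE_SECTOR = 54       # 0x36
NONCE_OFFSET = 0x21     # 33
NONCE_LEN = 8

def read_sector(disk, sector):
    """Read one full sector from a seekable binary file object (image or raw device)."""
    disk.seek(sector * SECTOR)
    data = disk.read(SECTOR)
    if len(data) != SECTOR:
        raise ValueError(f"short read at sector {sector}: got {len(data)} bytes")
    return data

def extract_petya_material(disk):
    """Return (verification_block, nonce) as bytes.

    The 0x55AA check only confirms the image starts with a boot sector at all
    (wrong device or wrong partition offset is a common mistake); it does not
    identify the ransomware family."""
    mbr = read_sector(disk, 0)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature; wrong device or offset?")
    verification = read_sector(disk, VERIFY_SECTOR)
    nonce = read_sector(disk, NONCE_SECTOR)[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]
    return verification, nonce

def extract_from_bytes(image):
    """Wrapper for an in-memory image; returns hex strings for recording the values."""
    verification, nonce = extract_petya_material(io.BytesIO(image))
    return {"verification_hex": verification.hex(), "nonce_hex": nonce.hex()}

def constructed_image(nonce=bytes(range(0xA0, 0xA8))):
    """Build a constructed 64-sector image with the two fields in place (not a real sample)."""
    img = bytearray(64 * SECTOR)
    img[510:512] = b"\x55\xaa"                       # boot signature only, no bootcode
    img[VERIFY_SECTOR * SECTOR:(VERIFY_SECTOR + 1) * SECTOR] = bytes(range(256)) * 2
    start = NONCE_SECTOR * SECTOR + NONCE_OFFSET
    img[start:start + NONCE_LEN] = nonce
    return bytes(img)

if __name__ == "__main__":
    # Usage: python extract.py /path/to/clone.img   (work on a clone, never the original)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as disk:
            v, n = extract_petya_material(disk)
        print("verification:", v.hex())
        print("nonce:", n.hex())
    else:
        print(extract_from_bytes(constructed_image()))
```

On Linux the clone can be an `dd` image file or the attached drive's block device opened read-only; the hex values are what you would carry over to the key-recovery step.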

Eventually, the recommendation if the attempt is futile is to continue to establish a clean machine and get data from backup as a last resort.