Server hack (ransomware)

Posted on 2016-07-29
Medium Priority
Last Modified: 2016-08-22
I have attached a photo of a server. Is there a way to know which ransomware it is infected with? And if someone knows a way to recover the server. Thanks.
Question by:ctupr
LVL 18

Expert Comment

ID: 41734987
Is that what you get when you boot up the computer? If so, there is not a lot you can do. Do you have a daily backup of the server?

As a last resort, you can attach each hard drive to another computer equipped with Malwarebytes and then scan each one. Let MB detect and fix the problem. Of course it goes without saying that you do this on a test machine so you won't have to worry about the malware spreading.

Author Comment

ID: 41735003
I have already tried that; the external backup HD and the internal HDs are not recognized in any kind of PC (Windows, Mac and Linux). Every time I put one of those in another PC I get the message to format the drive. This is similar to the Petya ransomware in some ways, but I cannot figure out which one it is. Still, thanks for your comment.
LVL 88

Expert Comment

ID: 41735015
Just start your RAID controller's utility and remove the disks from the array. Then create new arrays and restore your system from your backups. There is no point in trying to find out what has encrypted your system; you wouldn't be able to do anything about it even when you knew that anyway.
Author Comment

ID: 41735018
There are no backups; the only backup was on the external drive, which seems to be encrypted in a similar way. This is a new client; they did not have any real IT assistance. Still, if someone has seen this before and has been able to identify the name of the ransomware, it will be very helpful. Thanks.
LVL 88

Assisted Solution

rindi earned 500 total points (awarded by participants)
ID: 41735060
There is nothing in there apart from an email. With that info you can't tell what it was that encrypted the system.

If there are no backups you will have to set up the OS from scratch, as well as the data.

Author Comment

ID: 41735082
Well I will wait to see if anyone else has seen this before and has any solution. Thanks for your answers.
LVL 30

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 500 total points (awarded by participants)
ID: 41735105
You can ID the variant only if you can upload either a file or the ransom note. Check out these two sites:


I have an extensive collection of links about ransomware on my site:


and a list of variants and links to information about them at:

LVL 65

Assisted Solution

btan earned 1000 total points (awarded by participants)
ID: 41735412
I highly suspect it is Petya ransomware or its recent variant, as they are the main culprits that do the HDD encryption. The idransom online tool is good, but you do not have access to your encrypted files now, so it is hard to upload a sample. I do suggest recovering data from your backup instead of paying the ransom after contacting that disposable email contact of the cybercriminal.

See also this

It is important to note that there is a lot of bad information on the web about how to fix your computer when it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command or repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT, and thus your files and Windows will still be inaccessible. Only repair the MBR if you do not care about any lost data and want to reinstall Windows.

As already stated, there is currently no way to decrypt your drive for free at this time. Researchers are analyzing this ransomware, though, so it may be possible in the future. But I also saw recently, below, that it may be possible to decrypt, though I cannot be sure it applies to your case... Ransomware variants are really evolving fast.

The actual contents of the user's files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. Using data recovery tools to reconstruct files might be possible, but it is not guaranteed to work perfectly and would be time-consuming.

Fortunately, resorting to that method is no longer necessary, and neither is paying Petya's authors. Someone using the online handle leostone devised an algorithm to crack the key needed to restore the MFT and recover from a Petya infection.

Computer experts from the popular tech support forum BleepingComputer.com confirmed that the technique works, but it requires extracting some data from an affected hard drive: 512 bytes starting at sector 55 (0x37h) with an offset of 0 and an 8-byte nonce from sector 54 (0x36) offset 33 (0x21).
Another suggested move to simplify. Hopefully it helps.
However, because the infected computer can no longer boot into Windows, using the tool requires taking out the affected hard drive and connecting it to a different computer where the tool can run. An external, USB-based hard drive docking station can be used.

The data extracted by the tool must be inputted into a Web application created by leostone that will use it to crack the key. The user must then put the affected hard drive back into the original computer, boot from it, and input the key on the ransom screen displayed by Petya.
The link to the tool, which is online:
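As an added illustration of the extraction step the quoted paragraphs describe (this is not code from the thread and not Fabian Wosar's Petya Sector Extractor, which is the tool the thread actually points to), the following Python script reads the two regions named above from a raw disk image: 512 bytes at sector 55 (0x37) offset 0, and the 8-byte nonce at sector 54 (0x36) offset 33 (0x21). It assumes 512-byte sectors and a raw image file of the drive (for example one taken from the clone a later comment recommends making) rather than the live disk; the base64 output format, the file names and the constructed sample image with marker bytes are assumptions, and the script only extracts data, it does not crack the key.

```python
import base64
import os
import tempfile

# Sector layout as quoted in the thread (assumes 512-byte sectors):
SECTOR_SIZE = 512
VERIFY_SECTOR = 55   # 0x37: 512 bytes of verification data at offset 0
NONCE_SECTOR = 54    # 0x36: the 8-byte nonce lives in this sector ...
NONCE_OFFSET = 33    # 0x21: ... at this byte offset within it
NONCE_LEN = 8
MIN_SECTORS = VERIFY_SECTOR + 1


def extract_petya_data(image_path):
    """Return (verification_block, nonce) read from a raw disk image.

    The image is opened read-only; nothing is written to it, so the
    evidence copy stays intact if the attempt does not work out.
    """
    size = os.path.getsize(image_path)
    if size < MIN_SECTORS * SECTOR_SIZE:
        raise ValueError(
            f"image has {size} bytes, need at least {MIN_SECTORS} sectors "
            f"({MIN_SECTORS * SECTOR_SIZE} bytes) to reach sector {VERIFY_SECTOR}"
        )
    with open(image_path, "rb") as fh:
        fh.seek(VERIFY_SECTOR * SECTOR_SIZE)
        verify = fh.read(SECTOR_SIZE)
        fh.seek(NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET)
        nonce = fh.read(NONCE_LEN)
    return verify, nonce


def encode_for_submission(verify, nonce):
    """Base64-encode both blobs so they can be pasted as text (assumed format,
    not necessarily what the web application mentioned in the thread expects)."""
    return (base64.b64encode(verify).decode("ascii"),
            base64.b64encode(nonce).decode("ascii"))


def build_sample_image(path):
    """Write a constructed 64-sector image with marker bytes at the offsets above.

    This is NOT real Petya boot code or ciphertext; it only exercises the
    sector arithmetic so the script can be run offline.
    """
    img = bytearray(64 * SECTOR_SIZE)
    start = VERIFY_SECTOR * SECTOR_SIZE
    img[start:start + SECTOR_SIZE] = bytes(range(256)) * 2
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[start:start + NONCE_LEN] = b"NONCE_42"
    with open(path, "wb") as fh:
        fh.write(img)
    return path


def demo():
    """Build the constructed image in a temp dir, extract from it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        image = build_sample_image(os.path.join(tmp, "sample.img"))
        verify, nonce = extract_petya_data(image)
    return verify, nonce


if __name__ == "__main__":
    v, n = demo()
    v64, n64 = encode_for_submission(v, n)
    print("verification block (base64):", v64[:40], "...")
    print("nonce (base64):", n64)
```

On a real case you would point `extract_petya_data` at a raw image made from the cloned drive (for instance with `dd`) instead of the constructed sample, and the two base64 strings are what you then hand to whatever key-recovery step you use. If the drive uses 4096-byte physical sectors, or the image is a partition rather than the whole disk, the offsets above no longer point at the right bytes, which is one reason the dedicated extractor scans for the boot code instead of trusting fixed offsets.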


Author Comment

ID: 41735967
The Petya app is not able to see the disk. Since there is no backup I'm still looking for anything that would help.
LVL 65

Accepted Solution

btan earned 1000 total points (awarded by participants)
ID: 41736130
The disk MBR is encrypted and the preboot sector of the HDD is replaced to show the message. As I posted, there is a Petya decryption tool - see this - and you need another machine; plug the encrypted HDD into it for analysis.
Once you have the encrypted drive attached to a working computer, simply download Fabian Wosar's Petya Sector Extractor and save it to your desktop. Once saved, extract it and execute the PetyaExtractor.exe program. Once the program starts it will scan all of the removable and fixed drives on your computer for ones that contain the Petya Ransomware bootcode.  When it detects the drive, it will automatically select it and display a screen...
No guarantee it is Petya, but it is worth a try if you are going to do it manually. I do suggest you make a clone and work on the clone. Regardless, note that Petya also has a companion that does file encryption... I will not be surprised if the HDD is decrypted and boots into the OS...
LVL 65

Expert Comment

ID: 41760710
The experts have suggested the solution and means, since the HDD is encrypted as shared. Get the HDD decrypted, then check further on the encrypted files using idransom or Cyber Sheriff.

Eventually, the recommendation if the attempt is futile: continue to establish a clean machine and get data from backup as a last resort.
