Server hack (ransom ware)

Posted on 2016-07-29
Last Modified: 2016-08-22
I have attached a photo of a server. Is there a way to know which ransomware it is infected with? And if someone knows a way to recover the server. Thanks.
Question by:ctupr
LVL 14

Expert Comment

ID: 41734987
Is that what you get when you boot up the computer? If so, not a lot you can do. Do you have a daily backup of the server?

Last resort, you can attach each hard drive to another computer equipped with Malwarebytes, then scan each one. Let MB detect and fix the problem. Of course it goes without saying that you do this on a test machine so you won't have to worry about the malware spreading.

Author Comment

ID: 41735003
I have already tried that. The external backup HD and the internal HDs are not recognized in any kind of PC (Windows, Mac and Linux); every time I put one of those in another PC I get the message to format the drive. This is similar to the Petya ransomware in some ways but I cannot figure out which one it is. Still, thanks for your comment.
LVL 88

Expert Comment

ID: 41735015
Just start your RAID controller's utility and remove the disks from the array. Then create new arrays and restore your system from your backups. There is no point in trying to find out what has encrypted your system; you wouldn't be able to do anything about it even if you knew that anyway.

Author Comment

ID: 41735018
There are no backups; the only backup was on the external drive, which seems to be encrypted in a similar way. This is a new client, they did not have any real IT assistance. Still, if someone has seen this before and has been able to identify the name of the ransomware it will be very helpful. Thanks.
LVL 88

Assisted Solution

rindi earned 125 total points (awarded by participants)
ID: 41735060
There is nothing in there apart from an email. With that info you can't tell what it was that encrypted the system.

If there are no backups you will have to set up the OS from scratch, as well as the data.

Author Comment

ID: 41735082
Well I will wait to see if anyone else has seen this before and has any solution. Thanks for your answers.
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 125 total points (awarded by participants)
ID: 41735105
You can ID the variant only if you can upload either a file or the ransom note. Check out these two sites:

I have an extensive collection of links about ransomware on my site:

and a list of variants and links to information about them at:
LVL 62

Assisted Solution

btan earned 250 total points (awarded by participants)
ID: 41735412
I highly suspect it is Petya ransomware or its recent variant, as they are the main culprits that do the HDD encryption. The ID Ransomware site online is good, but you do not have access to your encrypted files now, so it is hard to upload a sample. I do suggest recovering data from your backup instead of paying the ransom after contacting that disposable email contact of the cybercriminal.

See also this

It is important to note that there is a lot of bad information on the web about how to fix your computer when it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command or repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT, and thus your files and Windows will still be inaccessible. Only repair the MBR if you do not care about any lost data and want to reinstall Windows.

As already stated, there is currently no way to decrypt your drive for free at this time. Researchers are analyzing this ransomware, though, so it may be possible in the future. But I also saw recently, below, that it may be possible to decrypt, though I cannot be sure it applies to your case... Ransomware variants are really evolving fast.

The actual contents of the user's files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. Using data recovery tools to reconstruct files might be possible, but it is not guaranteed to work perfectly and would be time-consuming.

Fortunately, resorting to that method is no longer necessary, and neither is paying Petya's authors. Someone using the online handle leostone devised an algorithm to crack the key needed to restore the MFT and recover from a Petya infection.

Computer experts from the popular tech support forum confirmed that the technique works, but it requires extracting some data from an affected hard drive: 512 bytes starting at sector 55 (0x37) with an offset of 0, and an 8-byte nonce from sector 54 (0x36) at offset 33 (0x21).

Another suggested move to simplify... Hopefully it helps.
However, because the infected computer can no longer boot into Windows, using the tool requires taking out the affected hard drive and connecting it to a different computer where the tool can run. An external, USB-based hard drive docking station can be used.

The data extracted by the tool must be input into a Web application created by leostone that will use it to crack the key. The user must then put the affected hard drive back into the original computer, boot from it, and input the key on the ransom screen displayed by Petya.

The link of the tool that is online:

Author Comment

ID: 41735967
The Petya app is not able to see the disk. Since there is no backup I'm still looking for anything that would help.
LVL 62

Accepted Solution

btan earned 250 total points (awarded by participants)
ID: 41736130
The disk MBR is encrypted and the preboot sector of the HDD is replaced to show the message. As I posted, there is a Petya decryption tool (see this); you need another machine and to plug the encrypted HDD into it for analysis.

Once you have the encrypted drive attached to a working computer, simply download Fabian Wosar's Petya Sector Extractor and save it to your desktop. Once saved, extract it and execute the PetyaExtractor.exe program. Once the program starts it will scan all of the removable and fixed drives on your computer for ones that contain the Petya Ransomware bootcode. When it detects the drive, it will automatically select it and display a screen...

No guarantee it is Petya, but it is worth the try if you are going to do it manually. I do suggest you make a clone and work on the clone. Regardless, note that Petya also has a companion that does file encryption... I will not be surprised if the HDD is decrypted and boots into the OS...
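The two regions described above (512 bytes at sector 55 offset 0, and the 8-byte nonce at sector 54 offset 33) can be pulled from a raw image of the cloned drive rather than the live disk, which matches the "clone and work on the clone" advice. The following is an added example, not leostone's or Fabian Wosar's tool; it assumes 512-byte sectors, checks only the generic MBR boot signature (it has no Petya-specific bootcode signature), and assumes base64 as the transport encoding for the web form.

```python
import base64

SECTOR = 512  # assumption: 512-byte sectors, as the thread's sector/offset numbers imply

# Locations quoted in the thread for leostone's key-cracking method
VERIFY_SECTOR, VERIFY_OFFSET, VERIFY_LEN = 55, 0, 512
NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN = 54, 33, 8


def read_region(image: bytes, sector: int, offset: int, length: int) -> bytes:
    """Return `length` bytes starting `offset` bytes into `sector` of a raw disk image."""
    start = sector * SECTOR + offset
    end = start + length
    if end > len(image):
        raise ValueError(f"image too small: need {end} bytes, have {len(image)}")
    return image[start:end]


def extract_petya_fields(image: bytes) -> dict:
    """Extract the verification block and nonce from a raw image of the affected disk.

    Returns both the raw bytes and base64 strings (assumed encoding for the web app).
    Raises ValueError if the image lacks an MBR boot signature or is too short.
    """
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at offset 510; not a bootable disk image")
    verify = read_region(image, VERIFY_SECTOR, VERIFY_OFFSET, VERIFY_LEN)
    nonce = read_region(image, NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN)
    return {
        "verification": verify,
        "nonce": nonce,
        "verification_b64": base64.b64encode(verify).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def build_sample_image() -> bytes:
    """Constructed 64-sector image with a boot signature and marker bytes at the two locations."""
    img = bytearray(64 * SECTOR)
    img[510:512] = b"\x55\xaa"
    n = NONCE_SECTOR * SECTOR + NONCE_OFFSET
    img[n:n + NONCE_LEN] = b"NONCE123"
    v = VERIFY_SECTOR * SECTOR + VERIFY_OFFSET
    img[v:v + VERIFY_LEN] = bytes(range(256)) * 2
    return bytes(img)


if __name__ == "__main__":
    # Real use: open("/path/to/clone.img", "rb").read() instead of the constructed sample
    fields = extract_petya_fields(build_sample_image())
    print("nonce (b64):", fields["nonce_b64"])
    print("verification (b64, first 32 chars):", fields["verification_b64"][:32])
```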
LVL 62

Expert Comment

ID: 41760710
The experts have suggested the solution and means, since the HDD is encrypted as shared. Get the HDD decrypted, then check further on the encrypted files using ID Ransomware or Cyber Sheriff.

Eventually, the recommendation if the attempt is futile is to still establish a clean machine and get data from backup as a last resort.
