Solved

Server hack (ransom ware)

Posted on 2016-07-29
57 Views
Last Modified: 2016-08-22
I have attached a photo of a server, is there a way to know which ransomware it is infected with? And if someone knows a way to recover the server. Thanks.
server-hack.jpg
0
Question by:ctupr
11 Comments
 
LVL 13

Expert Comment

by:Wayne88
ID: 41734987
Is that what you get when you boot up the computer? If so, not a lot you can do. Do you have a daily backup of the server?

Last resort, you can attach each hard drive to another computer equipped with Malwarebytes, then scan each one. Let MB detect and fix the problem. Of course it goes without saying that you do this on a test machine so you won't have to worry about the malware spreading.
0
 

Author Comment

by:ctupr
ID: 41735003
I have already tried that, the external backup HD and the internal HDs are not recognized in any kind of PC (Windows, Mac and Linux); every time I put one of those in another PC I get the message to format the drive. This is similar to the Petya ransomware in some ways but I cannot figure out which one it is. Still thanks for your comment.
0
 
LVL 87

Expert Comment

by:rindi
ID: 41735015
Just start your RAID controller's utility and remove the disks from the array. Then create new arrays and restore your system from your backups. There is no point in trying to find out what has encrypted your system, you wouldn't be able to do anything about it when you knew that anyway.
0
 

Author Comment

by:ctupr
ID: 41735018
There are no backups, the only backup was on the external drive, which seems to be encrypted in a similar way. This is a new client, they did not have any real IT assistance. Still, if someone has seen this before and has been able to identify the name of the ransomware it will be very helpful. Thanks.
0
 
LVL 87

Assisted Solution

by:rindi
rindi earned 125 total points (awarded by participants)
ID: 41735060
There is nothing in there apart from an email. With that info you can't tell what it was that encrypted the system.

If there are no backups you will have to set up the OS from scratch, as well as the data.
0
 

Author Comment

by:ctupr
ID: 41735082
Well I will wait to see if anyone else has seen this before and has any solution. Thanks for your answers.
0
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 125 total points (awarded by participants)
ID: 41735105
You can ID the variant only if you can upload either a file or the ransom note. Check out these two sites:

https://id-ransomware.malwarehunterteam.com/
https://www.nomoreransom.org/

I have an extensive collection of links about ransomware on my site:

http://thomaszuckerscharff.com

and a list of variants and links to information about them at:

http://thomaszuckerscharff.com/ransomware-citation-library-from-zotero/alphabetical-list-of-malware-variants/
1
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41735412
I highly suspect it is Petya ransomware or its recent variant, as they are the main culprit that does the HDD encryption. ID Ransomware online is good, but you do not have access to your encrypted files now, so it is hard to upload a sample. I do suggest recovering data from your backup instead of paying the ransom after contacting that disposable email contact of the cybercriminal.

See also this

It is important to note that there is a lot of bad information on the web about how to fix your computer when it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command or repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT and thus your files and Windows will still be inaccessible. Only repair the MBR if you do not care about any lost data and want to reinstall Windows.
http://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-and-encrypts-your-hard-drive-instead/

As already stated, there is currently no way to decrypt your drive for free at this time. Researchers are analyzing this ransomware, though, so it may be possible in the future. But I also recently saw the below on a possible way to decrypt, though I cannot be sure it applies to your case... Ransomware variants are really evolving fast.

The actual contents of the user's files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. Using data recovery tools to reconstruct files might be possible, but it is not guaranteed to work perfectly and would be time-consuming.

Fortunately, resorting to that method is no longer necessary, and neither is paying Petya's authors. Someone using the online handle leostone devised an algorithm to crack the key needed to restore the MFT and recover from a Petya infection.

Computer experts from the popular tech support forum BleepingComputer.com confirmed that the technique works, but it requires extracting some data from an affected hard drive: 512 bytes starting at sector 55 (0x37h) with an offset of 0 and an 8-byte nonce from sector 54 (0x36) offset 33 (0x21).
http://www.bleepingcomputer.com/news/security/petya-ransomwares-encryption-defeated-and-password-generator-released/
Another suggested move to simplify... Hopefully it helps.
However, because the infected computer can no longer boot into Windows, using the tool requires taking out the affected hard drive and connecting it to a different computer where the tool can run. An external, USB-based hard drive docking station can be used.

The data extracted by the tool must be inputted into a Web application created by leostone that will use it to crack the key. The user must then put the affected hard drive back into the original computer, boot from it, and input the key on the ransom screen displayed by Petya.
The link to the tool that is online:

https://petya-pay-no-ransom.herokuapp.com
2
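The post above quotes two exact byte ranges that the recovery method needs from the affected drive: 512 bytes at sector 55 (0x37) and an 8-byte nonce at sector 54 (0x36), offset 33 (0x21). The following script is an added example and is not code from this thread, from leostone's web application or from BleepingComputer's write-up: it reads those two ranges out of a raw disk image opened read-only, hex-encodes them and hashes them so they can be recorded in case notes. The sector offsets are the ones quoted in the post; the sample image, the function names and the report format are my own constructions, and the script does not check whether the image really carries the Petya boot code.

```python
import hashlib
import io

SECTOR_SIZE = 512
DATA_SECTOR = 55      # 0x37: the 512-byte block quoted in the post
NONCE_SECTOR = 54     # 0x36
NONCE_OFFSET = 33     # 0x21 within sector 54
NONCE_LEN = 8


def extract_petya_material(stream):
    """Read the two byte ranges from a seekable binary stream (a raw disk
    image opened read-only, or an in-memory BytesIO).
    Returns (data_sector, nonce) as bytes."""
    stream.seek(DATA_SECTOR * SECTOR_SIZE)
    data = stream.read(SECTOR_SIZE)
    stream.seek(NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET)
    nonce = stream.read(NONCE_LEN)
    # A short read means the image does not even reach sector 55; refuse
    # rather than hand back truncated material.
    if len(data) != SECTOR_SIZE or len(nonce) != NONCE_LEN:
        raise ValueError("image is too short to contain sectors 54 and 55")
    return data, nonce


def extract_from_bytes(image):
    """Convenience wrapper for an image already held in memory."""
    return extract_petya_material(io.BytesIO(image))


def extract_from_image_file(path):
    # Open read-only so the analysis never writes to the evidence image.
    with open(path, "rb") as f:
        return extract_petya_material(f)


def material_report(data, nonce):
    """Hex-encode the extracted material and hash the sector so the values
    can be written into case notes and compared across copies of the image."""
    return {
        "sector55_hex": data.hex(),
        "nonce_hex": nonce.hex(),
        "sector55_sha256": hashlib.sha256(data).hexdigest(),
    }


def build_constructed_image(num_sectors=64):
    """Constructed sample image (NOT a real infected disk): zero-filled
    sectors with recognisable filler placed exactly where the extractor looks."""
    img = bytearray(num_sectors * SECTOR_SIZE)
    start = DATA_SECTOR * SECTOR_SIZE
    img[start:start + SECTOR_SIZE] = bytes(range(256)) * 2
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[start:start + NONCE_LEN] = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    return bytes(img)


if __name__ == "__main__":
    sample = build_constructed_image()
    d, n = extract_from_bytes(sample)
    print(material_report(d, n))
```

Run it against a sector-exact image of the drive (or the cloned drive itself, opened read-only) rather than the original disk; the hex strings are what you would carry over to whatever recovery tool you decide to trust, and the hash lets you confirm later that the material came from the same image.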
 

Author Comment

by:ctupr
ID: 41735967
The Petya app is not able to see the disk. Since there is no backup I'm still looking for anything that would help.
0
 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41736130
The disk MBR is encrypted and the preboot sector of the HDD is replaced to show the message. As I posted, there is a Petya decryption tool - see this; you need another machine and to plug the encrypted HDD into it for analysis.
Once you have the encrypted drive attached to a working computer, simply download Fabian Wosar's Petya Sector Extractor and save it to your desktop. Once saved, extract it and execute the PetyaExtractor.exe program. Once the program starts it will scan all of the removable and fixed drives on your computer for ones that contain the Petya Ransomware bootcode.  When it detects the drive, it will automatically select it and display a screen...
http://www.bleepingcomputer.com/news/security/petya-ransomwares-encryption-defeated-and-password-generator-released/
No guarantee it is Petya, but worth the try if you are going to do it manually. I do suggest you make a clone and work on the clone. Regardless, note that Petya also has a companion that does file encryption... I will not be surprised if the HDD is decrypted and boots into the OS...
0
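The accepted solution's advice to clone the drive and work on the clone is the one step that protects the only remaining copy of the client's data. The script below is an added example, not from this thread or from any of the tools it names: it images a drive sector by sector with dd, refuses to overwrite an existing image, and verifies the copy by hash before any recovery attempt touches it. The device path and output location are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: image a suspect drive and verify the
# copy before attempting any decryption on it. SRC/DST below are placeholders.

# Print the SHA-256 of a file, using whichever tool the host provides.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Copy SRC to DST sector by sector. bs=512 keeps the copy sector-aligned;
# conv=noerror,sync zero-fills an unreadable sector instead of dropping it,
# so later offsets (for example sectors 54 and 55) stay where they were.
clone_drive() {
  src="$1"
  dst="$2"
  if [ -e "$dst" ]; then
    echo "refusing to overwrite existing image $dst" >&2
    return 1
  fi
  dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
}

# Compare hashes of source and clone; succeeds only on an exact match.
verify_clone() {
  a=$(hash_file "$1")
  b=$(hash_file "$2")
  [ "$a" = "$b" ]
}

# Write both hashes next to the image for the case notes.
record_hashes() {
  {
    echo "source $(hash_file "$1")"
    echo "clone  $(hash_file "$2")"
  } > "$2.sha256"
}

# Usage on a real system (placeholders):
#   clone_drive /dev/sdX /mnt/evidence/disk.img
#   verify_clone /dev/sdX /mnt/evidence/disk.img && record_hashes /dev/sdX /mnt/evidence/disk.img
```

Work only on the image (or on a second clone made from it) from then on; if the source drive has bad sectors the hashes will differ, which is itself worth recording before deciding whether a recovery attempt is realistic.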
 
LVL 61

Expert Comment

by:btan
ID: 41760710
The experts have suggested the solution and means, since the HDD is encrypted, as shared. Get the HDD decrypted, then check further on the encrypted files using ID Ransomware or Cyber Sheriff.

Eventual recommendation if the attempt is futile: still establish a clean machine and get data from backup as a last resort.
0
