alonig1

AES-NI ransomware on windows server 2008

Does someone have any experience with AES-NI ransomware on Windows Server 2008?

What is the best way to fix it?

(I have online backup)
Adam Brown

Go to http://idransomware.malwarehunterteam.com and upload a copy of one encrypted file and/or the ransom note file. If there's currently a known decrypt app, that will tell you where to get it. If there's no decrypt app, you'll have to restore your files from backup.
alonig1 (ASKER)

link not working.
SOLUTION
Adam Brown

ASKER CERTIFIED SOLUTION
alonig1 (ASKER)

I'm trying to remove it with SpyHunter; everything crashes. It's on the DC.

What can I do?
SOLUTION
alonig1 (ASKER)

I'm trying the sfc command.

I think it only encrypted the data files, not AD and everything.

Do I really need to reinstall everything?
I guess you could try Malwarebytes and see if it kills the encryptor. Then do some extensive testing to see if your forest is corrupted...

It is very poor practice to try and clean a critical server like that, but you can try...

How can you be sure it didn't add other malware?

It probably at a minimum killed your sysvol and group policies.
So was this just a domain controller or were you doing other things with it too?
SOLUTION

SOLUTION
I know my system has 4 domain controllers, across 2 main sites and 4 satellites. None of the domain controllers do anything else, and 2 are virtualized. They DO NOT talk to the outside world except the primary which can reach outside to keep the clock synced. And they are all backed up daily. They don't even get updates from outside, but from an internal WSUS server.

AD is a very critical element and once it breaks bad, you have to start over without good backups.

I also agree with the virtualization recommendation... It is a bit expensive to dedicate a server to just a domain controller, but a virtual server is fairly cheap to do... You can host several virts on a reasonable chassis...
Sufficient advice given
I had problems with this ransomware, and I managed to recover some files with the help of ShadowExplorer and this guide. But all recovered files are very old :(