I am the IT admin for a small network, running a Windows WSE 2012 R2 server. Users came in this morning and found all data files had been encrypted, showing makdonalds@india.com.xtb at the end, and have lost all their file extensions/associations.
I have read the ransomware thread and am posting the txt file attachments here, and certainly appreciate any assistance!
We have good data backups that look to be intact from Friday, and have a system backup from 4/16 that we can restore if need be, just trying to see what other options we have. I am working remote, so anything I can do from here without a site visit would be great.
I will post a reply that contains additional files that were shown listed below.
Looks like user zc was the culprit, he probably just opened an e-mail without looking. This is a totally new variant but it appears to have left the dropper behind with an easy name.
I would like a copy of that if possible. If so, the FRST fix will place a zipped copy on the desktop; could you upload that to a sharing site for me to collect?
Otherwise I am afraid you will need to do a backup restore.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
zip: C:\Windows\System32\Payload_c.exe
CMD: del /F /Q /S "C:\How to decrypt your files.HTML"
CMD: del /F /Q /S "C:\How to decrypt your files.PNG"
CMD: del /F /Q /S "C:\.How to decrypt your files.URL"
CMD: del /F /Q /S "C:\How to decrypt your files.txt"
HKLM\...\Run: [svihvbja] => C:\Windows\System32\Payload_c.exe
IFEO\sethc.exe: [Debugger] cmd
R5 silsvc; <===== ATTENTION: Locked Service
Task: {FE8902EF-CDAD-45A5-9915-F860FAF48B81} - System32\Tasks\Microsoft\Windows\Windows Server Essentials\BPA Scheduled Scan => powershell.exe -EncodedCommand SQBuAHYAbwBrAGUALQBXAHMAcwBCAHAAYQBTAGMAYQBuAA== -NoLogo -NoProfile -NonInteractive
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
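As an added example (not part of the thread and not FRST's own tooling), here is a small Python triage pass over constructed copies of the fixlist lines above. It decodes the task's -EncodedCommand blob (PowerShell takes base64 of UTF-16LE text) so the scheduled task can be judged before anything is deleted, and it calls out the IFEO debugger entry, the Run-key autostart and the locked service for review. Line layout and the function names are my own assumptions.

```python
import base64
import re

# Constructed copies of the FRST fixlist lines from the thread (same values as posted).
FRST_LINES = """\
HKLM\\...\\Run: [svihvbja] => C:\\Windows\\System32\\Payload_c.exe
IFEO\\sethc.exe: [Debugger] cmd
R5 silsvc; <===== ATTENTION: Locked Service
Task: {FE8902EF-CDAD-45A5-9915-F860FAF48B81} - System32\\Tasks\\Microsoft\\Windows\\Windows Server Essentials\\BPA Scheduled Scan => powershell.exe -EncodedCommand SQBuAHYAbwBrAGUALQBXAHMAcwBCAHAAYQBTAGMAYQBuAA== -NoLogo -NoProfile -NonInteractive
""".splitlines()

ENCODED_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
RUN_RE = re.compile(r"HKLM\\\.\.\.\\Run: \[(\w+)\] => (.+)")


def decode_encoded_command(blob: str) -> str:
    """powershell.exe -EncodedCommand carries base64 of the UTF-16LE script text."""
    return base64.b64decode(blob).decode("utf-16-le")


def triage_line(line: str) -> list:
    """Return analyst-readable findings for one FRST line (empty list if nothing notable)."""
    findings = []
    if line.startswith("IFEO\\"):
        # An Image File Execution Options 'Debugger' value makes Windows launch that
        # program instead of the named binary; on sethc.exe it is a known persistence trick.
        findings.append("IFEO debugger entry, review/remove: " + line)
    m = RUN_RE.match(line)
    if m:
        # Every HKLM Run autostart is worth a look; here the value name is random-looking
        # and the target is a dropped executable, which the thread identifies as the payload.
        findings.append(f"Run-key autostart '{m.group(1)}' -> {m.group(2)}")
    if "Locked Service" in line:
        # FRST could not read this service's configuration; treat it as suspicious until checked.
        findings.append("Locked service, verify binary path and owner: " + line.split(";")[0])
    em = ENCODED_RE.search(line)
    if em:
        # Decode rather than guess: this one resolves to a legitimate Server Essentials BPA scan.
        findings.append(f"Encoded PowerShell decodes to {decode_encoded_command(em.group(1))!r}")
    return findings


def triage(lines) -> list:
    """Flatten findings for a whole fixlist / FRST log excerpt."""
    return [f for line in lines for f in triage_line(line)]


if __name__ == "__main__":
    for finding in triage(FRST_LINES):
        print(finding)
```

The decoded task command here is Invoke-WssBpaScan, the built-in Best Practices Analyzer scan, so that line can be left alone while the other three findings are handled.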
First off, thank you for your prompt reply and time. It is greatly appreciated and noted.
I have attached the fixlog.txt file. I am searching for the payload_c.exe file, but it seems they have run a cleanup and forced a restart of the server. I’m looking to see if there are any other remnants I can offer.
I removed the original share, zipped and pw protected the file and reshared. I have sent EssexBoy the pw. If I need to send to others let me know, I don’t want to post it publicly to minimize risk of redistribution.
Guys, I have a similar problem, but my customer files just changed to something like this: AF12A25FB6485E1CBB0ABBF5FC6EF87A.locky
Can I use this same decrypting method?
Thanks,
Fernando
Attached is a screen capture of the email we received from the Hijacker. We have chosen to restore the server system and data from backup, which occurred Friday Night at 8pm, seemingly before the initial exploit of the payload early Saturday morning. I have deleted the odd zc admin account, it looks like it was created from an IE frame java exploit on a user login back around 3/18 and decided now was the time to act for some trigger reason.
I think I have the system clean; is there anything else I should run/rerun to verify?