Hit by ransomware claiming to have encrypted the drives

dental

New member
Hi All,

My friend's Windows 2016 server at her dental office was recently hit by a ransomware claiming to have encrypted the drives using DiskCryptor (version 1.1 was indeed installed). I see that the data drive and an external drive have now become raw, and many files in the C drive have disappeared.

I found out how they got into the server, but that's been plugged, and some Windows components were tampered with, but that's fixed with a Windows 2016 ISO file and DISM/SFC commands. Installed lots of tools to scan for malware, rootkits, and viruses but didn't find any.

According to the articles I found (like https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hddcryptor-mamba-ransomware-returns-to-encrypt-disk-and-network-files), the ransomware is supposed to reboot and encrypt the C drive and pop up a message about how to pay them. Event logs show that the server was indeed rebooted, but the C drive seems to be OK.

I used Resource Hacker to look into the DLL files in the DiskCryptor 1.1 installation directory, but did not find the ransom message or anything out of the ordinary like the article above says.

Several questions:
1. Might be off topic... what is the best way to set up a recovery for the Windows system in case we would be hit by the ransom message? For instance, what is the best way to check if they inserted something into the MBR? I can use HDHacker to back up the boot sector and MBR, but if it's already been changed then there's no point.
2. Is there a way to check if the C drive has been fully encrypted, partially encrypted, or not encrypted at all?
3. The Intel TPM service is failing to start. Would that be something related? BITS also stops automatically if I try to start the service.
4. Maybe the best way forward is to examine the external drive to see if it's actually encrypted? I'm going to copy the DiskCryptor 1.1 that they've installed into a sandboxed environment and connect the drive to it.

Thanks!
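Questions 1 and 2 above both come down to inspecting raw sectors, so here is an added example (not part of the original post or of any tool mentioned in it) of the kind of triage script a responder would run against a disk image or raw device: it hashes and decodes the MBR so it can be compared against a stored baseline, and it surveys the volume in fixed-size chunks using Shannon entropy to decide whether it looks unencrypted, partially encrypted or fully encrypted. The device path, chunk size and entropy thresholds are assumptions, not values from the post.

```python
"""Sector-level triage for a suspected full-disk-encryption incident (constructed example)."""
import hashlib
import math
from collections import Counter

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid legacy MBR


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for random/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_chunk(data: bytes, high: float = 7.5, low: float = 6.5) -> str:
    """Thresholds are assumptions; compressed media (zip, jpeg, video) also scores 'encrypted-like'."""
    e = shannon_entropy(data)
    if e >= high:
        return "encrypted-like"
    if e <= low:
        return "plaintext-like"
    return "ambiguous"


def survey(data: bytes, chunk_size: int = 4096) -> dict:
    """Walk the data in chunks and summarise how much of it looks encrypted."""
    counts = Counter(classify_chunk(data[i:i + chunk_size])
                     for i in range(0, len(data), chunk_size))
    total = sum(counts.values()) or 1
    frac = counts["encrypted-like"] / total
    if frac >= 0.95:
        verdict = "fully encrypted"
    elif frac <= 0.05:
        verdict = "not encrypted"
    else:
        verdict = "partially encrypted"
    return {"chunks": dict(counts), "encrypted_fraction": frac, "verdict": verdict}


def mbr_info(sector: bytes) -> dict:
    """Decode the first sector: boot signature, SHA-256 of the whole sector, and the four partition entries."""
    assert len(sector) == SECTOR
    parts = []
    for k in range(4):                      # partition table starts at offset 446, 16 bytes per entry
        entry = sector[446 + 16 * k: 446 + 16 * (k + 1)]
        if entry[4] == 0:                   # type 0x00 means the slot is unused
            continue
        parts.append({
            "bootable": entry[0] == 0x80,
            "type": entry[4],
            "lba_start": int.from_bytes(entry[8:12], "little"),
            "sectors": int.from_bytes(entry[12:16], "little"),
        })
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "sha256": hashlib.sha256(sector).hexdigest(),
        "partitions": parts,
    }


def mbr_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """Compare a freshly read MBR against a hash saved while the system was known-good."""
    return hashlib.sha256(sector).hexdigest() == baseline_sha256.lower()


def read_prefix(path: str, max_bytes: int) -> bytes:
    """Read the start of a raw image file or device; on Windows a path such as
    r"\\.\PhysicalDrive1" (an assumed example) needs an elevated prompt."""
    with open(path, "rb") as fh:
        return fh.read(max_bytes)


if __name__ == "__main__":
    import sys
    blob = read_prefix(sys.argv[1], 64 * 1024 * 1024)   # first 64 MiB is enough for a first look
    print(mbr_info(blob[:SECTOR]))
    print(survey(blob))
```

Run it against a forensic image of the drive rather than the live disk where possible, and save the MBR hash it prints while the machine is known-good so a later run can be compared with `mbr_matches_baseline`. A "fully encrypted" verdict on a volume that previously held mostly documents is a strong sign the whole-disk encryption ran; a mix of verdicts across chunks points at file-level encryption or an interrupted run.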