igeoorge 26, Posted December 15, 2019
Friends, good night. I come to you for help trying to decrypt my server. Today, 14/12, around 17h, all my files, everything inside the server, were encrypted. There is currently a whole year's work in there. I don't know what to do. I already contacted the person who did this by email; she charged me 2 bitcoin. I am from Brazil and unfortunately I do not have 59 thousand reais. Can anybody help me?
SHSPVR 123, Posted December 15, 2019
> Friends, good night. I come to you for help trying to decrypt my server. Today, 14/12, around 17h, all my files, everything inside the server, were encrypted. There is currently a whole year's work in there. I don't know what to do. I already contacted the person who did this by email; she charged me 2 bitcoin. I am from Brazil and unfortunately I do not have 59 thousand reais. Can anybody help me?
Sorry bud, you may as well just wipe and format those hard drives and keep an offline backup. So, what new downloaded software or website were you running before this happened?
tdiguy 99, Posted December 15, 2019
This sort of ransomware is very difficult to remediate; the most obvious solution is to wipe the drive completely and start over from backups. Some older ransomware left the decryption key on the drive, but of course it's encrypted. There is no good solution for this after the fact unless you have a backup. On that note, if you do backups, one thing to be sure to do is to run a manual backup and keep it offline. Oftentimes ransomware like this will encrypt everything connected to the machine, including mapped drives.
igeoorge 26 (Author), Posted December 15, 2019
> Sorry bud, you may as well just wipe and format those hard drives and keep an offline backup. So, what new downloaded software or website were you running before this happened?
Hi. No new programs on the machine, nothing recent. The last thing I installed on it was an executable; its name is rclone. It serves to make sending files to the cloud easier. It is as if the ransomware was already in the machine, but "unconscious". Among the files on the PC there were no unusual programs; all programs were known.
igeoorge 26 (Author), Posted December 15, 2019
> This sort of ransomware is very difficult to fix; the most obvious solution is to wipe the drive completely and start over from backups. Some old ransomware left the decryption key on the drive, but of course it was encrypted. There is no good solution for this after the fact unless you have a backup. On the same note, if you do backups, you should run a manual backup and keep it offline. Often, ransomware like this encrypts everything connected to the machine, including mapped drives.
Hi friend. Unfortunately I have no backup. I tried to do a system restore, but the ransomware deleted all saved restore points. Thank you for the tips. From now on I will be more careful. And indeed, I will leave Windows; I am setting up my server again on Linux. I lost about 18 TB of files, basically a year of downloads.
tdiguy 99, Posted December 15, 2019
> Hi friend. Unfortunately I have no backup. I tried to do a system restore, but the ransomware deleted all saved restore points. Thank you for the tips. From now on I will be more careful. And indeed, I will leave Windows; I am setting up my server again on Linux. I lost about 18 TB of files, basically a year of downloads.
Ouch, that's rough. Unless you are already familiar with other flavors of Linux, Ubuntu LTS versions are easy to work with and have a good deal of community support.
Jdiesel 1431, Posted December 15, 2019
Sorry to hear about your situation. There is not much you can do about it other than using it as a learning experience. Things you can do to minimize the chance in the future are, obviously, to back up important files offsite using a snapshot system. This way, if your files do get encrypted, older unencrypted versions won't be overwritten during a scheduled backup. For files that are just too large to back up (media files), you should keep them in a folder and share that is read-only. This means that you will have to manually log in with an account that has the proper permissions when you need write access, but it will prevent rogue apps from changing files. The big thing is read-only shares: by giving devices on your network write access to your shares, any one of those devices could be compromised and put your data at risk.
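Jdiesel's snapshot advice above, as an added example that is not part of the original thread and not any poster's code: a small Python script (hypothetical names throughout) that stores every backup run as its own read-only snapshot, hard-links files unchanged since the previous snapshot so a complete tree costs only the changed bytes (the rsync --link-dest idea), and refuses to overwrite an existing snapshot, so an encrypted version of a file never replaces the clean one during a scheduled run. The sample data is constructed inline.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def create_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy the tree under `source` into backup_root/<label>.

    Files identical to the newest existing snapshot are hard-linked to it
    instead of copied, so every snapshot is a full tree but only changed
    files use new space. A snapshot is never overwritten: an existing label
    raises, which is what keeps an encrypted copy from replacing the clean
    one. Labels are expected to sort chronologically (e.g. ISO timestamps).
    """
    backup_root.mkdir(parents=True, exist_ok=True)
    existing = sorted(p for p in backup_root.iterdir() if p.is_dir())
    previous = existing[-1] if existing else None
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label!r} exists; snapshots are never overwritten")
    dest.mkdir()

    for src in source.rglob("*"):
        rel = src.relative_to(source)
        target = dest / rel
        if src.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        prev = previous / rel if previous is not None else None
        if prev is not None and prev.is_file() and filecmp.cmp(src, prev, shallow=False):
            os.link(prev, target)      # unchanged since last snapshot: share the inode
        else:
            shutil.copy2(src, target)  # new or changed: store a fresh copy
            os.chmod(target, 0o444)    # read-only, so it is never modified in place
    return dest


def versions_of(backup_root: Path, rel_path: str) -> list:
    """Return (snapshot label, content) for every snapshot holding rel_path,
    oldest first, so an operator can find the last clean version of a file."""
    out = []
    for snap in sorted(p for p in backup_root.iterdir() if p.is_dir()):
        f = snap / rel_path
        if f.is_file():
            out.append((snap.name, f.read_bytes()))
    return out


def run_demo() -> dict:
    """Replay the thread's scenario on constructed data: a clean snapshot,
    a simulated ransomware pass that rewrites one file, a second snapshot.
    Returns what the snapshots hold so the behaviour can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        data, backups = tmp / "data", tmp / "backups"
        data.mkdir()
        (data / "poster.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (data / "notes.txt").write_bytes(b"a year of work")
        create_snapshot(data, backups, "2019-12-14T1600")

        # Simulated ransomware: the file is rewritten with unreadable content.
        (data / "notes.txt").write_bytes(b"ENCRYPTED-BY-RANSOMWARE")
        create_snapshot(data, backups, "2019-12-15T1600")

        poster_s1 = os.stat(backups / "2019-12-14T1600" / "poster.jpg")
        poster_s2 = os.stat(backups / "2019-12-15T1600" / "poster.jpg")
        try:
            create_snapshot(data, backups, "2019-12-15T1600")
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        return {
            "notes_versions": versions_of(backups, "notes.txt"),
            "poster_shared_inode": poster_s1.st_ino == poster_s2.st_ino,
            "overwrite_refused": overwrite_refused,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The read-only bit only helps if the snapshot tree lives somewhere the server cannot write: pull the data from the server onto the backup host rather than letting the server push into a mapped share, because, as tdiguy notes above, ransomware running as an administrator on the server encrypts every mapped drive it can reach and file permissions set on the compromised machine count for nothing.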
igeoorge 26 (Author), Posted December 15, 2019
> Ouch, that's rough. Unless you are already familiar with other flavors of Linux, Ubuntu LTS versions are easy to work with and have a good deal of community support.
I always tried to use Linux, but some program or game would always send me back to Windows. I always admired it; some distributions are really beautiful. I will use CentOS on a VPS. I will not use a local machine anymore.
igeoorge 26 (Author), Posted December 15, 2019
> Sorry to hear about your situation. There is not much you can do about it other than using it as a learning experience. Things you can do to minimize the chance in the future are, obviously, to back up important files offsite using a snapshot system. This way, if your files do get encrypted, older unencrypted versions won't be overwritten during a scheduled backup. For files that are just too large to back up (media files), you should keep them in a folder and share that is read-only. This means that you will have to manually log in with an account that has the proper permissions when you need write access, but it will prevent rogue apps from changing files. The big thing is read-only shares: by giving devices on your network write access to your shares, any one of those devices could be compromised and put your data at risk.
Yes, my bride and I even cried; very sad, a lot of lost work. I will definitely try your tips. Thank you very much.
rwyarbrough 8, Posted December 15, 2019
Are the files REALLY encrypted? I have seen a few of these that really didn't encrypt the files; they just renamed them with a random file name and changed the extension to .enc or something similar. You might also try McAfee, Symantec, or one of the other major anti-virus program manufacturers to see if they can find the ransomware and remove it. I work for McAfee. The free tool "McAfee Ransomware Recover (Mr2)" might help, no guarantees... https://www.mcafee.com/enterprise/en-us/downloads/free-tools/ransomware-decryption.html
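rwyarbrough's question above, whether the files were merely renamed or really encrypted, can be answered from the bytes rather than the name. The following Python is an added example, not code from the thread, from McAfee or from any poster: it recovers the original extension from a renamed file (using the `name.ext.id-XXXX.[mail].bitx` pattern of the sample igeoorge shares later in this thread), checks whether the file still begins with the signature that format requires, and measures header entropy as a secondary signal. The signature table and sample files are constructed for the example.

```python
import math
from pathlib import Path

# File signatures for a few common formats (constructed table; extend as needed).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or compressed data, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def original_extension(name: str):
    """Recover the pre-encryption extension from a renamed file.
    For 'poster.jpg.id-8EF55676.[1btc@qbmail.biz].bitx' the original
    extension is the first dotted part after the base name we recognise."""
    for part in name.lower().split(".")[1:]:
        if part in MAGIC:
            return part
    return None


def classify(name: str, head: bytes) -> str:
    """Classify a file from its renamed filename and its first few KB.

    renamed-only      signature intact: the content was probably not touched
    likely-encrypted  signature gone and the header bytes look random
    header-damaged    signature gone but bytes are not random (truncated, or misjudged format)
    unknown-format    original extension not recognised; cannot judge from the name
    """
    ext = original_extension(name)
    if ext is None:
        return "unknown-format"
    if any(head.startswith(sig) for sig in MAGIC[ext]):
        return "renamed-only"
    if shannon_entropy(head) > 7.5:
        return "likely-encrypted"
    return "header-damaged"


def scan_directory(root: Path, head_size: int = 4096) -> dict:
    """Walk a tree and return {relative path: classification}, reading only the
    first head_size bytes of each file so a multi-terabyte share is not re-read."""
    results = {}
    for f in root.rglob("*"):
        if f.is_file():
            with open(f, "rb") as fh:
                results[str(f.relative_to(root))] = classify(f.name, fh.read(head_size))
    return results


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed samples: one file merely renamed, one with random header bytes.
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "poster.jpg.id-8EF55676.[1btc@qbmail.biz].bitx").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        (d / "notes.pdf.id-8EF55676.[1btc@qbmail.biz].bitx").write_bytes(os.urandom(4096))
        for path, verdict in scan_directory(d).items():
            print(f"{verdict:17} {path}")
```

An intact signature only says the header was left alone; some ransomware families encrypt just part of each file, so a "renamed-only" verdict should be confirmed by opening the file in its normal application. The signature check comes first because JPEG, ZIP and similar bodies are already close to 8 bits per byte, so entropy alone cannot separate compressed from encrypted content.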
igeoorge 26 (Author), Posted December 15, 2019
Yes, they really are encrypted. I tried to change the extension, rename, put them on another machine; I tried several things. I can already remove the ransomware, but I need some program to figure out the key and thus decrypt the files.
rwyarbrough 8, Posted December 15, 2019
> but I need some program to figure out the key and thus decrypt the files.
Try McAfee's free tool McAfee Ransomware Recover (Mr2), then. Can't hurt... https://www.mcafee.com/enterprise/en-us/downloads/free-tools/ransomware-decryption.html
Edited December 15, 2019 by rwyarbrough
chef 3810, Posted December 15, 2019
I have been exactly where you are, last year. Don't pay those SOBs. You can recreate your server. For me, I ended up formatting everything and starting over. It took about two months of solid work. I also purchased Sophos Home AV and closed all ports except for the two I use. It is unfortunate that this has happened to you. It angered me to no end when it happened to me last year. The screenshot you posted looks identical to the one that got me.
Edited December 15, 2019 by chef
igeoorge 26 (Author), Posted December 15, 2019
> Try McAfee's free tool McAfee Ransomware Recover (Mr2), then. Can't hurt... https://www.mcafee.com/enterprise/en-us/downloads/free-tools/ransomware-decryption.html
I'll test it right now, thank you very much.
igeoorge 26 (Author), Posted December 15, 2019
> I have been exactly where you are, last year. Don't pay those SOBs. You can recreate your server. For me, I ended up formatting everything and starting over. It took about two months of solid work. I also purchased Sophos Home AV and closed all ports except for the two I use. It is unfortunate that this has happened to you. It angered me to no end when it happened to me last year. The screenshot you posted looks identical to the one that got me.
This is really very painful; I was in a cold sweat when I realized. If only I had some money to pay, but I don't have it. What would "SOBs" be?
rwyarbrough 8, Posted December 15, 2019
My fingers are crossed big time and I'm praying hard this will work for you. Keep us posted...
chef 3810, Posted December 15, 2019
> This is really very painful; I was in a cold sweat when I realized. If only I had some money to pay, but I don't have it. What would "SOBs" be?
SOB is a swear word abbreviation. If the McAfee thing doesn't work, you'll just have to start over, my friend.
Edited December 15, 2019 by chef
SHSPVR 123, Posted December 15, 2019
> This is really very painful; I was in a cold sweat when I realized. If only I had some money to pay, but I don't have it. What would "SOBs" be?
You're talking about 15k; that's a hell of a lot of money, and even then I'd just pass and start over. And yup, as chef said.
igeoorge 26 (Author), Posted December 15, 2019
> My fingers are crossed big time and I'm praying hard this will work for you. Keep us posted...
The program has information for 4 types: shade, stampado, wildfire, muhstik. I tested all 4, but without success. I searched Google for images of each of them and unfortunately did not find one similar to mine. I'm leaving a small encrypted file attached. If anyone can, please let me know. https://www.mediafire.com/file/sudmr6vxz8yuvx1/poster.jpg.id-8EF55676.%5B1btc@qbmail.biz%5D.bitx/file
Edited December 15, 2019 by igeoorge
rwyarbrough 8, Posted December 15, 2019
> SOB is a swear word abbreviation.
chef called them "Sons of Female Dogs!", of course using the less "flattering" form of the word meaning female dogs... Think of the old Nazareth song "Hair of the Dog".
> If the McAfee thing doesn't work, you'll just have to start over, my friend.
That's why I'm rooting for the tool to work. Otherwise it's back to square one... I hope there is a special place in Hell for people that do these kinds of things that are so emotionally harmful to people...
igeoorge 26 (Author), Posted December 15, 2019
I am a Christian, and in my religion I have learned to forgive people. I have no hatred or anger toward those who did it; I just ask God to come into these people's lives so they can stop doing it. I look at the picture and I feel like crying.
rwyarbrough 8, Posted December 15, 2019
> I'm leaving a small encrypted file attached. If anyone can, please let me know. https://www.mediafire.com/file/sudmr6vxz8yuvx1/poster.jpg.id-8EF55676.%5B1btc@qbmail.biz%5D.bitx/file
Reach out to McAfee with that sample. They would be interested in having it so they could enhance the tool. (Links: "Submitting a sample instructions"; "List of different Ransomware".) Note that the second link talks about what types of ransomware one of the McAfee products detects. It isn't an all-inclusive list, but it does list some of the major types of ransomware with their descriptions. Let me know if there is anything I can do to help. In the meantime, come Monday morning I'll ping a few folks to see what your next steps might be...
rwyarbrough 8, Posted December 15, 2019
> I am a Christian, and in my religion I have learned to forgive people. I have no hatred or anger toward those who did it; I just ask God to come into these people's lives so they can stop doing it. I look at the picture and I feel like crying.
Well spoken. I am also a Christian, and as such we must forgive. It is a testimony of your maturity as a Christian that you have already forgiven this evil deed. Yes, they need God in their lives, and I sincerely hope first and foremost that those who perpetrated this find God and stop being evil, apologize to you personally and make it right. But since we all have our own wills and some will not turn from their evil ways and turn to the Lord, if they don't, then, be it a right thought or a wrong thought, that special place in Hell should get some more souls added to it.