Ransomware
#7
Hello,

Thank you for the replies. I'll provide as much information as I can so you can understand this is legitimate.

On arriving at work Monday morning and putting monitor screens on, we were greeted with a ransomware message on the screens. Further checking revealed how severe this was. We had a number of actual servers and some VMs, as well as a number of clients kept switched on for access.

Backups went firstly to a file server, which was also duplicated. Each server had its own backup drive and also backed up to a Synology NAS box. They used DiskCryptor to encrypt all the drives on the network, including all the server backup drives. The only drive they could not encrypt was the Synology, which was attached to AD. They used their gained network credentials to access the NAS, delete the volume, then recreate the volume, then factory default the drive, which is how we found it. We know this because Synology remoted into the drive and recovered it from the factory default state, and we then recovered the log file.

The perpetrators were in touch via a secure email and, to prove who they were, offered a few keys. These were for just OS-based drives, so they knew it would not really benefit us. The keys given were between 8 and 11 digits. I do not have a name for this attack; the nearest is "Mamba", although this attack varied from Mamba in that they actually used DiskCryptor on each PC, as it was not wrapped in their own tools, but as was mentioned, you would expect a script to generate the passwords, although we have been unable to locate one so far. We will know more if we can access the drives, hopefully.

The information given is very helpful. I can use DD to extract any parts of the disk but any help in formatting the correct hashcat command to attempt to brute force this would be appreciated.

Thank you

Ian


Messages In This Thread
Ransomware - by galeforce9 - 12-13-2018, 07:07 PM
RE: Ransomware - by Mem5 - 12-13-2018, 07:56 PM
RE: Ransomware - by philsmd - 12-13-2018, 08:06 PM
RE: Ransomware - by galeforce9 - 12-13-2018, 08:12 PM
RE: Ransomware - by philsmd - 12-13-2018, 09:12 PM
RE: Ransomware - by Xanadrel - 12-14-2018, 12:07 AM
RE: Ransomware - by galeforce9 - 12-14-2018, 10:52 AM
RE: Ransomware - by philsmd - 12-14-2018, 11:06 AM
RE: Ransomware - by galeforce9 - 12-14-2018, 11:30 AM
RE: Ransomware - by Banaanhangwagen - 12-14-2018, 11:38 AM
RE: Ransomware - by galeforce9 - 12-14-2018, 01:05 PM
RE: Ransomware - by Nubbin - 12-17-2018, 05:58 PM
RE: Ransomware - by galeforce9 - 12-17-2018, 11:02 PM
RE: Ransomware - by Banaanhangwagen - 12-21-2018, 08:42 AM