
dishiestquilll

Members
  • Posts: 5
  • Reputation: 0 Neutral
  1. Hi, thank you for your reply. The thing is, the Windows machine is a VPS which runs on my Unraid server. The attacker had access to my Unraid shares due to a network share that was still attached to said VPS. Because of this he was also able to encrypt the Windows VPS VDI file (the actual hard drive of the Windows VPS). I really don't care about the Windows VPS and the files on the VPS at all, since I created it so a friend of mine (whom I trust) could configure some servers on my network via RDP (annoying NAT situation). I was going to remove it a few days after creation anyway. As a result I removed the Windows VPS because I couldn't even restart it, and I actually had to reinstall my Unraid server as well, since the attacker encrypted pretty much everything VPS-startup related. I did back up all the encrypted files and put them in a zip file, hoping a decryption tool will be available in the future. And I protected every share on my Unraid server as well! So this thread can be closed; the problem is not solved, but I will wait until a tool is released at some point in the future. Thank you for taking the time to assist me 👍
  2. Hi, I've finally found a few of those .ini files you requested, even though they are not in the locations you mentioned. I eventually found one in C:\Users/AppData/Local/Microsoft/Windows/WinX The results have been attached: ini-files.txt
  3. Hi, thank you for your response! I do not have any type of backup of my files on my Unraid server, and I do not care for the Windows VPS at all. I was going to remove it soon anyway. I could not find those .ini files in the locations you mentioned.
  4. Added additional log files: Addition_28-10-2019 14.21.21.txt, FRST_28-10-2019 14.21.21.txt
  5. Hi! This morning it came to my attention that my Unraid server's files were all encrypted and the extension renamed to .id[DE53FD61-2489].[isafeyourdata@protonmail.com].deuce; after some research I found out that this was done by a ransomware virus called Phobos. I've added the malware scan log as an attachment. The attacker gained access through Remote Desktop on a VPS with Windows installed, where a network share to an Unraid server share was still attached. This VPS was created for testing purposes and was going to be removed at a later date, hence why I used a very simple password. The VPS's virtual disk file is encrypted as well, so I cannot reboot the VPS. I couldn't find any free decryption tools and wanted to ask for help here. I don't mind removing the VPS, but obviously I do want all my files restored :) Any help would be very much appreciated. scan.txt