RansomWare disk encryption


AceVA

A customer who has OS Windows Server 2012 R2 and was running Malwarebytes Premium and ClamWin antivirus had this come up this morning when they turned on the server. They have several computers that connect by RDP. Within the last several days several of the RDP clients could not log in and at least one was removed while others had been disabled in the server user section. I was able to enable and add one user back and was running a MB scan when the system shut down and this happened.

Any ideas of how to remove? There is a separate disk that contains the data files.

 

DiskEncryption.jpg

  • 2 weeks later...
  • Root Admin

Hello @AceVA

Very sorry for the delay. It looks like your topic was overlooked. In the future please send me or one of the Techbench admins a private message if no one has replied within 24 hours to one of your posts. 

This is the Mamba (HDDCryptor) infection and there is no known way to decrypt that I'm aware of. You can remove the hard drive and set it aside in the hopes that a decryptor may be found at some time in the future and put in a new hard drive and install Windows. Otherwise, I'd recommend that you remove all partitions and then reinstall Windows. Then work with your client on both active protection as well as a valid backup solution that does not stay connected.

As a side note, Malwarebytes Premium is not supported on any Server OS.

Here is a link with a little more information for you.

https://www.bleepingcomputer.com/forums/t/635823/mamba-ransomware-boot-encryption-srv123scryptmailcom/#entry4148697

Thank you and if there is something else I can assist you with please let me know.

Ron

 

Edited by AdvancedSetup
Updated information
