Phobos ransomware thru Malwarebytes Premium (Infected)

[MrWashingToad]

Had updated copy of Malwarebytes Premium (lifetime license user) installed on Windows Server 2008r2. Note this is a personal server, not a business server, I just have software I use requiring the use of Windows Server base code in order to run stuff I need.

Last I did on server on Friday March 29th was go ahead and let Skype update. Then logged out my RDP session.
Go to login this morning, Monday April 1st, and the RDP won't connect. Walk over to the system console and login manually locally, and it pops up with 'Phobos Ransomware', and was encrypting files.
I immediately checked all other computers on network, and ensured all shared drives were no longer shared, initiated Malwarebytes 3 full scans, and then Norton Antivirus full system scans on all computers. The  only computer I don't have Norton also installed on, is that server - b/c I can't afford their overpriced 'Endpoint solutions' software for servers, so I have been using ClamWin free antivirus. Which has worked OK, since I don't open anything I don't make myself, nor go to websites that are sketchy.

Following the Malware Removal topic:
Malwarebytes 3 is already installed, but was encrypted on the computer.
Tried installing from a USB drive, however it wants to restart computer instead of installing the software.
Tried installing to the USB drive, same thing.

Current antivirus let infection thru, I ALREADY had Malwarebytes Premium running and updated on the computer -  this ALSO let in the ransomware.

Have not attempted temp file cleaners.

Farbar recovery information:

Attached. Made sure to click and add the other items as well.

 

Copying the files to USB, I snagged what I could to see if I could get a hit. I did on the ProcessHacker 2 files. Malwarebytes Premium on my normal workstation let them thru with no problems. Norton AV scan identified them, but recommended exclusion.
Threat identified as: Hacktool.ProcHack!g1 

Have attached those files as well for additional information.

Addition.txt FRST.txt Shortcut.txt Process Hacker 2.zip PS.zip encrypted stuff.zip

[MrWashingToad]

Ok, nearly a full 48 hours now, and no replies at all, thanks -  really feel like I'm being helped.

I've attempted multiple times to get Malwarebytes and Malwarebytes Chameleon to load correctly, but they all fail install; OR, install, but do not allow premium features (real time protection) to turn on. 
Have checked with the MalwareHunterTeam website, uploaded the .hta ransom note there, and it came back as 1) Dharma, and 2) Phobos. Additionally, all the files are labeled as 'FRENDI' files, and are labeled ID-C602BF82.[withdirimugh1982@aol.com].Frendi.

I've located a hidden folder under the C drive that I didn't make, it has 2 files in it and is labeled: 
C:\Recovery\36db1731-fe3f-11e7-8c3b-fd77c61fa398\
file 1: boot.sdi.ID-C602BF82.[withdirimugh1982@aol.com].Frendi  [3,865KB]
file2: Winre.wim.ID-C602BF82.[withdirimugh1982@aol.com].Frendi [165,213KB]

I have done nothing to the original hard drive. I removed it from the hardware, and used a computerless disk imager to image that drive to a spare hard drive, and am playing with the clone in order to attempt installations. 

I've also reached out to CoveWare, and had a chat with one of their staff. I have provided them download links to the recovery files, and other info as well, however, since I'm not a business, and just a personal user - they won't take me on as a customer, but I've provided them everything in hopes I can get an decryptor program, or at least help them recover for someone else.

[AdvancedSetup]

Hello @MrWashingToad

I'm very sorry. It looks like your topic was overlooked. Do you still need help with this issue?

Thank you

Ron

 

[MrWashingToad]

Indeed. I tried multiple times to get Malwarebytes to run in the full Premium mode (as I stated previously, the system was running Malwarebytes Premium when this occurred, and has a lifetime license, was updated on Friday (attack occurred sometime over weekend).

I have attached the other logs I could provide above.

Note - I WAS able to get the infected drive imaged to another drive, so now I can play with it whilst keeping the original data drive safe.

However, as this happened during a weekend backup run, it corrupted all local copies of my data on that computer, the network attached storage drive backups, AND the online backup as that was set to run at the end of the backup sequence.

[AdvancedSetup]

The data itself as you know is encrypted. Currently, there is no way to recover those files except by paying the ransomware author or restoring from backup. Every once in a while a public key is found or published. You can always store your drive away in the hopes that sometime in the future a key may be posted.

Phobos Ransomware
https://www.bleepingcomputer.com/forums/t/688649/phobos-ransomware-help-topic-phobos-phoboshta/

I can assist you in cleaning up the computer, but you might be better off doing an FDisk, Format, and reinstall of Windows.

If you'd like assistance though in trying to clean up this computer please let me know.

Yes, as most security Analysts have been saying for a while now, one should never keep their backup drive connected. Once a backup is done the drive or connection should be removed. This recommendation has been listed here since 2013

Backup Software

 

[MrWashingToad]

Then not much I can do at this point except wait for justice to find them, and hope the unlock keys are done, then.

[AdvancedSetup]

Since this issue is resolved the topic will now be closed to prevent others from posting here.

If you need assistance please start your own new topic and someone will be happy to assist you.

Thanks

 

[AdvancedSetup]

Ransomware detection and recovering your files from OneDrive
https://support.office.com/en-ie/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f