MegaSource Posted May 17, 2022 ID:1515915
Files primarily on the P: drive (Physical drive) have been changed by adding .anigma to the end of the files. Please advise.
Attachments: FRST_17-05-2022 11.12.25.txt, Addition_17-05-2022 11.12.25.txt
MegaSource (Author) Posted May 17, 2022 ID:1515916
Here is the Malwarebytes Log.
Attachment: MalwarebytesLog.txt
Maurice Naggar Posted May 17, 2022 ID:1515921
Hi, I will guide you. This is just a starter step. This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed. Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it. Disregard the title subject of the topic. Run the MBAR tool as listed here: https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes
When done, I need the MBAR logs. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply.
Maurice Naggar Posted May 17, 2022 ID:1515925
This operating system is reported to be Microsoft Windows Server 2008 R2 Standard Service Pack 1 (X64).
Question: Are you in a company, corporation, private or public organization? Otherwise, is this your own personal system?
Other question: Are you having any sort of persistent recurring notices for payment for ransomware? Just have to ask.
Other than the temp folder, so far, I only see a few INI files that show with the ".ini.anigma".
MegaSource (Author) Posted May 17, 2022 ID:1515928
This is a private office running medical billing software. I am their technical adviser. Last Friday, they were hit with a crypto (Ransom.crysis) virus, but did not receive a decryption message. I cleaned what I could and Malwarebytes cleaned the system. No notice of payment or ransomware. I reinstalled the medical software and restored a backup. This morning, they reported the .anigma extension on all their data files.
Maurice Naggar Posted May 17, 2022 ID:1515930
A .ini file is just a text-type file that may have some user preference setting. For example, a common use of the Desktop.ini file is to assign a custom icon or thumbnail image to a folder. There is some oddity here that a few of these files have the appended .anigma on the file-names. That aside, if as you say, which you do say, their real data files have that .anigma extension, then that would tend to be an encrypting ransomware. If indeed it is an encrypting ransomware, then we here have no tools to decrypt the ransomware. We here can help to see that there are no "active" remainders of malware infection. We just cannot decrypt any encrypted files. I did suggest (and highly so) to run the MBAR anti-rootkit tool, just as I listed above.
Edited May 17, 2022 by Maurice Naggar
MegaSource (Author) Posted May 17, 2022 ID:1515933
The MBAR Tool on the Server reported no malware. I am running the MBAR tool on the other two workstations.
MegaSource (Author) Posted May 17, 2022 ID:1515941
Here is the MBAR Log File from one workstation. Still waiting on the other one. How can a ransomware exist and not be seen by MBAR?
Attachment: mbar-log-2022-05-17 (12-44-59).txt
Maurice Naggar Posted May 17, 2022 ID:1515943
You need to know that encrypting ransomwares do self-delete after they have done their deed. Thus, typically, there are no leftover active remains of the pest itself. Thus, Malwarebytes can report "no threats" present and active. BUT the Malwarebytes report you provided at the top did report there is one EXE threat that you did not mark with a tick-mark for removal.
Save any on-going work or edits. Close all web browsers. Do a new scan with Malwarebytes for Windows.
Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide: https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes.
Next, the Malwarebytes scan. Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue color. Next, click the small x on the Settings line to go to the main Malwarebytes Window. Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical. >>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢 Please double verify you have that TOP check-box tick marked, and that then, all lines have a tick-mark. Then click on the Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach it in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4 😉
Maurice Naggar Posted May 17, 2022 ID:1515962
After you get caught up with the preceding posts of mine ^^^^ above: adding a note to gather up additional detail on this infection. Please look on the "P: drive" and in your Documents folder & or Desktop & in the location where the .anigma files are for some file or files with names like "Readme" and attach a copy.
Note: Some of the "ransom note" files can have names similar to:
_readme.txt
_openme.txt
_open_.txt
README.txt
HOW TO DECRYPT YOUR DATA.txt
Readme to restore your files.txt
Decryption instructions.txt
FILES ENCRYPTED.txt
Files encrypted!!.txt
Look for similar names on Desktop & under Documents. Attach 2 of those if possible.
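A triage script for the two things asked of the original poster above: scoping which files carry the appended .anigma extension (and what they were before) and locating any ransom note with one of the listed names, plus the modification-time window of the encrypted files, which helps establish when the encryption ran. This is an added example written for this thread, not a Malwarebytes tool or anything from the poster; it triages a constructed sample tree in a temporary directory rather than a real share, so point triage_tree at the actual P: drive path to use it.

```python
import os
import tempfile
from datetime import datetime, timezone

# Extension the ransomware in this thread appended to data files.
ENCRYPTED_SUFFIX = ".anigma"

# Candidate ransom-note names from the thread, compared case-insensitively.
RANSOM_NOTE_NAMES = {
    "_readme.txt", "_openme.txt", "_open_.txt", "readme.txt",
    "how to decrypt your data.txt", "readme to restore your files.txt",
    "decryption instructions.txt", "files encrypted.txt",
    "files encrypted!!.txt",
}


def triage_tree(root):
    """Walk root read-only and summarise: encrypted files, the extension each
    had before encryption, ransom notes found, and the mtime window."""
    encrypted, notes, by_original_ext = [], [], {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # Strip the appended suffix to recover the original extension.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                by_original_ext[ext] = by_original_ext.get(ext, 0) + 1
            elif name.lower() in RANSOM_NOTE_NAMES:
                notes.append(path)
    mtimes = [os.path.getmtime(p) for p in encrypted]
    window = None
    if mtimes:
        window = tuple(datetime.fromtimestamp(t, timezone.utc)
                       for t in (min(mtimes), max(mtimes)))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "by_original_ext": by_original_ext, "window": window}


def demo():
    """Build a constructed sample tree (not real victim data) and triage it."""
    layout = ["P/claims/invoice.xlsx.anigma", "P/claims/patients.mdb.anigma",
              "P/claims/README.txt", "Users/Desktop.ini.anigma", "Users/notes.txt"]
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        summary = triage_tree(root)
    # Report paths relative to the tree with "/" so the summary is portable.
    for key in ("encrypted", "notes"):
        summary[key] = [os.path.relpath(p, root).replace(os.sep, "/")
                        for p in summary[key]]
    return summary
```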
MegaSource (Author) Posted May 17, 2022 ID:1515999
I did find this one file. How can I know the server is "clean?"
Attachment: README.txt
Maurice Naggar Posted May 17, 2022 ID:1516018 (marked as Solution)
Uploaded that file to https://id-ransomware.malwarehunterteam.com. No luck. Site cannot find a near match to known families of ransomware. If you can try to upload a different ransom note to id-ransomware it may have some luck. For now, one can speculate that the ransomware here -seems to be similar to- volcano / insanecrypt variant of ransomware.
Have you run a scan with Malwarebytes on each system like I noted before? Results?
The best way to recover the users' damaged datasets is from a known clean recent system image backup / full backup. Otherwise, wipe the systems and rebuild all from scratch.
You should do some readings about ransomware at the Bleepingcomputer forum (who keep an active collection about various ransomware): https://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/
If these systems had had licensed-paid Malwarebytes apps installed, prior to the first infection, it would have stopped the ransomware. Also read this on the Malwarebytes Blog: https://blog.malwarebytes.com/detections/ransom-crysis/
Given that these systems are used in commerce and are using a Windows business operating system, they should have had Malwarebytes Endpoint Protection installed and activated. Also read the section "Ransomware mitigations" on the Malwarebytes blog: https://blog.malwarebytes.com/threat-intelligence/2022/05/ransomware-april-2022-review/
Edited May 17, 2022 by Maurice Naggar
AdvancedSetup (Root Admin) Posted May 19, 2022 ID:1516352
Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following to help you better protect your computer and privacy: Tips to help protect from infection
Thank you