A server I am administering has been infected by a ransomware named Cerber. They demand a payment (as is the point of such viruses).
As of now I have narrowed the infection source down and removed it. I googled around a bit and found multiple articles on how to remove it from the system. Especially the one at bleepingcomputer was rather enlightening.
They say the virus is located at %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe. Unfortunately that folder does not exist on the infected system :(
They also provide multiple registry keys where the virus executable is started:
HKCU\Control Panel\Desktop\SCRNSAVE.EXE "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Command Processor\AutoRun "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\[random] "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
None of these entries exist either.
Where (or even how) do I find the executable of the virus so I can clear it out of the system?
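A triage script for the autostart locations the write-up names, added here as an example and not part of the question or of any removal guide; it assumes it is run in PowerShell inside the affected user's session (the keys are all under HKCU), and the GUID-folder search under %AppData% is an assumption that generalizes the single path quoted above.

```powershell
# Added example: enumerate the HKCU autostart locations listed in the question
# and report what each one points at, without expanding %AppData% so the raw
# value stays visible. Run as the affected user, since HKCU is per-user.
$locations = @(
    @{ Path = 'HKCU:\Control Panel\Desktop';                                         Name = 'SCRNSAVE.EXE' },
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor';                          Name = 'AutoRun' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = '*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                 Name = '*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';             Name = '*' }
)

$findings = foreach ($loc in $locations) {
    if (-not (Test-Path -Path $loc.Path)) { continue }
    $key   = Get-Item -Path $loc.Path
    $names = if ($loc.Name -eq '*') { $key.GetValueNames() } else { @($loc.Name) }
    foreach ($n in $names) {
        # DoNotExpandEnvironmentNames keeps "%AppData%\..." as written in the registry.
        $raw = $key.GetValue($n, $null, 'DoNotExpandEnvironmentNames')
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim()
        # Strip surrounding quotes and trailing arguments to isolate the executable path.
        $exe = (($expanded -replace '^"([^"]+)".*$', '$1') -split '\s+')[0]
        # Heuristic only: a GUID-named folder or anything under AppData deserves a closer look.
        $flag = if ($raw -match '\\\{[0-9A-F-]{36}\}\\' -or $raw -match 'AppData') { 'REVIEW' } else { '' }
        [pscustomobject]@{
            Location   = "$($loc.Path)\$n"
            Value      = $raw
            FileExists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            Flag       = $flag
        }
    }
}
$findings | Format-Table -AutoSize

# Assumption: the GUID folder name may differ from the one in the write-up, so
# list any GUID-named directory directly under %AppData% that holds an .exe.
Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}$' } |
    Get-ChildItem -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Collect the output for the incident record before changing anything; an empty result here means only that these particular locations are clean, not that the machine is.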
The proper way to deal with a compromised server is to reinstall it from scratch, as the attackers may have left some other "present" besides the ransomware that will allow them to get back in. More info on ServerFault: https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server
– André Borie – 2016-06-24T19:23:11.903
@AndréBorie boy am I lucky that this was ad 1) not a root compromise, ad 2) not on a publicly facing web service and ad 3) only on a single user account on the server that also affected shared resources. I'm quite sure that there was no manual access from the attacker's side. The whole attack was aimed at a single-user home system where recovering from this would've been a bigger problem than it was. Just because the word server appears in this post, that doesn't mean that this was a web server. – Vogel612 – 2016-06-24T19:35:33.667
Web server or no, anything short of a clean install is unwise. – Alexander O'Mara – 2016-06-24T20:23:54.653
You need to reinstall from scratch. You have no idea what havoc that thing wreaked. – cat – 2016-06-24T20:27:50.770
You can never be sure, that's the issue. For all you know it's a custom made rootkit that just uses the ransomware as a decoy, hoping for people like you to just remove the ransomware while leaving the rootkit alone. – André Borie – 2016-06-24T21:49:48.047