HELP!! I have a Windows Server 2012 R2. I could still use my server until I fell asleep, and now that I woke up I can't log in to my administrator account. I didn't change the password at all; I use the same password and I made sure that it is correct. But it still isn't working. I can only access the guest account. I researched and tried some tutorials, but they're not working.
I don't have the installation CD, and my physical backup is already affected by AMNESIA files; I can't copy because it needs admin rights.
I found out that all of my files in D:, where my system is located, are already AMNESIA files. I think it is ransomware. I already researched it and tried some software, but it requires admin rights and my password doesn't work now.
I wish I could log in to my admin account so that I can fix the ransomware from the admin account.
Please help me. Anyone who knows???
I will truly appreciate your help. Thank you in advance.


Hi,

Probably putting the server offline, removing the disk and accessing it in read-only mode from an OS that will not execute any of the code on that disk could be a starting point to back up what is still available.

It's important to make sure it cannot spread in your LAN, through wifi or shared folders.

For the removal and recovering it depends on the version that affected your server, see if this helps: https://www.pcrisk.com/removal-guides/11217-amnesia-ransomware

Bye.

You raised a lot of issues here. It's unclear why there is no installation CD (it's more likely to be a DVD) since well, it's one of the things you need to fix issues from time to time. I know with all the natural disasters there's a reason to be in such a pickle but I'd take the owner of such a server to task about being lax in regards to the company disaster plan.

But here we are. My bet is you'll have to remove the drives so you can put them on a machine running Linux which, as written by cereal, will not execute any code but allows full access to back up what you want if the backups were not done. Linux will also let you copy in a file, edit if need be. But this is your support staff's skills and not something you may find on the web as a step by step. In short, get the drives out and back up, then attempt a fix from another OS. That OS will likely be Linux.

Microsoft still sells Server 2012 media if you can't find a copy on the web. Once in a while I find an IT staffer flailing about, unwilling to pay the man for the media. I can't imagine why they delay.

Thank you for your advice @cereal and @rproffitt. So I need to find an OS (like Linux)? Is Windows not possible?? I don't have a Linux OS here. Also, is it still possible that I can copy/decrypt those in drive D even though it is already encrypted by ransomware?
There's no installation CD because we lost it.

Also, I'd like to try this https://www.youtube.com/watch?v=gn2AwB1Xoxc to open my admin again.
And I will also try to decrypt my files using programs that can decrypt ransomware.
But my concern is, if I decrypt my files, is it possible that the files that are affected will be back to normal, or is there a chance that my data will be lost??? Or will not work again?

@J

We have to tackle this step by step. Remember that ransomware does not always encode files. It appears that recent ransomware is just wiping out files and hoping you pay. They keep the money and have no decoder.

-> You have now stepped into the disaster plan with both feet. That is, you know you need to obtain your OS DVD, go get a Linux (too easy, I hope anyone that runs Windows Server knows how to go get this) and most of all, backups. If these files are irreplaceable then they are on backups. If not, they weren't worth backing up?

Some folk lash out over such events. I feel for them, but for many that don't back up, don't have a disaster plan and run a loose ship, that ransomware was installed by the user/owner/someone (so far I have yet to find an instance of a drive-by ransomware.) Let's call it their Waterloo. They get soundly trounced and if they survive, they become a steadfast believer in backups and disaster plans.

I think about 2 or 3 out of 100 swear off Windows forever and 1 will toss the entire system in the bin and hide out on their smart phone.

BACK TO DECRYPTING. Since we have the new ransomware, and a few you can decode, the problem now is:

What Ransomware is it?

That's the big question since if you don't know the name of the daemon you can't be sure how to decrypt it.

commented: " they become a steadfast believer in backups and disaster plans." lol +15

Wow, what a word @rproffitt, thank you anyway.
I think I am in panic because we don't have a backup, especially of the database; it is affected as well.
I already researched the ransomware that affected my files, "AMNESIA", and it is decryptable.
My problem now is, I can't log in to my admin computer.

Remember we don't have to login. Besides, running this infected machine can lead to further damage.

It's like you are on fire and insist on running. I read above advice about getting your files out. This is a standard routine. You get the drive over to some Linux box to copy out your files. If you know they can be decrypted, then you have your files and head to your decryption methods.

Remember you write it is decryptable so that means you know how. What you don't know is how to get the files out.

That would be the old standard routine. Remove drive from infected PC, boot Linux and get the files copied out to where you can work on them.

I think at this point we are going in circles. I get it that folk want a choice of the red or blue pill that will just fix it but this is mildly complicated work. Not impossible, just complicated. It might be scary to those that never booted Linux or moved drives around.

Glad to read you haven't taken to drink yet.
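The copy-out routine described in the reply above, as an added shell example that is not from the thread: it assumes a Linux live system with ntfs-3g, that the infected data partition is known (/dev/sdb2 below is a placeholder), and that the encrypted files carry a ".amnesia" extension (an assumption based on the "AMNESIA file" wording earlier in the thread).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux live system with ntfs-3g,
# that the infected data partition is known (e.g. /dev/sdb2, a placeholder),
# and that the encrypted files carry a ".amnesia" extension (an assumption
# based on the thread's "AMNESIA file" wording).

# Mount the infected volume read-only with execution disabled: nothing on it
# can run, and nothing on it is modified while files are copied off.
# Needs root; call it manually, e.g. mount_infected_ro /dev/sdb2 /mnt/infected
mount_infected_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nodev,nosuid "$dev" "$mnt"
}

# Copy a tree from the mounted volume to a clean destination, preserving
# timestamps, then write inventory.tsv (state, sha256, relative path) so a
# later decrypter run can be checked against it. Prints the number of
# encrypted files found.
copy_out() {
    src="$1"; dst="$2"; inv="$dst/inventory.tsv"
    mkdir -p "$dst"
    cp -a "$src/." "$dst/"
    : > "$inv"
    find "$dst" -type f ! -path "$inv" | sort | while IFS= read -r f; do
        case "$f" in
            *.amnesia) state=encrypted ;;
            *)         state=intact ;;
        esac
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$state" "$sum" "${f#"$dst"/}" >> "$inv"
    done
    find "$dst" -type f -name '*.amnesia' | wc -l | tr -d ' '
}
```

Run the decrypter only against the copied tree and compare its output with inventory.tsv; the mounted original stays untouched for a second attempt.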

Thanks for the advice, I'm still researching and getting help on forums before taking action. I just want to log in to my admin account because our system operates there, and it will be easy for me to decrypt my files, but you told me that it will just create more damage on my PC.

I think I will have no problem taking out drive D:. My problem now is the C drive, where my OS is located, where the password was created; some of the settings of our program are located in the C drive. I'm using a PRIMA server, and the drive is different from the usual drive of a computer.

I'm sorry I didn't directly address the login issue. My thought is you would NEVER do that since it can be boobytrapped.

At least I warned you (nod to Tim the Enchanter.)

If you can't use NTPASSWD (see google) then pay up at www.lostpassword.com since it's cheap.

I only did a quick read through, but have you considered cloning your drive and then attempting whatever on the clone?

commented: +1. Make clone, operation fails on clone. Repeat. +14

My drive is in a mirror. But the problem is I don't know how to use it. I'm sorry about that.

That's OK. A mirror is just a real time copy but won't save you from corruption and a lot of other failures. All this means is you can pull it or boot Linux to get to your files.

Oh, I see. I think I really need a Linux OS. It is a downloadable OS, right?
By the way, I'm kind of threatened by what you said, that I should NEVER do the steps that I mentioned earlier. (Crying, even though it is the only option that I've got to go back to my admin.)

So what you mean is my only option is to pay for the lost password. I think NTPASSWD will not work for me.

My conclusion:
Ransomware - "Amnesia": decryptable
Can't log in to my admin - (if I use the YouTube tutorial to reset my password, it's still possible that it could still harm my computer)

Only option:
Take out the drive and copy the files in Linux

Then what about my admin account??
Only option is
- Reinstall the OS (I don't have a backup)?

Sorry but Linux has been downloadable for decades.

Also this -> http://tips.oncomputers.info/archives2004/0401/2004-Jan-11.htm

That was over a decade ago. No learning Linux. Just boot and get your files out. Be sure to use a more current distro.

-> I want to pry. What IT staff that admins Windows Server is this? I won't beat them up but it sounds like they are very new.

You mean the person assigned to this? Well, he's very new and doesn't have that much experience. Our old IT staff resigned already. I'm just helping out to find solutions to this mess.

I wonder if there is more to the story. Sometimes a company will remove the tools required to do the job.

For example while I have NTPASSWD (which I don't need to write about as we have google) every once in a while the IT staffer is forbidden to google it up.

Or they are not allowed to pay for lostpassword.com, buy a spare HDD to clone to and so on.

Is anyone impeding the work? In other words, this should have been completed by now. What's the holdup?

We are waiting for the programmer's response (he's a freelancer) and the server vendor (the one who sold us the server). We want to know what their opinion will be. We need to make sure that we do the right thing, or else we need to pay big time again.
Since we don't have a backup, we can't just do reckless things, you know. We need to fix it without spending so much money.

Well, you're right! There's more to the story. Like, I couldn't even find the antivirus in installed programs. It means that we really don't have one, right? I think it also caused the problem. Plus they are using TeamViewer (that helps to access from outside).
Let's think about it: the server is not updated (OS or most of the programs there). No antivirus.
Plus they're using TeamViewer, and even have web access from outside.
All in all, NO PROTECTION AT ALL. NO BACKUP.
I want to die right now. LOL.
That's why it's really complicated. But I'm still hoping that it will be back to normal, even just without losing the data. (I'm praying for that.)

Would it be worse if we don't take action right away (obviously YES, right?)? Will turning off the PC help to stop the ransomware spreading?

Turning off should be fine as I've yet to encounter or read about a "shutdown and we'll spread" ransomware.

-> How did you recover from your disaster last year? I read we talked about backup and now here we are again.

Antivirus would be nice but doesn't stop everything. This is all about us, backups and not installing ransomware. That is, I only read where the owner/user installs the ransomware. And since they might override the antivirus, and have, just having antivirus is not enough.

You've answered part of my question. I worry that the company is hobbling the new IT staffer.

Nah, they're not hobbling the new IT staffer.
You mean the backup last year? The problem last year was the slow performance of the system (so they asked me if I could do a System Restore to before the problem happened). I just deleted some of the data in the database that they're not using, almost 7 million of it, which was the reason why it slowed down, and voila! It worked faster again. (Look, I'm not really a professional IT person here, I'm just there freelance, and they just asked me to solve some issues because I know something about computers, but after that issue I needed to focus on my new job at that time, so I never contacted them or vice versa.)
And now here I am, analyzing some problem again. And right now, I'm not familiar with this problem, so I want help from their freelance programmer and the seller of their server, and also here online.
I'm hoping that you're not getting me wrong here. Lol
We are all working out here to solve this issue.

Actually it does paint a clearer picture. Here I find a lot of admins with multiple OS skills. I worry when an admin asks if they can download Linux. At some point they should have done that, ran that, picked up the skills so they are ready to boot it and get the user's files out.

It's very old advice I handed out. Check out the date at http://tips.oncomputers.info/archives2004/0401/2004-Jan-11.htm

Me? Just a person that has been on so many projects over the years from the GE-310 and on. CP/M, DOS, Windows, Apples, Linux, Windows 1.0, NT to present day. Ran a repair shop, worked on firmware, hardware designs, wrote in assembler and many other languages. Apps galore over the years from embedded to factory automation to SQL to well, what next?

Now working on things like Android apps which as you guessed is Android Studio on W10 and for CVS, still sorting that out.

Along the way, you run into a lot of recovery disaster jobs and stories.

Wow, lucky you, you have a lot of experience. Here in our place, we don't really use Linux, we just use Windows and such things. I'm not actually the admin here, lol, long story.
I always run into troubles and I'm always the one trying to fix them. I'm getting tired actually. Since I don't take computers personally. Like, it's just a hobby, but I'm so lazy in learning new things nowadays. But what happened right now is a wake-up call also. I know I have a lot of fault here also.

Thank you for sharing anyway. That triggers me as well to do a good job from now on. LOL

Hi, I'm just going to update what happened to my server now. I've already taken out the files from the drive and successfully decrypted them using Emsisoft Decrypter.
Now I have a backup of my program.
And my only problem now is my administrator account. I still can't log in. I've tried to reset it using a bootable USB (I downloaded the Windows Server 2012 R2 ISO), but it doesn't seem to work.
Is it possible that the bootable OS that contains all versions of Server 2012 will not detect the D drive?

Here's what I did:
I booted the OS, chose Repair, then opened the CMD.
After that, it brought me to "X:\System32 blah blah", but when I DIR D:, drive D: could not be found. I'm looking for Program Files actually.
I also DIR C:, and the only thing it contains is the bootable files.

@J

If it's just an account password issue, www.lostpassword.com is my advice when NTPASSWD (see google) doesn't cut it.

About your second question. Many Microsoft versions do that until the OS is installed. You might have to install a driver or activate a drive after the installation.

Kind of hard to understand since it's for Linux, although it might work for Windows :(

Hi. I've already solved the problem last year. lol
I used a Linux program called Ultimate Boot CD Beta Version and followed these steps:
www.techrepublic.com/blog/tr-dojo/reset-windows-passwords-with-the-help-of-linux and this one https://partedmagic.com/clearing-the-administrator-password-in-windows/. Finally I got to open and decrypt the files that are affected using EMSISOFT.
I lost my database. So I installed the program again and used my previous backup of the database. Now my server is working again. Of course, I made sure that it is protected and has a backup now.
Thank you for helping me @rproffitt. Really BIG help.