Geekzone: technology news, blogs, forums


333 posts

Ultimate Geek
+1 received by user: 6


Topic # 229127 8-Feb-2018 20:23

Thought our Windows Server 2012 had frozen, restarted it and was met with a message on screen saying all our files have been encrypted.

We had an external drive plugged in for backups and the files on there are encrypted also.

We will restore from a backup and our server is being formatted.

When I look at the document files that are encrypted the file types are all now Java and the names of the documents have changed.

Is there any software that can be used to unencrypt them?

Also the encryption is only on the server, none of the workstations seem to have been infected.

Not sure how we got it because it happened overnight. We use Nod32 endpoint but the virus disabled it.

Any thoughts would be appreciated.

Thanks

Ford

BDFL - Memuneh
61011 posts

Uber Geek
+1 received by user: 11846

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1953840 8-Feb-2018 20:41

I hope you don't use the server to browse websites and have it pretty locked down otherwise?

333 posts

Ultimate Geek
+1 received by user: 6


  Reply # 1953877 8-Feb-2018 21:07

Hi

No it doesn't even have email on it.

It's used for MYOB and storing documents on it that we create on the workstations.

Sometimes documents get sent to us and we store them on the server.

So what goes on the server in terms of anything, even downloads of MYOB updates, has always been on, or come from, a workstation first.

The only thing I can think could happen is that about three days ago I had a USB drive with photos on it that came from a camera. Some of the photos were corrupted which I didn't know, but the workstation I plugged it into does not have the ransomware. Once I realised I couldn't read all of the photos I put the USB drive into the server. But the same issue.

We have been accessing the file server since then for two or three days until this morning when the ransomware appeared.

And it doesn't explain why the workstations are ok.


BDFL - Memuneh
61011 posts

Uber Geek
+1 received by user: 11846

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1953878 8-Feb-2018 21:11
2 people support this post

Ford: Some of the photos were corrupted which I didn't know, but the workstation I plugged it into does not have the ransomware. Once I realised I couldn't read all of the photos I put the USB drive into the server. But the same issue.

That explains how it got to the server.

Ford: And it doesn't explain why the workstations are ok

No, the workstations aren't ok. They probably are infected, just not triggered yet.


530 posts

Ultimate Geek
+1 received by user: 100


  Reply # 1953895 8-Feb-2018 21:41

Is RDP to the server open to the internet? If so we have had cases of actual people (not bots) getting creds, logging in, disabling the AV, and manually running the ransomware.

Client got hit twice before I figured it out - please, no commenting on why RDP was open, it was the subject of many conversations with the client.

Clint

530 posts

Ultimate Geek
+1 received by user: 100


  Reply # 1953902 8-Feb-2018 21:51

For prevention I take all the usual precautions and backup, backup, and for good measure backup some more :) some on-site for quick recovery, some off-site for security.

960 posts

Ultimate Geek
+1 received by user: 194


  Reply # 1953928 8-Feb-2018 22:22

Could easily be a WannaCry / EternalBlue attack too. Guessing the workstations probably get automatic Windows Updates and the server may have been sitting there for some time waiting for a restart.

Top 4 tips I can think of without knowing more are:

- Ensure the server is patched every month

- Don't let your servers out to the internet, only out to specifically what they need to access

- Don't mix untrusted (unmanaged) devices on the same network as the server (and managed workstations), i.e. use a separate subnet for BYOD devices and consider exactly what resources on the server they need to access

- Use Microsoft AV products on Windows servers, different product on the workstations if you like. No risk of a subscription lapsing etc. (But AV doesn't stop ransomware anyway.)

Re comment about RDP being open; it has proven to be a pretty secure service to expose to the internet really - but relies entirely of course on strong passwords! Lock it down to only users who must have it; get a firewall which lets you do geoblocking and only allow traffic from NZ, or block hosts after a few failed attempts.


333 posts

Ultimate Geek
+1 received by user: 6


  Reply # 1953985 9-Feb-2018 00:47

I've copied the data on the workstations to another drive. How will I know if it's ok? I can open the files.


333 posts

Ultimate Geek
+1 received by user: 6


  Reply # 1953986 9-Feb-2018 01:05

We do use RDP; it may have been open at the time.

960 posts

Ultimate Geek
+1 received by user: 194


  Reply # 1953998 9-Feb-2018 07:25
One person supports this post

Oh and 5) make sure no one is running as admin users on the workstations

You could run Windows Defender Offline on the workstations and run a scan, if that was all clear I’d be fairly happy to say they were ok. Assuming desktops had been patched and perhaps not server.
https://support.microsoft.com/en-nz/help/17466/windows-defender-offline-help-protect-my-pc

3241 posts

Uber Geek
+1 received by user: 1764

Lifetime subscriber

  Reply # 1954004 9-Feb-2018 07:48

A: Don't ever have RDP open to the internet; set up a VPN, and RDP once VPN'd if you need internet-facing connectivity.

B: Ensure your server is regularly doing Windows Updates.






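One concrete way to apply the RDP advice in this reply and the earlier ones (only reachable over the VPN, NLA on, watch for failed logons), written as an added PowerShell example for the Server 2012 host in the thread; it is not code from any poster. The VPN client subnet 10.8.0.0/24, the 24-hour window and the assumption that the host firewall is the enforcement point are mine.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the server.
# Assumption: VPN clients land in 10.8.0.0/24; nothing else should reach RDP.
$VpnSubnet = '10.8.0.0/24'

# 1. Scope the built-in Remote Desktop firewall rules to the VPN subnet instead
#    of "Any". With the default inbound action set to Block, no other allow rule
#    for 3389 remains, so internet-sourced RDP is dropped at the host firewall.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet

# 2. Require Network Level Authentication so a client must authenticate before
#    a session is created; the logon screen itself is never exposed.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1

# 3. Report failed logons from the Security log grouped by source address, so a
#    password-guessing run shows up as one address with many failures. Event
#    4625 carries the source IP and logon type in its XML payload.
function Get-FailedLogonBySource {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue   # "no events found" is not an error here
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # LogonType 10 = RemoteInteractive (RDP). With NLA on, the pre-session failure is
        # usually logged as LogonType 3 (network), so both are kept; type 3 also covers SMB.
        if ($data.LogonType -in '3', '10') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $data.TargetUserName; Source = $data.IpAddress }
        }
    }
    $rows | Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Get-FailedLogonBySource -Hours 24 | Format-Table -AutoSize
```

Audit Failure logging for Logon events must be enabled for 4625 to be written at all; a perimeter geoblock as suggested above is a second layer in front of this, not a replacement for it.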

1077 posts

Uber Geek
+1 received by user: 65


  Reply # 1954035 9-Feb-2018 08:53

I have had good success with using the File Server Resource Manager feature on my sites. I used the following lists:

https://fsrm.experiant.ca/

It has stopped a couple of infections from client computers spreading to the file shares on the server. And because I use redirected folders for staff profiles, the infections that have occurred only caused issues with the client computer and not user data. After that it was a simple case of re-imaging the PC and letting the user log in.
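What the FSRM approach in this reply looks like with the built-in cmdlets on Windows Server 2012, as an added PowerShell example; it is not the poster's setup nor the script from fsrm.experiant.ca. The share path D:\Shares and the short pattern list are constructed placeholders; in practice the pattern list is the full, regularly refreshed one from that site.

```powershell
# Added example, not from the thread. Builds an active FSRM file screen that
# blocks writes of files matching known-ransomware name patterns to the shares
# and raises a Warning event so the write shows up in the Application log.
Import-Module FileServerResourceManager   # feature: Install-WindowsFeature FS-Resource-Manager

$SharePath = 'D:\Shares'                       # assumed root of the file shares
$GroupName = 'Anti-Ransomware File Groups'
# Constructed subset of patterns; replace with the full list from fsrm.experiant.ca.
$Patterns  = @('*.locky', '*.zepto', '*.crypt', '*.encrypted', '_HELP_instructions.*')

# Create the file group on first run, refresh its patterns on later runs.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# Notification action: log which user tried to write which file.
# [Source Io Owner] and [Source File Path] are FSRM notification variables.
$LogAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Possible ransomware: user [Source Io Owner] tried to write [Source File Path]'

# Active template: the offending write fails and the event above is raised.
$Template = New-FsrmFileScreenTemplate -Name 'Block known ransomware files' `
    -IncludeGroup $GroupName -Notification $LogAction -Active

# Apply the template at the share root; FSRM screens the whole subtree.
New-FsrmFileScreen -Path $SharePath -Template $Template.Name -Active | Out-Null

# Confirm the screen is in place and active.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

A name-pattern screen only catches strains whose output names are already on the list, so it complements the offline backups discussed in the thread rather than replacing them.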


5844 posts

Uber Geek
+1 received by user: 1757

Trusted

  Reply # 1954037 9-Feb-2018 08:59
One person supports this post

Sounds like you've got a good ol' case of ransomware.

In all honesty, I would go consult an "IT person" or take up some of the professional services people here offer if you value your data.
You bet if you have moved USB drives around and transferred files between server and workstations they all got it! I've seen this stuff ruin businesses and people don't take it overly seriously until it's too late.
Cheers







3237 posts

Uber Geek
+1 received by user: 846


  Reply # 1954038 9-Feb-2018 09:00

Ford: I've copied the data on the workstations to another drive. How will I know if it's ok? I can open the files.

You may have also copied files that have been infected, so they still might be triggered at a later date.


236 posts

Master Geek
+1 received by user: 51


  Reply # 1954120 9-Feb-2018 10:08

Ensuring good backups is the best thing you can do, for example following the 3-2-1 backup rule.

Indeed have good AV/firewall/patching/UAC/user training in place, but the nature of ransomware and such these days is that you need to be prepared for recovering when it hits, not just trying to stop it from hitting. It is pretty trivial to get past many of the systems used to try and stop ransomware from entering a network; the idea is to reduce the exposure.

This doc produced by the ASD, part of the Australian Department of Defence, is seen as a good reference for strategies to mitigate cyber security incidents - https://asd.gov.au/publications/Mitigation_Strategies_2017.pdf

 

 


1497 posts

Uber Geek
+1 received by user: 338


  Reply # 1954132 9-Feb-2018 10:37

Ford: Is there any software that can be used to unencrypt them?

Not sure how we got it because it happened overnight. We use Nod32 endpoint but the virus disabled it.

The days of being able to unencrypt are long gone. That will only work on very old versions of ransomware.
You can try, but honestly it's clutching at straws.

NOD32 will not stop ransomware. I've seen a few ransomware infections despite having up to date NOD.
From what I've seen, the usual way it gets in is from a workstation (often after clicking a bogus email link): it will then encrypt network accessible files.
Also there is the possibility of it getting in via a user having a stupidly insecure password: it happens.

"And it doesn't explain why the workstations are ok"

Some malware will do the damage, then remove all traces of itself. So there may no longer be any active malware on the workstations/server when you AV/malware scan them.
Who knows, it could be a strain that targets network shares & leaves the workstation in a fully usable state.
If it's zero-day malware, it won't get detected regardless.

