

335 posts

Ultimate Geek
+1 received by user: 6


Topic # 229127 8-Feb-2018 20:23

Thought our Windows Server 2012 had frozen, restarted it and was met with a message on screen saying all our files have been encrypted.

We had an external drive plugged in for backups and the files on there are encrypted also.

We will restore from a backup and our server is being formatted.

When I look at the document files that are encrypted the file types are all now Java and the names of the documents have changed.

Is there any software that can be used to unencrypt them?

Also the encryption is only on the server, none of the workstations seem to have been infected.

Not sure how we got it because it happened overnight. We use NOD32 Endpoint but the virus disabled it.

Any thoughts would be appreciated.

Thanks

Ford
BDFL - Memuneh
61310 posts

Uber Geek
+1 received by user: 12046

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1953840 8-Feb-2018 20:41


335 posts

Ultimate Geek
+1 received by user: 6


  Reply # 1953877 8-Feb-2018 21:07

Hi

No, it doesn't even have email on it.

It's used for MYOB and storing documents on it that we create on the workstations.

Sometimes documents get sent to us and we store them on the server.

So whatever goes on the server, even downloads of MYOB updates, has always been on, or come from, a workstation first.

The only thing I can think could happen is that about three days ago I had a USB drive with photos on it that came from a camera. Some of the photos were corrupted, which I didn't know, but the workstation I plugged it into does not have the ransomware. Once I realised I couldn't read all of the photos I put the USB drive into the server. But the same issue.

We have been accessing the file server since then for two or three days until this morning when the ransomware appeared.

And it doesn't explain why the workstations are OK.


BDFL - Memuneh
61310 posts

Uber Geek
+1 received by user: 12046

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1953878 8-Feb-2018 21:11
2 people support this post

Ford: Some of the photos were corrupted, which I didn't know, but the workstation I plugged it into does not have the ransomware. Once I realised I couldn't read all of the photos I put the USB drive into the server. But the same issue.

That explains how it got to the server.

Ford: And it doesn't explain why the workstations are OK.

No, the workstations aren't OK. They probably are infected, just not triggered yet.





539 posts

Ultimate Geek
+1 received by user: 105


  Reply # 1953895 8-Feb-2018 21:41

Is RDP to the server open to the internet? If so, we have had cases of actual people (not bots) getting creds, logging in, disabling the AV, and manually running the ransomware.

Client got hit twice before I figured it out. Please, no commenting on why RDP was open; it was the subject of many conversations with the client.

Clint

539 posts

Ultimate Geek
+1 received by user: 105


  Reply # 1953902 8-Feb-2018 21:51

For prevention I take all the usual precautions and backup, backup, and for good measure backup some more :) Some on-site for quick recovery, some off-site for security.

What does this tag do
970 posts

Ultimate Geek
+1 received by user: 203

Subscriber

  Reply # 1953928 8-Feb-2018 22:22

Could easily be a WannaCry / EternalBlue attack too. Guessing the workstations probably get automatic Windows Updates and the server may have been sitting there for some time waiting for a restart.

Top 4 tips I can think of without knowing more are:

- Ensure the server is patched every month

- Don't let your servers out to the internet, only out to specifically what they need to access

- Don't mix untrusted (unmanaged) devices on the same network as the server (and managed workstations), i.e. use a separate subnet for BYOD devices and consider exactly what resources on the server they need to access

- Use Microsoft AV products on Windows servers, a different product on the workstations if you like. No risk of a subscription lapsing etc. (But AV doesn't stop ransomware anyway.)

Re the comment about RDP being open: it has proven to be a pretty secure service to expose to the internet really, but it relies entirely, of course, on strong passwords! Lock it down to only users who must have it; get a firewall which lets you do geoblocking and only allow traffic from NZ, or block hosts after a few failed attempts.
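One way to do the "block hosts after a few failed attempts" part on the server itself, as an added example that is not from this thread or any poster: count Security log failed-logon events (ID 4625) per source address and add a Windows Firewall block rule for repeat offenders. It assumes the script runs elevated on the RDP host, that logon-failure auditing is on, and that the threshold and time window are arbitrary constructed values.

```powershell
# Added example: block source IPs with repeated failed logons (Event ID 4625).
# Assumptions: run as administrator on the RDP host, audit logon failures is
# enabled, threshold/window are constructed values to be tuned per site.
$threshold  = 10                         # failures per source before blocking
$window     = (Get-Date).AddHours(-1)    # look back one hour
$rulePrefix = 'Block-RDP-BruteForce'

# Pull recent logon failures from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $window } `
                       -ErrorAction SilentlyContinue

# Read the IpAddress field out of each event's XML payload and tally per address.
$counts = @{}
foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    # Skip events with no usable source (local or NLA-stage failures show '-').
    if ($ip -and $ip -ne '-' -and $ip -notmatch '^(127\.|::1$)') {
        $counts[$ip] = 1 + [int]$counts[$ip]
    }
}

# Create an inbound block rule for each offender that is not already blocked.
foreach ($ip in $counts.Keys) {
    if ($counts[$ip] -lt $threshold) { continue }
    $ruleName = "$rulePrefix-$ip"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
                            -RemoteAddress $ip -Profile Any | Out-Null
        Write-Host "Blocked $ip after $($counts[$ip]) failed logons in the last hour"
    }
}
```

Run it from a scheduled task every few minutes, and exclude your own management subnet from blocking so a mistyped admin password does not lock you out.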




335 posts

Ultimate Geek
+1 received by user: 6


  Reply # 1953985 9-Feb-2018 00:47

I've copied the data on the workstations to another drive. How will I know if it's OK? I can open the files.



335 posts

Ultimate Geek
+1 received by user: 6


  Reply # 1953986 9-Feb-2018 01:05

We do use RDP; it may have been open at the time.

What does this tag do
970 posts

Ultimate Geek
+1 received by user: 203

Subscriber

  Reply # 1953998 9-Feb-2018 07:25
One person supports this post

Oh, and 5) make sure no one is running as an admin user on the workstations.

You could run Windows Defender Offline on the workstations and run a scan; if that was all clear I'd be fairly happy to say they were OK. Assuming the desktops had been patched and perhaps not the server.
https://support.microsoft.com/en-nz/help/17466/windows-defender-offline-help-protect-my-pc

3360 posts

Uber Geek
+1 received by user: 1837

Trusted
Lifetime subscriber

  Reply # 1954004 9-Feb-2018 07:48

A: Don't ever have RDP open to the internet. Set up a VPN, and RDP once VPN'd if you need internet-facing connectivity.

B: Ensure your server is regularly doing Windows Updates.

 

 





Information wants to be free. The Net interprets censorship as damage and routes around it.


1086 posts

Uber Geek
+1 received by user: 65


  Reply # 1954035 9-Feb-2018 08:53

I have had good success with using the File Server Resource Manager feature on my sites. I used the following lists:

https://fsrm.experiant.ca/

It has stopped a couple of infections from client computers spreading to the file shares on the server. And because I use redirected folders for staff profiles, the infections that have occurred only caused issues with the client computer and not user data. After that it was a simple case of re-imaging the PC and letting the user log in.
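The FSRM setup described above, as an added example that is not from this thread or from the experiant.ca site: a file group of ransomware-style name patterns attached to an active file screen, so a client that has been hit is refused when it tries to write renamed files or ransom notes into the share, and the refusal is logged with the originating user. It assumes the FS-Resource-Manager feature is installed, that the share lives at D:\Shares, and that the pattern list is a short constructed sample (the experiant.ca list can be substituted).

```powershell
# Added example: FSRM file screen that refuses ransomware-style file names.
# Assumptions: FSRM feature installed, share root D:\Shares, constructed patterns.
Import-Module FileServerResourceManager

$shareRoot = 'D:\Shares'                  # assumed path of the protected share
$groupName = 'Anti-Ransomware File Groups'

# Constructed sample patterns: junk extensions and typical ransom-note names.
# Replace with a maintained list such as the one from fsrm.experiant.ca.
$patterns = @('*.locked', '*.encrypted', '*.crypt', '*decrypt*.txt', '*restore_files*.txt')

# Create the file group, or refresh its pattern list if it already exists.
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# Log each refused write to the event log; FSRM fills in the [..] macros,
# so the owning user and path of the blocked write appear in monitoring.
$notify = New-FsrmAction -Type Event -EventType Warning -Body (
    'FSRM blocked [Source Io Owner] writing [Source File Path] on [Server]' +
    ' - possible ransomware activity on the originating client.')

# -Active makes the screen deny the write rather than only report it.
if (Get-FsrmFileScreen -Path $shareRoot -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $shareRoot -IncludeGroup $groupName -Notification $notify -Active
} else {
    New-FsrmFileScreen -Path $shareRoot -IncludeGroup $groupName -Notification $notify -Active | Out-Null
}

# Self-check: creating a screened name in the share should be refused.
try {
    New-Item -Path (Join-Path $shareRoot 'test.locked') -ItemType File -ErrorAction Stop | Out-Null
    Write-Warning 'Screen is NOT active: test.locked was created'
} catch {
    Write-Host 'File screen active: test.locked was refused'
}
```

A screen matches only on file name, so it catches strains that rename files or drop notes but not one that keeps the original names; treat it as one layer alongside the backups and patching the thread recommends.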


6063 posts

Uber Geek
+1 received by user: 1831

Trusted

  Reply # 1954037 9-Feb-2018 08:59
One person supports this post

Sounds like you've got a good ol' case of ransomware.

In all honesty, I would go consult an "IT person" or take up some of the professional services people here offer if you value your data.
You bet if you have moved USB drives around and transferred files between the server and workstations they all got it! I've seen this stuff ruin businesses, and people don't take it overly seriously until it's too late.
Cheers





 


3379 posts

Uber Geek
+1 received by user: 917


  Reply # 1954038 9-Feb-2018 09:00

Ford: I've copied the data on the workstations to another drive. How will I know if it's OK? I can open the files.

You may have also copied files that have been infected, so they still might be triggered at a later date.


240 posts

Master Geek
+1 received by user: 51


  Reply # 1954120 9-Feb-2018 10:08

Ensuring good backups is the best thing you can do, for example following the 3-2-1 backup rule.

Indeed, have good AV/firewall/patching/UAC/user training in place, but the nature of ransomware and such these days is that you need to be prepared for recovering when it hits, not just trying to stop it from hitting. It is pretty trivial to get past many of the systems used to try and stop ransomware from entering a network; the idea is to reduce the exposure.

This doc produced by the ASD, part of the Australian Department of Defense, is seen as a good reference for strategies to mitigate cyber security incidents: https://asd.gov.au/publications/Mitigation_Strategies_2017.pdf

 

 


1550 posts

Uber Geek
+1 received by user: 353


  Reply # 1954132 9-Feb-2018 10:37

Ford: Is there any software that can be used to unencrypt them?

Ford: Not sure how we got it because it happened overnight. We use NOD32 Endpoint but the virus disabled it.

The days of being able to unencrypt are long gone. That will only work on very old versions of ransomware.
You can try, but honestly it's clutching at straws.

NOD32 will not stop ransomware. I've seen a few ransomware infections despite having up-to-date NOD.
From what I've seen, the usual way it gets in is from a workstation (often after clicking a bogus email link): it will then encrypt network-accessible files.
Also there is the possibility of it getting in via a user having a stupidly insecure password: it happens.

"And it doesn't explain why the workstations are OK"

Some malware will do the damage, then remove all traces of itself. So there may no longer be any active malware on the workstations/server when you AV/malware-scan them.
Who knows, it could be a strain that targets network shares and leaves the workstation in a fully usable state.
If it's zero-day malware, it won't get detected regardless.

