Geekzone: technology news, blogs, forums
291 posts
Ultimate Geek

Topic # 229127 8-Feb-2018 20:23

Thought our Windows Server 2012 had frozen, restarted it and was met with a message on screen saying all our files have been encrypted.

We had an external drive plugged in for backups and the files on there are encrypted also.

We will restore from a backup and our server is being formatted.

When I look at the document files that are encrypted the file types are all now Java and the names of the documents have changed.

Is there any software that can be used to unencrypt them?

Also the encryption is only on the server, none of the workstations seem to have been infected.

Not sure how we got it because it happened overnight. We use Nod32 endpoint but the virus disabled it.

Any thoughts would be appreciated.

Thanks

Ford

BDFL - Memuneh
59637 posts
Uber Geek
Administrator

Reply # 1953840 8-Feb-2018 20:41

I hope you don't use the server to browse websites and have it pretty locked down otherwise?

291 posts
Ultimate Geek

Reply # 1953877 8-Feb-2018 21:07

Hi

No it doesn't even have email on it.

It's used for MYOB and storing documents on it that we create on the workstations.

Sometimes documents get sent to us and we store them on the server.

So what goes on the server in terms of anything even downloads of MYOB updates have always been on, or come from a workstation first.

The only thing I can think could happen is that about three days ago I had a USB drive with photos on it that came from a camera. Some of the photos were corrupted which I didn't know but the workstation I plugged it into does not have the ransomware. Once I realised I couldn't read all of the photos I put the USB drive in to the server. But the same issue.

We have been accessing the file server since then for two or three days until this morning when the ransomware appeared.

And it doesn't explain why the workstations are ok.

BDFL - Memuneh
59637 posts
Uber Geek
Administrator

Reply # 1953878 8-Feb-2018 21:11
2 people support this post

Ford: Some of the photos were corrupted which I didn't know but the workstation I plugged it into does not have the ransomware. Once I realised I couldn't read all of the photos I put the USB drive in to the server. But the same issue.

That explains how it got to the server.

Ford: And it doesn't explain why the workstations are ok

No, the workstations aren't ok. They probably are infected, just not triggered yet.

501 posts
Ultimate Geek

Reply # 1953895 8-Feb-2018 21:41

Is RDP to the server open to the internet? If so we have had cases of actual people (not bots) getting creds, logging in, disabling the AV, and manually running the ransomware.

Client got hit twice before I figured it out - please, no commenting on why RDP was open, was subject of many conversations with the client.

Clint

501 posts
Ultimate Geek

Reply # 1953902 8-Feb-2018 21:51

For prevention I take all the usual precautions and backup, backup, and for good measure backup some more :) some on-site for quick recovery, some off-site for security.

What does this tag do
921 posts
Ultimate Geek
Subscriber

Reply # 1953928 8-Feb-2018 22:22

Could easily be a WannaCry / EternalBlue attack too. Guessing the workstations probably get automatic Windows Updates and the server may have been sitting there for some time waiting for a restart.

Top 4 tips I can think of without knowing more are:

- Ensure the server is patched every month
- Don't let your servers out to the internet, only out to specifically what they need to access
- Don't mix untrusted (unmanaged) devices on the same network as the server (and managed workstations). i.e. use a separate subnet for BYOD devices and consider exactly what resources on the server they need to access
- Use Microsoft AV products on Windows servers, different product on the workstations if you like. No risk of a subscription lapsing etc. (But.. AV doesn't stop ransomware anyway).

Re comment about RDP being open; it has proven to be a pretty secure service to expose to the internet really - but relies entirely of course on strong passwords! Lock it down to only users who must have it; get a firewall which lets you do geoblocking and only allow traffic from NZ, or block hosts after a few failed attempts.

291 posts
Ultimate Geek

Reply # 1953985 9-Feb-2018 00:47

I've copied the data on the workstations to another drive, how will I know if it's ok? I can open the files.

291 posts
Ultimate Geek

Reply # 1953986 9-Feb-2018 01:05

We do use RDP, it may have been open at the time.

What does this tag do
921 posts
Ultimate Geek
Subscriber

Reply # 1953998 9-Feb-2018 07:25
One person supports this post

Oh and 5) make sure no one is running as admin users on the workstations.

You could run Windows Defender Offline on the workstations and run a scan, if that was all clear I'd be fairly happy to say they were ok. Assuming desktops had been patched and perhaps not server.
https://support.microsoft.com/en-nz/help/17466/windows-defender-offline-help-protect-my-pc

2946 posts
Uber Geek
Subscriber

Reply # 1954004 9-Feb-2018 07:48

A: Don't ever have RDP open to the internet, setup a VPN, and RDP once VPN'd if you need internet facing connectivity.

B: Ensure your server is regularly doing Windows Updates.
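The two RDP suggestions in this thread (reach RDP only over a VPN, and lock accounts after a few failed logins) as an added example on the server side; this is not code from any poster. The VPN subnet and the lockout numbers are assumed placeholders.

```powershell
# Added example (not from the posts above): scope the built-in "Remote Desktop"
# inbound firewall rules to a VPN address range and turn on account lockout
# so a single exposed RDP listener cannot be password-guessed indefinitely.
# Run in an elevated session on the server. Values below are placeholders.
$vpnSubnet = '10.8.0.0/24'   # assumed: the address pool your VPN hands out

# Audit first: a RemoteAddress of 'Any' means the rule answers to every source
# address the host can be reached from.
foreach ($rule in Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True) {
    $addr = $rule | Get-NetFirewallAddressFilter
    '{0}: RemoteAddress={1}' -f $rule.DisplayName, ($addr.RemoteAddress -join ',')
}

# Remediate: only the VPN range may reach the RDP rules (TCP and UDP 3389).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $vpnSubnet

# Lock an account for 30 minutes after 5 bad passwords within a 30 minute window.
# This sets the local policy; on a domain-joined server use Group Policy instead.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Verify the new scope took effect.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The Windows firewall cannot geoblock; the "NZ only" filtering mentioned above has to be done on the perimeter firewall in front of the server.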


1034 posts
Uber Geek

Reply # 1954035 9-Feb-2018 08:53

I have had good success with using the File Server Resource Manager feature on my sites. I used the following lists:

https://fsrm.experiant.ca/

It has stopped a couple of infections from client computers spreading to the file shares on the server. And because I use redirected folders for staff profiles, the infections that have occurred only caused issues with the client computer and not user data. After that it was a simple case of re-imaging the PC and letting the user log in.
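What the FSRM approach above looks like when set up by hand, as an added example (not the poster's own script): a file group of ransomware name patterns, a warning event when one is written, and an active screen on the share. The share path and the four sample patterns are constructed placeholders; the real list is the one linked above.

```powershell
# Added example (not from the post above): a File Server Resource Manager file
# screen that refuses files matching known ransomware name patterns on a share
# and logs a warning event on each attempt. Requires the FS-Resource-Manager
# feature and an elevated session.
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares'                     # assumed path of the protected share
$groupName = 'Anti-Ransomware File Groups'

# Constructed sample patterns only; replace with the maintained list from
# https://fsrm.experiant.ca/ (it also publishes a ready-made installer script).
$patterns = @('*.locked', '*.encrypted', '*decrypt_instructions*', '*_how_to_recover*')

if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# FSRM writes this as a Warning in the Application log (source SRMSVC); the
# square-bracket tokens are FSRM's own substitution variables.
$notify = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Blocked [Source File Path] written by [Source Io Owner] under [File Screen Path]'

# -Active blocks the write. Run once with -Active:$false (passive, log only)
# to confirm no legitimate file names on the share match the patterns.
if (-not (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName `
        -Notification $notify -Active | Out-Null
}

Get-FsrmFileScreen -Path $sharePath | Select-Object Path, Active, IncludeGroup
```

A file screen only matches file names, so a strain that encrypts in place without renaming, or uses an extension not yet on the list, still gets through; it complements the offline backups recommended earlier rather than replacing them.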


5519 posts
Uber Geek
Trusted

Reply # 1954037 9-Feb-2018 08:59
One person supports this post

Sounds like you've got a good ol' case of ransomware.

In all honesty, I would go consult an "IT Person" or take up some of the professional services people here offer if you value your data.
You bet if you have moved USB drives around and transferred files between server and workstations they all got it! I've seen this stuff ruin businesses and people don't take it overly seriously until it's too late.
Cheers

2850 posts
Uber Geek

Reply # 1954038 9-Feb-2018 09:00

Ford: I've copied the data on the workstations to another drive how will I know if it's ok. I can open the files

You may have also copied files that have been infected, so they still might be triggered at a later date.

212 posts
Master Geek

Reply # 1954120 9-Feb-2018 10:08

Ensuring good backups is the best thing you can do, for example following the 3-2-1 backup rule.

Indeed have good AV/Firewall/patching/UAC/User training in place, but the nature of ransomware and such these days is that you need to be prepared for recovering when it hits, not just trying to stop it from hitting. It is pretty trivial to get past many of the systems used to try and stop ransomware from entering a network, the idea is to reduce the exposure.

This doc produced by the ASD, part of the Australian Department of Defence, is seen as a good reference for strategies to mitigate cyber security incidents - https://asd.gov.au/publications/Mitigation_Strategies_2017.pdf

1332 posts
Uber Geek

Reply # 1954132 9-Feb-2018 10:37

Ford: Is there any software that can be used to unencrypt them.

Ford: Not sure how we got it because it happened overnight. We use Nod32 endpoint but the virus disabled it.

The days of being able to unencrypt are long gone. That will only work on very old versions of ransomware.
You can try, but honestly it's clutching at straws.

NOD32 will not stop ransomware. I've seen a few ransomware infections despite having up to date NOD.
From what I've seen, the usual way it gets in is from a workstation (often after clicking a bogus email link): it will then encrypt network accessible files.
Also there is the possibility of it getting in via a user having a stupidly insecure password: it happens.

"And it doesn't explain why the workstations are ok"

Some malware will do the damage, then remove all traces of itself. So there may no longer be any active malware on the workstations/server when you AV/malware scan them.
Who knows, it could be a strain that targets network shares & leaves the workstation in a fully usable state.
If it's zero day malware, it won't get detected regardless.


