Exchange Server injected with ransomware? What to do now?

This is a very interesting topic. Ransomware has been around for a while but has increased drastically over the last year or so.

Let’s take a brief look at what ransomware is before moving on to an Exchange Server infected with ransomware:

Ransomware is a form of malicious software (malware) that, once it has taken over your computer, whether a desktop or a server, threatens you with harm, usually by denying you access to your data. The attacker demands a ransom from the victim, promising (not always truthfully) to restore access to the data upon payment.

Users are shown instructions for how to pay a fee to get the decryption key. The cost can range from a few hundred dollars to thousands. Some ransomware encrypts files on the machine, while other forms encrypt the entire machine, making it useless.

What happens when my Exchange Server is infected with Ransomware?

There are a couple of things you need to do if you suspect that the Exchange server is infected:

  • Take it off the network immediately
  • Check if other servers are infected
  • Look for any suspicious folders or user accounts on the server
  • Check what data has been encrypted, and see whether you can still reach the location where the Exchange databases sit so you can copy them off to another location
  • Use backups to recover the data
  • Pay the bitcoin or other cryptocurrency to get the “unlock” key and get your data back
  • Use Stellar Phoenix Mailbox Exchange Recovery to extract the data
  • Recover the server by re-installing and then using the recovery switch


Let’s expand on the above a bit. As hectic as it might sound, you do need to isolate the machine that is infected. Yes, it means Exchange will be down (if it is a standalone server); if the server is part of a DAG you can run on the 2nd, 3rd or 4th copy, depending on how big your DAG is. If it is a single server, you will need to check whether the C:\ drive has been encrypted and how badly. This all depends on the kind of ransomware that has reached the server.

The next step is to see what other servers on your network have been compromised and isolate each of them in the same way. Unfortunately, the business might not meet its SLA because of the amount of downtime involved in recovering the data.

Some forms of malware leave a trace behind: for example, a user account was compromised and used to gain access to the server, after which a new account with full administrative rights was created, or new folders appeared on the server. A common one is the Intel folder, where the executable is dropped and then launched.
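A read-only triage script for the traces described above, added here as an example and not part of the original article. It assumes a domain-joined Exchange server with the ActiveDirectory module available, and that the Exchange Management Shell is loaded for the final DAG check; the seven-day window and the extra folder list are assumptions.

```powershell
# Added example: quick triage of a suspected Exchange server (run elevated).
# Step 1 of the article, isolation, is left as a comment so the script itself changes nothing:
#   Get-NetAdapter | Disable-NetAdapter -Confirm:$false
$Since = (Get-Date).AddDays(-7)                       # look-back window (assumption)

# Privileged groups to review; "Organization Management" is the Exchange admin role group.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Organization Management'
foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties whenCreated |
        Where-Object whenCreated -gt $Since |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, whenCreated
}

# Local Administrators group: a newly created local admin account is another common trace.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

# Recently dropped executables. C:\Intel is the folder the article names;
# the other two are assumed common drop locations to widen the check.
$DropDirs = 'C:\Intel', 'C:\Windows\Temp', $env:TEMP
Get-ChildItem -Path $DropDirs -Include *.exe, *.dll, *.ps1, *.bat -Recurse -ErrorAction SilentlyContinue |
    Where-Object CreationTime -gt $Since |
    Select-Object FullName, CreationTime, Length

# DAG check from the article: is there a healthy copy elsewhere to fail over to?
Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME |
    Select-Object Name, Status, ContentIndexState, LastInspectedLogTime
```

Review every hit by hand; an account or file created in the window is a lead, not proof of compromise.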

If you can get access to the location where the Exchange databases are sitting, then ensure you get a copy of the data off the machine before it is encrypted. It’s easier said than done as your Exchange databases can be huge and this will take quite a while to copy across.

The “bad” option is having to pay. Yes, the demands for decrypting the data can be financially straining: they could demand 100 bitcoin, for example, and if your currency exchange rate is high you are looking at millions for that “decrypt key”, with no guarantee that they will release it to you after paying. Paying is a big gamble, unfortunately.

Another thing you can look at is using Stellar Phoenix Exchange Recovery to get into the .EDB file, depending on whether you can still reach the directory. If you have a backup in place, you can use the Stellar Phoenix tool to open the .EDB file and extract the data. This tool can save you a lot of time extracting the data to Office 365 or to .PST files, among other options, while you rebuild your Exchange server.

Lastly, if you want to recover Exchange from setup, you need to use the recovery switch. Here is a small example of how this is done:

  • Reset the computer account in AD
  • Prepare a new server with the same operating system and the latest Windows updates
  • Assign the same IP address the “corrupt” server had
  • Join it to the domain with the same server name as before
  • Install the prerequisites required before attempting to install Exchange
  • Extract the CU or copy the install files to a location
  • Open CMD with “Run as Administrator” and navigate to the install directory mentioned above
  • Run “Setup /m:RecoverServer /IAcceptExchangeServerLicenseTerms”
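A pre-flight script for the recovery steps above, added as an example and not part of the original article. It checks the conditions the steps require (domain-joined under the old name, the old IP, and the server object still present in AD, which is what /m:RecoverServer reads its settings from) before launching setup. It assumes the ActiveDirectory module is installed; $SetupDir and $ExpectedIp are placeholder values.

```powershell
# Added example: verify the rebuilt box before running Setup /m:RecoverServer (run elevated).
$SetupDir   = 'D:\ExchangeCU'          # where the CU was extracted (assumption)
$ExpectedIp = '10.0.0.25'              # IP the "corrupt" server had (placeholder)
$Name = $env:COMPUTERNAME
$ok   = $true

# Joined to the domain with the original server name?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$Name is not domain-joined"; $ok = $false
}

# Same IP address as before? (ignore APIPA/loopback, whose PrefixOrigin is WellKnown)
$ips = (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object PrefixOrigin -ne 'WellKnown').IPAddress
if ($ExpectedIp -notin $ips) {
    Write-Warning "Expected $ExpectedIp but found $($ips -join ', ')"; $ok = $false
}

# The Exchange server object lives in the configuration partition; without it
# RecoverServer has nothing to recover from.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$srv = Get-ADObject -LDAPFilter "(&(objectClass=msExchExchangeServer)(cn=$Name))" `
                    -SearchBase $cfgNc -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No msExchExchangeServer object named $Name found in AD"; $ok = $false
}

# Setup.exe should be present in the extracted CU folder.
$setupExe = Join-Path $SetupDir 'Setup.exe'
if (-not (Test-Path $setupExe)) {
    Write-Warning "Setup.exe not found under $SetupDir"; $ok = $false
}

if ($ok) {
    # Same command as the article's last step, run synchronously so the exit code is visible.
    $p = Start-Process -FilePath $setupExe -Wait -NoNewWindow -PassThru `
        -ArgumentList '/m:RecoverServer', '/IAcceptExchangeServerLicenseTerms'
    "Setup exited with code $($p.ExitCode)"
} else {
    Write-Warning 'Pre-flight checks failed; not starting setup.'
}
```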


You can use the New-MailboxRestoreRequest cmdlet to extract data from a recovery database. After extraction, the data can be exported to a folder or merged into an existing mailbox. Recovery databases let you recover data from a backup or copy of a database without disturbing user access to current data.

If you have a good backup of the database before the infection occurred you could use that database to do the recovery if the current one is encrypted.

Quick overview of the recovery process:

Command to run:

  • Get-MailboxStatistics -Database database1 | Where { $_.DisconnectReason -eq "SoftDeleted" -or $_.DisconnectReason -eq "Disabled" } | Format-List LegacyDN, DisplayName, MailboxGUID, DisconnectReason


Restoring a Mailbox:

Restore the source mailbox with the MailboxGUID <guid> on mailbox database database1 to the target mailbox:

Command for running the mailbox restore request:

  • New-MailboxRestoreRequest -SourceDatabase "DB1" -SourceStoreMailbox <guid> -TargetMailbox User1


Restoring the Content:

Restore the content of the source mailbox with the DisplayName of User2 on mailbox database DB1. This is just a high-level overview of the process.
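The recovery-database flow from the overview above carried end to end, added here as an example and not part of the original article. It is meant for the Exchange Management Shell and assumes the pre-infection backup has already been restored to disk; the database name, paths and the User2 mailbox are placeholder values.

```powershell
# Added example: create a recovery database from a restored copy and merge one mailbox back.
$RecoveryDb   = 'RDB1'                         # recovery database name (assumption)
$RecoveredEdb = 'E:\Recovery\DB1\DB1.edb'      # .edb restored from the pre-infection backup
$LogFolder    = 'E:\Recovery\DB1'              # its log files, if the backup included them

# 1. The restored file must be in Clean Shutdown before Exchange will mount it.
$state = & eseutil.exe /mh $RecoveredEdb | Select-String 'State:'
$state
if ($state -match 'Dirty Shutdown') {
    # Replay the logs (E00 prefix assumed) to bring the database to a consistent state.
    & eseutil.exe /R E00 /l $LogFolder /d $LogFolder
}

# 2. Create and mount the recovery database on top of the restored files.
New-MailboxDatabase -Recovery -Name $RecoveryDb -Server $env:COMPUTERNAME `
    -EdbFilePath $RecoveredEdb -LogFolderPath $LogFolder
Mount-Database -Identity $RecoveryDb

# 3. Enumerate what the recovery database contains (the article's Get-MailboxStatistics step).
Get-MailboxStatistics -Database $RecoveryDb |
    Select-Object DisplayName, MailboxGuid, ItemCount, DisconnectReason

# 4. Restore the mailbox with DisplayName User2 by GUID into the live User2 mailbox.
$src = Get-MailboxStatistics -Database $RecoveryDb | Where-Object DisplayName -eq 'User2'
New-MailboxRestoreRequest -SourceDatabase $RecoveryDb -SourceStoreMailbox $src.MailboxGuid `
    -TargetMailbox 'User2' -AllowLegacyDNMismatch

# 5. Watch progress; Status becomes Completed when the merge is done.
Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics |
    Select-Object TargetMailbox, Status, PercentComplete, ItemsTransferred

# 6. Clean up once all requests report Completed.
# Get-MailboxRestoreRequest -Status Completed | Remove-MailboxRestoreRequest -Confirm:$false
# Dismount-Database -Identity $RecoveryDb -Confirm:$false
# Remove-MailboxDatabase -Identity $RecoveryDb -Confirm:$false
```

Merge into the target only after the rebuilt server has been confirmed clean; a recovery database mounted on a still-infected host can be encrypted just like the original.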
