Windows 2008R2 DCs have Ransom Remnants

We were hit by ransomware last week. I thought we had isolated the problem to the PC and removed it quickly from the network. I had several file directories I had to restore from tape. I thought all was OK. Everything domain-wide seems to be working OK. I started doing a little more research and found that the local c:\windows\sysvol\ directories were all hit with the ransom-file replacement. All have the timestamps of the rogue Trojan.

What do I do? I probably have a system state backed up from several DCs. I have 2 Win2k12R2 DC servers and they don't appear to have the sysvol folder. Starting to panic.

cobmo (IT Manager) asked:
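Before deciding which DCs need a SYSVOL restore, it helps to scope the damage the same way on every DC at once. The following PowerShell script is an added example, not something from the original thread; it assumes a domain-joined admin workstation with the ActiveDirectory module, admin access to each DC's \\<dc>\SYSVOL share, and an attack window taken from the Trojan's file timestamps (the dates below are constructed placeholders). It flags files whose names match common CryptoWall-era ransom-note names or that were written inside that window, and reports per DC.

```powershell
# Added example (not from the original thread): scope ransomware damage in SYSVOL across all DCs.
# Assumes: ActiveDirectory module, admin SMB access to \\<dc>\SYSVOL, attack window known from timestamps.
Import-Module ActiveDirectory

$AttackStart = Get-Date '2015-06-14 13:00'   # constructed placeholder; use the Trojan's real timestamps
$AttackEnd   = Get-Date '2015-06-14 15:00'
# Common ransom-note name fragments from the CryptoWall era; extend with what you actually observed.
$NotePattern = 'HELP_DECRYPT|DECRYPT_INSTRUCTION|HOW_TO_DECRYPT'

$Report = foreach ($dc in Get-ADDomainController -Filter *) {
    $share = "\\$($dc.HostName)\SYSVOL"
    if (-not (Test-Path -Path $share)) {
        # A DC whose share cannot be reached is itself a finding: note it and move on.
        [pscustomobject]@{ DC = $dc.HostName; Path = $share; Reason = 'SYSVOL share unreachable'; LastWrite = $null }
        continue
    }
    Get-ChildItem -Path $share -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $reason = $null
        if ($_.Name -match $NotePattern) {
            $reason = 'ransom-note file name'
        } elseif ($_.LastWriteTime -ge $AttackStart -and $_.LastWriteTime -le $AttackEnd) {
            $reason = 'modified inside attack window'
        }
        if ($reason) {
            [pscustomobject]@{ DC = $dc.HostName; Path = $_.FullName; Reason = $reason; LastWrite = $_.LastWriteTime }
        }
    }
}

# Per-DC summary first, then the full list to a CSV for the restore plan.
$Report | Group-Object DC | Select-Object Name, Count | Format-Table -AutoSize
$Report | Sort-Object DC, Path | Export-Csv -Path "$env:TEMP\sysvol-ransom-scope.csv" -NoTypeInformation
```

A DC that shows no hits is a candidate source for a clean SYSVOL, but check replication state on every DC (for example `dcdiag /e /test:sysvolcheck`) before relying on that, since replication may already have carried the damaged files to DCs that looked clean.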

Matthew Parsons (Director) commented:
Hi there,

OK, so you have two DCs which I presume used to replicate between each other with no previous problems.

I presume you have checked your backups for the sysvol file? If you have a backup you would have to enter directory restore mode first then restore it accordingly. Obviously this would need to be completed on the Primary Domain Controller.

You might want to look at the following similar Experts Exchange article; it goes into further detail on checking registry entries, checking the sysvol folder share, etc.

However, due to potential issues, I would probably err on the side of caution and contact Microsoft directly, pay for a case, have them look at it, and it will get resolved.

Hope this helps.

cobmo (IT Manager, Author) commented:
Thanks Matt
I have way too many DCs. I have 3 w2k8 DCs (two here + one offsite). I then recently purchased 2 new servers running W2k12R2. I promoted them to DCs as well. Running w2k8 forest level. So my plan was then to demote the win2k8 DCs and have just the 2 w2k12r2 DCs. But I haven't done that yet. The PDC - or FSMO - is still a win2k8R2 server.

OK, I was afraid of the restore. However, I just checked my tape from the pre-CryptoWall attack and I have the SYSVOL and the System State backed up to it. I did something right at least. I agree I will need MS help on this. I hope the process can be restored smoothly. My domain is original to NT/2000/2003/2008. I think my fear now is that the restore requires a password from the original install. I'm not sure I have that. Does MS have a way around that?

Matthew Parsons (Director) commented:
Was your Windows 2k8R2 server affected by CryptoWall? You may be able to get away with some replication work rather than restoring from backup.

Well, as long as you have a backup then you should be OK :) If you don't have the password for DSRM you can reset it from a command prompt; my only concern is I'm unsure of the impact you'll have when restoring the sysvol folder.

Here's the article to reset the DSRM password.

I know that pit-of-the-stomach feeling when you think it's going wrong, and due to the critical nature of your problem I would give Microsoft a call, log it as urgent, you'll get a call back in 2 hours and I'm sure it will get sorted.

You might also want to have a look at the next article as well; you can add some additional group policies to stop CryptoWall in future.

Hope this helps. Matt

cobmo (IT Manager, Author) commented:
I contacted McAfee immediately. It's only as good as what's available, right? McAfee sent me their recommended User-Defined settings to "help" resist another CryptoWall attack but of course it's not 100%.

I also have the anti-virus filter on my Dell SonicWall. It has about 5-6 CryptoWall signatures but not the one that hit. Ugh. I do feel extremely nauseous. I'm ultimately responsible for the users who make poor decisions.

Matthew Parsons (Director) commented:
I know that feeling, it's not great, but ultimately your backups are your worst-case scenario.

What you can do however is teach users about threats via email. I run a solution that emails a company and you can get a report back of who has clicked the link or not, obviously allowing the IT manager to have a chat and to educate the user.

I also use the Dell SonicWall and they're generally pretty good; some features still need a bit of attention but generally good.

Let me know if I can be of any further assistance. Matt
cobmo (IT Manager, Author) commented:
I have the Dell Analyzer reporting software. I was able to run a report for the hour the user launched it. I see Pinterest entries but a ton of ad servers and everything else that gets loaded to a web page. It's amazing how much overhead there is, and virtually impossible to even think that MSN or Yahoo can contain their information without being malicious.

For email I use the Dell anti-spam subscription filter and then use the McAfee MSME product on my Exchange 2010 server. I feel so overwhelmed but I also think I have put in at least multiple layers to protect what I can. This incident will set a precedent and if there is a possibility of termination, well, let's just say they may all behave better and not think it's all fun and games and smirk when I snarl at them and say "you're not the one that will be here on the weekend rebuilding all of this". And I'm here on a Sunday afternoon doing just that. Thanks for your help and guidance on this today.

Matthew Parsons (Director) commented:
Users do forget that we technical guys have to pick up the pieces; we can make suggestions and put in procedures but if users don't follow them it's pointless.

"If you don't know the sender, don't open the attachment." And is Pinterest a work-related activity? I'd look to escalate that to the owners and block potential risks; after all, it only takes a few users to ruin the privileges for others.

Anyway, best of luck, let me know if I can help any further.

cobmo (IT Manager, Author) commented:
I did go ahead and block Pinterest. Pinterest itself is not evil but my understanding is that it has users posting things up to it. We have children's activities that my users may use Pinterest to get ideas from for arts & crafts types of things, so yes, for some of my users it "WAS" a viable site. ha.