All files suddenly have .abc extension

On our file server, which is a windows 2012 server, all files under one of our shared folders suddenly have ".abc" appended to the end of the filename.  So, instead of document.doc we have  Even after renaming the document to document.doc, it will no longer open.  I have restored from backup as a solution, but I'd like to know if anyone has any knowledge of what might have occurred?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sounds like a ransomware attack.  It is likely that a users computer has/had gotten infected with a program that has encrypted and renamed all of the user type files.  While I am not directly familiar with any ransomware attack that appends an abc extension, it certainly does sound like that is what this is.

Have your users reported anything strange?  You may need to scan systems individually.  Also do note the modified date, this will help track down when the infection occurred and also give you a date/time to restore from (if needed).


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Suspicions validated (however, not yet confirmed):

matthewiAuthor Commented:
I use Symantec Endpoint Protection across our network.  What can I do to prevent this in the future?
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

Scott CSenior EngineerCommented:
Make sure your users are educated as well about the dangers of clicking on links to unknown websites and opening attachments that are suspicious.

No system will be 100% secure.  You just have to do the best you can and make sure you have good backups....which you already do.

However, unless you have found the ramsomware on your environment, it is probably still lurking out there.

As suggested, you need to do some deep scans on all of your computers.

MalwareBytes would be a good place to start.
Tim EdwardsIT Team Lead - Unified Communications & CollaborationCommented:
I have not had this issue in our corporate environment but my parents personal computer had this happen to it, and even affected the attached storage.

For his computer I used malwarebytes to remove the malware unfortunately I cannot remember the freeware that I used to remove.

As stated above you cannot 100% stop this from happening, but you can setup rules on your firewalls and if you run your own spam filter to limit these coming into your network.
matthewiAuthor Commented:
Thank you for all the help.  A user called me yesterday unable to access her files, and I discovered her computer was infected with ransomware.  I have scanned it with MalwareBytes, which found and remove the infections.  I hope this was the only computer effected!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.