Ernesto asked:

I've got the Locky virus on my server

Please help, I got Locky on my server and it is destroying several files.
Is there any way to clean it?
Is there any way to recover the files?
Please, experts.
Ernesto

ASKER

I'm using SpyHunter 4 and Recuva.
Can they be trusted?
Do I have a chance?
Please.
Regards
Hypercat (Deb)
Restoring from backup is the only way to recover the files that have been affected by locky safely and surely.  I've heard of some other ways, but from what I've read they're chancy and not fully tested.

Do you have a good, uninfected backup of the files that were affected by locky?
You can clean the virus off but the files will need to be restored from backup.

This EE thread has more details/discussion.
Ernesto

ASKER

How can I be sure to get rid of .locky?

What are the steps?
Regards
Re-image the PCs that have been infected.
Ernesto

ASKER

How do I do that?
What do you do when you set up a new PC? Normally you have an image with the OS and all the software you need, then you just restore that image to the new PC and it is ready for use.
Ernesto

ASKER

It is a server. Is there any software to clean up the server? I'm trying Kaspersky.
Regards
Ernesto

ASKER

Oh man, I have Malwarebytes Premium installed on the server and it passed through.
If I run Malwarebytes and the result is 0 threats, does that mean the virus is gone?
Regards
What should I do with the .locky files?
Delete them?
Or keep them in order to see if they can be recovered with Recuva?
Regards
Ernesto

ASKER

So the damage is done;
is it not spreading to more files?
Kaspersky and Malwarebytes say it is clean?
What to do?
As I already said earlier, it isn't the server that is infected, or it shouldn't be if it is used properly as a server. It is one or more of the connected workstations. The virus is running on one of those PCs and encrypts all files it can, including those it has access to on servers. So you must concentrate on keeping the PCs in question off the LAN and just setting them up with a fresh OS.
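The comment above places the infection on a workstation that encrypts whatever it can reach on server shares, and earlier replies say the affected files must be restored from backup. As an added example (not part of the thread), this Python script inventories `.locky` files under a share root to show which folders need restoring and when the encryption ran; the function names, and treating file modification time as the time of encryption, are assumptions.

```python
import os
import sys
from collections import defaultdict
from datetime import datetime

ENCRYPTED_EXT = ".locky"  # extension named in this thread


def scan_share(root):
    """Summarise encrypted files under root (function name is hypothetical)."""
    folders = defaultdict(lambda: {"encrypted": 0, "intact": 0})
    first = last = None
    # os.walk skips directories it cannot list, so one denied folder does not stop the scan
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ENCRYPTED_EXT):
                folders[dirpath]["intact"] += 1
                continue
            folders[dirpath]["encrypted"] += 1
            try:
                mtime = os.path.getmtime(os.path.join(dirpath, name))
            except OSError:
                continue  # counted, but no timestamp available
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    # Report only folders that contain at least one encrypted file
    hit = {d: dict(c) for d, c in folders.items() if c["encrypted"]}
    return {
        "folders": hit,
        "total_encrypted": sum(c["encrypted"] for c in hit.values()),
        "first_write": first,
        "last_write": last,
    }


def restore_cutoff(report):
    """Assumption: mtime marks encryption, so restore from a backup older than this."""
    ts = report["first_write"]
    return None if ts is None else datetime.fromtimestamp(ts)


if __name__ == "__main__":
    report = scan_share(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("encrypted files:", report["total_encrypted"])
    print("restore from a backup taken before:", restore_cutoff(report))
    for folder, counts in sorted(report["folders"].items()):
        print(f"{counts['encrypted']:6d} encrypted / {counts['intact']:6d} intact  {folder}")
```

Folders that still show intact files next to encrypted ones, or a last-write time that keeps moving between runs, indicate that a workstation is still encrypting and has not yet been taken off the LAN.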
Ernesto

ASKER

OK, I identified the machines and took them off the network.
I think the virus spread through a network drive. Is there any way to avoid my server getting infected in the future? What is the proper way to share it in the safest way?
Regards
In my first comment I explained about what measures should be taken to avoid future infections.
btan

Lock down your endpoint and prevent unauthorized USB from use. There is application and device control in HIPS like Symantec, McAfee, DeviceLock, etc.
The ransomware, by default in its initial version, does not show symptoms of spreading through network drives, though it will encrypt files on network drives. If such exe files are found on a network drive, then it may be spreading from the network, and it also means it can be a new version of this family.
I suspect someone has used the internet on those infected machines, or the infected USB drive is shared among the machines.
Ernesto

ASKER

Thank you all.