Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 74
  • Last Modified:

Connecting workstations to Server 2012 Standard after Ransomware

Hi guys,

A client's network has one Server 2012 Standard and several client workstations connected to it via a single domain. This server is the only server on their network, so is also the Domain Controller and DNS server. Over the weekend, the server was attacked by Ransomware which caused all data on it to become encrypted. As no 'fix' for that Ransomware had yet been developed which didn't involve paying, we opted to pull a server image from a local daily backup which is run via Acronis Backup & Restore v11.5. Unfortunately, they'd not been switching daily between their two local backup drives, so the one connected to the machine during the attack, which has the last month's-worth of backups on it, was encrypted. As a side note, I thought Acronis' .TIB files couldn't be encrypted, but that is clearly incorrect (on a machine running Acronis, at very least). Anyway, we restored a backup from July 19th 2016 to the server and got the server back to that point with very little issue.

The current issue, however, is that two users who weren't already logged in (most users don't turn their PCs off or even log off from their session almost ever) are now unable to access the server. The one logged into the domain gets one of the two following error when they try to login:

1. The User Profile Service service failed to login. User profile cannot be loaded.
2. The trust relationship between this workstation and the primary domain failed.

This is a Windows 7 Pro workstation, for what it's worth.

One of the machines, a Windows 10 workstation, is a new machine which was deployed only last week. It was connected to the domain last week but then, when this issue happened, I tried disconnecting it from the domain, restarting the PC and reconnecting. Now, it doesn't reconnect, giving me one of the two messages:

1. The following error occurred attempting to join domain "<domain_name>":   The specified domain either does not exist or could not be contacted.
2. An Active Directory Domain Controller (AD DC) for the domain '<domain_name>" could not be contacted. Ensure the domain name is typed correctly. If the name is correct, click Details for troubleshooting information.

These alternate messages occurred at different times during my attempted fixes on the server. So far, I have attempted the fixes from the following URLs (in order):

http://www.tomshardware.com/faq/id-1943765/windows-server-2012-dns-server-accessible-unable-resolve-dns-queries.html
https://blog.blksthl.com/2013/03/18/fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/
https://redmondmag.com/articles/2014/04/21/domain-trust-issues.aspx

With the new machine, knowing that it wasn't around at the time the Server was restored to, I even tried adding in the Computer name in Active Directory > Users and Computers > Computers, but to no avail. With the other (Windows 7 PC), I even found a solution which suggested that in this same location I find the users PC which was already in the list, right-click on it and select 'Reset Account'. This, too, produced no results.

So, I'm out of my depth and need some assistance - please help. I suspect the fix isn't hard... I just don't know what it is.
0
Servant-Leggie
Asked:
Servant-Leggie
  • 2
1 Solution
 
Waahid JoomunCommented:
Hello Sir,

Try to remove the computer in your AD and re join to your domain on both PC. This should fix the problem.

W
0
 
Servant-LeggieAuthor Commented:
Waahid Joomun, I have done that EXCEPT FOR removing the computer first, which sounds like the important part. I will go ahead and do that and will let you know how I go.
0
 
David Johnson, CD, MVPOwnerCommented:
For what it's worth,  you should adjust the permissions on your backup locations so that ONLY the account that Acronis is using should have read/write/modify permissions.  Administrators don't need access, Users definitely don't need access. That or do a mount share / backup / dismount share. Or have a machine that you can set the bios or send a WOL magic packet so the machine that holds the backup share starts, do your agent scheduled backups, upon completion do an automated shutdown of the machine. This will decrease your exposure time

Ransomware will encrypt ANY file that the miscreant thinks is valuable. We relied on shadow copies, they now delete shadow copies, they only went after common file types i.e. Office Documents and Image Files.. Backup's were "safe" now they also target common backup file extensions as well.
0
 
Servant-LeggieAuthor Commented:
Thanks Waahid Joomun, this worked a treat! Sorry for my slow reply.
0
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now