Solved

We got ransomware on the server fileserver 2012

Posted on 2016-09-28
Medium Priority
198 Views
Last Modified: 2016-09-28
This morning, the users reported that when they click on the files on the network drives, they are getting the ransomware dialog box that tells them they have 72 hours to pay. I have a backup of the server drives, but how do I clean this up, and how do I find out whose computer on the network got this to begin with, so that even if I restore, this does not happen again? Should I run Malwarebytes on the server?
0
Comment
Question by:netcomp
17 Comments
 
LVL 36

Assisted Solution

by:Kimputer
Kimputer earned 124 total points
ID: 41819851
If no one was working on the server, which I suppose they weren't, the encryption happened from a workstation. Therefore, scan all workstations first.
If there's an admin ON the server, downloading lots of stuff, the server needs to be scanned too.
After everything is cleaned up, then finally restore files from backup.
0
 
LVL 97

Assisted Solution

by:Experienced Member
Experienced Member earned 124 total points
ID: 41819863
I agree with the above. Ask user to log off (all the users). Restore from backup. Then scan each workstation and allow back on after it has been scanned and tested. Check as you go.

There is no magic here. Someone opened an email from a stranger and clicked on an enticing link or such like.

1. Make sure your spam filter is top notch, working, and updated regularly.
2. Train users not to open attachments from strangers - just delete them.
3. Ask users to tell friends to email their home account, not the business account.
0
 
LVL 1

Author Comment

by:netcomp
ID: 41819867
We have about 100 computers. How do I find out which one is the issue? Also, almost all have admin rights removed. How could this have happened with no admin rights? Also, they all have antivirus on them.
0
 
LVL 1

Author Comment

by:netcomp
ID: 41819874
Sorry, one more thing. How do I find the bad computer? Do I need to scan all of them, or are there other signs I can look for?
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41819875
You either need a centralized AV application with a management suite or else you need users to scan - something like that.
0
 
LVL 2

Assisted Solution

by:Kenny Innes
Kenny Innes earned 124 total points
ID: 41819902
We had this and had around 110 computers. At the time I powered off all network switches on the floor to stop further spreading, then manually checked every computer and noticed that our particular ransomware left a directory in the C drive, so we found the original infected PC and then wiped it.

As we had very good backups we deleted 2TB of data and then restored from backups (took a day), but we had a fully operational office within 24 hours.

To stop further infection I would kill the network between devices and then work your way around each device.

Unfortunately, as we all know, having an AV solution, whether standalone or central, does NOT guarantee protection from advanced ransomware attacks.

P.S. Our infection was from a Royal Mail email that contained a zip file with information about your delivery.
0
 

Assisted Solution

by:Ray Zuchowski
Ray Zuchowski earned 124 total points
ID: 41819930
When you restore all your files, make all your network drives hidden shares. Ransomware can't spread to hidden files. So what happens then is your server is saved but the users' files on their PC get infected. To overcome this, you can do folder redirection in Active Directory and make that a hidden share as well. This way only local files on the PC will be harmed. I don't allow my users to save on their local drive, so ransomware rarely happens.

As for finding the person's PC who was the culprit, if you don't have a managed virus protection setup, then all have to run manually as others suggested. Hope this helps. Good luck!
0
 
LVL 36

Assisted Solution

by:Kimputer
Kimputer earned 124 total points
ID: 41819935
Antivirus solutions are almost always a step behind (a few hours between the first occurrence and sending out the new database).
Also, non-admins can ALWAYS run cryptoware, as it doesn't need admin rights. It needs read/write access, and the file server is of course open to reading and writing of files (cryptoware just reads the files and writes them back).
To find the culprit (because sometimes the AV won't find it, simply because the cryptoware deletes itself after its run), find the PC with the user whose own My Documents folder is encrypted. If the file share was restricted to certain users (for example, only Finance users), you are already one step closer to finding the user (it has to be one of the Finance users, unless the server admin was really the cause; that's not uncommon either, sadly).
0
 
LVL 5

Assisted Solution

by:Mdlinnett
Mdlinnett earned 124 total points
ID: 41820070
As has already been said, one of your computers will have their local files encrypted as well, that will be your culprit.

The issue with Ransomware is that it's relatively cheap (less than 200 euros) to buy a piece of software that will re-package malware to evade AV software.

For instance, Virus A is made up of parts 1, 2, 3 & 4 in that order. The re-packager changes the order to 4, 3, 2, 1 and immediately that virus bypasses standard AV signature detection.

Isolate the servers by disconnecting from the network, start your server restoration, run a Malwarebytes scan on each client & a full scan from your standard AV solution. The infected client PC will need to be re-imaged / re-built.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 124 total points
ID: 41820103
You should already have the real-time or on-access scan on the server, and if the ransom dialog is coming from the server, I suggest planning for a rebuild, though it is non-trivial for a server. Otherwise scan with HitmanPro.Alert and Malwarebytes AM as mentioned (if not done so). Consider having anti-ransomware going ahead to protect the system, and application whitelisting using AppLocker or CryptoPrevent.

On the aspect of tracing whether there are other machines also infected, I am thinking you can look at the last-modified user of those encrypted files. If the audit trail is enabled, we can see the login account, and maybe that can narrow it down to a couple of hostnames and the machines that this account has access to. Hopefully no USB drive was plugged in prior to and after the infection.
0
 
LVL 5

Assisted Solution

by:Mdlinnett
Mdlinnett earned 124 total points
ID: 41820115
Check this too > https://noransom.kaspersky.com/

More and more ransomware variants now have decrypting tools available from various AV providers.
0
 
LVL 36

Assisted Solution

by:Kimputer
Kimputer earned 124 total points
ID: 41820118
"More and more" is quite overstating it. It's about a few thousand in the wild vs only a handful of decryptors.

It totally depends if the maker has been caught or not (and then the key has to be found on his hardware). Obviously, you'll be a few years in before you can decrypt your files, if ever.
0
 
LVL 88

Accepted Solution

by:
rindi earned 1008 total points
ID: 41820155
All those users who have reported seeing the ransomware notice will have had the virus. But lots of ransomware will automatically remove itself from the PC after it has finished the job and shown the note.

It will still be best practice to scan all the PCs for malware. If your users get ransomware, they will also get other viruses, so even if the ransom virus is gone, it is very likely that there are still other viruses on the system.

You will also have to rethink your environment.

First of all, make sure no one logs onto a PC with an account that has Admin rights. Not even the Admins. If they need to do something that requires those rights, UAC will show up and then they can use the credentials of an Admin account to do the job.

Educate your users on how to safely handle email and web-browsing. Disable macros in Office documents, as many viruses and particularly ransomware are started that way.

Use Application white-listing. That way only programs you have OK'd will execute.
1
 
LVL 25

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 124 total points
ID: 41820275
The suggestions so far are excellent. In terms of finding the offending computer, have you tried looking in the event logs (assuming they have not been encrypted)?
0
 
LVL 30

Assisted Solution

by:pgm554
pgm554 earned 124 total points
ID: 41820378
As this is a CYA moment, I would look at getting a Unified Threat Management appliance.

A lot of what sneaks into a network are back door Trojans, and a UTM is one way to at least keep up with them.
0
 
LVL 1

Author Comment

by:netcomp
ID: 41820888
Thank you all for your comments. First, I looked at the "Help Decryption you File" file that the virus leaves in each folder. I right-clicked the file and found out who the owner was, and from there I knew which user was the problem computer. There was no way of scanning all the computers, and I am not sure our managed AV would have found it. The client computer itself did not have any files locked. From the time stamp on the file on the server, I could tell that all this had happened around 4:00PM last night. I ended up restoring using shadow copies. What was interesting was that not all the folders within the network drive were affected. Apparently, it had only gotten to some folders. I guess it did not have enough time.
Thank you for all the help again,
1
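The triage the author describes (owner and timestamp of the ransom note in each folder), together with btan's suggestion of using the server's audit trail to map that account to a workstation, can be scripted on the file server. This is an added example, not code from the thread; the share path, the note file name pattern and the assumption that Object Access auditing (Security event 5145, detailed file share) is enabled on the server are all assumptions.

```powershell
# Added triage example (not from the thread). Run on the file server as an admin.
# Assumptions: data share lives under $SharePath; the ransom note's file name
# matches $NotePattern (adjust to the exact name your variant drops).
param(
    [string]$SharePath   = 'D:\Shares\Data',       # assumed local path of the share
    [string]$NotePattern = '*Help*Decrypt*'        # assumed note name pattern
)

# 1. Collect every ransom note with its NTFS owner and write time.
$notes = Get-ChildItem -Path $SharePath -Recurse -Filter $NotePattern -File -Force `
                       -ErrorAction SilentlyContinue
$rows = foreach ($n in $notes) {
    [pscustomobject]@{
        Owner   = (Get-Acl -Path $n.FullName).Owner   # account that created the note
        Folder  = $n.DirectoryName
        Written = $n.LastWriteTime
    }
}
if (-not $rows) { Write-Warning "No notes matching $NotePattern under $SharePath"; return }

# 2. One owner with many notes in a tight time window is the account to pursue.
$rows | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object @{n='Owner';e={$_.Name}}, Count,
                  @{n='FirstNote';e={($_.Group | Measure-Object Written -Minimum).Minimum}},
                  @{n='LastNote'; e={($_.Group | Measure-Object Written -Maximum).Maximum}} |
    Format-Table -AutoSize

# 3. Folders WITHOUT a note were not reached (the thread saw a partial run);
#    they need checking, not blind restoring.
$touched = $rows.Folder | Sort-Object -Unique
Get-ChildItem -Path $SharePath -Directory -Force |
    Where-Object { $touched -notcontains $_.FullName } |
    Select-Object @{n='UntouchedFolder';e={$_.FullName}} | Format-Table -AutoSize

# 4. Map the account to a workstation: event 5145 records the SMB client IP
#    for each share access (requires "Audit Detailed File Share" to be enabled).
$since = ($rows | Measure-Object Written -Minimum).Minimum.AddHours(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5145; StartTime=$since} `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{ User = $d.SubjectUserName; SourceIP = $d.IpAddress }
    } |
    Group-Object User, SourceIP | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10 | Format-Table -AutoSize
```

Step 4 produces nothing if share auditing was not enabled before the incident; in that case the owner from step 2 plus the domain controller's logon events for that account are the fallback.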
 
LVL 88

Expert Comment

by:rindi
ID: 41820900
It can only encrypt folders the user has access to.
0
