netcomp

asked on

We got ransomware on the server fileserver 2012

This morning, the users reported that when they click on the files on the network drives, they are getting the ransomware dialog box that tells them that you have 72 hours to pay. I have a backup of the server drives, but how do I clean this up, and how do I find out whose computer on the network got this to begin with, so that even if I restore, this does not happen again? Should I run Malwarebytes on the server?
SOLUTION
Kimputer

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
netcomp

ASKER

We have about 100 computers. How do I find out which one is the issue? Also, almost all have admin rights removed. How could this have happened with no admin rights? Also, they all have antivirus on them.
netcomp

ASKER

Sorry, one more thing. How do I find the bad computer? Do I need to scan them all, or are there other signs I can look for?
You either need a centralized AV application with a management suite or else you need users to scan - something like that.
netcomp

ASKER

Thank you all for your comments. First, I looked at the Help Decryption you File that the virus leaves in each folder. I right-clicked the file and found out who the owner was, and from there I knew which user's computer was the problem. There was no way of scanning all the computers and I am not sure our Managed AV would have found it. The client computer itself did not have any files locked. From the timestamp on the file on the server, I could tell that all this had happened around 4:00PM last night. I ended up restoring using shadow copies. What was interesting was that not all the folders within the network drive were affected. Apparently, it had only gotten to some folders. I guess it did not have enough time.
Thank you for all the help again,
It can only encrypt folders the user has access to.
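
The triage described in the asker's closing comment (read the owner of the ransom note left in each folder and use the file timestamps to date the activity), as an added PowerShell example that is not part of the original thread. The function name, the share path and the note-name pattern are assumptions; pass the real file name of the note found on your server.

```powershell
# Added example, not code from the thread.
# Assumptions: $ShareRoot and $NotePattern are placeholders supplied by you.
function Get-RansomNoteOwnerSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ShareRoot,    # root of the affected share
        [Parameter(Mandatory)] [string] $NotePattern   # file name (or wildcard) of the note
    )

    # Find every copy of the ransom note; unreadable folders are skipped.
    $notes = Get-ChildItem -LiteralPath $ShareRoot -Recurse -File -Force `
                 -Filter $NotePattern -ErrorAction SilentlyContinue

    $rows = foreach ($note in $notes) {
        try {
            # Files written over SMB are owned by the account that created them.
            $owner = (Get-Acl -LiteralPath $note.FullName -ErrorAction Stop).Owner
        } catch {
            $owner = '<owner unreadable>'
        }
        [pscustomobject]@{
            Owner     = $owner
            Folder    = $note.DirectoryName
            CreatedAt = $note.CreationTime
        }
    }

    # One row per owner: folders hit and the time window of the activity.
    $rows | Group-Object -Property Owner | ForEach-Object {
        $window = $_.Group | Measure-Object -Property CreatedAt -Minimum -Maximum
        [pscustomobject]@{
            Owner     = $_.Name
            Folders   = $_.Count
            FirstNote = $window.Minimum
            LastNote  = $window.Maximum
        }
    } | Sort-Object -Property Folders -Descending
}

# Example call with placeholder values (replace both before running):
# Get-RansomNoteOwnerSummary -ShareRoot 'D:\Shares' -NotePattern '<ransom note file name>' |
#     Format-Table -AutoSize
```

The owner is a user account, not a machine, so the account still has to be matched to the workstation that user was logged on to at the reported time. An owner of `BUILTIN\Administrators` means the note was written under an administrator account.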