Solved

We got ransomware on the server fileserver 2012

Posted on 2016-09-28
Last Modified: 2016-09-28
This morning, the users reported that when they click on files on the network drives, they get the ransomware dialog box telling them they have 72 hours to pay. I have a backup of the server drives, but how do I clean this up, and how do I find out whose computer on the network got this to begin with, so that even if I restore, this does not happen again? Should I run Malwarebytes on the server?
Question by:netcomp
17 Comments
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 31 total points
If no one was working on the server, which I suppose they weren't, the encryption happened from a workstation. Therefore, scan all workstations first.
If there was an admin ON the server, downloading lots of stuff, the server needs to be scanned too.
After everything is cleaned up, finally restore the files from backup.
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 31 total points
I agree with the above. Ask all the users to log off. Restore from backup. Then scan each workstation and allow it back on after it has been scanned and tested. Check as you go.

There is no magic here. Someone opened an email from a stranger and clicked on an enticing link or such like.

1. Make sure your spam filter is top notch, working, and updated regularly.
2. Train users not to open attachments from strangers - just delete them.
3. Ask users to tell friends to email their home account, not the business account.
 
LVL 1

Author Comment

by:netcomp
We have about 100 computers. How do I find out which one is the issue? Also, almost all of them have had admin rights removed. How could this have happened with no admin rights? Also, they all have antivirus on them.
 
LVL 1

Author Comment

by:netcomp
Sorry, one more thing. How do I find the bad computer? Do I need to scan all of them, or are there other signs I can look for?
 
LVL 90

Expert Comment

by:John Hurst
You either need a centralized AV application with a management suite or else you need users to scan - something like that.
 
LVL 1

Assisted Solution

by:Kenny Innes
Kenny Innes earned 31 total points
We had this and had around 110 computers. At the time I powered off all network switches on the floor to stop further spreading, then manually checked every computer and noticed that our particular ransomware left a directory on the C drive, so we found the original infected PC and then wiped it.

As we had very good backups, we deleted 2TB of data and then restored from backups (took a day), but we had a fully operational office within 24 hours.

To stop further infection I would kill the network between devices and then work your way around each device.

Unfortunately, as we all know, having an AV solution, whether standalone or central, does NOT guarantee protection from advanced ransomware attacks.

P.S. Our infection was from a Royal Mail email that contained a zip file with information about your delivery.
 

Assisted Solution

by:Ray Zuchowski
Ray Zuchowski earned 31 total points
When you restore all your files, make all your network drives hidden shares. Ransomware can't spread to hidden files. So what happens then is your server is saved but the users' files on their PCs get infected. To overcome this, you can do folder redirection in Active Directory and make that a hidden share as well. This way only local files on the PC will be harmed. I don't allow my users to save on their local drive, so ransomware rarely happens.

As for finding the PC of the person who was the culprit, if you don't have a managed virus protection setup, then all have to be run manually as others suggested. Hope this helps. Good luck!
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 31 total points
Antivirus solutions are almost always a step behind (a few hours between the first occurrence and sending out the new database).
Also, non-admins can ALWAYS run cryptoware, as it doesn't need admin rights. It needs read/write access, and the file server is, of course, open to reading and writing of files (cryptoware just reads the files and writes them back).
To find the culprit (because sometimes the AV won't find it, simply because the cryptoware deletes itself after its run), find the PC of the user whose own My Documents folder is encrypted. If the file share was restricted to certain users (for example, only Finance users), you are already one step closer to finding the user (it has to be one of the Finance users, unless the server admin was really the cause; sadly, that's not uncommon either).
 
LVL 5

Assisted Solution

by:Mdlinnett
Mdlinnett earned 31 total points
As has already been said, one of your computers will have its local files encrypted as well; that will be your culprit.

The issue with Ransomware is that it's relatively cheap (less than 200 euros) to buy a piece of software that will re-package malware to evade AV software.

For instance, Virus A is made up of parts 1, 2, 3 & 4 in that order. The re-packager changes the order to 4, 3, 2, 1 and immediately that virus bypasses standard AV signature detection.

Isolate the servers by disconnecting them from the network, start your server restoration, and run a Malwarebytes scan on each client & a full scan from your standard AV solution. The infected client PC will need to be re-imaged / re-built.
 
LVL 61

Assisted Solution

by:btan
btan earned 31 total points
You should already have real-time or on-access scanning on the server, and if the ransom dialog is coming from the server, I suggest planning for a rebuild, though it is non-trivial for a server. Otherwise scan with HitmanPro.Alert and Malwarebytes AM as mentioned (if not done so). Consider having anti-ransomware going forward to protect the system, and application whitelisting using AppLocker or CryptoPrevent.

On the aspect of tracing whether there are other machines also infected, I am thinking you can look at the last-modified user of those encrypted files. If the audit trail is enabled, we can see the login account, and maybe that can narrow it down to a couple of hostnames and the machines that this account has access to. Hopefully no USB drive was plugged in prior to and after the infection.
 
LVL 5

Assisted Solution

by:Mdlinnett
Mdlinnett earned 31 total points
Check this too > https://noransom.kaspersky.com/

More and more ransomware variants now have decrypting tools available from various AV providers.
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 31 total points
"More and more" is quite overstating it. It's about a few thousand in the wild vs. only a handful of decryptors.

It totally depends on whether the maker has been caught or not (and then the key has to be found on his hardware). Obviously, you'll be a few years in before you can decrypt your files, if ever.
 
LVL 87

Accepted Solution

by:rindi
rindi earned 252 total points
All those users who have reported seeing the ransomware notice will have had the virus. But lots of ransomware will automatically remove itself from the PC after it has finished the job and shown the note.

It will still be best practice to scan all the PCs for malware. If your users get ransomware, they will also get other viruses, so even if the ransom virus is gone, it is very likely that there are still other viruses on the system.

You will also have to rethink your environment.

First of all, make sure no one logs onto a PC with an account that has admin rights. Not even the admins. If they need to do something that requires those rights, UAC will show up and then they can use the credentials of an admin account to do the job.

Educate your users on how to safely handle email and web-browsing. Disable macros in Office documents, as many viruses and particularly ransomware are started that way.

Use application whitelisting. That way only programs you have OK'd will execute.
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 31 total points
The suggestions so far are excellent. In terms of finding the offending computer, have you tried looking in the event logs (assuming they have not been encrypted)?
 
LVL 30

Assisted Solution

by:pgm554
pgm554 earned 31 total points
As this is a CYA moment, I would look at getting a Unified Threat Management appliance.

A lot of what sneaks into a network are back door Trojans, and a UTM is one way to at least keep up with them.
 
LVL 1

Author Comment

by:netcomp
Thank you all for your comments. First, I looked at the "Help Decryption you File" file that the virus leaves in each folder. I right-clicked the file and found out who the owner was, and from there I knew which user's computer was the problem. There was no way of scanning all the computers, and I am not sure our managed AV would have found it. The client computer itself did not have any files locked. From the timestamp on the files on the server, I could tell that all this had happened around 4:00 PM last night. I ended up restoring using shadow copies. What was interesting was that not all the folders within the network drive were affected. Apparently, it had only gotten to some folders. I guess it did not have enough time.
Thank you for all the help again,
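The owner-and-timestamp triage netcomp describes, combined with btan's audit-trail idea, as an added PowerShell example (not code from any poster on this thread); the share root, the ransom-note name pattern and the assumption that logon auditing is enabled on the file server are placeholders:

```powershell
# Added example, not code from anyone on this thread. Triage a hit file share the way
# netcomp and btan describe: NTFS owner of the ransom notes -> account, note timestamps
# -> time window, Security log 4624 network logons -> source workstation/IP.
# Placeholders (assumptions): $ShareRoot and $NotePattern; run elevated on the file server.
$ShareRoot   = 'D:\Shares'        # placeholder: root folder of the affected share
$NotePattern = '*DECRYPT*'        # placeholder: name pattern of the note the malware left

# 1. Collect every ransom note with its NTFS owner and write time. The note was created
#    over SMB by the infected user's session, so its owner is that user's account.
$notes = Get-ChildItem -Path $ShareRoot -Recurse -Force -File -Filter $NotePattern -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path  = $_.FullName
            Owner = (Get-Acl -Path $_.FullName).Owner
            Time  = $_.LastWriteTime
        }
    }
if (-not $notes) { throw "No files matching $NotePattern under $ShareRoot" }

$byOwner = $notes | Group-Object Owner | Sort-Object Count -Descending
$byOwner | Select-Object Count, Name | Format-Table -AutoSize
$first = ($notes | Sort-Object Time | Select-Object -First 1).Time
$last  = ($notes | Sort-Object Time | Select-Object -Last  1).Time
"Notes written between $first and $last"

# 2. Top-level folders without a note show where the encryption stopped (netcomp saw that
#    only some folders were reached), which bounds what has to be restored.
$hit = $notes | ForEach-Object { $_.Path.Substring($ShareRoot.Length).TrimStart('\').Split('\')[0] } |
    Sort-Object -Unique
Get-ChildItem -Path $ShareRoot -Directory | Where-Object { $hit -notcontains $_.Name } |
    ForEach-Object { "Untouched top-level folder: $($_.Name)" }

# 3. Map the top account to a machine: 4624 events with logon type 3 (network) record the
#    workstation name and source IP of the SMB session. Requires logon auditing to be on.
$user = $byOwner[0].Name.Split('\')[-1]
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$first.AddHours(-2); EndTime=$last } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $user -and $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated,
        @{ n='Account';     e={ $_.Properties[5].Value  } },
        @{ n='Workstation'; e={ $_.Properties[11].Value } },
        @{ n='SourceIP';    e={ $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

If the originating account was a member of the server's Administrators group, Windows assigns ownership of new files to that group rather than the user, so the owner check then only tells you an admin session did it, as Kimputer warns; fall back to the 4663 file-access audit trail btan mentions in that case.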
 
LVL 87

Expert Comment

by:rindi
It can only encrypt folders the user has access to.