We got ransomware on the server fileserver 2012

This morning, the users reported that when they click on the files on the network drives, they are getting the ransomware dialog box that tells them they have 72 hours to pay. I have a backup of the server drives, but how do I clean this up, and how do I find out whose computer on the network got this to begin with, so that even if I restore, this does not happen again? Should I run Malwarebytes on the server?
netcomp asked:
 
rindi commented:
All those users who have reported seeing the ransomware notice will have had the virus. But lots of ransomware will automatically remove itself from the PC after it has finished the job and shown the note.

It will still be best practice to scan all the PCs for malware. If your users get ransomware, they will also get other viruses, so even if the ransom virus is gone, it is very likely that there are still other viruses on the system.

You will also have to rethink your environment.

First of all, make sure no one logs onto a PC with an account that has Admin rights. Not even the Admins. If they need to do something that requires those rights, UAC will show up and then they can use the credentials of an Admin account to do the job.

Educate your users on how to safely handle email and web-browsing. Disable macros in Office documents, as many viruses and particularly ransomware are started that way.

Use Application white-listing. That way only programs you have OK'd will execute.
1
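The application allow-listing that rindi recommends above is built into Windows as AppLocker. The following is an added example, not code from the thread or from any of its participants, showing one way to build an allow-list from the software already installed, deploy it in audit mode first, and review what it would have blocked before turning enforcement on. The directory list, the output path and the user and file names passed to Test-AppLockerPolicy are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): build an AppLocker allow-list from the
# software already installed, deploy it in audit mode, and review what it
# would have blocked before switching to enforcement. Run as an administrator
# on a reference PC; the directories, paths and account names are assumptions.

# AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory executables, scripts and installers in the locations users are
#    allowed to run from. Anything outside these rules (Downloads, %TEMP%,
#    e-mail attachment caches, removable media) is denied once enforcement is on.
$trustedDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Generate rules: publisher rules where files are signed, hash rules otherwise.
#    -Optimize collapses many files from one publisher into a single rule.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Switch every rule collection to AuditOnly so nothing is blocked yet;
#    the policy records what it *would* have blocked instead.
$policyXml = $policyXml -replace 'EnforcementMode="(Enabled|NotConfigured)"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Temp\applocker-audit.xml'   # assumed output path
$policyXml | Out-File -FilePath $policyPath -Encoding UTF8

# Apply locally. For the whole domain, import the same XML into a GPO instead
# (Set-AppLockerPolicy -Ldap '<GPO path>') so every workstation gets it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 4. Dry-run a file against the policy before enforcing: would this user's
#    download be allowed to execute? (Path and account are assumptions.)
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Users\alice\Downloads\invoice.exe' -User 'CONTOSO\alice'

# 5. After running in audit mode for a while, list what would have been
#    blocked: event 8003 = audited (would block), 8004 = blocked (enforcing).
#    Legitimate hits become new rules; the rest is what the allow-list is for.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Two points worth knowing before relying on this: a rule collection with no rules at all allows everything, so once the first rule exists in a collection it becomes default-deny, which is why the audit-only pass matters; and the 8003 audit events are the cheapest way to learn which legitimate programs live in user-writable paths (updaters, portable tools) before users start calling.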
 
Kimputer commented:
If no one was working on the server, which I suppose was the case, the encryption happened from a workstation. Therefore, scan all workstations first.
If there's an admin ON the server, downloading lots of stuff, the server needs to be scanned too.
After everything is cleaned up, then finally restore files from backup.
0
 
John (Business Consultant, Owner) commented:
I agree with the above. Ask user to log off (all the users). Restore from backup. Then scan each workstation and allow back on after it has been scanned and tested. Check as you go.

There is no magic here. Someone opened an email from a stranger and clicked on an enticing link or such like.

1. Make sure your spam filter is top notch, working, and updated regularly.
2. Train users not to open attachments from strangers - just delete them.
3. Ask users to tell friends to email their home account, not the business account.
0
 
netcomp (Author) commented:
We have about 100 computers. How do I find out which one is the issue? Also, almost all have admin rights removed. How could this have happened with no admin rights? Also, they all have antivirus on them.
0
 
netcomp (Author) commented:
Sorry, one more thing. How do I find the bad computer? Do I need to scan all of them, or are there other signs I can look for?
0
 
John (Business Consultant, Owner) commented:
You either need a centralized AV application with a management suite, or else you need users to scan, something like that.
0
 
Kenny Innes commented:
We had this and had around 110 computers. At the time I powered off all network switches on the floor to stop further spreading, then manually checked every computer and noticed that our particular ransomware left a directory in the C: drive, so we found the original infected PC and then wiped it.

As we had very good backups, we deleted 2TB of data and then restored from backups (took a day), but we had a fully operational office within 24 hours.

To stop further infection I would kill the network between devices and then work your way around each device.

Unfortunately, as we all know, having an AV solution, whether standalone or central, does NOT guarantee protection from advanced ransomware attacks.

P.S. Our infection was from a Royal Mail email that contained a zip file with information about your delivery.
0
 
Ray Zuchowski (Information Systems Manager) commented:
When you restore all your files, make all your network drives hidden shares. Ransomware can't spread to hidden files. So what happens then is your server is saved, but the users' files on their PC get infected. To overcome this, you can do folder redirection in Active Directory and make that a hidden share as well. This way only local files on the PC will be harmed. I don't allow my users to save on their local drive, so ransomware rarely happens.

As for finding the person's PC that was the culprit, if you don't have a managed virus protection setup, then all have to be run manually as others suggested. Hope this helps. Good luck!
0
 
Kimputer commented:
Antivirus solutions are almost always a step behind (a few hours between the first occurrence and sending out the new database).
Also, non-admins can ALWAYS run cryptoware, as it doesn't need admin rights. It needs read/write access, and the file server is, of course, open to reading and writing of files (cryptoware just reads the files and writes them back).
To find the culprit (because sometimes the AV won't find it, simply because the cryptoware deletes itself after it has run), find the PC whose user has their own My Documents folder encrypted. If the file share was restricted to certain users (for example, only Finance users), you are already one step closer to finding the user (it has to be one of the Finance users, unless the server admin was really the cause; that's not uncommon either, sadly).
0
 
Mdlinnett commented:
As has already been said, one of your computers will have its local files encrypted as well; that will be your culprit.

The issue with Ransomware is that it's relatively cheap (less than 200 euros) to buy a piece of software that will re-package malware to evade AV software.

For instance, Virus A is made up of parts 1, 2, 3 & 4 in that order. The re-packager changes the order to 4, 3, 2, 1 and immediately that virus bypasses standard AV signature detection.

Isolate the Servers by disconnecting from the network, start your Server restoration, run a Malwarebytes scan on each Client & a full scan from your standard AV solution. The infected Client PC will need to be re-imaged / re-built.
0
 
btan (Exec Consultant) commented:
You should already have the real-time or on-access scan on the server, and if the ransom dialog is coming from the server, I suggest planning for a rebuild, though it is non-trivial for a server. Otherwise scan with HitmanPro.Alert and Malwarebytes AM as mentioned (if not done so). Consider having anti-ransomware going ahead to protect the system, and application whitelisting using AppLocker or CryptoPrevent.

On the aspect of tracing whether there are other machines also infected, I am thinking you can look at the last-modified user of those encrypted files. If an audit trail is enabled, we can see the login account, and maybe that can narrow it down to a couple of hostnames and those machines that this account has access to. Hopefully no USB drive was plugged in prior to and after the infection.
0
 
Mdlinnett commented:
Check this too > https://noransom.kaspersky.com/

More and more ransomware variants now have decrypting tools available from various AV providers.
0
 
Kimputer commented:
"More and more" is quite overstating it. It's about a few thousand in the wild vs only a handful of decryptors.

It totally depends if the maker has been caught or not (and then the key has to be found on his hardware). Obviously, you'll be a few years in before you can decrypt your files, if ever.
0
 
Thomas Zucker-Scharff (Systems Analyst) commented:
The suggestions so far are excellent. In terms of finding the offending computer, have you tried looking in the event logs (assuming they have not been encrypted)?
0
 
pgm554 commented:
As this is a CYA moment, I would look at getting a Unified Threat Management appliance.

A lot of what sneaks into a network are backdoor Trojans, and a UTM is one way to at least keep up with them.
0
 
netcomp (Author) commented:
Thank you all for your comments. First, I looked at the "Help Decryption you File" file that the virus leaves in each folder. I right-clicked the file and found out who the owner was, and from there I knew which user was the problem computer. There was no way of scanning all the computers, and I am not sure our Managed AV would have found it. The client computer itself did not have any files locked. From the time stamp on the file on the server, I could tell that all this had happened around 4:00PM last night. I ended up restoring using shadow copies. What was interesting was that not all the folders within the network drive were affected. Apparently, it had only gotten to some folders. I guess it did not have enough time.
Thank you for all the help again,
1
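The technique that actually solved the question (Kimputer's and btan's suggestion to use the owner and timestamps of the encrypted files and the audit trail, and netcomp's confirmation that the owner of the ransom note identified the user) can be scripted so that it covers the whole share at once instead of one right-click. The block below is an added example, not code from the thread or from any participant: it enumerates the ransom notes on the share, groups them by owner to find the account that wrote them, builds a first/last timeline, measures the damage per top-level folder, and, if object-access auditing was already on, pulls the matching Security events. The share root, note name pattern and encrypted-file extension are assumptions and must be set to what the variant you are dealing with actually drops.

```powershell
# Added example (not from the thread): triage an encrypted file share to find
# which account (and from there which workstation) wrote the ransom notes,
# build a timeline from the file timestamps, and pull matching audit events.
# Run on the file server as an administrator; the three values below are
# assumptions to be replaced with what your variant actually leaves behind.

$shareRoot   = 'D:\Shares'        # assumed share root
$notePattern = 'Help*Decrypt*'    # assumed ransom-note file name pattern
$ransomExt   = '.locked'          # assumed extension the variant appends

# 1. Every ransom note with its owner. Over SMB the creating user becomes the
#    owner, so the note's owner is normally the infected account. (If the
#    owner is BUILTIN\Administrators, the writer was an admin on the server.)
$notes = Get-ChildItem -Path $shareRoot -Recurse -File -Filter $notePattern -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path  = $_.FullName
            Owner = (Get-Acl -Path $_.FullName).Owner
            Time  = $_.LastWriteTime
        }
    }

# 2. Which account dropped the notes, how many, and over what window?
$byOwner = $notes | Group-Object Owner | Sort-Object Count -Descending
$byOwner | Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count,
    @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
    @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# 3. Scope of damage: encrypted files counted per top-level folder. Folders
#    the account had no write access to will be absent, which is the
#    least-privilege point rindi makes in the thread.
Get-ChildItem -Path $shareRoot -Recurse -File -Filter "*$ransomExt" -ErrorAction SilentlyContinue |
    Group-Object { $_.FullName.Substring($shareRoot.Length).TrimStart('\').Split('\')[0] } |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize

if ($notes) {
    $start = ($notes | Measure-Object Time -Minimum).Minimum.AddMinutes(-30)
    $end   = ($notes | Measure-Object Time -Maximum).Maximum.AddMinutes(30)

    # 4. With "Audit File System" enabled (auditpol /set /subcategory:"File System"
    #    /success:enable) and a SACL on the share, Security event 4663 records
    #    the account, the object and the writing process for each access.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = [regex]::Match($_.Message, 'Account Name:\s+(\S+)').Groups[1].Value
                Object  = [regex]::Match($_.Message, 'Object Name:\s+(.+)').Groups[1].Value.Trim()
            }
        } |
        Where-Object { $_.Object -like "$shareRoot*" } |
        Group-Object Account | Select-Object Name, Count | Sort-Object Count -Descending

    # 5. Map the top account to a workstation: network logons (4624, logon
    #    type 3) on the file server carry the client's IP address.
    $userName = $byOwner[0].Name.Split('\')[-1]
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Logon Type:\s+3\b' -and
                       $_.Message -match "Account Name:\s+$([regex]::Escape($userName))\s" } |
        ForEach-Object { [regex]::Match($_.Message, 'Source Network Address:\s+(\S+)').Groups[1].Value } |
        Sort-Object -Unique
}
```

Steps 1 to 3 need nothing but the share itself, which is why they work even when, as here, nothing on the client was locked and the AV saw nothing. Steps 4 and 5 only return data if auditing was switched on before the incident, so the auditpol line is something to put in place now for the next time; the 4624 source address is the cheapest way to go from an account to a machine when the user has several.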
 
rindi commented:
It can only encrypt folders the user has access to.
0