Link to home
Start Free TrialLog in
Avatar of Richard Schierer
Richard Schierer

asked on

Encryption of server

A client of mine uses QuickBooks Premier Edition of Manufacturing and Wholesale. It is Registered with 3 seats. Her last good backup of her Windows Server 2008 R2 was on Friday, October 28th at 11:30pm using Windows Server Backup. When she came into work on Monday, October 31st, all the files that were located in the shared S: drive on the server, which is where all the QB related files and work files are located were encrypted with systemdown@indial.com.xtbl. None of the files in the C: drive were encrypted. Even though the S: drive is just a mapping to a portion of the C: drive. Normally I would call this a RANSOMWARE virus. But we were able to use the server without problem. Office, Adobe, and Server all functioned normally as long as I did not try to access the encrypted files. Server Control Panel apps all worked and displayed information without a problem. The only PROBLEM  was that there was no RANSOMWARE NOTE! Telling me that my files were encrypted and to get them back, I had to pay a bitware ransom.
I was lucky to be able to copy all the encrypted files to an external hard drive and then restore the backup from October 26th to the original location. It worked fine. QB is able to lookup, process, print, etc, except of course there is no data from October 26 going forward which is ok. We did not want to take a chance of restoring encrypted files. The client was able to restore the 10 invoices missing without incident.
I know that the server and a few PCs ran windows updates over the weekend.
I need to know:
1. what happened?
2. how to prevent this from happening again
SOLUTION
Avatar of Scott Silva
Scott Silva
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Richard Schierer
Richard Schierer

ASKER

Thanks for the responses. I will check ownership of the file and yes it was just the one drive. I am also dealing with some Windows updates that seem to have caused some issues too. I rolled back all the PCs. What would be your best practices for ensuring that I get rid of this infection?
thanks again!
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
thanks for the updates! I beleive that I found the offending culprit and it was the remote PC that other users would RDP into it to run Quickbooks on the server. Our tech found the RANSOMWARE note on it,. we are going to scrap that PC as it is not worth wiping it out and reinstalling the OS, etc.
Scott, what would you recommend to 'scan the other machines' with? I used Malwarebytes Pro as they give it to you free for 30 days. We are replacing the 'offending' remote computer. It was cheaper and a smarter way of getting peace of mind.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial