Encryption of server

Posted on 2016-11-07
Last Modified: 2016-11-18
A client of mine uses QuickBooks Premier Edition of Manufacturing and Wholesale. It is Registered with 3 seats. Her last good backup of her Windows Server 2008 R2 was on Friday, October 28th at 11:30pm using Windows Server Backup. When she came into work on Monday, October 31st, all the files that were located in the shared S: drive on the server, which is where all the QB related files and work files are located were encrypted with None of the files in the C: drive were encrypted. Even though the S: drive is just a mapping to a portion of the C: drive. Normally I would call this a RANSOMWARE virus. But we were able to use the server without problem. Office, Adobe, and Server all functioned normally as long as I did not try to access the encrypted files. Server Control Panel apps all worked and displayed information without a problem. The only PROBLEM  was that there was no RANSOMWARE NOTE! Telling me that my files were encrypted and to get them back, I had to pay a bitware ransom.
I was lucky to be able to copy all the encrypted files to an external hard drive and then restore the backup from October 26th to the original location. It worked fine. QB is able to lookup, process, print, etc, except of course there is no data from October 26 going forward which is ok. We did not want to take a chance of restoring encrypted files. The client was able to restore the 10 invoices missing without incident.
I know that the server and a few PCs ran windows updates over the weekend.
I need to know:
1. what happened?
2. how to prevent this from happening again
Question by:Richard Schierer
  • 3
  • 3

Assisted Solution

by:Scott Silva
Scott Silva earned 250 total points
ID: 41877572
I will assume that only one drive was encrypted because the users computer that pulled in the virus only has access to that share...

Look at the encrypted files and check for the owner... That is usually the user that got infected... You will need to isolate that users computer(s) and look for infection or you will just reencrypt everything again...
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 250 total points
ID: 41877586
SOMEONE got a ransomeware virus that infected the server.  Did you try to recover from Shadow Copy?  Did you inspect EVERY workstation for signs of the virus?  Whoever did it might be embarassed and not want to admit it.

Author Comment

by:Richard Schierer
ID: 41878597
Thanks for the responses. I will check ownership of the file and yes it was just the one drive. I am also dealing with some Windows updates that seem to have caused some issues too. I rolled back all the PCs. What would be your best practices for ensuring that I get rid of this infection?
thanks again!
The problems with reply email signatures

Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...


Accepted Solution

Scott Silva earned 250 total points
ID: 41879265
Best practice would be to find the offending machine, recover what you can, and do a wipe/reinstall...
Restore from backups...
Scan other machines if you have the capability,
Then flog, cane or otherwise make an example of the user responsible... ;)

Author Comment

by:Richard Schierer
ID: 41882271
thanks for the updates! I beleive that I found the offending culprit and it was the remote PC that other users would RDP into it to run Quickbooks on the server. Our tech found the RANSOMWARE note on it,. we are going to scrap that PC as it is not worth wiping it out and reinstalling the OS, etc.

Author Comment

by:Richard Schierer
ID: 41887719
Scott, what would you recommend to 'scan the other machines' with? I used Malwarebytes Pro as they give it to you free for 30 days. We are replacing the 'offending' remote computer. It was cheaper and a smarter way of getting peace of mind.

Assisted Solution

by:Scott Silva
Scott Silva earned 250 total points
ID: 41888230
Malwarebytes is good... And the free version finds the same things, it just doesn't scan in realtime... Most likely any infected machines would have made themselves known already...

If you really want to be safe you need multi tiered efforts...  

We have a scanning firewall with malware detection capabilities, we have a centrally managed endpoint scanning system, and we scan and block any suspicious emails....  I also try and keep my users educated with a somewhat weekly short email about what is happening out in the world with malware...  
Be as proactive as you can, and have good backups....  

With all that we still got hit with a ransomware strike last year.... The end users will be your weakest link... Mine said he was suspicious of the personal email from his private account, but "opened it anyway"...

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now