Encryption of server

Posted on 2016-11-07
Last Modified: 2016-11-18
A client of mine uses QuickBooks Premier Edition for Manufacturing and Wholesale. It is registered with 3 seats. Her last good backup of her Windows Server 2008 R2 was on Friday, October 28th at 11:30pm using Windows Server Backup. When she came into work on Monday, October 31st, all the files located in the shared S: drive on the server, which is where all the QB-related files and work files are located, were encrypted with systemdown@indial.com.xtbl. None of the files in the C: drive were encrypted, even though the S: drive is just a mapping to a portion of the C: drive. Normally I would call this a RANSOMWARE virus, but we were able to use the server without problem. Office, Adobe, and Server all functioned normally as long as I did not try to access the encrypted files. Server Control Panel apps all worked and displayed information without a problem. The only PROBLEM was that there was no RANSOMWARE NOTE telling me that my files were encrypted and that to get them back I had to pay a bitware ransom.
I was lucky to be able to copy all the encrypted files to an external hard drive and then restore the backup from October 26th to the original location. It worked fine. QB is able to look up, process, print, etc., except of course there is no data from October 26 going forward, which is ok. We did not want to take a chance on restoring the encrypted files. The client was able to restore the 10 missing invoices without incident.
I know that the server and a few PCs ran windows updates over the weekend.
I need to know:
1. what happened?
2. how to prevent this from happening again
Question by:Richard Schierer
7 Comments
 
LVL 9

Assisted Solution

by:Scott Silva
Scott Silva earned 250 total points
ID: 41877572
I will assume that only one drive was encrypted because the users computer that pulled in the virus only has access to that share...

Look at the encrypted files and check for the owner... That is usually the user that got infected... You will need to isolate that users computer(s) and look for infection or you will just reencrypt everything again...
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 250 total points
ID: 41877586
SOMEONE got a ransomware virus that infected the server.  Did you try to recover from Shadow Copy?  Did you inspect EVERY workstation for signs of the virus?  Whoever did it might be embarrassed and not want to admit it.
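Added example, not from any poster in this thread, covering the two checks suggested above: Scott's "look at the owner of the encrypted files" and Lee's "did you try Shadow Copy". It runs on the file server itself. The share path C:\Shares\S and the use of .xtbl as the encrypted-file suffix are assumptions taken from the question, not facts about the poster's server; it is written for the PowerShell 2.0 that ships with Server 2008 R2, so it uses Get-WmiObject and New-Object rather than the newer cmdlets.

```powershell
# Added example (not from the original thread): triage a file share hit by
# extension-renaming ransomware, run on the file server.
# Assumptions (hypothetical): the S: share is backed by C:\Shares\S and the
# encrypted files carry the ".xtbl" suffix mentioned in the question.
$ShareRoot = 'C:\Shares\S'
$Pattern   = '*.xtbl'

# 1. List every encrypted file with its NTFS owner. A newly created file is
#    owned by the account that created it, so the owner is normally the user
#    whose workstation ran the malware, not the server or an administrator.
$hits = Get-ChildItem -Path $ShareRoot -Filter $Pattern -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Owner     = (Get-Acl -Path $_.FullName).Owner
            LastWrite = $_.LastWriteTime
        }
    }

# Count by owner: one account should dominate, and that account's machine is
# the one to pull off the network before restoring anything.
$hits | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# First and last write times bound the encryption window. Match that window
# against logon events (Event ID 4624) in the server's Security log to confirm
# which workstation the owning account connected from.
$ordered = $hits | Sort-Object -Property LastWrite
"Encryption window: {0}  to  {1}" -f ($ordered | Select-Object -First 1).LastWrite,
                                      ($ordered | Select-Object -Last 1).LastWrite

# 2. Check whether Volume Shadow Copies that predate the attack still exist.
#    Many ransomware families run "vssadmin delete shadows" first; no surviving
#    copies is an indicator in itself. If copies survive, the share's
#    "Previous Versions" tab restores files without touching the backup set.
Get-WmiObject -Class Win32_ShadowCopy |
    Select-Object ID, VolumeName,
        @{ Name = 'Created'; Expression = { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } } |
    Sort-Object -Property Created | Format-Table -AutoSize
```

Two caveats. The owner check only works if the share was written by the victim's own account; if everyone maps the share with one service account, or the malware ran on the server itself, every file will show the same owner and the 4624 logon events are the better lead. And a shadow copy listing only proves copies exist, not that they are clean: check the creation time against the encryption window before restoring from one.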
 

Author Comment

by:Richard Schierer
ID: 41878597
Thanks for the responses. I will check ownership of the file and yes it was just the one drive. I am also dealing with some Windows updates that seem to have caused some issues too. I rolled back all the PCs. What would be your best practices for ensuring that I get rid of this infection?
thanks again!
LVL 9

Accepted Solution

by:Scott Silva
Scott Silva earned 250 total points
ID: 41879265
Best practice would be to find the offending machine, recover what you can, and do a wipe/reinstall...
Restore from backups...
Scan other machines if you have the capability,
Then flog, cane or otherwise make an example of the user responsible... ;)
 

Author Comment

by:Richard Schierer
ID: 41882271
thanks for the updates! I believe that I found the offending culprit, and it was the remote PC that other users would RDP into to run QuickBooks on the server. Our tech found the RANSOMWARE note on it. We are going to scrap that PC, as it is not worth wiping it out and reinstalling the OS, etc.
 

Author Comment

by:Richard Schierer
ID: 41887719
Scott, what would you recommend to 'scan the other machines' with? I used Malwarebytes Pro as they give it to you free for 30 days. We are replacing the 'offending' remote computer. It was cheaper and a smarter way of getting peace of mind.
 
LVL 9

Assisted Solution

by:Scott Silva
Scott Silva earned 250 total points
ID: 41888230
Malwarebytes is good... And the free version finds the same things, it just doesn't scan in realtime... Most likely any infected machines would have made themselves known already...

If you really want to be safe you need multi tiered efforts...  

We have a scanning firewall with malware detection capabilities, we have a centrally managed endpoint scanning system, and we scan and block any suspicious emails....  I also try and keep my users educated with a somewhat weekly short email about what is happening out in the world with malware...  
Be as proactive as you can, and have good backups....  

With all that we still got hit with a ransomware strike last year.... The end users will be your weakest link... Mine said he was suspicious of the personal email from his private account, but "opened it anyway"...
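Added example, not from any poster in this thread, showing one server-side layer of the "multi-tiered" defence Scott describes: a File Server Resource Manager (FSRM) file screen on the share that refuses to create or rename files with known ransomware extensions and logs an event naming the user who tried, so the server raises the alarm on the first encrypted file rather than after a weekend of them. The FileServerResourceManager cmdlets used here ship with the FSRM role on Windows Server 2012 and later; on the 2008 R2 box in the question the same screen is built in the FSRM console or with filescrn.exe. The share path and the extension list are assumptions.

```powershell
# Added example (not from the original thread): FSRM file screen that blocks
# known ransomware extensions on a share and logs each attempt.
# Assumptions (hypothetical): share is C:\Shares\S; the extension list is a
# starting point and must be kept current from threat intelligence.
Import-Module FileServerResourceManager

$SharePath  = 'C:\Shares\S'
$GroupName  = 'Ransomware extensions'
$Extensions = @('*.xtbl', '*.locky', '*.zepto', '*.crypt')

# File group: the name patterns the screen will refuse.
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Extensions | Out-Null
}

# Notification: a Warning in the Application log. [Source Io Owner],
# [Source File Path] and [Violated File Group] are FSRM substitution variables,
# so the event names the account and file, which is exactly the "find the
# owner" step from earlier in the thread, delivered before the damage spreads.
$notify = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Blocked write matching [Violated File Group]: [Source File Path] by [Source Io Owner]'

# Active screen refuses the write; a passive screen (-Active omitted) only logs.
New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $notify | Out-Null

# Confirm what is now enforced on the share.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

This is one layer, not a fix: an extension screen only stops families that rename files to a pattern you already list, and it does nothing against malware that overwrites files in place or chooses random extensions. Its value is as a tripwire that fires on the first blocked write, so the logon from the infected workstation can be cut while the backup is still good. Pair it with the endpoint scanning, mail filtering and tested backups described above rather than relying on it alone.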