Solved

Encryption of server

Posted on 2016-11-07
Medium Priority
213 Views
Last Modified: 2016-11-18
A client of mine uses QuickBooks Premier Edition of Manufacturing and Wholesale. It is registered with 3 seats. Her last good backup of her Windows Server 2008 R2 was on Friday, October 28th at 11:30pm using Windows Server Backup. When she came into work on Monday, October 31st, all the files located in the shared S: drive on the server, which is where all the QB-related files and work files are located, were encrypted with systemdown@indial.com.xtbl. None of the files in the C: drive were encrypted, even though the S: drive is just a mapping to a portion of the C: drive. Normally I would call this a RANSOMWARE virus. But we were able to use the server without problem. Office, Adobe, and Server all functioned normally as long as I did not try to access the encrypted files. Server Control Panel apps all worked and displayed information without a problem. The only PROBLEM was that there was no RANSOMWARE NOTE telling me that my files were encrypted and that, to get them back, I had to pay a bitware ransom.
I was lucky to be able to copy all the encrypted files to an external hard drive and then restore the backup from October 26th to the original location. It worked fine. QB is able to look up, process, print, etc., except of course there is no data from October 26 going forward, which is ok. We did not want to take a chance on restoring encrypted files. The client was able to restore the 10 missing invoices without incident.
I know that the server and a few PCs ran Windows updates over the weekend.
I need to know:
1. What happened?
2. How to prevent this from happening again.
0
Question by: Richard Schierer
7 Comments
 
LVL 11

Assisted Solution

by:Scott Silva
Scott Silva earned 1000 total points
ID: 41877572
I will assume that only one drive was encrypted because the user's computer that pulled in the virus only has access to that share...

Look at the encrypted files and check for the owner... That is usually the user that got infected... You will need to isolate that user's computer(s) and look for infection or you will just re-encrypt everything again...
0
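The owner check Scott describes can be scripted so it covers the whole share and summarises the result per account. The following is an added example, not code from the thread; it assumes the share is reachable as S:\ and that the ransomware gave every file it touched the .xtbl extension reported in the question. It is written for the PowerShell 2.0 that ships with Windows Server 2008 R2, so it avoids the -File switch and the CIM cmdlets that arrived later.

```powershell
# Added example (not from the thread): find out which account wrote the
# encrypted files on the share, which points at the infected workstation.
# Assumptions: share mapped as S:\ and ".xtbl" appended to encrypted files,
# both taken from the question.
$SharePath        = 'S:\'     # assumption: the mapped share from the question
$EncryptedPattern = '*.xtbl'  # assumption: extension reported in the question

# Enumerate encrypted files and read the NTFS owner of each one.
# The encryptor creates new files, so the owner is normally the account
# whose session ran the malware.
$encrypted = Get-ChildItem -Path $SharePath -Recurse -Filter $EncryptedPattern -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $owner = (Get-Acl -Path $_.FullName).Owner
        New-Object PSObject -Property @{
            Owner         = $owner
            LastWriteTime = $_.LastWriteTime
            FullName      = $_.FullName
        }
    }

# Summarise per owner: file count plus the earliest and latest write time,
# which brackets the window in which the encryption ran.
$encrypted |
    Group-Object -Property Owner |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $times = $_.Group | Sort-Object LastWriteTime
        New-Object PSObject -Property @{
            Owner      = $_.Name
            FileCount  = $_.Count
            FirstWrite = $times[0].LastWriteTime
            LastWrite  = $times[-1].LastWriteTime
        }
    } | Format-Table Owner, FileCount, FirstWrite, LastWrite -AutoSize

# Keep the full list for the incident record before anything is cleaned up.
$encrypted | Export-Csv -Path "$env:USERPROFILE\encrypted-files.csv" -NoTypeInformation
```

Run it from the server (or any machine with the share mapped) before restoring over the encrypted files, because the restore replaces the evidence. If every file shows an administrator as owner, ownership was probably taken during earlier cleanup; in that case the FirstWrite/LastWrite window is still useful, since it tells you which logon sessions on the file server to look at for that period.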
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 1000 total points
ID: 41877586
SOMEONE got a ransomware virus that infected the server.  Did you try to recover from Shadow Copy?  Did you inspect EVERY workstation for signs of the virus?  Whoever did it might be embarrassed and not want to admit it.
0
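Lee's shadow copy question is worth answering with a quick check rather than by browsing the Previous Versions tab folder by folder. The script below is an added example, not from the thread; it assumes it is run elevated on the file server, that the share lives on the C: volume as the question says, and that the last clean moment is the Friday 11:30pm backup time from the question (the cut-off is set from that). It lists the surviving snapshots for the volume and exposes the newest one taken before the cut-off as a directory link, from which files can be copied with ordinary tools.

```powershell
# Added example (not from the thread): check whether the volume that backs the
# S: share still has Volume Shadow Copies older than the encryption, and expose
# the newest clean one read-only for recovery.
# Assumptions: run elevated on the file server; timeline taken from the question.
$DriveLetter = 'C:'                           # assumption: S: is a mapping into C:
$CutOff      = Get-Date '2016-10-28 23:30'    # assumption: last known-good time from the question
$LinkPath    = 'C:\ShadowView'                # assumption: where to expose the snapshot

# Resolve the drive letter to its volume GUID so shadow copies can be matched to it.
$volume = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $volume) { throw "Volume $DriveLetter not found" }

# List the shadow copies for that volume with their creation time.
$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Created      = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            DeviceObject = $_.DeviceObject
            ID           = $_.ID
        }
    } | Sort-Object Created

$shadows | Format-Table Created, ID, DeviceObject -AutoSize

# Pick the newest snapshot taken before the encryption started.
$clean = $shadows | Where-Object { $_.Created -lt $CutOff } | Select-Object -Last 1
if (-not $clean) {
    Write-Warning "No shadow copy older than $CutOff survives; fall back to the offline backup."
    return
}

# Expose it as a directory symlink. mklink needs the trailing backslash on the
# device path; the snapshot itself stays read-only.
if (Test-Path $LinkPath) { cmd /c rmdir $LinkPath }
cmd /c mklink /d $LinkPath "$($clean.DeviceObject)\"
Write-Host "Snapshot from $($clean.Created) is browsable under $LinkPath"
```

An empty list is itself a finding: many ransomware families delete shadow copies on the machine they run on, so a file server with no snapshots left deserves a look at its own event logs as well. Either way, shadow copies sit on the same disk as the data and are not a substitute for the detached backup the asker restored from.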
 

Author Comment

by:Richard Schierer
ID: 41878597
Thanks for the responses. I will check ownership of the file and yes it was just the one drive. I am also dealing with some Windows updates that seem to have caused some issues too. I rolled back all the PCs. What would be your best practices for ensuring that I get rid of this infection?
thanks again!
0
 
LVL 11

Accepted Solution

by:Scott Silva
Scott Silva earned 1000 total points
ID: 41879265
Best practice would be to find the offending machine, recover what you can, and do a wipe/reinstall...
Restore from backups...
Scan other machines if you have the capability,
Then flog, cane or otherwise make an example of the user responsible... ;)
0
 

Author Comment

by:Richard Schierer
ID: 41882271
Thanks for the updates! I believe that I found the offending culprit, and it was the remote PC that other users would RDP into to run QuickBooks on the server. Our tech found the RANSOMWARE note on it. We are going to scrap that PC as it is not worth wiping it out and reinstalling the OS, etc.
0
 

Author Comment

by:Richard Schierer
ID: 41887719
Scott, what would you recommend to 'scan the other machines' with? I used Malwarebytes Pro as they give it to you free for 30 days. We are replacing the 'offending' remote computer. It was cheaper and a smarter way of getting peace of mind.
0
 
LVL 11

Assisted Solution

by:Scott Silva
Scott Silva earned 1000 total points
ID: 41888230
Malwarebytes is good... And the free version finds the same things, it just doesn't scan in real time... Most likely any infected machines would have made themselves known already...

If you really want to be safe you need multi-tiered efforts...

We have a scanning firewall with malware detection capabilities, we have a centrally managed endpoint scanning system, and we scan and block any suspicious emails....  I also try to keep my users educated with a somewhat weekly short email about what is happening out in the world with malware...
Be as proactive as you can, and have good backups....

With all that we still got hit with a ransomware strike last year.... The end users will be your weakest link... Mine said he was suspicious of the personal email from his private account, but "opened it anyway"...
1
