[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


Encryption of server

Posted on 2016-11-07
Medium Priority
Last Modified: 2016-11-18
A client of mine uses QuickBooks Premier Edition of Manufacturing and Wholesale. It is Registered with 3 seats. Her last good backup of her Windows Server 2008 R2 was on Friday, October 28th at 11:30pm using Windows Server Backup. When she came into work on Monday, October 31st, all the files that were located in the shared S: drive on the server, which is where all the QB related files and work files are located were encrypted with systemdown@indial.com.xtbl. None of the files in the C: drive were encrypted. Even though the S: drive is just a mapping to a portion of the C: drive. Normally I would call this a RANSOMWARE virus. But we were able to use the server without problem. Office, Adobe, and Server all functioned normally as long as I did not try to access the encrypted files. Server Control Panel apps all worked and displayed information without a problem. The only PROBLEM  was that there was no RANSOMWARE NOTE! Telling me that my files were encrypted and to get them back, I had to pay a bitware ransom.
I was lucky to be able to copy all the encrypted files to an external hard drive and then restore the backup from October 26th to the original location. It worked fine. QB is able to lookup, process, print, etc, except of course there is no data from October 26 going forward which is ok. We did not want to take a chance of restoring encrypted files. The client was able to restore the 10 invoices missing without incident.
I know that the server and a few PCs ran windows updates over the weekend.
I need to know:
1. what happened?
2. how to prevent this from happening again
Question by:Richard Schierer
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 11

Assisted Solution

by:Scott Silva
Scott Silva earned 1000 total points
ID: 41877572
I will assume that only one drive was encrypted because the users computer that pulled in the virus only has access to that share...

Look at the encrypted files and check for the owner... That is usually the user that got infected... You will need to isolate that users computer(s) and look for infection or you will just reencrypt everything again...
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 1000 total points
ID: 41877586
SOMEONE got a ransomeware virus that infected the server.  Did you try to recover from Shadow Copy?  Did you inspect EVERY workstation for signs of the virus?  Whoever did it might be embarassed and not want to admit it.

Author Comment

by:Richard Schierer
ID: 41878597
Thanks for the responses. I will check ownership of the file and yes it was just the one drive. I am also dealing with some Windows updates that seem to have caused some issues too. I rolled back all the PCs. What would be your best practices for ensuring that I get rid of this infection?
thanks again!
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

LVL 11

Accepted Solution

Scott Silva earned 1000 total points
ID: 41879265
Best practice would be to find the offending machine, recover what you can, and do a wipe/reinstall...
Restore from backups...
Scan other machines if you have the capability,
Then flog, cane or otherwise make an example of the user responsible... ;)

Author Comment

by:Richard Schierer
ID: 41882271
thanks for the updates! I beleive that I found the offending culprit and it was the remote PC that other users would RDP into it to run Quickbooks on the server. Our tech found the RANSOMWARE note on it,. we are going to scrap that PC as it is not worth wiping it out and reinstalling the OS, etc.

Author Comment

by:Richard Schierer
ID: 41887719
Scott, what would you recommend to 'scan the other machines' with? I used Malwarebytes Pro as they give it to you free for 30 days. We are replacing the 'offending' remote computer. It was cheaper and a smarter way of getting peace of mind.
LVL 11

Assisted Solution

by:Scott Silva
Scott Silva earned 1000 total points
ID: 41888230
Malwarebytes is good... And the free version finds the same things, it just doesn't scan in realtime... Most likely any infected machines would have made themselves known already...

If you really want to be safe you need multi tiered efforts...  

We have a scanning firewall with malware detection capabilities, we have a centrally managed endpoint scanning system, and we scan and block any suspicious emails....  I also try and keep my users educated with a somewhat weekly short email about what is happening out in the world with malware...  
Be as proactive as you can, and have good backups....  

With all that we still got hit with a ransomware strike last year.... The end users will be your weakest link... Mine said he was suspicious of the personal email from his private account, but "opened it anyway"...

Featured Post

Tech or Treat!

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question