Encryption of server

Posted on 2016-11-07
Last Modified: 2016-11-18
A client of mine uses QuickBooks Premier Edition of Manufacturing and Wholesale. It is Registered with 3 seats. Her last good backup of her Windows Server 2008 R2 was on Friday, October 28th at 11:30pm using Windows Server Backup. When she came into work on Monday, October 31st, all the files that were located in the shared S: drive on the server, which is where all the QB related files and work files are located were encrypted with None of the files in the C: drive were encrypted. Even though the S: drive is just a mapping to a portion of the C: drive. Normally I would call this a RANSOMWARE virus. But we were able to use the server without problem. Office, Adobe, and Server all functioned normally as long as I did not try to access the encrypted files. Server Control Panel apps all worked and displayed information without a problem. The only PROBLEM  was that there was no RANSOMWARE NOTE! Telling me that my files were encrypted and to get them back, I had to pay a bitware ransom.
I was lucky to be able to copy all the encrypted files to an external hard drive and then restore the backup from October 26th to the original location. It worked fine. QB is able to lookup, process, print, etc, except of course there is no data from October 26 going forward which is ok. We did not want to take a chance of restoring encrypted files. The client was able to restore the 10 invoices missing without incident.
I know that the server and a few PCs ran windows updates over the weekend.
I need to know:
1. what happened?
2. how to prevent this from happening again
Question by:Richard Schierer
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 10

Assisted Solution

by:Scott Silva
Scott Silva earned 250 total points
ID: 41877572
I will assume that only one drive was encrypted because the users computer that pulled in the virus only has access to that share...

Look at the encrypted files and check for the owner... That is usually the user that got infected... You will need to isolate that users computer(s) and look for infection or you will just reencrypt everything again...
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 250 total points
ID: 41877586
SOMEONE got a ransomeware virus that infected the server.  Did you try to recover from Shadow Copy?  Did you inspect EVERY workstation for signs of the virus?  Whoever did it might be embarassed and not want to admit it.

Author Comment

by:Richard Schierer
ID: 41878597
Thanks for the responses. I will check ownership of the file and yes it was just the one drive. I am also dealing with some Windows updates that seem to have caused some issues too. I rolled back all the PCs. What would be your best practices for ensuring that I get rid of this infection?
thanks again!
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

LVL 10

Accepted Solution

Scott Silva earned 250 total points
ID: 41879265
Best practice would be to find the offending machine, recover what you can, and do a wipe/reinstall...
Restore from backups...
Scan other machines if you have the capability,
Then flog, cane or otherwise make an example of the user responsible... ;)

Author Comment

by:Richard Schierer
ID: 41882271
thanks for the updates! I beleive that I found the offending culprit and it was the remote PC that other users would RDP into it to run Quickbooks on the server. Our tech found the RANSOMWARE note on it,. we are going to scrap that PC as it is not worth wiping it out and reinstalling the OS, etc.

Author Comment

by:Richard Schierer
ID: 41887719
Scott, what would you recommend to 'scan the other machines' with? I used Malwarebytes Pro as they give it to you free for 30 days. We are replacing the 'offending' remote computer. It was cheaper and a smarter way of getting peace of mind.
LVL 10

Assisted Solution

by:Scott Silva
Scott Silva earned 250 total points
ID: 41888230
Malwarebytes is good... And the free version finds the same things, it just doesn't scan in realtime... Most likely any infected machines would have made themselves known already...

If you really want to be safe you need multi tiered efforts...  

We have a scanning firewall with malware detection capabilities, we have a centrally managed endpoint scanning system, and we scan and block any suspicious emails....  I also try and keep my users educated with a somewhat weekly short email about what is happening out in the world with malware...  
Be as proactive as you can, and have good backups....  

With all that we still got hit with a ransomware strike last year.... The end users will be your weakest link... Mine said he was suspicious of the personal email from his private account, but "opened it anyway"...

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question