InterlinkCo

asked on

aes256 Ransomware on SBS 2011

I have a client with aes256 ransomware on an SBS 2011 server. What is the best removal procedure/product? I have recovered the data but need to be sure the server is clean. I'm finding very little on this bug.
SOLUTION
John
This solution is only available to members.
SOLUTION
btan
This solution is only available to members.
InterlinkCo

ASKER

Someone said that SpyHunter might be a fix but I don't see that it has SBS 2011 or Server 2008 listed. Any thoughts?
There are many A/V products out there and I stick with commercial brand names from lengthy experience with them. Still, since you were actually struck and had to recover data, I would (in your shoes) take the trouble to reinstall the Server OS. Then put in top grade protection - server and workstations.
You definitely CANNOT trust the server unless you do a complete rebuild. Even then, you must be careful what files you put back on it. Make sure you have a clone of the clean OS drive.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Also, Top Grade Protection includes, and must include, training the users to NOT click on anything they did not expect and know for sure what it is. Even if it came from the co-worker across the room, ask the sender what it is and if it can be trusted. And if the users hover over the link and it looks "weird" do not click on it for any reason.

If you can get them to remember and act on the above rules you will eliminate a great many of such attacks.
Yes. Common sense and good training win more than half the battle.
Larry,
This is exactly the case. Workstation had the message that the server had been hacked but the server itself did not. Of course it had to be the user with the highest level of access besides the admin. Luckily, I had server Shadow Copy from the day of the strike before it happened so we are looking pretty good. Nuked the Workstation and have been watching closely. Lots of .aes256 files to delete. Guess it was time for password changes anyway. This one looks like it came in through RDP.
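The post above describes three things a practitioner would want to do on the recovered SBS 2011 box before trusting it: inventory the .aes256 files rather than just deleting them, confirm the suspected RDP entry from the Security log, and identify which account (and which source address) to rotate first. The following PowerShell is an added example, not code from the thread or from any product mentioned in it. It assumes a restored data root of D:\Shares, a report directory of C:\IR, and a seven-day review window (all of these are hypothetical and should be changed to match the site); it sticks to PowerShell 2.0 syntax because that is what ships with SBS 2011 / Server 2008 R2, and it reads only, deleting nothing.

```powershell
# Added example for the thread above; not the original poster's script.
# Assumptions (hypothetical values): restored data under D:\Shares, report
# written to C:\IR, look back 7 days in the Security log.
$SharePath  = 'D:\Shares'              # assumption: root of the restored shares
$Since      = (Get-Date).AddDays(-7)   # assumption: window covering the attack
$ReportDir  = 'C:\IR'                  # assumption: evidence/report folder
$ReportPath = Join-Path $ReportDir 'aes256-report.txt'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Inventory the encrypted files before deleting anything, so the list is
#    kept as evidence and the restore can be checked against it later.
$encrypted = @(Get-ChildItem -Path $SharePath -Recurse -Filter '*.aes256' -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
"$($encrypted.Count) .aes256 files found under $SharePath" | Out-File $ReportPath
$encrypted | Select-Object FullName, Length, LastWriteTime | Sort-Object LastWriteTime |
    Format-Table -AutoSize | Out-File $ReportPath -Append

# The earliest LastWriteTime among the encrypted files approximates when the
# encryption started, which narrows the logon window worth examining.
$firstHit = $null
if ($encrypted.Count -gt 0) {
    $firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
}

# 2. Pull a named field out of a Security event's XML. This is more robust
#    than indexing ReplacementStrings by position.
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 3. Successful RDP logons: event 4624 with LogonType 10 (RemoteInteractive).
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Domain = (Get-EventField $_ 'TargetDomainName')
            User   = (Get-EventField $_ 'TargetUserName')
            Source = (Get-EventField $_ 'IpAddress')
        }
    }

# 4. Failed logons (4625) grouped by source address. A long run from one
#    address is the usual sign of an RDP password-guessing campaign that
#    preceded the successful logon.
$failedBySource = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name

"`nFirst encrypted file written: $firstHit"             | Out-File $ReportPath -Append
"`nRDP logons (4624, LogonType 10) since $Since :"       | Out-File $ReportPath -Append
$rdpLogons | Sort-Object Time | Format-Table Time, Domain, User, Source -AutoSize | Out-File $ReportPath -Append
"`nFailed logons (4625) by source address since $Since :" | Out-File $ReportPath -Append
$failedBySource | Format-Table -AutoSize                  | Out-File $ReportPath -Append

# Any RDP logon from an unexpected address shortly before $firstHit points
# at the account whose password must be rotated first, and whose sessions on
# every other host should be checked before the rebuilt server is trusted.
Get-Content $ReportPath
```

Run it in an elevated PowerShell on the server itself (the Security log is local), and keep the report with the shadow-copy restore notes. If the Security log has already rolled over past the attack date, the 4624/4625 sections will be empty; the file inventory and its earliest timestamp are still worth keeping.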
If a workstation was infested and the user was using server drives via RDP, yes, that could happen.
It also appears that Microsoft Drive Encryption would run every time the Workstation would boot. That might be a good hint.
Well, I don't know who to give the credit to for the solution to this problem. All solutions and advice presented are good and valid.
You got some very good advice here and you can split however you wish.