Cause of ransomware attack

Recently one of our sites suffered a ransomware attack. Luckily we had good image backups and were able to roll back to the previous healthy backup so downtime was only a few hours.

We now want to determine the point of the attack.

The site setup is as follows:

Office with 60 users
2 x Host Servers in a Hyper V Cluster with 4 VMs
One of the VMs is a 2012 Terminal server
Fortinet Firewall in place
10 users work from outside the office
They have laptops with software VPN on each
They firstly connect to the VPN and then RDP to the TS
ESET AV installed on all machines

Following the attack we checked all internal machines for ransomeware - we used malwarebyte - all machines appear to be clean

We examined the infected terminal server and discovered the following:
A high number of failed login attempts using various different accounts before the attack
Successful login via an AD user called accounts that is current not in use
Within a minute an executable file was downloaded to the downloads folder of this user profile
The following day the wallet ransomware signature was found under this user’s profile

We have kept the terminal server off since the attack.

My question is where is the likely source of the attack? Only VPN traffic is allowed through the firewall. Was the terminal server itself compromised or would it be more likely one of the laptops and in turn the TS?

Any help would be appreciated - thanks

Colum TraynorMDAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Thomas Zucker-ScharffSolution GuideCommented:
Sounds like the terminal server itself was compromised. Wallet is a form of dharma which has a decryptor.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Thomas Zucker-ScharffSolution GuideCommented:
Colum TraynorMDAuthor Commented:
Thanks. So how would such an attack happen and could it have been prevented?
CEOs need to know what they should worry about

Nearly every week during the past few years has featured a headline about the latest data breach, malware attack, ransomware demand, or unrecoverable corporate data loss. Those stories are frequently followed by news that the CEOs at those companies were forced to resign.

Scott CSenior EngineerCommented:
Most ransomware attacks come from users clicking on links or going to web sites that are less than reputable.

User education is one of the best forms of prevention, in addition to your hardware.
John TsioumprisSoftware & Systems EngineerCommented:
Does your TS has by any mean access to the it reachable from the outside...have you checked your firewall for a policy that allows to connect to TS without VPN...?
From the bizzare acount and the following attack it seems like someone breached into the TS and dropped the ransomware for.......
Firewall should have log of the IP that got to the TS...
Colum TraynorMDAuthor Commented:
Thanks I will find that out - I am not sys admin but will check that and report back.
Thomas Zucker-ScharffSolution GuideCommented:
Users are the biggest problem and the hardest to fix.  User education only works if it comes from the top down. One of the campaigns with the best results is a fake phishing campaign. Click throughs generally go from ~85% to 15%!
btanExec ConsultantCommented:
Can check that particular uswr account activity as it would have RDP and received some phished email or visited some compromosed website that cause a loaded exploit to introduce the malware.

Can check the RDP server on the similar use case of any phished attachment, USB or compromised visited as it can lead to infection. But it would seem more likely a infected machine or a compromised account that has been successfully login due to weak account or stolen credentials that RDP get planted and infected by exploits.

The user mapped drives is an area wherw you can check the timestamps of all the encrypted files creation and the file owner and trace down that particular account and machine. Rhw earlist appearance of rhe file in either server or clienr machine can help tell us which is the source of infection and from there do further forensic on that machine traced.

Use also the encrypted file to check what Ransomware is planted using ID-RANSOMWARE.MALWAREHUNTERTEAM.COM and knowing the type helps to also understand the infection spread mechanism more specifically.

For info, there are suggested some possibility of spread in article faq too.
David Johnson, CD, MVPRetiredCommented:
you should disable unused accounts, you could also step up your lockout policies
btanExec ConsultantCommented:
Like to understand why my answer ID: 42053584 is excluded for consideration?
Hello Colum Traynor,

To fight against these kind of attacks 2FA plays important role.
Implementing 2FA (Two Factor Authentication) protects you from ransomeware related attacks because they use stolen credentials to access the systems. Using 2FA process can help to lower the cases of identity theft, because the attacker would need more than just the users name and password details. Also install endpoint security on all systems, which should protect unauthorized modification on system MBR.

Good Luck!
Colum TraynorMDAuthor Commented:
thanks for the great advice. We contained the problem and implemented the following:

Sophos Intercept x installed on all end point
Hardened Firewall
Implemented 2 factor authentication using DUO
Had a professional penetration test carried out by a 3rd party - passed :)

So looking much better now
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.