Cause of ransomware attack

Colum Traynor asked on Experts Exchange
Tags: Microsoft Server OS, Ransomware
12 Comments, 4 Solutions, 389 Views
Recently one of our sites suffered a ransomware attack. Luckily we had good image backups and were able to roll back to the previous healthy backup so downtime was only a few hours.

We now want to determine the point of the attack.

The site setup is as follows:

Office with 60 users
2 x Host Servers in a Hyper-V Cluster with 4 VMs
One of the VMs is a 2012 Terminal server
Fortinet Firewall in place
10 users work from outside the office
They have laptops with software VPN on each
They first connect to the VPN and then RDP to the TS
ESET AV installed on all machines

Following the attack we checked all internal machines for ransomware (we used Malwarebytes); all machines appear to be clean.

We examined the infected terminal server and discovered the following:
A high number of failed login attempts using various different accounts before the attack
Successful login via an AD user called "accounts" that is currently not in use
Within a minute an executable file was downloaded to the downloads folder of this user profile
The following day the wallet ransomware signature was found under this user’s profile

We have kept the terminal server off since the attack.

My question is where is the likely source of the attack? Only VPN traffic is allowed through the firewall. Was the terminal server itself compromised or would it be more likely one of the laptops and in turn the TS?

Any help would be appreciated - thanks

Colum
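The pattern described in the question (a burst of failed logons, then a successful RDP logon with a dormant account) can be pulled out of the Terminal Server's Security log by correlating events by source address, which also shows whether the logon arrived from a VPN client. The script below is an added example, not part of the original post or any answer; the event records, timestamps and the VPN client pool are constructed assumptions, while 4625/4624 and logon type 10 are the real Windows event IDs and RDP logon type.

```python
# Added example (not from the original post): correlate exported Windows
# Security events to find the logon that preceded the ransomware drop.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP session.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed address pool that the firewall's VPN hands to remote laptops.
VPN_POOL = ipaddress.ip_network("10.212.134.0/24")

# Constructed sample export: (time, event_id, account, source_ip, logon_type).
EVENTS = [
    ("2017-05-02 01:12:03", 4625, "administrator", "10.212.134.7", 10),
    ("2017-05-02 01:12:09", 4625, "backup", "10.212.134.7", 10),
    ("2017-05-02 01:12:15", 4625, "scanner", "10.212.134.7", 10),
    ("2017-05-02 01:12:21", 4625, "accounts", "10.212.134.7", 10),
    ("2017-05-02 01:12:27", 4625, "accounts", "10.212.134.7", 10),
    ("2017-05-02 01:12:33", 4624, "accounts", "10.212.134.7", 10),
    ("2017-05-02 08:30:00", 4624, "jsmith", "10.212.134.12", 10),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_bruteforce_then_success(events, window=timedelta(minutes=10), min_failures=3):
    """Return (source_ip, account, time, via_vpn) for every successful RDP logon
    that was preceded by at least min_failures failed logons from the same
    source inside `window`, the sequence the asker found before the attack."""
    failures = defaultdict(list)  # source_ip -> times of 4625 events
    hits = []
    for ts, eid, account, src, ltype in sorted(events, key=lambda e: e[0]):
        if ltype != 10:  # only RDP sessions are of interest on a TS
            continue
        t = parse(ts)
        if eid == 4625:
            failures[src].append(t)
        elif eid == 4624:
            recent = [f for f in failures[src] if t - f <= window]
            if len(recent) >= min_failures:
                via_vpn = ipaddress.ip_address(src) in VPN_POOL
                hits.append((src, account, ts, via_vpn))
    return hits


if __name__ == "__main__":
    for src, account, ts, via_vpn in find_bruteforce_then_success(EVENTS):
        print(f"{ts}: '{account}' from {src} after failures; VPN pool: {via_vpn}")
```

A source address inside the VPN pool points at a specific remote laptop (match it against the firewall's VPN session log for that time), whereas an address outside it means the TS was reached some other way.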
ASKER CERTIFIED SOLUTION
Thomas Zucker-Scharff