AES-NI ransomware on windows server 2008

Does someone have any experience with  AES-NI ransomware on windows server 2008?

What is the best way to fix it?

(I have online backup)
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSenior Systems AdminCommented:
Go to and upload a copy of one encrypted file and/or the ransom note file. If there's currently a known decrypt app, that will tell you where to get it. If there's no decrypt app, you'll have to restore your files from backup.
alonig1Author Commented:
link not working.
Adam BrownSenior Systems AdminCommented:
Sorry, forgot a character there:
 Acronis Global Cyber Summit 2019 in Miami

The Acronis Global Cyber Summit 2019 will be held at the Fontainebleau Miami Beach Resort on October 13–16, 2019, and it promises to be the must-attend event for IT infrastructure managers, CIOs, service providers, value-added resellers, ISVs, and developers.

Scott SilvaNetwork AdministratorCommented:
The BEST way is to rebuild the machine and restore DATA files from backups. But that is also the most time consuming...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
alonig1Author Commented:
I'm trying to remove with spy hunter everything crashes it's on the DC.

What can I do?
Scott SilvaNetwork AdministratorCommented:
I am pretty sure Spy Hunter is a fake malware ridden POS...
But removing the cryptography virus after everything is encrypted is like locking the barn door after the horse died in a fire....

You need a good backup of the system state to restore the AD database...

If you have a full online backup, you will need to find out how to do a bare metal restore IF it is possible with your backup choice...
If it isn't, time to make a new machine, and HOPE your backup restores to it... third option ... Start over...
alonig1Author Commented:
I'm trying to sfc command.

I think it only encrypt the data files not the AD and everything.

Do I need really to re-install everything?
Scott SilvaNetwork AdministratorCommented:
I guess you could try malwarebytes and see if it kills the encryptor. Then do some extensive testing to see if your forest is corrupted...

It is very poor practice to try and clean a critical server like that, but you can try...

How can you be sure it didn't add other malware?

It probably at a minimum killed your sysvol and group policies.
So was this just a domain controller or were you doing other things with it too?
btanExec ConsultantCommented:
No known way to decrypt AES NI Ransomware. Only way is to get back from your backup. Check your online backup if it ia encrypted as Ransomware can infect those online mapped drive, if that is the default mapping once user login. Change the password to err on the safe side.

Indeed you can use idransomware for confirmation of the infection. If the encrypted files are appended with .aes256 file extension, most likely it is confirmed AES NI Ransomware infection.

You can save a copy of the encrypted files before you start to rebuild the machine from a clean slate. That is the cleanest approach. The backup of the encrypted files is so that in future there is a decryptor published you can still try them out. These does happened for other variant.

Preventive measures moving ahead include application whitelisting (Applocker or cryptoprevent), logon using non administrative account, install anti ransomware such those from Malwarebytes or Winpatrol and maintain regular patch and scan of security fixes and signature.

You cam catch more information in the FAQ
There other good one in EE too. E.g't-be-caught-out.html
Removing malware is one thing. Trying to address files that are encrypted is another totally. You don't know exactly how many system files have been encrypted, nor do you know when a method to decrypt the files will, if ever, become available. And I doubt you have the time/resources to go through a whole investigation (which I would recommend your doing anyway) or to get security experts on site (would be great to do as well).

Reload the server and try to restore data from before the encryption occurred. And you ideally might want to ideally do virtualization so that you can also create backups of the VM. That may save you some heartache in the future.

You also want to review the roles of that server, as well as overall security policies. Is it accessible from the outside, and does it really need to be? How are you firewall rules looking? You need to check across the board HOW things happen, but also take measures to prevent that from being able to occur in the future. And work your way to being proactive with respect to security, not reactive.

I know you don't like the sound of it, but that's going to be the best route to go.
Scott SilvaNetwork AdministratorCommented:
I know my system has 4 domain controllers, across 2 main sites and 4 satellites. None of the domain controllers do anything else, and 2 are virtualized. They DO NOT talk to the outside world except the primary which can reach outside to keep the clock synced. And they are all backed up daily. They don't even get updates from outside, but from an internal WSUS server.

AD is a very critical element and once it breaks bad, you have to start over without good backups.

I also agree with the virtualization recommendation... It is a bit expensive to dedicate a server to just a domain controller, but a virtual server is fairly cheap to do... You can host several virts on a reasonable chassis...
Sufficient advice given
Alan VaceCommented:
I had problems with this ransomware, and I managed to recover some files with a help of  ShadowExplorer and this guide. But all recovered files are very old :(
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.