AES-NI ransomware on windows server 2008

Last Modified: 2017-04-21
Does anyone have experience with AES-NI ransomware on Windows Server 2008?

What is the best way to fix it?

(I have online backup)

Adam Brown, Cloud Security Consultant

Commented:
Go to http://idransomware.malwarehunterteam.com and upload a copy of one encrypted file and/or the ransom note file. If there's currently a known decrypt app, that will tell you where to get it. If there's no decrypt app, you'll have to restore your files from backup.

Author

Commented:
Link not working.

Author

Commented:
I'm trying to remove it with SpyHunter; everything crashes. It's on the DC.

What can I do?

Author

Commented:
I'm trying the sfc command.

I think it only encrypted the data files, not AD and everything else.

Do I really need to re-install everything?
Scott Silva, Network Administrator

Commented:
I guess you could try malwarebytes and see if it kills the encryptor. Then do some extensive testing to see if your forest is corrupted...

It is very poor practice to try and clean a critical server like that, but you can try...

How can you be sure it didn't add other malware?

It probably at a minimum killed your sysvol and group policies.
So was this just a domain controller or were you doing other things with it too?
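The "extensive testing to see if your forest is corrupted" and the SYSVOL/Group Policy concern above can be turned into a repeatable check. The script below is an added example, not code from the thread or from any of the commenters: run from an elevated prompt on the affected DC (PowerShell 2.0 syntax only, so it works on Server 2008 R2), it reads the AD database, log and SYSVOL locations from the registry, counts files carrying the ransomware's extension under each of them, checks that ntds.dit is still present and that every GPO folder still has its gpt.ini, and saves the built-in dcdiag/repadmin output for comparison with a healthy DC. The extension in $EncryptedExtension and the report directory are placeholders (assumptions, not stated anywhere on the page); set them to what you actually see on disk.

```powershell
<#
  Added example, not code from the thread or from its commenters.
  Post-infection triage of a Windows Server 2008 domain controller:
    1. locate the AD database, AD log files and SYSVOL from the registry,
    2. count files carrying the ransomware extension under each of them,
    3. confirm ntds.dit is present and every GPO folder still has gpt.ini,
    4. save dcdiag / repadmin output to compare with a known-good DC.
  ASSUMPTION: $EncryptedExtension is a placeholder; use the extension the
  ransomware actually appended on this host. PowerShell 2.0 compatible.
#>
param(
    [string]$EncryptedExtension = '.encrypted',              # ASSUMPTION / placeholder
    [string]$ReportDir          = "$env:SystemDrive\triage"   # ASSUMPTION / placeholder
)

$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Where the AD pieces live (read from the registry, not hard-coded).
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditFile = $ntds.'DSA Database file'
$logPath = $ntds.'Database log files path'
$sysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

# 2. Inventory of encrypted files under each critical path, one CSV per path.
foreach ($p in @($sysvol, $logPath, (Split-Path $ditFile))) {
    if (-not (Test-Path $p)) { Write-Warning "missing path: $p"; continue }
    $hits = Get-ChildItem -Path $p -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -like "*$EncryptedExtension" }
    '{0,6} encrypted file(s) under {1}' -f @($hits).Count, $p
    $csv = Join-Path $ReportDir ('encrypted_' + ($p -replace '[:\\]', '_') + '.csv')
    $hits | Select-Object FullName, Length, LastWriteTime | Export-Csv -NoTypeInformation -Path $csv
}

# 3. Is the directory database itself still there under its original name?
if (Test-Path $ditFile) {
    'ntds.dit present: {0} ({1} bytes)' -f $ditFile, (Get-Item $ditFile).Length
} else {
    Write-Warning "ntds.dit NOT found at $ditFile - do not reboot; plan a System State restore"
}

# 3b. Each GPO folder under SYSVOL\<domain>\Policies must contain gpt.ini,
#     otherwise Group Policy processing for that GPO is already broken.
$gpoDirs = Get-ChildItem -Path (Join-Path $sysvol '*\Policies\*') -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.PSIsContainer }
$broken  = $gpoDirs | Where-Object { -not (Test-Path (Join-Path $_.FullName 'gpt.ini')) }
'{0} GPO folder(s) found, {1} missing gpt.ini' -f @($gpoDirs).Count, @($broken).Count
$broken | ForEach-Object { "  broken GPO folder: $($_.FullName)" }

# 4. Service state and the built-in AD health checks, kept for comparison.
Get-Service -Name NTDS, Netlogon, DNS, DFSR, NtFrs -ErrorAction SilentlyContinue |
    Select-Object Name, Status | Format-Table -AutoSize
dcdiag /test:sysvolcheck /test:advertising /test:replications /test:services |
    Tee-Object -FilePath (Join-Path $ReportDir 'dcdiag.txt')
repadmin /showrepl | Tee-Object -FilePath (Join-Path $ReportDir 'repadmin.txt')
```

A clean count under the NTDS and log paths is not proof the DC is trustworthy; it only tells you whether the directory database was among the encrypted files. If it was, or if any GPO folder lost its gpt.ini, the realistic options are a System State restore from a backup taken before the infection or rebuilding the DC from another healthy replica, which is the same conclusion the comment above reaches.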
Scott Silva, Network Administrator

Commented:
I know my system has 4 domain controllers, across 2 main sites and 4 satellites. None of the domain controllers do anything else, and 2 are virtualized. They DO NOT talk to the outside world except the primary which can reach outside to keep the clock synced. And they are all backed up daily. They don't even get updates from outside, but from an internal WSUS server.

AD is a very critical element and once it breaks bad, you have to start over without good backups.

I also agree with the virtualization recommendation... It is a bit expensive to dedicate a server to just a domain controller, but a virtual server is fairly cheap to do... You can host several virts on a reasonable chassis...

Commented:
Sufficient advice given

I had problems with this ransomware, and I managed to recover some files with the help of ShadowExplorer and this guide. But all recovered files are very old :(
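ShadowExplorer browses Volume Shadow Copies through a GUI; the same recovery can be scripted, which matters when you need to pull back a whole share rather than click through files one by one. The script below is an added example, not code from the thread or from the commenter above. It lists the shadow copies that survived on a volume, picks the newest one created before the encryption began, exposes it through a directory symlink (the same mechanism ShadowExplorer and the `mklink` method rely on) and copies the pre-encryption tree to a separate location with robocopy. $Volume, $EncryptionStart, $SourceRelPath and $Destination are placeholders (assumptions, not values from the page); take $EncryptionStart from the earliest LastWriteTime among the encrypted files.

```powershell
<#
  Added example, not code from the thread or from the commenter above.
  Recover pre-encryption files from a Volume Shadow Copy without ShadowExplorer:
    1. list the shadow copies of $Volume that still exist,
    2. choose the newest one created before $EncryptionStart,
    3. expose it as a directory via a symlink, copy $SourceRelPath out, unlink.
  ASSUMPTIONS (placeholders): all four parameters below. Run elevated.
  If Win32_ShadowCopy returns nothing for the volume, the ransomware (or VSS
  churn) has removed the snapshots and only the backup remains.
#>
param(
    [string]  $Volume          = 'C:\',                    # ASSUMPTION
    [datetime]$EncryptionStart = (Get-Date).AddDays(-1),    # ASSUMPTION: earliest encrypted LastWriteTime
    [string]  $SourceRelPath   = 'Shares\Data',             # ASSUMPTION: path inside the volume
    [string]  $Destination     = 'D:\recovered'             # ASSUMPTION: not the infected share itself
)

# Shadow copies are keyed by the volume's \\?\Volume{GUID}\ device ID, not its letter.
$vol = Get-WmiObject Win32_Volume | Where-Object { $_.Name -eq $Volume }
if (-not $vol) { throw "volume $Volume not found" }

$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    ForEach-Object {
        # InstallDate is a DMTF timestamp string; convert it to a [datetime] for comparison.
        $created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
        $_ | Add-Member -MemberType NoteProperty -Name Created -Value $created -PassThru
    } | Sort-Object Created -Descending

'Shadow copies for {0}:' -f $Volume
$shadows | Format-Table ID, Created, DeviceObject -AutoSize

$candidate = $shadows | Where-Object { $_.Created -lt $EncryptionStart } | Select-Object -First 1
if (-not $candidate) { throw "no shadow copy older than $EncryptionStart survived; restore from backup instead" }

# Expose the snapshot as a directory. The trailing backslash on the device path is required.
$mount = Join-Path $env:SystemDrive 'shadow_mount'
if (Test-Path $mount) { cmd /c rmdir "$mount" | Out-Null }
cmd /c mklink /d "$mount" "$($candidate.DeviceObject)\" | Out-Null

$src = Join-Path $mount $SourceRelPath
if (-not (Test-Path $src)) { cmd /c rmdir "$mount" | Out-Null; throw "path $SourceRelPath is not present in the snapshot" }

# Copy the pre-encryption tree to a clean location; do not write back onto the live
# share until the host itself has been rebuilt or verified clean.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
robocopy "$src" "$Destination" /E /COPY:DAT /R:1 /W:1 /NP /LOG+:"$Destination\recover.log" | Out-Null
'recovered {0} from snapshot {1} ({2:yyyy-MM-dd HH:mm}) into {3}' -f $SourceRelPath, $candidate.ID, $candidate.Created, $Destination

# Remove only the link; the snapshot itself is left in place.
cmd /c rmdir "$mount" | Out-Null
```

Because each snapshot is a point in time, the files you get back are exactly as old as the newest snapshot that predates the encryption, which is why a recovery of this kind can return only stale versions when the recent snapshots are gone. Verify a sample of recovered files open correctly before relying on them, and compare the snapshot dates against the online backup to decide which source is the fresher one.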