AES-NI ransomware on windows server 2008

alonig1
Does someone have any experience with AES-NI ransomware on Windows Server 2008?

What is the best way to fix it?

(I have online backup)
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
Go to http://idransomware.malwarehunterteam.com and upload a copy of one encrypted file and/or the ransom note file. If there's currently a known decrypt app, that will tell you where to get it. If there's no decrypt app, you'll have to restore your files from backup.

Author

Commented:
Link not working.
Adam Brown, Senior Systems Admin
Top Expert 2010
Commented:
Sorry, forgot a character there: https://id-ransomware.malwarehunterteam.com/
Network Administrator
Commented:
The BEST way is to rebuild the machine and restore DATA files from backups. But that is also the most time consuming...

Author

Commented:
I'm trying to remove it with SpyHunter; everything crashes. It's on the DC.

What can I do?
Scott Silva, Network Administrator
Commented:
I am pretty sure SpyHunter is a fake, malware-ridden POS...
But removing the cryptography virus after everything is encrypted is like locking the barn door after the horse died in a fire....

You need a good backup of the system state to restore the AD database...

If you have a full online backup, you will need to find out how to do a bare metal restore IF it is possible with your backup choice...
If it isn't, time to make a new machine, and HOPE your backup restores to it... third option ... Start over...

Author

Commented:
I'm trying the sfc command.

I think it only encrypted the data files, not AD and everything.

Do I need really to re-install everything?
Scott Silva, Network Administrator

Commented:
I guess you could try malwarebytes and see if it kills the encryptor. Then do some extensive testing to see if your forest is corrupted...

It is very poor practice to try and clean a critical server like that, but you can try...

How can you be sure it didn't add other malware?

It probably at a minimum killed your sysvol and group policies.
So was this just a domain controller or were you doing other things with it too?
btan, Exec Consultant
Distinguished Expert 2018
Commented:
There is no known way to decrypt AES-NI ransomware. The only way is to get your files back from your backup. Check whether your online backup is encrypted too, as ransomware can infect online mapped drives if they are mapped by default when the user logs in. Change the password to err on the safe side.

Indeed, you can use ID Ransomware to confirm the infection. If the encrypted files have the .aes256 file extension appended, it is most likely a confirmed AES-NI ransomware infection.

You can save a copy of the encrypted files before you start to rebuild the machine from a clean slate; that is the cleanest approach. The backup of the encrypted files is so that if a decryptor is published in future you can still try it. This has happened for other variants.

Preventive measures going forward include application whitelisting (AppLocker or CryptoPrevent), logging on with a non-administrative account, installing anti-ransomware such as that from Malwarebytes or WinPatrol, and maintaining regular patching and scanning for security fixes and signatures.

You can find more information in the FAQ https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
or https://www.experts-exchange.com/articles/21199/Ransomware-Beware.html
There are other good ones on EE too, e.g.
https://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html
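The first three steps the experts above agree on (confirm the extension, check whether the mapped backup drive was hit too, save a sample and the ransom note for the ID Ransomware upload, and find out whether SYSVOL/NTDS were touched before deciding between a data restore and a full rebuild) can be done in one pass from an elevated PowerShell prompt. The script below is an added example for this thread, not code from the page or from any of the commenters. It targets PowerShell 2.0 (shipped with Server 2008 R2; on Server 2008 install it from the Windows Management Framework). Assumptions to adjust before use: the encrypted files carry the `.aes256` extension named above; `E:\ir-evidence` is a clean, writable volume that is not the backup target; `$NoteName` is the ransom note's file name if you know it (the thread does not state one, so it defaults to empty and the note search is skipped).

```powershell
# Ransomware triage on a Windows Server 2008 / 2008 R2 host.
# Added example, not from the original thread. Uses only PowerShell 2.0 cmdlets.
# Assumptions: .aes256 extension (from the thread), $EvidenceDir is a clean
# external volume, $NoteName is unknown unless you supply it.
param(
    [string[]] $Roots       = @(),               # e.g. 'C:\','D:\','Z:\'; empty = all fixed and mapped drives
    [string]   $Extension   = '.aes256',
    [string]   $EvidenceDir = 'E:\ir-evidence',  # assumption: NOT the backup target
    [string]   $NoteName    = '',                # assumption: ransom note file name, if known
    [switch]   $PreserveAll                      # also copy every encrypted file to $EvidenceDir
)

# 1. Scope: local fixed disks (DriveType 3) and mapped network drives (DriveType 4).
#    Mapped drives matter: a backup share mounted at logon gets encrypted like any
#    other drive, which is exactly the check asked for above.
if ($Roots.Count -eq 0) {
    $Roots = @(Get-WmiObject Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 3 -or $_.DriveType -eq 4 } |
        ForEach-Object { $_.DeviceID + '\' })
}

# 2. Inventory every encrypted file, tagging each with the root it was found under.
#    -Force includes hidden files; unreadable paths are skipped instead of aborting.
$encrypted = @(foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq $Extension } |
        Add-Member -MemberType NoteProperty -Name Root -Value $root -PassThru
})
if ($encrypted.Count -eq 0) {
    Write-Host "No files with extension $Extension under: $($Roots -join ', ')"
    return
}

# 3. Blast radius. LastWriteTime is reset when the encryptor rewrites a file, so the
#    earliest stamp bounds the newest backup you can still trust.
$byRoot = $encrypted | Group-Object Root | Select-Object Name, Count
$sorted = @($encrypted | Sort-Object LastWriteTime)
$start  = $sorted[0].LastWriteTime
$end    = $sorted[$sorted.Count - 1].LastWriteTime
$bytes  = ($encrypted | Measure-Object Length -Sum).Sum

# 4. Did it reach AD's own files? Hits under SYSVOL or NTDS mean a rebuild plus
#    system-state restore, not a data-only restore.
$adHits = @($encrypted | Where-Object { $_.FullName -match '\\(SYSVOL|NTDS)\\' })

# 5. Preserve evidence: inventory CSV, one small sample for the ID Ransomware upload,
#    the note if its name is known, and a SHA-256 of the sample so you can later show
#    that what you uploaded is what was on disk.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$encrypted | Select-Object FullName, Length, LastWriteTime, CreationTime |
    Export-Csv -Path (Join-Path $EvidenceDir 'encrypted-files.csv') -NoTypeInformation

$sampleHash = $null
$sample = $encrypted | Where-Object { $_.Length -gt 0 } | Sort-Object Length | Select-Object -First 1
if ($sample) {
    Copy-Item -Path $sample.FullName -Destination $EvidenceDir
    $fs = [System.IO.File]::OpenRead($sample.FullName)
    $sampleHash = [BitConverter]::ToString(
        [System.Security.Cryptography.SHA256]::Create().ComputeHash($fs)) -replace '-', ''
    $fs.Close()
}

$note = $null
if ($NoteName -ne '') {
    $note = Get-ChildItem -Path $Roots -Recurse -Force -Filter $NoteName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($note) { Copy-Item -Path $note.FullName -Destination $EvidenceDir }
}

# Optional: keep the whole encrypted set for a future decryptor. robocopy ships with
# Server 2008; /S recurses, /R:1 /W:1 stops it stalling on locked files, /NP = no progress.
if ($PreserveAll) {
    foreach ($root in $Roots) {
        $dest = Join-Path $EvidenceDir ($root -replace '[:\\]', '_')
        & robocopy $root $dest "*$Extension" /S /R:1 /W:1 /NP | Out-Null
    }
}

# 6. Report.
Write-Host ("Encrypted files  : {0} ({1:N0} MB)" -f $encrypted.Count, ($bytes / 1MB))
Write-Host ("Encryption window: {0}  ->  {1}" -f $start, $end)
$byRoot | Format-Table -AutoSize | Out-String | Write-Host
Write-Host ("AD files hit     : {0}" -f $adHits.Count)
if ($sample) { Write-Host ("Sample for upload: {0}  SHA256={1}" -f $sample.FullName, $sampleHash) }
if ($note)   { Write-Host ("Ransom note      : {0}" -f $note.FullName) }
Write-Host "Restore from a backup taken before $start; do not execute anything in $EvidenceDir."
```

Run it as `powershell -ExecutionPolicy Bypass -File .\triage.ps1 -Roots 'C:\','Z:\' -EvidenceDir 'F:\ir' -PreserveAll` from an elevated prompt, with the evidence volume attached only for the duration of the run. A non-zero count for the mapped backup drive in the per-root table is the signal that the online backup itself is compromised and an earlier, offline copy is needed; any hit under SYSVOL or NTDS settles the "is it just data files?" question in the thread in favour of the rebuild-and-system-state-restore path.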
Distinguished Expert 2018
Commented:
Removing malware is one thing. Trying to address files that are encrypted is another totally. You don't know exactly how many system files have been encrypted, nor do you know when a method to decrypt the files will, if ever, become available. And I doubt you have the time/resources to go through a whole investigation (which I would recommend your doing anyway) or to get security experts on site (would be great to do as well).

Reload the server and try to restore data from before the encryption occurred. And ideally you might want to virtualize, so that you can also create backups of the VM. That may save you some heartache in the future.

You also want to review the roles of that server, as well as overall security policies. Is it accessible from the outside, and does it really need to be? How are your firewall rules looking? You need to check across the board HOW things happen, but also take measures to prevent that from being able to occur in the future. And work your way to being proactive with respect to security, not reactive.

I know you don't like the sound of it, but that's going to be the best route to go.
Scott Silva, Network Administrator

Commented:
I know my system has 4 domain controllers, across 2 main sites and 4 satellites. None of the domain controllers do anything else, and 2 are virtualized. They DO NOT talk to the outside world except the primary which can reach outside to keep the clock synced. And they are all backed up daily. They don't even get updates from outside, but from an internal WSUS server.

AD is a very critical element and once it breaks bad, you have to start over without good backups.

I also agree with the virtualization recommendation... It is a bit expensive to dedicate a server to just a domain controller, but a virtual server is fairly cheap to do... You can host several virts on a reasonable chassis...
Distinguished Expert 2018

Commented:
Sufficient advice given
I had problems with this ransomware, and I managed to recover some files with the help of ShadowExplorer and this guide. But all recovered files are very old :(
