We’ve posted a new Expert Spotlight! Joe Anderson (DatabaseMX) has been on Experts Exchange since 2006. Learn more about this database architect, guitar aficionado, and Microsoft MVP.
AES-NI ransomware on windows server 2008
Does someone have any experience with AES-NI ransomware on windows server 2008?
What is the best way to fix it?
(I have online backup)
What is the best way to fix it?
(I have online backup)
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Go to http://idransomware.malwarehunterteam.com and upload a copy of one encrypted file and/or the ransom note file. If there's currently a known decrypt app, that will tell you where to get it. If there's no decrypt app, you'll have to restore your files from backup.
The BEST way is to rebuild the machine and restore DATA files from backups. But that is also the most time consuming...
I am pretty sure Spy Hunter is a fake malware ridden POS...
But removing the cryptography virus after everything is encrypted is like locking the barn door after the horse died in a fire....
You need a good backup of the system state to restore the AD database...
If you have a full online backup, you will need to find out how to do a bare metal restore IF it is possible with your backup choice...
If it isn't, time to make a new machine, and HOPE your backup restores to it... third option ... Start over...
But removing the cryptography virus after everything is encrypted is like locking the barn door after the horse died in a fire....
You need a good backup of the system state to restore the AD database...
If you have a full online backup, you will need to find out how to do a bare metal restore IF it is possible with your backup choice...
If it isn't, time to make a new machine, and HOPE your backup restores to it... third option ... Start over...
I'm trying to sfc command.
I think it only encrypt the data files not the AD and everything.
Do I need really to re-install everything?
I think it only encrypt the data files not the AD and everything.
Do I need really to re-install everything?
I guess you could try malwarebytes and see if it kills the encryptor. Then do some extensive testing to see if your forest is corrupted...
It is very poor practice to try and clean a critical server like that, but you can try...
How can you be sure it didn't add other malware?
It probably at a minimum killed your sysvol and group policies.
So was this just a domain controller or were you doing other things with it too?
It is very poor practice to try and clean a critical server like that, but you can try...
How can you be sure it didn't add other malware?
It probably at a minimum killed your sysvol and group policies.
So was this just a domain controller or were you doing other things with it too?
No known way to decrypt AES NI Ransomware. Only way is to get back from your backup. Check your online backup if it ia encrypted as Ransomware can infect those online mapped drive, if that is the default mapping once user login. Change the password to err on the safe side.
Indeed you can use idransomware for confirmation of the infection. If the encrypted files are appended with .aes256 file extension, most likely it is confirmed AES NI Ransomware infection.
You can save a copy of the encrypted files before you start to rebuild the machine from a clean slate. That is the cleanest approach. The backup of the encrypted files is so that in future there is a decryptor published you can still try them out. These does happened for other variant.
Preventive measures moving ahead include application whitelisting (Applocker or cryptoprevent), logon using non administrative account, install anti ransomware such those from Malwarebytes or Winpatrol and maintain regular patch and scan of security fixes and signature.
You cam catch more information in the FAQ https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
Or https://www.experts-exchange.com/articles/21199/Ransomware-Beware.html
There other good one in EE too. E.g
https://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html
Indeed you can use idransomware for confirmation of the infection. If the encrypted files are appended with .aes256 file extension, most likely it is confirmed AES NI Ransomware infection.
You can save a copy of the encrypted files before you start to rebuild the machine from a clean slate. That is the cleanest approach. The backup of the encrypted files is so that in future there is a decryptor published you can still try them out. These does happened for other variant.
Preventive measures moving ahead include application whitelisting (Applocker or cryptoprevent), logon using non administrative account, install anti ransomware such those from Malwarebytes or Winpatrol and maintain regular patch and scan of security fixes and signature.
You cam catch more information in the FAQ https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
Or https://www.experts-exchange.com/articles/21199/Ransomware-Beware.html
There other good one in EE too. E.g
https://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html
Removing malware is one thing. Trying to address files that are encrypted is another totally. You don't know exactly how many system files have been encrypted, nor do you know when a method to decrypt the files will, if ever, become available. And I doubt you have the time/resources to go through a whole investigation (which I would recommend your doing anyway) or to get security experts on site (would be great to do as well).
Reload the server and try to restore data from before the encryption occurred. And you ideally might want to ideally do virtualization so that you can also create backups of the VM. That may save you some heartache in the future.
You also want to review the roles of that server, as well as overall security policies. Is it accessible from the outside, and does it really need to be? How are you firewall rules looking? You need to check across the board HOW things happen, but also take measures to prevent that from being able to occur in the future. And work your way to being proactive with respect to security, not reactive.
I know you don't like the sound of it, but that's going to be the best route to go.
Reload the server and try to restore data from before the encryption occurred. And you ideally might want to ideally do virtualization so that you can also create backups of the VM. That may save you some heartache in the future.
You also want to review the roles of that server, as well as overall security policies. Is it accessible from the outside, and does it really need to be? How are you firewall rules looking? You need to check across the board HOW things happen, but also take measures to prevent that from being able to occur in the future. And work your way to being proactive with respect to security, not reactive.
I know you don't like the sound of it, but that's going to be the best route to go.
I know my system has 4 domain controllers, across 2 main sites and 4 satellites. None of the domain controllers do anything else, and 2 are virtualized. They DO NOT talk to the outside world except the primary which can reach outside to keep the clock synced. And they are all backed up daily. They don't even get updates from outside, but from an internal WSUS server.
AD is a very critical element and once it breaks bad, you have to start over without good backups.
I also agree with the virtualization recommendation... It is a bit expensive to dedicate a server to just a domain controller, but a virtual server is fairly cheap to do... You can host several virts on a reasonable chassis...
AD is a very critical element and once it breaks bad, you have to start over without good backups.
I also agree with the virtualization recommendation... It is a bit expensive to dedicate a server to just a domain controller, but a virtual server is fairly cheap to do... You can host several virts on a reasonable chassis...
I had problems with this ransomware, and I managed to recover some files with a help of ShadowExplorer and this guide. But all recovered files are very old :(
Premium Content
You need an Expert Office subscription to comment.Start Free Trial