pscanevit

asked on

nemesis decryptor - torproject.org

Hi,

Today my Exchange server rebooted on its own and on my desktop was a _decrypt_my_files text file

**all your work and personal files have been encrypted**
buy special software <nemesis decryptor>
https://*.onion.to to get details.

I am hoping this is a hoax, does anyone know of this?
John

If the files have been encrypted (looks as if this is the case), you must clean out the viruses (and perhaps even reinstall your server) and then restore from backup. Ransomware - not a hoax.
ASKER CERTIFIED SOLUTION
Dr. Klahn

pscanevit

ASKER

Thank you both.

My next question. I am not sure I can wipe and reload the server on my own... does Experts Exchange offer referrals to professionals that could help?
If you post in the Gigs section, someone will almost surely be able to advise.
Even though you need help with reloading your server, you should close this question here.
I would also question how the virus got on your Exchange server to begin with. Not something that would normally happen. Be sure you aren't just putting your server back the way it was and leaving it there.
*Usually this ransomware targets files such as XLSX, DOCX, etc.

If you do not use the Exchange server for anything else, such as a file server etc., you can probably continue to use the server without wiping/reloading it if you can make 100% sure you closed all security holes, installed a proper AV and removed the current virus.

Ultimately you will only be 100% sure if you wipe/reload and, as mentioned, you need to figure out how it happened. My guess is you probably use the same account for administering the server that you use on your desktop.

See article about implementing tier isolation
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html