Ransomware virus

I'm trying to identify a ransomware virus that hit a network. I believe it is the “FakeGlobe” virus. Aside from not knowing how it got on the network, there are other things I cannot figure out. The more I know, the better I can protect this network. We did have backup replicated offsite so we are good. It just took a lot of work rebuilding servers and restoring data.

This virus uninstalled TrendMicro on servers and workstations. It then ran on those devices.  This created a unique encryption. If they were to have paid to get it unencrypted, they would have had to pay for each computer separately.  It appears it did not rely on shared drives to spread it.  

It also infected a server that was off the domain. The administrator account password was not the same as administrator password on the network. I have no idea how they could have gotten to that.

There are only three people with domain admin rights and there are service accounts with domain admin rights. None of the three users were on the network when it hit on a Saturday evening.  Passwords for the accounts with administrator rights were not changed. This means they had to find a way to read the passwords.

I did see information about  Pony Botnet that may have been used https://thehackernews.com/2014/02/pony-botnet-steals-220000-from-multiple.html 

I’m just looking for thoughts and ideas on how this could have happened so I can prevent it from happening again.  I’d like to know if it was done manually by someone gaining access to a computer or they managed to run scripts that did all the damage.  If they got to a computer, we may need to disable remote access. Many of the users have TeamViewer.  I saw this post https://www.teamviewer.com/en/company/press/statement-on-ransomware-infections-via-teamviewer/

Another thing I need to figure out is how to prevent unprotected computers from VPN access. We have a SonicWall firewall. We use both the global VPN and NetExtender.

John, Business Consultant (Owner), commented:
These viruses are transmitted by email. Someone in your company opened an email from a stranger, it then spawned the ransomware and it attacks anything connected. Very unlikely anyone hacked in and passwords and domain connection are not necessary to transmit the virus.
gilnov, Systems Administrator, commented:
There is no way for anyone here to definitively tell you how the virus got in without spending significant time on your network and, even then, it might not be possible to say for sure. That said, the 2 most common ways malware penetrates networks are via email and web browsing, especially with unpatched computers. Once the malware has a toehold on a computer, it's just a matter of privilege escalation, which can happen in a matter of minutes. Ways to mitigate include a hardware firewall, whole-network web filtering, up-to-date OS and application patches, up-to-date antivirus software (a.k.a. endpoint protection), following the principle of least privilege (i.e. not giving users local admin rights to their computers), and end-user training.
John, Business Consultant (Owner), commented:

1. Top notch spam control - very effective.
2. User training as noted above.
ajdratch, Author, commented:
I know it most likely would be from email or clicking on a link. If a user without domain admin privileges clicked on the link, how could it have gotten to servers that users do not have rights to? This did not just affect shares on servers. It affected servers without any shares.

Each workstation and server that was affected appears as if the link was clicked on that device. They somehow got to each device, uninstalled Trend Micro and infected it as if that was the device that clicked on the link.

We have hardware firewalls and workstations have Windows firewall enabled.

And finally how did it get to a server that was not on the domain and the administrator password was different than the domain administrator password. No one went on the internet when logged into the backup server.
John, Business Consultant (Owner), commented:
The virus can transmit itself to any connected device. That is why backups should be removed from the system.
gilnov, Systems Administrator, commented:
As I mentioned earlier, privilege escalation techniques can be used to gain access to other machines, including servers, on the network.

gilnov, Systems Administrator, commented:
Here's a more general explanation of privilege escalation: https://en.wikipedia.org/wiki/Privilege_escalation
gilnov, Systems Administrator, commented:
And here's a great presentation on the topic: https://www.youtube.com/watch?v=PC_iMqiuIRQ

It's a bit long but well worth a view.

btan, Exec Consultant, commented:
Identification of ransomware - try using idransomware. Match against known type and variant. Decryptor may be available.

Authentication - suspect it came in through poor hygiene, e.g. use of unmanaged USB, email with phished content. Consider 2FA for local and remote administration.

Hygiene - Remote management via VPN is good but it should be augmented with NAC. It checks for health integrity before granting connection from the quarantine segment. The latter is the default segment for all unauthorised machines in their initial connection to the network.

Audit trails - Check for early hints of error and anomalous administrator activity in the log, assuming it is enabled for account access and file access.

Application whitelisting is a critical add-on to reduce attack surface. Hope the FAQ helps: https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html

PS - Do change the user account login if not done so...
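
One way to run the audit-trail check suggested above, as an added example that is not part of the original thread: it scans exported Windows event rows for an MsiInstaller product-removal event (ID 1034) that names the antivirus shortly after an off-hours privileged logon (ID 4672). The sample rows, host and account names, product string, business hours and 15-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

PRIV_LOGON = 4672   # Security log: special privileges assigned to new logon
MSI_REMOVED = 1034  # Application log (MsiInstaller): product removed

# Constructed sample rows: (time, host, event id, account, message).
EVENTS = [
    ("2018-03-05 10:15:00", "WS07", PRIV_LOGON, "admin.jane", ""),
    ("2018-03-05 10:20:00", "WS07", MSI_REMOVED, "admin.jane", "Product Name: Trend Micro Agent"),
    ("2018-03-10 19:02:11", "FS01", PRIV_LOGON, "svc_backup", ""),
    ("2018-03-10 19:03:40", "FS01", MSI_REMOVED, "svc_backup", "Product Name: Trend Micro Agent"),
    ("2018-03-10 19:05:02", "DC01", PRIV_LOGON, "svc_backup", ""),
    ("2018-03-10 19:06:30", "BKP01", PRIV_LOGON, "Administrator", ""),
    ("2018-03-10 19:07:10", "BKP01", MSI_REMOVED, "Administrator", "Product Name: Trend Micro Agent"),
]

def off_hours(ts, start=7, end=19):
    """True on weekends or outside start..end local time (assumed business hours)."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def find_av_removals(events, admin_accounts, av_name="trend micro", window_min=15):
    """Flag hosts where the AV product was removed shortly after an
    off-hours privileged logon by an admin or service account."""
    admins = {a.lower() for a in admin_accounts}
    last_logon = {}  # host -> (time, account) of latest off-hours privileged logon
    hits = []
    # ISO-style timestamps sort chronologically as strings.
    for raw_ts, host, event_id, account, msg in sorted(events):
        ts = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S")
        if event_id == PRIV_LOGON and account.lower() in admins and off_hours(ts):
            last_logon[host] = (ts, account)
        elif event_id == MSI_REMOVED and av_name in msg.lower() and host in last_logon:
            logon_ts, logon_acct = last_logon[host]
            if ts - logon_ts <= timedelta(minutes=window_min):
                hits.append((host, logon_acct, raw_ts))
    return hits

if __name__ == "__main__":
    admins = ["admin.jane", "svc_backup", "Administrator"]
    for host, account, when in find_av_removals(EVENTS, admins):
        print(f"{when} {host}: AV removed after off-hours logon by {account}")
```

The weekday removal on WS07 is not flagged because the logon falls inside business hours, and DC01 is not flagged because no antivirus removal follows the logon.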
ajdratch, Author, commented:
These links were very informative. In this case the users did not have local admin rights. Most of my clients need local admin rights to run various 3rd party software.
gilnov, Systems Administrator, commented:
Google "principle of least privilege" for more info. It is very bad security practice to operate a computer full time while logged in to an admin account. UAC helps but is not a security barrier (users will just reflexively hit the "Yes, infect me please" button).

What you should advise clients to do is log in with a standard user account and type in the password for an admin account any time they need to do something that requires admin rights. It's a bit of a hassle but miles closer to secure computing.
btan, Exec Consultant, commented:
Users should not be allowed to install software, as it also means doing malware a favour, as it makes their job easier, skipping the step to escalate privileges during its infection cycle.

When an organization does not remove administrator rights, users can change system settings, which affects compliance to regulatory standards. Failure to meet standards can result in more audits and remediation work.

Assuming a Windows machine, there can be something to do this restricted access to users: https://social.technet.microsoft.com/Forums/windowsserver/en-US/45de4290-c66c-4353-8b46-f5c3bcc1b710/how-can-i-remove-my-users-from-local-admin-rights-with-a-gpo?forum=winserverGP