I'm trying to identify a ransomware virus that hit a network. I believe it is the “FakeGlobe” virus. Aside from not knowing how it got on the network, there are other things I cannot figure out. The more I know, the better I can protect this network. We did have backups replicated offsite, so we are good. It just took a lot of work rebuilding servers and restoring data.
This virus uninstalled TrendMicro on servers and workstations. It then ran on those devices. This created a unique encryption on each one. If they had paid to get it decrypted, they would have had to pay for each computer separately. It appears it did not rely on shared drives to spread.
It also infected a server that was off the domain. The administrator account password was not the same as the administrator password on the network. I have no idea how they could have gotten to that.
There are only three people with domain admin rights and there are service accounts with domain admin rights. None of the three users were on the network when it hit on a Saturday evening. Passwords for the accounts with administrator rights were not changed. This means they had to find a way to read the passwords.
I did see information about the Pony Botnet that may have been used: https://thehackernews.com/2014/02/pony-botnet-steals-220000-from-multiple.html
I’m just looking for thoughts and ideas on how this could have happened so I can prevent it from happening again. I’d like to know if it was done manually by someone gaining access to a computer, or whether they managed to run scripts that did all the damage. If they got to a computer, we may need to disable remote access. Many of the users have TeamViewer. I saw this post: https://www.teamviewer.com/en/company/press/statement-on-ransomware-infections-via-teamviewer/
Another thing I need to figure out is how to prevent unprotected computers from getting VPN access. We have a SonicWall firewall. We use both the Global VPN client and NetExtender.
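Two of the signals described in the post (the AV product being uninstalled, and privileged accounts logging on when no admin was working) can be watched for in Windows event logs. The following is an added example, not code from the original post: a small Python triage script over constructed, simplified event lines (the `timestamp|host|event_id|message` format, the host names, and the `svc_backup` service account are all assumptions for the sample; real EVTX exports would need their own parser).

```python
import re
from datetime import datetime

# Constructed sample events (not from the post). Event ID 1034 is the
# MsiInstaller "removed the product" event; 4624 is a successful logon.
SAMPLE_EVENTS = """\
2017-10-14 19:42:10|FS01|1034|Windows Installer removed the product. Product Name: Trend Micro OfficeScan Client.
2017-10-14 19:43:05|FS01|4624|An account was successfully logged on. Account Name: svc_backup Logon Type: 10
2017-10-16 09:05:00|WS22|4624|An account was successfully logged on. Account Name: jsmith Logon Type: 2
2017-10-14 19:50:33|DC01|4624|An account was successfully logged on. Account Name: svc_backup Logon Type: 3
"""

# Assumption: the accounts that hold Domain Admin rights in this environment.
PRIVILEGED = {"svc_backup", "administrator"}
AV_PRODUCT_RE = re.compile(r"Product Name: (Trend Micro[^.]*)")
LOGON_RE = re.compile(r"Account Name: (\S+) Logon Type: (\d+)")


def parse(line):
    """Split one simplified event line into its fields."""
    ts, host, eid, msg = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "eid": int(eid), "msg": msg}


def off_hours(ts):
    """Weekend, or outside 07:00-19:00 on a weekday (assumed business hours)."""
    return ts.weekday() >= 5 or not (7 <= ts.hour < 19)


def find_alerts(text):
    """Return (host, alert_type, detail) tuples for suspicious events."""
    alerts = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        if ev["eid"] == 1034:
            m = AV_PRODUCT_RE.search(ev["msg"])
            if m:  # the endpoint protection product was removed
                alerts.append((ev["host"], "av_removed", m.group(1)))
        elif ev["eid"] == 4624:
            m = LOGON_RE.search(ev["msg"])
            if m and m.group(1).lower() in PRIVILEGED and off_hours(ev["ts"]):
                # Logon type 10 is RemoteInteractive (RDP), 3 is network.
                alerts.append((ev["host"], "offhours_priv_logon",
                               f"{m.group(1)} logon type {m.group(2)}"))
    return alerts


if __name__ == "__main__":
    for host, kind, detail in find_alerts(SAMPLE_EVENTS):
        print(f"{host}: {kind}: {detail}")
```

Forwarding these two event types from every server to a central collector and alerting on them would have given an early warning here, since both happened before the encryption started.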