This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.
2003 Server infected with Ransomware
Hi there, Folks
I have a Windows 2003 server which we run for a customer. Someone, somehow has managed to get the server infected with the .libbywovas@dr.com.gr3g files ransomware and boy has it made a hash of the server.
I'm looking for help getting the server back to a state where I am able to login. I'm told I can manually remove the ransomware by logging in safe mode. However, logging in in safe mode requires F8 to be sent while in boot stage. I'm finding this impossible because the server is a VPS (VMWare) and it doesn't seem to let me send the F8.
Does anyone know how to get this server cleaned? I would sincerely appreciate the help.
Best wishes
Chris
I have a Windows 2003 server which we run for a customer. Someone, somehow has managed to get the server infected with the .libbywovas@dr.com.gr3g files ransomware and boy has it made a hash of the server.
I'm looking for help getting the server back to a state where I am able to login. I'm told I can manually remove the ransomware by logging in safe mode. However, logging in in safe mode requires F8 to be sent while in boot stage. I'm finding this impossible because the server is a VPS (VMWare) and it doesn't seem to let me send the F8.
Does anyone know how to get this server cleaned? I would sincerely appreciate the help.
Best wishes
Chris
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now...
Hi Ken,
My suggestion would be not to bother.
Server 2003 is so old that it is not even a joke - it has no support, including security updates.
The time (and implicitly, if not explicit, dollars) that you would spend getting it back, would leave you with a Server 2003 machine still, and you can never trust that machine again no matter what anyone or any anti-malware vendor might like to get you to believe.
Purchase Server 2016, restore the data from backup, and have a much better outcome.
Alan.
My suggestion would be not to bother.
Server 2003 is so old that it is not even a joke - it has no support, including security updates.
The time (and implicitly, if not explicit, dollars) that you would spend getting it back, would leave you with a Server 2003 machine still, and you can never trust that machine again no matter what anyone or any anti-malware vendor might like to get you to believe.
Purchase Server 2016, restore the data from backup, and have a much better outcome.
Alan.
For the F8 bit VMWare does allow this as the guest launches
https://kb.vmware.com/s/article/1004011
Restoring from backup once you've disinfected is the best option.
https://kb.vmware.com/s/article/1004011
Restoring from backup once you've disinfected is the best option.
How to clean the server? Restore from backup of course. You do have current backups right?
Next....GET RID OF THAT SERVER. It is YEARS out of support.
Next....GET RID OF THAT SERVER. It is YEARS out of support.
As other experts have already stated here, you're better off restoring from backup on a newer server version. It doesn't have to be the latest and greatest, but it should at the very least be a supported server software. You CAN fix this for the customer, but you're going to cost them a lot of money only for this to potentially happen again. It's only a matter of time. Put the cost towards getting them to a more modern state, it will save them a lot of headache in the future.
Hi Folks and thanks for the fast responses:
@parshu ram sharma: I cannot create a new file as the Windows File Explorer app has been encrypted and cannot be launched.
@Alan: This is a customer server. I have tried to get them to upgrade but have not succeeded. Easy to say "dump it" but it has data on it that I would need to try and restore even if I was going to dump the server.
@☠ MASQ ☠: Thank you for the link. I'll have a look at that. I'm using a MAC which does increase the complication as I have to send fn+F8 which is slow.
@Scott C: The backups I have are only kept for 7 days and sadly they only picked this up now. The server has obviously been infected for longer than 7 days as my oldest backup has the ransomware infection on it. Good suggestion though... if I had a backup without the infection.
Looking forward to some further comments and ideas.
Cheers
Chris
@parshu ram sharma: I cannot create a new file as the Windows File Explorer app has been encrypted and cannot be launched.
@Alan: This is a customer server. I have tried to get them to upgrade but have not succeeded. Easy to say "dump it" but it has data on it that I would need to try and restore even if I was going to dump the server.
@☠ MASQ ☠: Thank you for the link. I'll have a look at that. I'm using a MAC which does increase the complication as I have to send fn+F8 which is slow.
@Scott C: The backups I have are only kept for 7 days and sadly they only picked this up now. The server has obviously been infected for longer than 7 days as my oldest backup has the ransomware infection on it. Good suggestion though... if I had a backup without the infection.
Looking forward to some further comments and ideas.
Cheers
Chris
Hi Chris,
If there is no backup, then they are essentially up the proverbial creek.
You *might* be able to decrypt if you spend some time searching on the net, but often not.
They *could* pay the ransom, but I strongly advise not to do that, plus there is no guarantee that they will get it decrypted anyway.
They should talk to their insurance broker - it is possible they might be covered for something like this (bit of a long shot, but no harm in asking).
From what you say, I would suggest they make a copy of everything (in case decryption becomes possible later), and start the process of setting up a new server.
Alan.
If there is no backup, then they are essentially up the proverbial creek.
You *might* be able to decrypt if you spend some time searching on the net, but often not.
They *could* pay the ransom, but I strongly advise not to do that, plus there is no guarantee that they will get it decrypted anyway.
They should talk to their insurance broker - it is possible they might be covered for something like this (bit of a long shot, but no harm in asking).
From what you say, I would suggest they make a copy of everything (in case decryption becomes possible later), and start the process of setting up a new server.
Alan.
The ransomware is a YYTO variant so there's no realistic chance of data recovery, without a backup you will need to rebuild :(
Be aware that it is not uncommon for businesses to go under due to this kind of thing, and if creditors lose money, then it is very common that the directors will be pursued for negligence (especially if you have advised them to upgrade to a supported server OS and they refused).
You might want to distance yourself from the fallout.
Alan.
You might want to distance yourself from the fallout.
Alan.
Hi there
Does the link I'm about to paste below look reasonable?
https://sensorstechforum.com/libbywovasdr-com-gr3g-files-virus-remove-restore-files/
I've just looked at the files within the backup and they are all encrypted in there as well so there's another plan down the drain.
Cheers
Chris
Does the link I'm about to paste below look reasonable?
https://sensorstechforum.com/libbywovasdr-com-gr3g-files-virus-remove-restore-files/
I've just looked at the files within the backup and they are all encrypted in there as well so there's another plan down the drain.
Cheers
Chris
Unfortunately when dealing with most any ransom-based malware attack the odds of you recovering data that you don't already have backups for is pretty slim. I would say you MAY be able to send it off to a recovery service but this will only be useful if the service has successfully decrypted this specific attack before (Which again, is stepping into unlikely waters). Now is the perfect time to play your hand and strongly push for an upgrade. If they still refuse to do so, like Alan stated, it would be a good idea to distance yourself. The last thing you want to have happen is have your name dropped when the auditors ask "Why?"
I have informed them that one of their users has had to have clicked on a link or downloaded an infected file or Email to make this happen. They were thinking of decommissioning the server at the end of the month but I'm pretty sure they wanted the database data etc off of it.
I'm assuming that because the SQL files are all encrypted that's a non-starter too?
Cheers
Chris
I'm assuming that because the SQL files are all encrypted that's a non-starter too?
Cheers
Chris
Again, it's technically possible to recover this data but generally you need a file off of the machine in question that is prior to the encryption. If you don't have any clean backups from the server, then the prognosis is bleak. Recovery Service is a POTENTIAL option, but you have to find one that has had success with this specific attack. All attacks tend to vary in some small, but meaningful way. If you luck into a service that has the decryption key you may hit a homerun, but that's going to be such a small percentage it's almost not worth the labor to find one.
Hi Chris,
My experience is that you are highly unlikely to be able to recover that SQL data.
What can we say that you probably haven't told them many times over the months / years? They needed to have a proper backup regime in place, and they ignored the professional advice they received.
Like having a car crash, then wishing they hadn't decided the premiums were too high to warrant insurance - they made a decision, and now they have to live (or die) with the consequences of the decision they made.
I realise this sounds harsh, but those premiums were spent elsewhere - if the owner(s) had a holiday in the last few years, or bought coffees or whatever, that could have paid for a proper backup system with multiple offsite drives etc.
I am still inclined to say that you should walk (run) away from this mess lest your reputation gets damaged - the directors won't admit to having received good advice, especially if it means that they are more liable for creditor losses, and they may choose to blame you.
On that note, assuming that *you* have PI insurance, you should make sure your broker is up to speed on this as you almost certainly have a duty to disclose immediately you know there could be any chance of a claim against you.
Alan.
My experience is that you are highly unlikely to be able to recover that SQL data.
What can we say that you probably haven't told them many times over the months / years? They needed to have a proper backup regime in place, and they ignored the professional advice they received.
Like having a car crash, then wishing they hadn't decided the premiums were too high to warrant insurance - they made a decision, and now they have to live (or die) with the consequences of the decision they made.
I realise this sounds harsh, but those premiums were spent elsewhere - if the owner(s) had a holiday in the last few years, or bought coffees or whatever, that could have paid for a proper backup system with multiple offsite drives etc.
I am still inclined to say that you should walk (run) away from this mess lest your reputation gets damaged - the directors won't admit to having received good advice, especially if it means that they are more liable for creditor losses, and they may choose to blame you.
On that note, assuming that *you* have PI insurance, you should make sure your broker is up to speed on this as you almost certainly have a duty to disclose immediately you know there could be any chance of a claim against you.
Alan.
Does the link I'm about to paste below look reasonable?
The https://sensorstechforum.com site is a marketing outlet for Enigma's Spyhunter software. The information on infections is on the whole accurate but for each infection they index you'll find the clean-up process is the same: "Buy Spyhunter".
Yes, that will remove the infective vector but it won't undo the encryption.
The https://sensorstechforum.com site is a marketing outlet for Enigma's Spyhunter software. The information on infections is on the whole accurate but for each infection they index you'll find the clean-up process is the same: "Buy Spyhunter".
Yes, that will remove the infective vector but it won't undo the encryption.
I'm using a MAC which does increase the complication as I have to send fn+F8 which is slow.Change your default keyboard behavior to function keys in System Preferences -> Keyboard
If you have a Sierra or newer, you can set individual apps to have Function keys by default and keep others apps with the standard Mac Media keys. System Preferences -> Keyboard -> Shortcut -> Functino Keys -> Add an App with the + button.
Looks as though Safe Mode has been disabled as I cannot boot into safe mode with networking or with command prompt. I think we're done!
Thanks for the help folks. Not sure how really to allocate points as there hasn't been a solution but will do my best.
Cheers
Chris
Thanks for the help folks. Not sure how really to allocate points as there hasn't been a solution but will do my best.
Cheers
Chris
Premium Content
You need an Expert Office subscription to comment.Start Free Trial