2003 Server infected with Ransomware

Hi there, Folks

I have a Windows 2003 server which we run for a customer. Someone, somehow has managed to get the server infected with the .libbywovas@dr.com.gr3g files ransomware and boy has it made a hash of the server.

I'm looking for help getting the server back to a state where I am able to login. I'm told I can manually remove the ransomware by logging in under safe mode. However, logging in under safe mode requires F8 to be sent during the boot stage. I'm finding this impossible because the server is a VPS (VMware) and it doesn't seem to let me send the F8.

Does anyone know how to get this server cleaned? I would sincerely appreciate the help.

Best wishes
Chris
kenwardc Asked:
 
☠ MASQ ☠ Commented:

The https://sensorstechforum.com site is a marketing outlet for Enigma's Spyhunter software. The information on infections is on the whole accurate, but for each infection they index you'll find the clean-up process is the same: "Buy Spyhunter".
Yes, that will remove the infective vector but it won't undo the encryption.
0
 
parshu ram sharma Commented:
Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now...
0
 
Alan (Consultant) Commented:
Hi Ken,

My suggestion would be not to bother.

Server 2003 is so old that it is not even a joke - it has no support, including security updates.

The time (and implicitly, if not explicit, dollars) that you would spend getting it back, would leave you with a Server 2003 machine still, and you can never trust that machine again no matter what anyone or any anti-malware vendor might like to get you to believe.

Purchase Server 2016, restore the data from backup, and have a much better outcome.

Alan.
3

 
☠ MASQ ☠ Commented:
For the F8 bit, VMware does allow this as the guest launches:
https://kb.vmware.com/s/article/1004011
Restoring from backup once you've disinfected is the best option.
1
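The usual way to make the F8 window reachable on a VMware guest is to have the guest pause at POST before it boots. As an added example (not code from the thread or from the VMware KB article above), the script below sets VMware's `bios.bootDelay` option, which is the number of milliseconds the virtual BIOS waits before booting, in a `.vmx` file. `SAMPLE_VMX` is a constructed, minimal `.vmx`; the assumptions are that the VM is powered off while the file is edited (a running VM rewrites its `.vmx` when it shuts down) and that `.vmx` keys can be matched case-insensitively.

```python
"""Give a VMware guest a visible POST pause so F8 can be pressed in time.

Added example, not from the thread or from VMware's documentation.
bios.bootDelay is VMware's .vmx option for the number of milliseconds the
guest waits at POST before booting. SAMPLE_VMX is a constructed, minimal
.vmx used only to exercise the functions.
Assumption: the VM is powered off while the .vmx is edited.
"""
import re
from pathlib import Path

BOOT_DELAY_KEY = "bios.bootDelay"

# Constructed sample .vmx (not a real customer file).
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "13"
displayName = "win2003-customer"
guestOS = "winnetstandard"
'''


def _key_pattern(key):
    # Assumption: .vmx keys are compared case-insensitively, so a stray
    # "BIOS.BOOTDELAY" line is treated as the same setting.
    return re.compile(
        r'^\s*' + re.escape(key) + r'\s*=\s*"?([^"\r\n]*?)"?\s*$',
        re.IGNORECASE,
    )


def get_vmx_option(vmx_text, key):
    """Return the value of `key` in the .vmx text, or None if it is absent."""
    pat = _key_pattern(key)
    for line in vmx_text.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1)
    return None


def set_vmx_option(vmx_text, key, value):
    """Return vmx_text with `key = "value"` present exactly once.

    Other lines are kept verbatim; duplicate definitions of `key` are
    collapsed so the file cannot end up with conflicting values.
    """
    pat = _key_pattern(key)
    out, done = [], False
    for line in vmx_text.splitlines():
        if pat.match(line):
            if not done:
                out.append(f'{key} = "{value}"')
                done = True
            continue  # drop any further definition of the same key
        out.append(line)
    if not done:
        out.append(f'{key} = "{value}"')
    return "\n".join(out) + "\n"


def set_boot_delay(vmx_path, milliseconds=5000):
    """Rewrite the .vmx on disk with a POST delay and return the new text.

    5000 ms is long enough to press F8 over a slow console session; the
    delay only affects POST, so it costs nothing once the OS is booting.
    """
    path = Path(vmx_path)
    new_text = set_vmx_option(
        path.read_text(encoding="utf-8"), BOOT_DELAY_KEY, str(milliseconds)
    )
    path.write_text(new_text, encoding="utf-8")
    return new_text


if __name__ == "__main__":
    print(set_vmx_option(SAMPLE_VMX, BOOT_DELAY_KEY, "5000"))
```

Run it against a copy of the guest's `.vmx` with the VM powered off, then power on and watch the console: the guest sits at the VMware BIOS banner for the configured delay, which is where F8 has to be sent. Remove or shorten the delay afterwards so every later boot is not slowed.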
 
Scott C (Senior Systems Engineer) Commented:
How to clean the server?  Restore from backup of course.  You do have current backups right?

Next....GET RID OF THAT SERVER.  It is YEARS out of support.
0
 
parshu ram sharma Commented:
You may try this at your own risk.
I got to know of it from Google research.
0
 
William Miller (Inventory/IT Consultant) Commented:
As other experts have already stated here, you're better off restoring from backup on a newer server version. It doesn't have to be the latest and greatest, but it should at the very least be a supported server software. You CAN fix this for the customer, but you're going to cost them a lot of money only for this to potentially happen again. It's only a matter of time. Put the cost towards getting them to a more modern state, it will save them a lot of headache in the future.
0
 
kenwardc (Author) Commented:
Hi Folks and thanks for the fast responses:

@parshu ram sharma: I cannot create a new file as the Windows File Explorer app has been encrypted and cannot be launched.

@Alan: This is a customer server. I have tried to get them to upgrade but have not succeeded. Easy to say "dump it" but it has data on it that I would need to try and restore even if I was going to dump the server.

@☠ MASQ ☠: Thank you for the link. I'll have a look at that. I'm using a Mac, which does increase the complication as I have to send fn+F8, which is slow.

@Scott C: The backups I have are only kept for 7 days and sadly they only picked this up now. The server has obviously been infected for longer than 7 days as my oldest backup has the ransomware infection on it. Good suggestion though... if I had a backup without the infection.

Looking forward to some further comments and ideas.

Cheers
Chris
0
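The backup problem above is the one that decides the outcome: the files in every retained generation already carry the ransomware extension, so the last clean copy aged out before anyone looked. As an added example, not code from the thread, the script below walks a set of daily backup generations, counts files carrying the extension named in the original post, reports the newest generation that is still clean, and uses the modification time of the encrypted copies to estimate how long ago the encryptor ran. The backup tree is constructed sample data: `demo()` replays the thread's situation (7-day retention, encryption about 10 days ago) beside a 14-day retention that would still have held a clean copy. The mtime estimate is only a hint, since backup software can reset timestamps and malware can forge them.

```python
"""Find the last clean backup generation and estimate when encryption began.

Added example; not code from the thread or from any vendor. RANSOM_EXT is
the extension named in the original post. The backup tree below is
constructed sample data standing in for daily generations of the server.
"""
import os
import tempfile
import time
from pathlib import Path

RANSOM_EXT = ".libbywovas@dr.com.gr3g"  # marker from the post; not a complete IOC set
DAY = 86400


def scan_generation(root, ext=RANSOM_EXT, now=None):
    """Walk one backup generation and count files carrying `ext`.

    The earliest mtime among the encrypted copies estimates when encryption
    started, because a file-level backup keeps the mtime the encryptor wrote
    on the live server. Caveat: backup tools can reset mtimes and malware can
    forge them, so treat the figure as a hint, not evidence.
    """
    now = time.time() if now is None else now
    root = Path(root)
    hits, total = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if name.lower().endswith(ext.lower()):
                path = Path(dirpath) / name
                hits.append((path.stat().st_mtime, str(path.relative_to(root))))
    hits.sort()
    return {
        "generation": root.name,
        "total_files": total,
        "encrypted_files": len(hits),
        "earliest_encrypted_age_days": int(round((now - hits[0][0]) / DAY)) if hits else None,
        "sample": [rel for _, rel in hits[:5]],
    }


def last_clean_generation(generations, ext=RANSOM_EXT):
    """Newest generation (roots given oldest to newest) with no encrypted files, else None."""
    clean = None
    for root in generations:
        if scan_generation(root, ext)["encrypted_files"] == 0:
            clean = Path(root).name
    return clean


def build_sample_backups(base, days_retained, infected_age_days, now=None):
    """Constructed data: one directory per daily generation, oldest first.

    Generations younger than `infected_age_days` hold encrypted copies whose
    mtime is the simulated encryption time on the server, not the backup time.
    """
    now = time.time() if now is None else now
    encrypted_at = now - infected_age_days * DAY
    original_at = now - 30 * DAY
    roots = []
    for age in range(days_retained, 0, -1):
        gen = Path(base) / f"backup-{age}d"
        (gen / "sql").mkdir(parents=True)
        (gen / "docs").mkdir(parents=True)
        if age >= infected_age_days:  # backup taken before the encryptor ran
            for rel in ("sql/customer.mdf", "docs/report.docx"):
                p = gen / rel
                p.write_bytes(b"clean sample data")
                os.utime(p, (original_at, original_at))
        else:  # backup of the already-encrypted server plus its ransom note
            for rel in ("sql/customer.mdf" + RANSOM_EXT, "docs/report.docx" + RANSOM_EXT):
                p = gen / rel
                p.write_bytes(b"\xde\xad\xbe\xef")
                os.utime(p, (encrypted_at, encrypted_at))
            note = gen / "docs" / "HOW_TO_RESTORE.txt"
            note.write_text("constructed ransom note")
            os.utime(note, (encrypted_at, encrypted_at))
        roots.append(gen)
    return roots


def demo():
    """Replay the thread (7-day retention, encryption ~10 days ago) next to a
    14-day retention that would still have held a clean generation."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        short = build_sample_backups(Path(tmp) / "short", 7, 10, now)
        long_ = build_sample_backups(Path(tmp) / "long", 14, 10, now)
        return {
            "short_last_clean": last_clean_generation(short),
            "short_newest": scan_generation(short[-1], now=now),
            "long_last_clean": last_clean_generation(long_),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Pointed at real backup roots (oldest first), `last_clean_generation` answers the question that mattered here before any restore is attempted, and `earliest_encrypted_age_days` on the newest generation says roughly how far back a clean copy would have had to be kept; in the replayed case it is about 10 days against a 7-day retention, which is why every generation came back tainted.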
 
Alan (Consultant) Commented:
Hi Chris,

If there is no backup, then they are essentially up the proverbial creek.

You *might* be able to decrypt if you spend some time searching on the net, but often not.

They *could* pay the ransom, but I strongly advise not to do that, plus there is no guarantee that they will get it decrypted anyway.

They should talk to their insurance broker - it is possible they might be covered for something like this (bit of a long shot, but no harm in asking).


From what you say, I would suggest they make a copy of everything (in case decryption becomes possible later), and start the process of setting up a new server.

Alan.
0
 
☠ MASQ ☠ Commented:
The ransomware is a YYTO variant so there's no realistic chance of data recovery, without a backup you will need to rebuild :(
0
 
Alan (Consultant) Commented:
Be aware that it is not uncommon for businesses to go under due to this kind of thing, and if creditors lose money, then it is very common that the directors will be pursued for negligence (especially if you have advised them to upgrade to a supported server OS and they refused).

You might want to distance yourself from the fallout.

Alan.
0
 
kenwardc (Author) Commented:
Hi there

Does the link I'm about to paste below look reasonable?

https://sensorstechforum.com/libbywovasdr-com-gr3g-files-virus-remove-restore-files/

I've just looked at the files within the backup and they are all encrypted in there as well so there's another plan down the drain.

Cheers
Chris
0
 
William Miller (Inventory/IT Consultant) Commented:
Unfortunately when dealing with most any ransom-based malware attack the odds of you recovering data that you don't already have backups for is pretty slim. I would say you MAY be able to send it off to a recovery service but this will only be useful if the service has successfully decrypted this specific attack before (Which again, is stepping into unlikely waters). Now is the perfect time to play your hand and strongly push for an upgrade. If they still refuse to do so, like Alan stated, it would be a good idea to distance yourself. The last thing you want to have happen is have your name dropped when the auditors ask "Why?"
0
 
kenwardc (Author) Commented:
I have informed them that one of their users has had to have clicked on a link or downloaded an infected file or Email to make this happen. They were thinking of decommissioning the server at the end of the month but I'm pretty sure they wanted the database data etc off of it.

I'm assuming that because the SQL files are all encrypted that's a non-starter too?

Cheers
Chris
0
 
William Miller (Inventory/IT Consultant) Commented:
Again, it's technically possible to recover this data but generally you need a file off of the machine in question that is prior to the encryption. If you don't have any clean backups from the server, then the prognosis is bleak. Recovery Service is a POTENTIAL option, but you have to find one that has had success with this specific attack. All attacks tend to vary in some small, but meaningful way. If you luck into a service that has the decryption key you may hit a homerun, but that's going to be such a small percentage it's almost not worth the labor to find one.
0
 
Alan (Consultant) Commented:
Hi Chris,

My experience is that you are highly unlikely to be able to recover that SQL data.

What can we say that you probably haven't told them many times over the months / years?  They needed to have a proper backup regime in place, and they ignored the professional advice they received.

Like having a car crash, then wishing they hadn't decided the premiums were too high to warrant insurance - they made a decision, and now they have to live (or die) with the consequences of the decision they made.

I realise this sounds harsh, but those premiums were spent elsewhere - if the owner(s) had a holiday in the last few years, or bought coffees or whatever, that could have paid for a proper backup system with multiple offsite drives etc.


I am still inclined to say that you should walk (run) away from this mess lest your reputation gets damaged - the directors won't admit to having received good advice, especially if it means that they are more liable for creditor losses, and they may choose to blame you.

On that note, assuming that *you* have PI insurance, you should make sure your broker is up to speed on this as you almost certainly have a duty to disclose immediately you know there could be any chance of a claim against you.

Alan.
0
 
serialband Commented:
"I'm using a Mac which does increase the complication as I have to send fn+F8 which is slow."
Change your default keyboard behaviour to function keys in System Preferences -> Keyboard.
If you have Sierra or newer, you can set individual apps to have function keys by default and keep other apps with the standard Mac media keys: System Preferences -> Keyboard -> Shortcuts -> Function Keys -> add an app with the + button.
0
 
kenwardc (Author) Commented:
Looks as though Safe Mode has been disabled as I cannot boot into safe mode with networking or with command prompt. I think we're done!

Thanks for the help folks. Not sure how really to allocate points as there hasn't been a solution but will do my best.

Cheers
Chris
0
 
☠ MASQ ☠ Commented:
In fairness Chris, with the scenario you described, a solution that was going to recover the server was never really an option.
0
 
kenwardc (Author) Commented:
True! Thanks to all for your responses that helped get to where we are at the moment.

All the best
Chris
0