Chris Kenward

2003 Server infected with Ransomware

Hi there, Folks

I have a Windows 2003 server which we run for a customer. Someone, somehow has managed to get the server infected with the .libbywovas@dr.com.gr3g files ransomware and boy has it made a hash of the server.

I'm looking for help getting the server back to a state where I am able to login. I'm told I can manually remove the ransomware by logging in safe mode. However, logging in in safe mode requires F8 to be sent while in boot stage. I'm finding this impossible because the server is a VPS (VMWare) and it doesn't seem to let me send the F8.

Does anyone know how to get this server cleaned? I would sincerely appreciate the help.

Best wishes
Chris
Ransomware, Windows OS, Windows Server 2003, Security

Last comment: Chris Kenward, 8/22/2022 - Mon
parshu ram sharma

Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now...
Alan

Hi Ken,

My suggestion would be not to bother.

Server 2003 is so old that it is not even a joke - it has no support, including security updates.

The time (and implicitly, if not explicit, dollars) that you would spend getting it back, would leave you with a Server 2003 machine still, and you can never trust that machine again no matter what anyone or any anti-malware vendor might like to get you to believe.

Purchase Server 2016, restore the data from backup, and have a much better outcome.

Alan.
SOLUTION
☠ MASQ ☠

Scott C

How to clean the server?  Restore from backup of course.  You do have current backups right?

Next....GET RID OF THAT SERVER.  It is YEARS out of support.
parshu ram sharma

You may try this at your own risk; I got to know of it from Google research.
SOLUTION
William Miller

Chris Kenward

ASKER
Hi Folks and thanks for the fast responses:

@parshu ram sharma: I cannot create a new file as the Windows File Explorer app has been encrypted and cannot be launched.

@Alan: This is a customer server. I have tried to get them to upgrade but have not succeeded. Easy to say "dump it" but it has data on it that I would need to try and restore even if I was going to dump the server.

@☠ MASQ ☠: Thank you for the link. I'll have a look at that. I'm using a Mac, which does increase the complication as I have to send fn+F8, which is slow.

@Scott C: The backups I have are only kept for 7 days and sadly they only picked this up now. The server has obviously been infected for longer than 7 days as my oldest backup has the ransomware infection on it. Good suggestion though... if I had a backup without the infection.

Looking forward to some further comments and ideas.

Cheers
Chris
SOLUTION
Alan

SOLUTION
☠ MASQ ☠

Alan

Be aware that it is not uncommon for businesses to go under due to this kind of thing, and if creditors lose money, then it is very common that the directors will be pursued for negligence (especially if you have advised them to upgrade to a supported server OS and they refused).

You might want to distance yourself from the fallout.

Alan.
Chris Kenward

ASKER
Hi there

Does the link I'm about to paste below look reasonable?

https://sensorstechforum.com/libbywovasdr-com-gr3g-files-virus-remove-restore-files/

I've just looked at the files within the backup and they are all encrypted in there as well so there's another plan down the drain.

Cheers
Chris
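Chris's finding that the backup copies are encrypted too raises the question of how far back the encryption goes. The following is an added Python example, not code from the thread or from any of its participants: it walks a mounted backup copy, counts files carrying the suffix named in the question, and reports the earliest modification time seen on them, so each backup generation can be checked for whether it was taken before encryption began. The directory layout and timestamps in build_sample_tree are constructed for the demonstration.

```python
import os
import tempfile

# File suffix quoted in the question; matched case-insensitively on the name.
RANSOM_SUFFIX = ".libbywovas@dr.com.gr3g"

def scan_backup(root):
    """Walk a mounted backup; return counts of renamed vs untouched files and
    the earliest/latest mtime of renamed files (POSIX seconds, None if none).
    The earliest mtime bounds when encryption began on this copy."""
    renamed, untouched = [], 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(RANSOM_SUFFIX):
                renamed.append(os.path.getmtime(path))
            else:
                untouched += 1
    return {
        "encrypted": len(renamed),
        "untouched": untouched,
        "earliest_ts": min(renamed) if renamed else None,
        "latest_ts": max(renamed) if renamed else None,
    }

def backup_predates_encryption(backup_taken_ts, summary):
    """True when the backup was taken before the earliest renamed file was
    written, so that generation may still hold unencrypted data."""
    return summary["earliest_ts"] is None or backup_taken_ts < summary["earliest_ts"]

def build_sample_tree():
    """Constructed sample backup: two renamed SQL files and one clean file."""
    root = tempfile.mkdtemp(prefix="bk_")
    os.makedirs(os.path.join(root, "sql"))
    samples = {  # relative path -> mtime (constructed values)
        "sql/customers.mdf" + RANSOM_SUFFIX: 1660000000,
        "sql/ledger.ldf" + RANSOM_SUFFIX: 1660100000,
        "readme.txt": 1650000000,
    }
    for rel, mtime in samples.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(b"constructed sample content")
        os.utime(path, (mtime, mtime))
    return root
```

Run scan_backup against each retained backup generation; a generation whose timestamp is older than earliest_ts (and that itself reports zero renamed files) is the one to restore from.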
William Miller

Unfortunately when dealing with most any ransom-based malware attack the odds of you recovering data that you don't already have backups for is pretty slim. I would say you MAY be able to send it off to a recovery service but this will only be useful if the service has successfully decrypted this specific attack before (Which again, is stepping into unlikely waters). Now is the perfect time to play your hand and strongly push for an upgrade. If they still refuse to do so, like Alan stated, it would be a good idea to distance yourself. The last thing you want to have happen is have your name dropped when the auditors ask "Why?"
Chris Kenward

ASKER
I have informed them that one of their users has had to have clicked on a link or downloaded an infected file or Email to make this happen. They were thinking of decommissioning the server at the end of the month but I'm pretty sure they wanted the database data etc off of it.

I'm assuming that because the SQL files are all encrypted that's a non-starter too?

Cheers
Chris
SOLUTION
William Miller

Alan

Hi Chris,

My experience is that you are highly unlikely to be able to recover that SQL data.

What can we say that you probably haven't told them many times over the months / years?  They needed to have a proper backup regime in place, and they ignored the professional advice they received.

Like having a car crash, then wishing they hadn't decided the premiums were too high to warrant insurance - they made a decision, and now they have to live (or die) with the consequences of the decision they made.

I realise this sounds harsh, but those premiums were spent elsewhere - if the owner(s) had a holiday in the last few years, or bought coffees or whatever, that could have paid for a proper backup system with multiple offsite drives etc.


I am still inclined to say that you should walk (run) away from this mess lest your reputation gets damaged - the directors won't admit to having received good advice, especially if it means that they are more liable for creditor losses, and they may choose to blame you.

On that note, assuming that *you* have PI insurance, you should make sure your broker is up to speed on this as you almost certainly have a duty to disclose immediately you know there could be any chance of a claim against you.

Alan.
ASKER CERTIFIED SOLUTION
☠ MASQ ☠

SOLUTION
serialband

Chris Kenward

ASKER
Looks as though Safe Mode has been disabled as I cannot boot into safe mode with networking or with command prompt. I think we're done!

Thanks for the help folks. Not sure how really to allocate points as there hasn't been a solution but will do my best.

Cheers
Chris
☠ MASQ ☠

In fairness Chris, with the scenario you described, a solution that was going to recover the server was never really an option.
Chris Kenward

ASKER
True! Thanks to all for your responses that helped get to where we are at the moment.

All the best
Chris