2003 Server infected with Ransomware

Last Modified: 2017-11-07
Hi there, Folks

I have a Windows 2003 server which we run for a customer. Someone, somehow, has managed to get the server infected with the .libbywovas@dr.com.gr3g files ransomware, and boy has it made a hash of the server.

I'm looking for help getting the server back to a state where I am able to log in. I'm told I can manually remove the ransomware by logging in in Safe Mode. However, logging in in Safe Mode requires F8 to be sent during the boot stage. I'm finding this impossible because the server is a VPS (VMware) and it doesn't seem to let me send the F8.

Does anyone know how to get this server cleaned? I would sincerely appreciate the help.

Best wishes
Chris

Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now...
Alan, Consultant
CERTIFIED EXPERT

Commented:
Hi Ken,

My suggestion would be not to bother.

Server 2003 is so old that it is not even a joke - it has no support, including security updates.

The time (and implicitly, if not explicit, dollars) that you would spend getting it back, would leave you with a Server 2003 machine still, and you can never trust that machine again no matter what anyone or any anti-malware vendor might like to get you to believe.

Purchase Server 2016, restore the data from backup, and have a much better outcome.

Alan.
Scott C, Senior Engineer
CERTIFIED EXPERT

Commented:
How to clean the server? Restore from backup, of course. You do have current backups, right?

Next... GET RID OF THAT SERVER. It is YEARS out of support.
You may try this at your own risk.
I got to know of it from Google research.
Chris Kenward, IT Tech Support

Author

Commented:
Hi Folks and thanks for the fast responses:

@parshu ram sharma: I cannot create a new file as the Windows File Explorer app has been encrypted and cannot be launched.

@Alan: This is a customer server. I have tried to get them to upgrade but have not succeeded. Easy to say "dump it" but it has data on it that I would need to try and restore even if I was going to dump the server.

@☠ MASQ ☠: Thank you for the link. I'll have a look at that. I'm using a Mac, which does increase the complication as I have to send fn+F8, which is slow.

@Scott C: The backups I have are only kept for 7 days and sadly they only picked this up now. The server has obviously been infected for longer than 7 days as my oldest backup has the ransomware infection on it. Good suggestion though... if I had a backup without the infection.

Looking forward to some further comments and ideas.

Cheers
Chris
Alan, Consultant
CERTIFIED EXPERT

Commented:
Be aware that it is not uncommon for businesses to go under due to this kind of thing, and if creditors lose money, then it is very common that the directors will be pursued for negligence (especially if you have advised them to upgrade to a supported server OS and they refused).

You might want to distance yourself from the fallout.

Alan.
Chris Kenward, IT Tech Support

Author

Commented:
Hi there

Does the link I'm about to paste below look reasonable?

https://sensorstechforum.com/libbywovasdr-com-gr3g-files-virus-remove-restore-files/

I've just looked at the files within the backup and they are all encrypted in there as well so there's another plan down the drain.

Cheers
Chris
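The two posts above about the 7-day retention window and the encrypted files inside the backups come down to one question: does any snapshot predate the infection? The script below is an added example, not code from the thread or from anyone in it. It assumes the backups are mounted as dated directories under one root (ROOT/2017-10-25/..., an assumed layout) and counts files carrying the suffix the ransomware used on this server; the sample tree is constructed inside the script so it runs offline.

```python
# Added example (not from the thread): count ransomware-renamed files per dated
# backup snapshot to find the newest one that predates the infection. Sample tree constructed.
import os
import tempfile
ENCRYPTED_SUFFIX = ".libbywovas@dr.com.gr3g"  # suffix seen on the infected server

def scan_snapshot(path, suffix=ENCRYPTED_SUFFIX):
    """Return (encrypted_files, total_files) for one snapshot directory."""
    encrypted = total = 0
    for _dirpath, _dirs, files in os.walk(path):
        for name in files:
            total += 1
            if name.lower().endswith(suffix.lower()):
                encrypted += 1
    return encrypted, total

def scan_snapshots(root, suffix=ENCRYPTED_SUFFIX):
    """Map each snapshot directory name (ISO date) to its (encrypted, total)."""
    results = {}
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if os.path.isdir(full):
            results[name] = scan_snapshot(full, suffix)
    return results

def newest_clean_snapshot(results):
    """Most recent snapshot (by date name) with zero encrypted files, else None."""
    clean = [n for n, (enc, _tot) in results.items() if enc == 0]
    return max(clean) if clean else None

def build_sample_tree(root):
    """Constructed sample: three snapshots, only the oldest predates the infection."""
    names = ("customers.mdf", "orders.ldf", "report.xls")
    layout = {
        "2017-10-25": names,                                       # clean
        "2017-10-28": (names[0] + ENCRYPTED_SUFFIX,) + names[1:],  # partly hit
        "2017-11-01": tuple(n + ENCRYPTED_SUFFIX for n in names),  # fully hit
    }
    for snap, files in layout.items():
        data_dir = os.path.join(root, snap, "data")
        os.makedirs(data_dir)
        for f in files:
            open(os.path.join(data_dir, f), "wb").close()

def demo():
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    results = scan_snapshots(root)
    return results, newest_clean_snapshot(results)
```

Point ROOT at the real backup mount instead of the sample tree; a partly-hit snapshot shows roughly when encryption started, which is the date the retention window needed to reach back past.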
William Miller, IT Specialist
CERTIFIED EXPERT

Commented:
Unfortunately, when dealing with most any ransom-based malware attack, the odds of you recovering data that you don't already have backups for are pretty slim. I would say you MAY be able to send it off to a recovery service, but this will only be useful if the service has successfully decrypted this specific attack before (which, again, is stepping into unlikely waters). Now is the perfect time to play your hand and strongly push for an upgrade. If they still refuse to do so, like Alan stated, it would be a good idea to distance yourself. The last thing you want to have happen is to have your name dropped when the auditors ask "Why?"
Chris Kenward, IT Tech Support

Author

Commented:
I have informed them that one of their users has had to have clicked on a link or downloaded an infected file or email to make this happen. They were thinking of decommissioning the server at the end of the month, but I'm pretty sure they wanted the database data etc. off of it.

I'm assuming that because the SQL files are all encrypted that's a non-starter too?

Cheers
Chris
Alan, Consultant
CERTIFIED EXPERT

Commented:
Hi Chris,

My experience is that you are highly unlikely to be able to recover that SQL data.

What can we say that you probably haven't told them many times over the months / years? They needed to have a proper backup regime in place, and they ignored the professional advice they received.

Like having a car crash, then wishing they hadn't decided the premiums were too high to warrant insurance - they made a decision, and now they have to live (or die) with the consequences of the decision they made.

I realise this sounds harsh, but those premiums were spent elsewhere - if the owner(s) had a holiday in the last few years, or bought coffees or whatever, that could have paid for a proper backup system with multiple offsite drives etc.


I am still inclined to say that you should walk (run) away from this mess lest your reputation gets damaged - the directors won't admit to having received good advice, especially if it means that they are more liable for creditor losses, and they may choose to blame you.

On that note, assuming that *you* have PI insurance, you should make sure your broker is up to speed on this as you almost certainly have a duty to disclose immediately you know there could be any chance of a claim against you.

Alan.
Chris Kenward, IT Tech Support

Author

Commented:
Looks as though Safe Mode has been disabled as I cannot boot into safe mode with networking or with command prompt. I think we're done!

Thanks for the help folks. Not sure how really to allocate points as there hasn't been a solution but will do my best.

Cheers
Chris
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
In fairness, Chris, with the scenario you described, a solution that was going to recover the server was never really an option.
Chris Kenward, IT Tech Support

Author

Commented:
True! Thanks to all for your responses that helped get to where we are at the moment.

All the best
Chris