Ways to move ahead after Ransomware has affected the Exchange server?

We have a DAG with 3 Exchange servers. This morning one server was affected by Ransomware; we shut the server down immediately and we are not going to turn the server on again.

Now what do we need to do?

Case 1: Do we need to build the new server again and install Exchange on it, and after that try to remove the old server? If this is the best approach, can you please let us know the best method to remove the server from the DAG and then from the Exchange environment?

Case 2: Can we restore the server from a snapshot or from backup software? Is it fine to restore the server from backup in a DAG environment? I have heard or read somewhere that restoring a server from a snapshot can be catastrophic. Please comment.
Muhammad AsifSenior Solutions ArchitectAsked:

ste5anSenior DeveloperCommented:
Definitely number 1. Cause this is the only way to be sure that the software installation is free of infection. You cannot know for sure that the ransomware isn't in your snapshot or backup.

Handle it like the server died physically. Do a clean reinstall.
4
btanExec ConsultantCommented:
Agree to (1) as well.

Which ransomware is it? Good to check against ID Ransomware (some may have a decryptor, but I would not put my bet on that: https://id-ransomware.malwarehunterteam.com/)

Since it is unknown how it got into the servers, err on the safe side and rebuild. Take a backup of the server just in case you need it for tracing or for future recovery, assuming a decryptor exists. But if you already have the data backup then this should not bother you. Nonetheless users should have their offline archive.

You should re-evaluate what file shares you have open on your Exchange servers, why, and who has access to them. It's unlikely the infection actually originated on the Exchange server, though chances are that email containing it still exists. Check if any other users got the ransomware too. I would also make sure other PCs on your network are in good shape as well.

Consider a check on the AV signature and patch status of the system, as supposedly if the ransomware is known, it would be flagged and alerted. As you rebuild the system, do review the hardening aspect: restrict access to trusted machines and whitelist only authorised software to run on the system.
1
AlanConsultantCommented:
Just to add another 'vote' for wipe and start from scratch. I always do this for any malware infection, since once the machine has been taken over, you can never be sure it is yours again unless you completely wipe it and start again.

Alan.
0
Muhammad AsifSenior Solutions ArchitectAuthor Commented:
Hi All,

Thanks to all for your guidance on this case.

@btan, thanks for your guidance on this case in detail. Can you please let me know or guide me how ransomware can be injected into an Exchange server?

Question 1: Some infected user has accessed the Exchange server and transferred some files which have ransomware, or is there any other way to transfer the virus or ransomware to the Exchange server?

Question 2: Can you guys please let me know how to remove the affected server, which has been shut down, from the DAG and Exchange environment?

Question 3: Is it fine or easy to recover the server with the command: Setup /m:RecoverServer /IAcceptExchangeServerLicenseTerms, or would I need to go with point 2, add the new server with a new name and IP, and after that remove the affected server from the environment?
0
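The thread never spells out the DAG clean-up asked about in Question 2, so here is an added example (not from any poster, not Microsoft's documented script) of the Exchange Management Shell steps for evicting a member that is permanently offline, run from a surviving DAG member. The DAG name "DAG01" and server name "EX03" are placeholders; every cmdlet and parameter used is a standard Exchange 2016 / Failover Clustering one.

```powershell
# Added example: evict a dead DAG member whose copies will never come back.
# Placeholder names, assumed for this example:
$Dag        = 'DAG01'   # the DAG the dead server belonged to
$DeadServer = 'EX03'    # the member that was shut down and will not be powered on

# 1. Before removing anything, show that every database hosted on the dead member
#    still has a Mounted or Healthy copy on another member.
Get-MailboxDatabase -Server $DeadServer | ForEach-Object {
    $others = Get-MailboxDatabaseCopyStatus -Identity $_.Name |
              Where-Object { $_.MailboxServer -ne $DeadServer }
    [pscustomobject]@{
        Database        = $_.Name
        HealthyElsewhere = @($others | Where-Object { $_.Status -in 'Mounted','Healthy' }).Count
    }
} | Format-Table -AutoSize

# 2. Remove the dead member's database copies from the DAG configuration.
#    Identity is "<Database>\<Server>"; Exchange cannot reach the server, so it
#    only updates Active Directory and warns about the unreachable copy.
Get-MailboxDatabase -Server $DeadServer | ForEach-Object {
    Remove-MailboxDatabaseCopy -Identity "$($_.Name)\$DeadServer" -Confirm:$false
}

# 3. Remove the server from the DAG object. -ConfigurationOnly is the switch for a
#    member that is offline: it updates the DAG in AD without contacting the node.
Remove-DatabaseAvailabilityGroupServer -Identity $Dag -MailboxServer $DeadServer `
    -ConfigurationOnly -Confirm:$false

# 4. Evict the node from the underlying Windows failover cluster as well.
Remove-ClusterNode -Name $DeadServer -Force

# 5. Confirm the DAG no longer lists the dead member.
Get-DatabaseAvailabilityGroup -Identity $Dag -Status |
    Format-List Name, Servers, OperationalServers
```

Which path follows step 5 depends on the choice in Question 3: a rebuild with the same name uses Setup /m:RecoverServer against the server object that still exists in Active Directory, whereas a server with a new name and IP additionally requires the old server object to be removed from Active Directory before the new member is added to the DAG.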
AlanConsultantCommented:
Hi,

I would go with completely removing and adding a brand new VM server.

Alan.
0
Muhammad AsifSenior Solutions ArchitectAuthor Commented:
Hi Everyone,

I am going to install Exchange on a brand new machine. However, Exchange 2016 CU1 is installed on the other servers and I am not able to find the download of Exchange 2016 CU1, as it seems that this is not available on the Microsoft website.

What should I do now? If I install the latest Exchange 2016 CU8 on one server, do I then have to update all the other servers as well?
0
Naveen SharmaCommented:
Worth reading these articles:

Five steps to cleaning a virus-infected Exchange server:
http://searchitchannel.techtarget.com/tip/Five-steps-to-cleaning-a-virus-infected-Exchange-server

What should you do if you catch encryption ransomware mid-operation:
https://security.stackexchange.com/questions/120748/what-should-you-do-if-you-catch-encryption-ransomware-mid-operation/120788

What can you do if you’ve become the victim of a ransomware attack:
https://www.lepide.com/blog/what-can-you-do-if-youve-become-the-victim-of-a-ransomware-attack/
0
btanExec ConsultantCommented:
Question 1: Some infected user has accessed the Exchange server and transferred some files which have ransomware, or is there any other way to transfer the virus or ransomware to the Exchange server?
This will be better answered if we can (1) trace down the creation and modification timestamps of the malicious file containing the ransomware. Most of the time, the infected files may not contain the ransomware itself; there is a call back to the mother ship remotely to download the actual ransomware. So checking the (2) firewall log can give some hints on any unknown call-back URL. Another carrier worth checking is (3) portable external media: whether the admin has used it, and whether any unknown or unauthorised media was used in the machine. Possibilities will be confirmed through the checks, and even (4) other infected user machines can spread via file shares (exploiting an SMB vulnerability).

Just a suggestion that for the question on the recovery steps, may be worthy another new question to garner more insights from expert community.
0
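As an added example of checks (1) and (2) from the answer above, not code from any poster: it bounds an incident window from the timestamp of the first ransom note and flags outbound connections in that window to destinations outside a known-good list. The log lines, the note timestamp, the allow-list and the host names are all constructed placeholders; a real run would feed in the firewall's own export with its own column names.

```powershell
# Added example: correlate file timestamps with firewall egress during the incident window.
# Constructed value: when the earliest ransom note / encrypted file was created on the server
# (in practice: Get-ChildItem -Recurse on the share, sorted by CreationTime, first entry).
$FirstNoteSeen = [datetime]'2018-01-10 08:06:00'
# Look back 30 minutes: the dropper usually fetches the payload shortly before encryption starts.
$WindowStart   = $FirstNoteSeen.AddMinutes(-30)

# Constructed allow-list of destinations the Exchange server is expected to talk to.
$KnownGood = @('outlook.office365.com', 'update.microsoft.com')

# Constructed firewall export, CSV with columns: time, source, destination port, destination, action.
# 198.51.100.0/24 is a documentation range used here as the placeholder "unknown" destination.
$FwLog = @'
2018-01-10 07:20:05,10.0.0.5,443,outlook.office365.com,ALLOW
2018-01-10 07:58:12,10.0.0.5,443,update.microsoft.com,ALLOW
2018-01-10 08:01:43,10.0.0.5,8080,198.51.100.23,ALLOW
2018-01-10 08:01:44,10.0.0.5,8080,198.51.100.23,ALLOW
2018-01-10 08:09:30,10.0.0.5,443,outlook.office365.com,ALLOW
'@ | ConvertFrom-Csv -Header Time, Src, DstPort, Dst, Action

# Keep only connections inside the window that went somewhere not on the allow-list,
# grouped so a repeated beacon to one host stands out.
$Suspect = $FwLog |
    Where-Object { ([datetime]$_.Time) -ge $WindowStart -and
                   ([datetime]$_.Time) -le $FirstNoteSeen -and
                   $KnownGood -notcontains $_.Dst } |
    Group-Object Dst, DstPort |
    ForEach-Object {
        [pscustomobject]@{
            Destination = $_.Group[0].Dst
            Port        = $_.Group[0].DstPort
            Hits        = $_.Count
            FirstSeen   = ($_.Group | Sort-Object { [datetime]$_.Time })[0].Time
        }
    }

$Suspect | Format-Table -AutoSize
# Expected from the constructed log: one row, 198.51.100.23:8080, 2 hits, first seen 08:01:43,
# i.e. an unexplained outbound connection a few minutes before the first note appeared.
```

The same window also drives check (1): listing files under the affected share whose LastWriteTime falls between $WindowStart and $FirstNoteSeen, sorted ascending, shows which files were touched first and from which path the encryption began.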