Windows 2008 R2 server will not boot, may have been infected by virus

I have a major problem with both my network server (Win2008R2) as well as my Win7 workstation (although the workstation is up and running...I'm using it to enter this question).  The problem began on 2/15/2018 at around 10PM and the origin was either a virus or something I did myself (from a remote location).  The timing is what leans me in the direction of myself being the cause of this issue.  I had been out....had a few drinks....returned back and attempted to access the computer at approximately the time when the problem appears to have occurred.  That said, I can't rule out a virus since I've received some conflicting reports back from my customers who have been using my server over the past 8 months to connect to and work with a software application that I sold them and provide support for.  Now, let me get to the point.  My server will not boot into Windows, so, for all intents and purposes, the server is "dead" right now.  In my attempts to recover the server, I've realized that virtually every file on the computer has been "renamed" with the following appended string:

.id-B8D8CBA7.[decrypthelp@qq.com].java

This is the reason my server won't boot since this "appended file extension" has effectively renamed every file on my C: partition including the boot files.  The same string has also been appended to certain files on the workstation that I'm currently using, but not to the same extent and seems to have affected only certain partitions on this workstation.  My primary concern here is the server (the workstation is secondary and, since it is operable, I can restore it back to an image copy I made of the operating system back in the end of December and most of the other partition's files I backup on a weekly basis so they can be recovered as well).  The server is obviously the most important part of my network and I depend on it for hosting my software application that my customers use on a daily basis.  Needless to say, this has already become a crisis and I need to recover as quickly as possible.
Any thoughts or suggestions will be deeply appreciated.  Help!
Jim Klocksin, Owner, Data Architects, asked:

John, Business Consultant (Owner), commented:
the reason my server won't boot since this "appended file extension" has effectively renamed every file

You have been infected with Ransomware. So the only practical solution is to reinstall the server and restore the data from a good backup (not infected).
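As an added illustration of the file-name pattern quoted in the question (not code from anyone in this thread): a small Python scoping script that recognises the appended marker, recovers the original file name, and counts affected files per volume and top-level directory, so the extent of the damage on a mounted (read-only) image can be measured before deciding what to restore. The sample paths are constructed; only the victim id and contact address are the ones quoted above. It recovers names only; the file contents remain encrypted.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Marker appended to every file name in this thread:
#   <original name>.id-<8 hex chars>.[<contact address>].<tag>
# Anchored at the end of the name so the original name, including its
# own extension, is recovered intact.
MARKER_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<tag>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class RenamedFile:
    path: str
    original_name: str
    victim_id: str
    contact: str
    tag: str


def parse_renamed(path: str):
    """Return a RenamedFile if the name carries the marker, else None."""
    m = MARKER_RE.match(PureWindowsPath(path).name)
    if not m:
        return None
    return RenamedFile(path, m["original"], m["victim_id"].upper(),
                       m["contact"], m["tag"])


def scan_tree(root: str):
    """Walk a mounted volume (mount it read-only) and yield full paths."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def summarize(paths):
    """Count marked files by victim id, contact, top-level dir and original extension."""
    hits = [r for r in map(parse_renamed, paths) if r is not None]
    by_dir = Counter()
    for r in hits:
        parts = PureWindowsPath(r.path).parts
        # 'C:\' alone for files in the root, 'C:\Windows' one level down
        top = str(PureWindowsPath(*parts[:2])) if len(parts) > 2 else parts[0]
        by_dir[top] += 1
    return {
        "total": len(hits),
        # more than one victim id on a host suggests more than one run
        "victim_ids": Counter(r.victim_id for r in hits),
        "contacts": Counter(r.contact for r in hits),
        "by_dir": by_dir,
        "original_extensions": Counter(
            PureWindowsPath(r.original_name).suffix.lower() for r in hits),
    }


SAMPLE_PATHS = [  # constructed sample, not taken from the thread
    r"C:\bootmgr.id-B8D8CBA7.[decrypthelp@qq.com].java",
    r"C:\Windows\System32\ntoskrnl.exe.id-B8D8CBA7.[decrypthelp@qq.com].java",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\Apps\Production\MyApp.exe.id-B8D8CBA7.[decrypthelp@qq.com].java",
    r"D:\Apps\Production\config.xml.id-B8D8CBA7.[decrypthelp@qq.com].java",
    r"D:\Backups\dec-image.tib",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
```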
noci, Software Engineer, commented:
IF you want to keep the bad hard disk for forensic/recovery use, then first replace the disk with a fresh one (can be bigger as well) before restoring.
Before doing anything on the server be sure to wipe the drive (complete drive, all partitions) from a read-only medium (rescue CD-ROM etc.).
AND LABEL this disk as BAD/VIRUS/... etc. with date/time/...

You should start restoring your backup and validate every step for updating to more recent ones.
Be sure the virus/ransomware is not on the (most) recent backups... some viruses (encryption type) will linger a few days/weeks before activating their payload.

Success in recovering.
Maybe use various virus scanners to check media before restoring (if they can read the source).
Jim Klocksin, Owner, Data Architects, Author, commented:
I need to get this back up and running ASAP, so if I can't use the existing hard drives, then the fastest way for me to get things back up would be to purchase a refurbished server which could be shipped today or tomorrow.  Can either of you tell me whether or not I absolutely can NOT use the existing hard disks (after wiping them clean or reinstalling a fresh copy of Win 2008 R2 Server over the existing partition)?

John, Business Consultant (Owner), commented:
If you format the hard drives to eliminate all data, you should be able to re-use them. People who get Ransomware format their drives, reinstall Windows, recover data from a good backup and move on.
Jim Klocksin, Owner, Data Architects, Author, commented:
I have absolutely no access to this server.  How can I re-format the drives?
John, Business Consultant (Owner), commented:
You must have access to it to fix it, or get someone who does have access to fix it.
Jim Klocksin, Owner, Data Architects, Author, commented:
I'm sorry, I wasn't clear in my question.  I have total physical access to the server (I'm sitting here looking at it now).  What I meant was that the computer doesn't boot up, so I can't format the drives via Windows.  Further, when I've attempted to install a "fresh" copy of my server operating system, it gets hung up looking for a device driver right at the point where the install process would typically be asking which partition to install into, so it appears that the Windows installation disk/process does NOT see any hard drives and is prompting me for some type of driver in order to find the hard drive(s) and/or partitions!?  At this point, I just feel like I'm totally screwed here and I'm watching my livelihood go down the drain!
John, Business Consultant (Owner), commented:
Can you (as you suggested) get a refurbished server?  Or can you get new hard drives for the existing one?
Jim Klocksin, Owner, Data Architects, Author, commented:
I should be able to get a refurbished server, but I can't even talk with anyone regarding that option until tomorrow (they don't work weekends).  That's the direction I'm leaning towards right now and I'm just hoping that the image copies I made in December and that are stored on my Buffalo Terastation didn't get infected since the server tied the whole network together, the Terastation is part of the network and, at the moment, I can't get access into that either (to make sure my backups are OK), unless you have some other idea on how I can access the Buffalo backup device by "going around" the network and the "hard-coded" IP address that I assigned to the Terastation?

Another question I'm asking myself now is how to prevent this from happening again in the future?  I felt relatively safe since I run my network behind a SonicWALL firewall, with some additional Norton AV protection on my workstation (which also got hit, just not as severely)?
John, Business Consultant (Owner), commented:
Most Ransomware comes via email from strangers. Up to date AV helps, but the best approach is to not open email from strangers. Your judgment on this may not have been the best on the day in question. Also do not browse to dodgy web sites.
noci, Software Engineer, commented:
Does the server have a CD-ROM? Can you download a CD-ROM image? Can you burn a CD-ROM?
http://www.system-rescue-cd.org/ for an image

Virus scanner & rescue disk:
https://www.eset.com/int/support/sysrescue/

Wiping data just destroys any evidence or chance of recovering data on that disk. So to keep options open, use another disk; if that is not an option, wipe the drives.
Best done from CD-ROM media. And the complete disk SHOULD be wiped, including the boot sector, track 0 (a place to store persistent data), the first 2 MB (reserved on flash disks) and any recovery/swap/OS/data partition on the disk (at least all home blocks, and backups, of any filesystem).

Instead of a CD-ROM a USB stick MAY work if you can write-protect the USB drive. Otherwise you run the risk of infecting the USB stick. Media should be read-only.
Jim Klocksin, Owner, Data Architects, Author, commented:
Following up on what caused this to happen.  The day in question I was working remotely from Florida on my workstation in New Jersey.  All I was doing was rebuilding my software application due to some minor modifications.  I had completely rebuilt 2 out of the 3 applications and then "kicked off" the build for the 3rd and shortly afterward left to have dinner (and drinks) with friends in Florida.  So, point is, everything was working fine at the time I left my house that evening (ergo, no browsing of web sites, no checking on emails, etc., which I'm extremely careful about anyway when I do those types of things.  In fact I have another workstation in Florida that I use for ALL of my web browsing (not affected at all by any of this) and I have a company owned computer that I use to connect to my client's corporate network, where I have a different corporate email address that they assigned to me, but I never browse the web on that computer).  Further, I know for a fact that this "attack" occurred while I was out and no one was using my computers (in Florida), but any number of my 700 (at last count) client users could have been accessing my New Jersey network via Microsoft's RemoteApp in order to work with my application(s) from within the corporation.  When I returned, the only thing I did on the computer was to attempt to connect (i.e. remote desktop) to my server to check to make sure that my 3rd application was built and I intended to copy the newly built versions into my "production" folder for the next day.  Bottom line is that at that point I couldn't connect remotely to my New Jersey server (first time in over 8 months that I've been hosting the applications).  So, the only thought that I had (regarding my own actions) was that I really didn't NEED to rebuild that 3rd application at that point in time when I knew I was going out, but I had done this same type of thing so many times before that I really didn't give it much thought before I left.
And, following up on your last comment, that's always been my contention.  That these types of attacks are overwhelmingly caused by someone clicking on a bad link in an email or using a ridiculous password (like the word: password).  So, this has me a little shaken because I know for an absolute fact....beyond a shadow of a doubt, that I couldn't have caused this myself by doing any of the aforementioned, to say nothing of the fact that my computers in Florida were not in use during the entire time (5 to 6 hours) I was out that evening.

Just to throw a little more information into the mix here.  The entire reason I started "hosting" my applications on my own hardware to begin with was because my corporate customer had a MAJOR cyber-attack on their network towards the end of June, 2017.  Not only affected their individual computers and servers, but virtually all of their internal software systems were out of commission for months, including some systems that their production processes were dependent upon.  Knowing that their internal IT staff would not get to my application for several months, we quickly made the decision to host the software on my network and I had them back up and running in early July.  So, the other question I'm asking myself at this point, knowing that I have over 700 registered users on my network (only 10 to 15 concurrent users is the typical load...), is it possible that the attack on my system was caused by someone in the corporation using my application during that time period between when I knew (for a fact...) that my network was running (approximately 4PM) and later that evening when I returned and discovered that the network was not working (approximately 9:30 PM)?  Any thoughts?
John, Business Consultant (Owner), commented:
is it possible that the attack on my system was caused by someone in the corporation using my application during that time period between when I knew (for a fact...) .....

I think that would occur if they had some network activity going (network browsing or web mail). Non-network applications should not cause this.

If the users' computers were compromised and then hooked into yours, that is a possibility as well.
Jim Klocksin, Owner, Data Architects, Author, commented:
Yeah, I'm probably grasping at straws, but I've always felt the way you apparently feel, that "hacking" occurs due to some "human" action (e.g. clicking on a bogus link in an email, the simplified password, etc.) rather than some "TV-type" hacker who can crack into systems thru multiple proxy servers all around the world!  I may be naive in my thinking, but I've just never bought into the idea that someone can write some sort of "super" program (even at assembler or machine-code levels) that's capable of trashing a system, like mine's been trashed, without some inside information or help!  That said, this is one of the reasons that this situation has me so "shaken", since I really have no clue as to what happened and what to do about it.  "noci" has me thinking as well (more about getting things back up on my existing server...), but the one site you've directed me to, noci, would most likely allow me to at least access my hard drives and potentially format them.  I do have and use Acronis for my image copies, so if I "boot" the server using my Acronis "rescue" disk, I can see the Windows folders and that was how I determined, in the first place, that the files had been altered.  Problem is, that even if I download that software, all I can do is format my partitions since none of the data is of any value at this point.
David Johnson, CD, MVP, Owner, commented:
You really have to find the vector that allowed the attack to occur. This is why others have suggested replacing the hard drives, to attempt a forensic analysis.

My question is: do your customers use a VPN to access your software for updates? I.e. can they map a drive to the software repository? Are they using a standard user account on your system?

The way ransomware primarily works is by starting a process and then encrypting any file it can access. It will also try and attach itself to any machine it can access by trying to set the software to run in any of the autorun locations on the target machines, so when either the machine is restarted or a user logs in they execute their task.

Some ransomware waits a random length of time before executing, others execute immediately. By waiting a day or so the risk of being detected by AV is higher but it lowers the chance of someone associating an action with the ransomware attack.
Jim Klocksin, Owner, Data Architects, Author, commented:
Frankly, I would have no clue as to how to perform a "forensic analysis"....I'm guessing that you're saying to take the hard drives to someone that specializes in that area!?  As far as your questions go, 1) my customers access MS RemoteApps thru a link that I've provided for them that utilizes a Remote Gateway Server/Host Session Server (both with SSL Certificates) in order to run my software application that resides on my network server (they have NO ability to map drives or access anything other than the software applications that I've set up as RemoteApps) and 2) they each have their own login accounts which are all maintained in Active Directory.  So far, I've been able to restore all of the corrupted files on my workstation (which was also affected, but not to the same extent as my server) AND I've been able to overwrite my C: partition on the server to replace all of the corrupted files on the C: partition (this I was able to accomplish with an image copy of the C: partition that I made back on 12/29/2017 using Acronis True Image software).  Unfortunately, I still have corrupted files on my D: partition on the server and, as of this moment, the server still will not boot up into the Windows Server 2008 R2 OS.  That's where I'm at as of tonight....any suggestions are always helpful and appreciated.
noci, Software Engineer, commented:
Please be aware that one of the NON-corrupted files on your workstation may still hold the virus/ransomware.
So restoring files may only be a temporary stop gap... And the places where the virus can hide are the areas I also told you to wipe.
(Boot sector, track 0, first 2 MB, "unused" storage on disk + some activator that can still run)...
Does the server need a boot from rescue mode, and then FIXBOOT? (Though I am no Windows expert by a long shot.)
Jim Klocksin, Owner, Data Architects, Author, commented:
Just one additional piece of information I want to get "into the record", so to speak.  There was no request/demand for any type of payment so, as I understand it, my system was attacked by a virus, not ransomware.
John, Business Consultant (Owner), commented:
It was a virus, however, that changed all / many of your key file extensions.  I continue to think rebuilding your server is the best course of action.
noci, Software Engineer, commented:
Rebuilding from either empty wiped or new disks. Just to prevent any leakage from the previous virus contamination.
Scott Silva, Network Administrator, commented:
The fact that your local system was also compromised tells me that your win 7 machine is the source of the infection and it encrypted your server...  If you look at the "owner" of the encrypted files I bet it will be your username...
Jim Klocksin, Owner, Data Architects, Author, commented:
I paid for and got some DELL support to reinstall a "fresh" copy of my Windows 2008 R2 OS.  So, now I have a different situation from what this question started out as, but I'm struggling, trying to just set up my own network so that everything on the network connects and I can connect to the internet thru my SonicWALL device.  Problem for me is that I haven't had to do anything like this since 2013, when I first set up my server and I'm lost.  I can't get the basic network set up and this is, obviously, delaying my restoration of my Remote Desktop Setup (which I've worked on more recently), so I think if I can get the basic network up and running (and I mean "just the basics"), then I'll be able to move on and set up everything else I need to provide remote access to my application.  Being a programmer first and technician last, I just don't have the experience setting up networks, OS setup, etc. that other people in this forum have.  So the question at this point is how do I set up the server OS to connect to the rest of my network and the internet?
John, Business Consultant (Owner), commented:
Can you connect to Internet?

Can you ping the Sonic Wall?

Try running a TCP/IP reset.

Open cmd.exe with Run as Administrator
Then: netsh int ip reset c:\resetlog.txt
Then also run: ipconfig /flushdns

Now restart the server and see if you have made progress.

Also, it may be better to start a new question for this.

Jim Klocksin, Owner, Data Architects, Author, commented:
John, my experience level with this is basic at best.  I can only access the internet when I plug my computer and/or server directly into my cable modem.  Before the virus, the cable modem connected to the SonicWALL, the SonicWALL connected to my 16-port switch, and all my computers and NAS devices connected to the switch.  Been that way since 2013 and I haven't had to "deal" with any of this since then.  I can confirm that I can NOT ping my SonicWALL, but the rest of your instructions are really beyond my realm of expertise (remember I'm a programmer, that has to work with all these other technical issues when (and only when) problems arise).  Last issue I remember having was an issue with the SonicWALL and some settings on that device.  I had to pay for support on that issue, since it was too difficult to explain to people on EE exactly what my situation was and I really needed someone that worked on SonicWALL devices day-in/day-out.  Unfortunately, I'm finding myself in that same position with this situation.  I got rid of the virus infected files and got the server operable, but only after paying for support from DELL.  I try to do as much as I can before I have to pay for support (EE, which IS a pay-for forum, helps and is my first avenue for support).  That said, I will start another question for this situation and close this out.  Hope to see you on my next "question"!
Jim Klocksin, Owner, Data Architects, Author, commented:
Everyone helped me to at least understand what had happened to my network and I appreciate everyone's comments.  John responded the most, hence the "Best Solution" recipient.  I'm going to take his advice and start another question for my new issues with setting up my network from scratch (which I haven't done for over 5 years) which is proving difficult for me since I lack the depth of knowledge that others have regarding anything other than programming.  So thanks for all your responses and hopefully I'll "see you" on my next question.
John, Business Consultant (Owner), commented:
Thank you and I will watch for you, as I am sure others will as well.