Tony Hudziak

Ransomware on System

Hi
Has anyone come across this ransomware "CCF25092017.pdf.id-006C0843.[sqlbackup40@cock.li].adobe"? This was a small system I put together for a friend of mine, 3 PCs and a small server running Zentyal 4. All data on the PCs and server was encrypted. The PCs were Windows 10 running Eset AV, using a 1-year-old Sonicwall Soho Firewall.
Email runs through the Zentyal, but it's first filtered through Elive (Like Messagelabs).
The PCs were so bad they would not boot, no usual message for ransom, only infected TXT files. This happened last Saturday around 3pm when nobody was on the system. There is one person who works remotely, but she says she was not on the system at that time.
No biggie here as I had it all backed up with the Proxmox hypervisor, had it all restored in an hour, then just rebuilt the PCs.
I'm just trying to figure out what happened here?
Dr. Klahn

Suspicion: Check the remote logins for several hours previous to that time for users with admin rights. Somebody's password may have been obtained, or was weak.
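One way to do the check Dr. Klahn describes on the Zentyal box itself, as an added example that is not part of the thread: parse the sshd lines from an Ubuntu-style auth.log, keep only the events that fall in the hours before the encryption started, and flag accepted logins that used a privileged account or came from an address that had been failing passwords earlier in the same window. The log lines, the incident time, the six-hour window and the set of "admin" account names are all constructed assumptions for the example.

```python
"""
Added example (not from the thread): list the successful remote logins from an
Ubuntu-style auth.log in the hours before the encryption started, flagging the
ones from privileged accounts or from an address that had just been failing.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format Zentyal (Ubuntu) writes to
# /var/log/auth.log. None of these are real records from the asker's system.
SAMPLE_LOG = """\
Oct  7 08:12:44 zentyal sshd[1811]: Accepted publickey for backup from 192.0.2.20 port 41022 ssh2
Oct  7 11:03:10 zentyal sshd[2102]: Failed password for admin from 198.51.100.7 port 53100 ssh2
Oct  7 11:03:14 zentyal sshd[2102]: Failed password for admin from 198.51.100.7 port 53100 ssh2
Oct  7 12:41:03 zentyal sshd[2231]: Accepted password for admin from 198.51.100.7 port 51234 ssh2
Oct  7 13:05:51 zentyal sshd[2290]: Accepted password for mary from 203.0.113.5 port 60011 ssh2
Oct  7 19:30:02 zentyal sshd[2600]: Accepted publickey for backup from 192.0.2.20 port 41188 ssh2
"""

# Assumed incident time ("Saturday around 3pm" in the question; the date is made up).
INCIDENT_TIME = datetime(2017, 10, 7, 15, 0, 0)

# Accounts treated as privileged for this example (an assumption, not from the page).
ADMIN_USERS = {"admin", "root"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_line(line, year):
    """Parse one sshd auth line; syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def events_in_window(log_text, incident_time, hours=6):
    """All parsed sshd events between incident_time - hours and incident_time, oldest first."""
    start = incident_time - timedelta(hours=hours)
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line, incident_time.year)
        if rec and start <= rec["time"] <= incident_time:
            events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def successful_logins(log_text, incident_time, hours=6):
    """Accepted logins in the window, each flagged if the account is privileged or
    the source address had failed attempts earlier in the same window."""
    failed_ips = set()
    hits = []
    for rec in events_in_window(log_text, incident_time, hours):  # chronological
        if rec["result"] == "Failed":
            failed_ips.add(rec["ip"])
        else:
            rec["admin"] = rec["user"] in ADMIN_USERS
            rec["after_failures"] = rec["ip"] in failed_ips
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in successful_logins(SAMPLE_LOG, INCIDENT_TIME):
        flags = [name for name, on in (("ADMIN", h["admin"]),
                                       ("FAILURES-BEFORE", h["after_failures"])) if on]
        print(f"{h['time']:%Y-%m-%d %H:%M:%S} {h['user']:<8} {h['ip']:<15} "
              f"{h['method']:<10} {' '.join(flags)}")
```

On a real server, read `/var/log/auth.log` (and its rotated copies) into `log_text` instead of the sample, and widen the window if the timestamps on the encrypted files suggest the activity started earlier than expected. Samba logins to the shares are logged separately by smbd, so this only covers SSH.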
As above, OR, someone opened an email from a stranger with a link that caused the ransomware.

Very common, so:

1. Backups - as you had.
2. Top notch Spam Filter to stop the strange emails.
3. User training - don't open this stuff.
Does the SonicWALL have logging enabled? Check there.

Some of the craftier baddies now hang around in memory for a while then execute after things get quiet.

The baddie probably came in on an e-mail. There may be a follow-up e-mail explaining how to pay the ransom and get the data back.

Maybe. If not, then someone decided to make someone else's day miserable.

On a Windows Server setup we can usually recover using Volume Shadow Copy snapshots with backups as a secondary.
Usually encryption viruses in Zentyal setups will change the owner and permissions of the files encrypted. This way you can see which user had the virus when it started encrypting files on the server. The time stamp on the files will change as well, so you can see what time the virus activated.

If you have already restored the data you might not have this info anymore. One last place to check is on the users' computers for txt or html files with the ransom instructions. These too will have date and time stamps.
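A script that reads the file metadata the answer above points at, added here as an example and not part of the thread: it walks a share on the Zentyal server, picks out files renamed in the `<name>.id-<hex>.[<address>].<ext>` shape quoted in the question, and groups them by owning account with the earliest and latest modification time, which gives the user the encryption ran as and roughly when it started. The sample share, its file names (the first is the one from the question) and the timestamps are constructed; on a real system point `scan_share` at the share path instead.

```python
"""
Added example (not from the thread): walk a Samba share and, for every file
renamed the way the question describes, record who owns it and when it was
last modified, so the account the encryption ran under and the time it started
can be read off the file metadata as the answer above suggests.
"""
import os
import re
import tempfile
from datetime import datetime

try:
    import pwd  # Unix only; maps a uid to an account name
except ImportError:  # pragma: no cover
    pwd = None

# Name pattern quoted in the question:
#   <original name>.id-<hex id>.[<contact address>].<extension>
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]+)"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(name):
    """Split a renamed file into its parts, or return None for an untouched file."""
    m = ENCRYPTED_RE.match(name)
    return m.groupdict() if m else None


def owner_name(uid):
    """Account name for a uid, falling back to the number for uids not in passwd."""
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def scan_share(root):
    """Yield (path, uid, mtime) for each file under root whose name matches."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if parse_encrypted_name(name):
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                yield path, st.st_uid, st.st_mtime


def summarize(records):
    """Per owner: file count, earliest and latest mtime, contact addresses seen."""
    summary = {}
    for path, uid, mtime in records:
        e = summary.setdefault(owner_name(uid),
                               {"count": 0, "first": mtime, "last": mtime, "contacts": set()})
        e["count"] += 1
        e["first"] = min(e["first"], mtime)
        e["last"] = max(e["last"], mtime)
        e["contacts"].add(parse_encrypted_name(os.path.basename(path))["contact"])
    return summary


def report_lines(summary):
    """Readable lines, owners ordered by when their first file was touched."""
    out = []
    for owner, e in sorted(summary.items(), key=lambda kv: kv[1]["first"]):
        first = datetime.fromtimestamp(e["first"])
        last = datetime.fromtimestamp(e["last"])
        out.append(f"{owner}: {e['count']} files, {first:%Y-%m-%d %H:%M:%S} to "
                   f"{last:%Y-%m-%d %H:%M:%S}, contact(s) {', '.join(sorted(e['contacts']))}")
    return out


def build_sample_share():
    """Constructed stand-in for a share, written to a temp dir: two renamed files
    (the first name is the one quoted in the question) plus one untouched file.
    Timestamps are made up; the files are owned by whoever runs the script."""
    root = tempfile.mkdtemp(prefix="share_")
    os.mkdir(os.path.join(root, "accounts"))
    samples = [
        ("accounts/CCF25092017.pdf.id-006C0843.[sqlbackup40@cock.li].adobe", 1507388400),
        ("accounts/budget.xlsx.id-006C0843.[sqlbackup40@cock.li].adobe", 1507388460),
        ("accounts/notes.txt", 1507300000),
    ]
    for rel, mtime in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    share = build_sample_share()  # replace with the real share path on the server
    for line in report_lines(summarize(scan_share(share))):
        print(line)
```

Run it against a copy of the share (or a snapshot) before restoring, since the restore overwrites exactly the owner and timestamp fields it reads. If the share is domain-joined the uids may not resolve locally, in which case the numeric uid is reported and can be matched up with the Zentyal user list.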
ASKER CERTIFIED SOLUTION
btan