How can ransomeware .Adobe execute on a newly installed OS?

avsc
I have an email server running Windows Server 2016 and MDaemon Email software. Last week it was hacked, probably via a non-standard RDP port I had open, and all files and most of my backups were encrypted. I was able to recover the email files and configuration within the MDaemon directory. I wiped the hard drive and did a clean install of Windows Server, copied my recovered MDaemon files to the clean hard drive, reinstalled MDaemon and was up and running. I also closed the RDP port that was previously open. No public access to the server except for necessary ports.

Yesterday I was encrypted again. Again it seems to have been done from the email server, as files on the desktop and everywhere else are encrypted. I have recovered again by the same methods plus a couple of other security enhancements such as a new user name and password. My question is how in the hell are they getting into my server and what else can I do to prevent this from happening again. Thank you and happy holidays!
John, Business Consultant (Owner), Most Valuable Expert 2012, Expert of the Year 2018, commented:
Typically, ransomware comes from email from strangers and users clicking on a link which leads to the ransomware. Did the user keep the email and click again on the link? You need to get rid of these emails.
John commented:
It also occurs to me that the user is keeping the email and then clicking again, thinking they are going to Adobe. Get users to delete strange Adobe emails.
Dr. Klahn, Principal Software Engineer, commented:
MDaemon has security holes, some of which have been known and reported for 12 years but have only been patched in the last year. Given the software publisher's inattention to these issues (look down the Update Date column in the page below), IMO it might be prudent to choose another MTA with better security support.

https://www.cvedetails.com/vulnerability-list/vendor_id-465/product_id-809/Alt-n-Mdaemon.html
avsc (CEO, Author) commented:
I maintain the latest version of MDaemon. I don't think any of these apply. But good to know. Thanks.
Chief Operations Manager commented:
The most important thing is the education of your staff.
Teach them to be always wary and show them how to inspect attachments and links (without clicking on them).

Make sure that all users are ordinary Standard Users without Administrative privileges.
Only experienced IT staff should have Administrative User accounts and only use them when necessary.

Make sure your backups are kept disconnected from your network and the internet.

Consider installing CryptoPrevent (It's not expensive).
It will work nicely alongside your present anti-virus/malware programs.
It's a great tool to use when GPO whitelisting is not setup.

Some ransomware articles I bookmarked:
https://www.lepide.com/blog/nine-ways-to-address-ransomware-attacks-in-todays-security-landscape/
http://expert-advice.org/security/ways-to-protect-yourself-from-ransomware-attack/
avsc (CEO, Author) commented:
I didn't really get my question answered but received some good input from some users. Thank you. I am pretty sure my first attack was my fault, stupidly leaving the RDP port open. Even though it was a non-standard port (not 3389), they somehow found it and hacked my admin account. No one accesses this server but myself. Its only purpose is email hosting. I don't do anything else on the machine. My question was asking how I could have been attacked a second time after closing the RDP port, wiping and reloading the operating system, moving over only the email server directory and reinstalling the email software. I am still concerned as to how they got in the second time, as it just doesn't make any sense. Thank you all for your input.
Eirman, Chief Operations Manager, commented:
"moving over only the email server directory"
The problem may lie there.

Give Cryptoprevent a try in CUSTOM mode.  Turn on the Honeytrap feature.
Make sure that system files are hidden, otherwise you will see a load of unwanted icons on your desktop.
(Or turn off Desktop in Folder Watch)
Then add appropriate custom folders to folder watch & re-apply protection.

With Maximum or Extreme protection settings you can add wanted programs to the Cryptoprevent Whitelist.

Cryptoprevent Email Protection Features:
The double file extension naming exploit and the right-to-left naming exploit.
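The two attachment-name disguises named above are easy to check for on the receiving side. The script below is an added example, not code from the thread or from CryptoPrevent: it flags a double extension such as "invoice.pdf.exe" (including the variant padded with spaces so the real extension scrolls out of view) and any Unicode bidirectional control character, in particular the right-to-left override U+202E, which makes a mail client draw "photo<RLO>gnp.scr" as "photorcs.png". The extension lists, the sample file names and the rendering approximation are this example's own assumptions.

```python
# Added example (not from the original thread or the CryptoPrevent product): inspect
# attachment file names for the double-extension and right-to-left-override disguises.
# Extension lists, sample names and the rendering approximation are assumptions.

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is drawn reversed
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embedding/override controls
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolate controls
}

# Extensions Windows treats as launchable (assumed list, trimmed for the example)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Document-like extensions an attacker would use as the decoy half of a double extension
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png", "zip"}


def displayed_name(name: str) -> str:
    """Approximate what a mail client shows: text after the first RLO appears reversed."""
    idx = name.find(RLO)
    if idx == -1:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head = name[:idx]
    tail = "".join(ch for ch in name[idx + 1:] if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def inspect_attachment_name(name: str) -> dict:
    """Return the real extension, the rendered name and a list of findings for one attachment."""
    findings = []
    # Bidi controls have no legitimate place in an attachment name; flag them first.
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    # Decide on the characters the OS sees, not on what the user is shown.
    logical = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    # Strip padding from each part so "report.pdf        .exe" is not mistaken for a PDF.
    parts = [p.strip().lower() for p in logical.split(".")]
    real_ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and real_ext in EXECUTABLE_EXTS:
        findings.append("double-extension")
    if real_ext in EXECUTABLE_EXTS:
        findings.append("executable")
    return {
        "name": name,
        "shown_as": displayed_name(name),
        "real_extension": real_ext,
        "findings": findings,
        "block": bool(findings),
    }


def scan_attachments(names):
    """Return the attachment names a gateway should hold back, in input order."""
    return [n for n in names if inspect_attachment_name(n)["block"]]


# Constructed sample attachment names (not real data from the thread)
SAMPLE_ATTACHMENTS = [
    "Q4_report.pdf",
    "Adobe_Invoice.pdf.exe",
    "photo" + RLO + "gnp.scr",
    "Adobe Reader Update.pdf              .exe",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        r = inspect_attachment_name(n)
        print(f"shown as {r['shown_as']!r:45} real ext={r['real_extension']!r:6} "
              f"findings={r['findings']}")
```

The check works on the logical file name after the bidi controls are removed, because that is the name Windows uses to pick the program that opens the file; the rendered name is reported only so an operator can see what the recipient would have been shown.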
