How can ransomware .Adobe execute on a newly installed OS?

I have an email server running Windows Server 2016 and MDaemon Email software. Last week it was hacked, probably by a non-standard RDP port I had open, and it encrypted all files and most of my backups. I was able to recover the email files and configuration within the MDaemon directory. I wiped the hard drive and did a clean install of Windows Server, copied my recovered MDaemon files to the clean hard drive, reinstalled MDaemon and was up and running. I also closed the RDP port previously open. No public access to the server except for necessary ports.

Yesterday I was encrypted again. Again it seems to have been done from the email server, as files on the desktop and everywhere else are encrypted. I have recovered again by the same methods plus a couple of other security enhancements such as a new user name and password.

My question is how in the hell are they getting into my server and what else can I do to prevent this from happening again. Thank you and happy holidays!
John, Business Consultant (Owner), commented:
Typically, ransomware comes from email from strangers and users clicking on a link which is a link to the ransomware. Did the user keep the email and click again on the link? You need to get rid of these emails.
John, Business Consultant (Owner), commented:
It also occurs to me the user is keeping the email and then clicking again thinking they are going to Adobe.  Get users to delete strange Adobe emails.
Dr. Klahn, Principal Software Engineer, commented:
MDaemon has security holes, some of which have been known and reported for 12 years but have only been patched in the last year. Given the software publisher's inattention to these issues (look down the Update Date column in the page below), IMO it might be prudent to choose another MTA with better security support.
avsc, CEO (Author), commented:
I maintain the latest version of MDaemon. I don't think any of these apply. But good to know. Thanks.
Eirman, Chief Operations Manager, commented:
The most important thing is the education of your staff.
Teach them to be always wary and show them how to inspect attachments and links (without clicking on them).

Make sure that all users are ordinary Standard Users without Administrative privileges.
Only experienced IT staff should have Administrative User accounts and only use them when necessary.

Make sure your backups are kept disconnected from your network & the internet.

Consider installing CryptoPrevent (it's not expensive).
It will work nicely alongside your present anti-virus/malware programs.
It's a great tool to use when GPO whitelisting is not set up.

Some ransomware articles I bookmarked ...

avsc, CEO (Author), commented:
I didn't really get my question answered but received some good input from some users. Thank you. I am pretty sure my first attack was my fault, stupidly leaving the RDP port open. Even though it was a non-standard port (not 3389), they somehow found it and hacked my admin account. No one accesses this server but myself. Its only purpose is email hosting. I don't do anything else on the machine. My question was asking how I could have been attacked a second time after closing the RDP port, wiping and reloading the operating system, moving over only the email server directory and reinstalling the email software. I am still concerned as to how they got in the second time, as it just doesn't make any sense. Thank you all for your input.
Eirman, Chief Operations Manager, commented:
"moving over only the email server directory"
The problem may lie there.

Give CryptoPrevent a try in CUSTOM mode. Turn on the Honeytrap feature.
Make sure that system files are hidden; otherwise you will see a load of unwanted icons on your desktop.
(Or turn off Desktop in Folder Watch)
Then add appropriate custom folders to folder watch & re-apply protection.

With Maximum or Extreme protection settings you can add wanted programs to the CryptoPrevent Whitelist.

CryptoPrevent Email Protection Features:
The Double File Extension naming exploit and the Right-To-Left naming exploit.
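The two attachment-naming tricks named in the answer above can be checked mechanically before a message reaches a user. The following is an added example, not CryptoPrevent's or MDaemon's code; the extension lists are assumptions to adjust for your environment, and the sample names are constructed.

```python
# Attachment-name checks for the double-extension trick ("invoice.pdf.exe")
# and the Right-To-Left Override trick, where U+202E makes the name
# "report\u202efdp.exe" display as "reportexe.pdf" while Windows still
# treats it as an .exe. Added example; lists below are assumptions.

# Unicode bidi control characters that can reorder how a name is displayed.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Extensions Windows will execute directly (assumed list; extend as needed).
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
            "vbe", "wsf", "hta", "ps1", "jar", "lnk"}
# Document/image extensions a lure typically imitates (assumed list).
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def strip_bidi(name: str) -> str:
    """Remove bidi controls so we see the name the way the OS resolves it."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """Extension the OS actually uses: the last dot-separated part."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: text after U+202E is drawn
    right-to-left (simplified model of the bidi algorithm, enough for ASCII)."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    return head + strip_bidi(tail)[::-1]


def inspect_attachment(name: str) -> list:
    """Return findings for one attachment file name, in a fixed order."""
    findings = []
    parts = [p.lower() for p in strip_bidi(name).split(".")]
    ext = real_extension(name)
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")        # Right-To-Left naming trick
    if ext in EXEC_EXT and any(p in DECOY_EXT for p in parts[1:-1]):
        findings.append("double-extension")     # e.g. invoice.pdf.exe
    if ext in EXEC_EXT:
        findings.append("executable-attachment")
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from any real message.
    for n in ["invoice.pdf.exe", "report\u202efdp.exe", "quarterly.xlsx"]:
        print(repr(n), "shown as", displayed_name(n), "->", inspect_attachment(n))
```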