damola1 (Nigeria) asked:
Your personal files are encrypted. Ransomware

Ransomware. Last week I gave my Indian developer RDP access to my local server on a ZTE F660 router. Normally I was using the HP MSR930 JG511A, but there were connectivity issues as we switched ISP, and they recommended we don't use the HP anymore. I've strictly been relying on the ZTE.

Today I got the shock of my life; it was like a movie. Ransomware. Find attached.

1. Where is the issue most likely from? Is it from the router, or from other sources?
2. Do I actually have to pay them to get my system back up? Cos I don't really have a backup.
3. How do I prevent this?
4. How do I back up my local server? It's VMware.
John (Canada)

Normally ransomware comes from an email from a stranger that you opened and clicked on a link.

You do not get ransomware from a router, but the developer could have been spreading it (even if they did not know).

You should not pay (zero guarantee) but you really should have a backup.
damola1 (asker)

How do I get my system or files working now?
If they have been encrypted and you have no backup then they are gone. You need to start again and make new documents
Dan Craciun
There is a slim chance that you got infected with a poorly coded virus or one that has the master key made public.
Go to https://www.nomoreransom.org/en/index.html and see if you were lucky.

HTH,
Dan
1. Where is the issue most likely from? Is it from the router, or from other sources?

As has been suggested, often they come in through email attachments, but it's possible they could come in from malicious web sites.

2. Do I actually have to pay them to get my system back up? Cos I don't really have a backup.

There is ZERO guarantee that paying them will unlock the files.  Really, what motivation does the extortionist have to decrypt the files?  It's not like you're going to be a willing repeat customer.  Further, from what I've read, evil people (terrorists, organized crime, etc.) use these attacks to make money and fund their activities.  Do you really want to pay them in the hope you get your files back and HOPE your money isn't used to bomb a religious building?

3. How do I prevent this?
Use MULTI-LAYER security and security best practices.  And BACKUP.  Off site.  If your data is valuable, why wouldn't you have backups?  What happens if your drive fails?  The bad guys want to attack you and they will do everything they can to exploit common ignorance and poor security.  In a sense, it's like your own health: how do you prevent yourself from getting sick?  Don't do risky things that could get you sick.  But you have to decide what the acceptable level of risk is.  Hide in a bubble and you'll probably never get sick... and never do many other things.  But routinely doing unclean things will likely lead to illness more regularly.

4. How do I back up my local server? It's VMware.
There are plenty of backup solutions out there.  Altaro and Veeam are two that offer free products you can use.  You can also use offsite products like Carbonite.
btan

You can identify the ransomware and possible decryptor using ID Ransomware (on top of nomoreransom).

https://id-ransomware.malwarehunterteam.com

Chances are slim to find a decryptor to restore your files; backup is the SURE way, not paying the ransom. Don't get into unnecessary (or more) trouble with legal implications. You can report the incident to your local cyber authority.

From the description of the remote access through the router, there are already some potential weaknesses:

1. Make sure the router is not accessible by machines other than those of the developers. In the first place, for remote access use a VPN instead, for a secure channel.

2. Make sure the router is hardened; change any weak password (this is the weakest point for penetration) and always consider 2FA for any remote access.

3. Make sure the machines connected remotely are in a good hygiene state; some use NAC to enforce that AV signatures are the latest and the machine has been scanned clean. The latest OS patches should be applied too.

4. Make sure the machines connected, if within your control, do not have admin rights. Developers can still do their work in user accounts.

5. Consider investing in more than just AV on those machines: Malwarebytes Anti-Malware, anti-ransomware tools. There are more, and the idea is to have another layer of checks using the appropriate security software.

6. Consider restricting the use of USB or portable media on the machines, as they are likely to introduce viruses and trojans if issued ones are not used and unknown or personal shared media is used instead.

Ransomware is normally introduced through phishing emails, attachments and visits to compromised websites, as well as infected USB drives. The weak point lies in the machines connected through the internet when there are no proper checks or segregation of internal servers from the internet.

Ransomware will spread through RDP using weak passwords, and through SMB file shares too. So disable those ports if not in use.
>>> "Last week. I gave my indian developer RDP access to my local server on a zte f660 router." <<<

>>> "Today,  I got the shock of my live, was like a movie. ransomeware." <<<

Are you suspicious that the "developer" may have uploaded malware to your server?
damola1 (asker)

Thank you very much for the feedback so far. It's great being here.

I have some really old backups.

My fear is: the way they got in is still open.

How can I be sure to avoid this?
Some suggestions:

I suggest RDP be removed for the time being, as you may even spread the virus.

You have to scan all developers' machines, and any external USB drives used for the server too.  If possible, find out which machine is infected; it may be related to this incident.

I suggest you call for a change of password to a stronger one for all RDP accounts too.

If possible, find out the creator of the ransomware payload files; there may be a hint of the host or user that can be traced further to the infection source.
damola1 (asker)

I don't think the developer had anything to do with this. He's been the best for the past 4 years.

Fire that Indian developer.  He likely put the ransomware there.  You should give limited access to remote devs that are from other countries, so they don't have access to all your systems.  You should have backups that are saved offline, so that you can recover from ransomware.

If you really want to know how it got there, make a copy of the VM and start it in a separate virtual network with no internet access.  Then start doing some forensics.  Look for the date and time of the first file modification (odds are, as it started encrypting, files started having very similar dates and times...).  Then look through the event logs: who was logged in at the time?  If it was accidental, then someone probably just opened a malicious email or web site without realizing.  If it was intentional, then it was probably done right after someone logged in.

Problem is, if you weren't careful about backups and security to begin with, you probably don't have the necessary mechanisms in place to properly identify the origins.
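The two forensic steps in the post above (find the burst of near-identical modification times that marks the start of encryption, then check who had a session open at that moment) can be scripted against the offline VM copy. This is an added example, not code from the thread; the file list and the Security-log logon (4624) / logoff (4634) records are constructed sample data, with logon type 10 being the Windows value for an RDP (RemoteInteractive) session.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). On a real case the mtimes come
# from walking the copied VM's disk and the events from an exported Security log.
FILE_MTIMES = [
    ("D:\\projects\\spec.docx", "2018-03-05 09:14:02"),
    ("D:\\projects\\budget.xlsx", "2018-03-07 16:40:11"),
    ("D:\\projects\\spec.docx.locked", "2018-03-12 02:13:05"),
    ("D:\\projects\\budget.xlsx.locked", "2018-03-12 02:13:06"),
    ("D:\\projects\\notes.txt.locked", "2018-03-12 02:13:06"),
    ("D:\\projects\\readme.txt.locked", "2018-03-12 02:13:08"),
    ("D:\\projects\\plan.pptx.locked", "2018-03-12 02:13:09"),
]
# (event_id, timestamp, account, logon_type); 4624 = logon, 4634 = logoff, type 10 = RDP
LOGON_EVENTS = [
    (4624, "2018-03-11 18:02:40", "CORP\\dev.remote", 10),
    (4634, "2018-03-11 19:30:01", "CORP\\dev.remote", 10),
    (4624, "2018-03-12 01:58:22", "CORP\\administrator", 10),
    (4634, "2018-03-12 02:45:10", "CORP\\administrator", 10),
    (4624, "2018-03-12 08:05:00", "CORP\\dev.remote", 10),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def encryption_onset(mtimes, window=timedelta(seconds=10), min_files=4):
    """Earliest mtime of the first burst of >= min_files modifications inside
    `window`: mass encryption leaves tightly clustered timestamps, normal
    work does not. Returns None if no such burst exists."""
    times = sorted(ts(t) for _, t in mtimes)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= min_files:
            return start
    return None

def sessions_active_at(events, when):
    """Pair each 4624 logon with the next 4634 logoff of the same account and
    return (account, logon_type) for sessions spanning `when`; a logon with
    no matching logoff is treated as still open."""
    open_sessions, active = {}, []
    for eid, t, account, logon_type in sorted(events, key=lambda e: ts(e[1])):
        t = ts(t)
        if eid == 4624:
            open_sessions[account] = (t, logon_type)
        elif eid == 4634 and account in open_sessions:
            start, lt = open_sessions.pop(account)
            if start <= when <= t:
                active.append((account, lt))
    active += [(a, lt) for a, (s, lt) in open_sessions.items() if s <= when]
    return active

if __name__ == "__main__":
    onset = encryption_onset(FILE_MTIMES)
    print("first burst of modifications:", onset)
    print("sessions active at that time:", sessions_active_at(LOGON_EVENTS, onset))
```

With the constructed data the burst starts at 2018-03-12 02:13:05 and the only session open then is the administrator RDP logon, which is the lead the post says to chase through the event logs.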
I didn't see if you forwarded RDP 3389; I really looked for it.  If I forward ports I make sure they are way higher, like 9000 and above, use crazy passwords, and make sure the local accounts are disabled.

Someone here posted this to make sure you don't get infected. I bought it, but haven't tried it yet.

https://www.d7xtech.com

On the paying thing, I had one client that paid and he got decrypted; another tried to pay, but the ransom dude didn't respond. Hopefully he died!!!  LOL.

You mentioned two areas of concern regarding the breach, but unless I missed something you've only addressed one: 1. the developer and 2. the router config changed.
Normally I was using the HP MSR930 JG511A, but there was connectivity issues as we switched ISP, and they recommended we don't use it the HP anymore. strictly been relying on the zte.
Have you checked the ZTE router and made sure the password is not the default admin/admin, whether web access is open and not secured, and whether something was overlooked while working with the ISP? Any ports left open? A misconfigured ZTE could easily be the source of the attack: not "from" the router, but if someone can gain access to your network via an open port they can spread ransomware. How long after changing the router did the attack occur? I'd perform a port scan against the firewall and check the logs.
I wouldn't pay the ransom; there are plenty of reports showing this only makes you an easier target in the future. If you don't already have a backup plan, moving forward I highly advise making this a priority. Use a backup solution that you encrypt onsite prior to moving offsite. Provide backups to the cloud as well as local backups like a BDR server.
I don’t think developer had anything to do with this. He’s been the best for the past 4years.
Don't assume. Safer to check the developer's system...

1. Where is the issue most likely from? Is it from the router, or from other sources?
Could be a number of vectors. Could be from an email attachment that came into the network. Could be the result of someone's account (including possibly that of the developer) being compromised. Could be a compromised system that entered the network.

2. Do I actually have to pay them to get my system back up? Cos I don't really have a backup.
The current situation is one of many reasons to have a backup... but think of it this way: you want the data, they want money. If you pay the ransom, that doesn't guarantee that you get the data. That said, do you have another way to recover the data? And if the answer is no, what is that data really worth to you?

3. How do I prevent this?
Well implemented backups (advice for that has already been provided). Multifactor authentication where possible. User training. Minimizing the methods of remote access, and opting for the most secure method of doing so. If you're going to allow RDP to servers, force users to connect to a VPN first. (Basically, if you *have* to make use of RDP, only allow it from within the network!) Improve overall security posture: audit your firewall rules, strengthen your security policies, minimize the access provided to any given account, create separate accounts for users to do administrative functions (basically they will have a user account and an admin account).

4. How do I back up my local server? It's VMware.
See Lee W's response. However, get a consultant to come onsite and provide assistance if required.