Tim

ASKER

Ransomware on my network, what to do?

Well, my worst nightmare has come true and my network was hit with ransomware. I don't know where it started or what variant it is. I have Trend Micro on my network, which I thought would protect me, but alas it did not. I have reached out to Trend to help me with this issue but they were no help at all. Looks like I am going to another AV solution. Suggestions?

Anyway, I am here asking if anyone has encountered this issue before and what steps they took to recover files and rebuild their network. Right now my SQL server and Exchange server are running, but for how long? I have connected to those servers and the desktop files look all encrypted, so my fear is that if I restart these servers they will get fully encrypted, but I can't let them sit in the state they are in now. I really don't know what to do or where to start. I have been going one by one to machines and correcting/reinstalling the applications, but to what end if the ransomware is still on the network? Which it still is, because a user came in stating his desktop icons are turning into encrypted files. This seems to be only affecting Windows 7 and below as well as servers, but my system, a Windows 10 machine, is not having issues.

What to do and where to start?
Kevin Brown-Goebeler

1st, have you any backups of your critical systems? If so, get them off the network if possible to preserve them from the ransomware.
From the tone of your message I assume you do not have a disaster recovery site, systems, or plans, so the first priority is to preserve what you have.

Have you contacted the authorities, FBI, police, etc.? They may be able to offer assistance.

Hard to say what next steps should be without knowledge of your environment. You mention Exchange and SQL. What are your other business-critical applications, your DFS or file servers? You want to try and isolate the infection to limit its spread. Identify quickly what is critical and difficult to recover and take it offline.
As with all ransomware, the only hope is to restore a backup.
Not all ransomware attacks are created equal! Some were able to decrypt information from attacks, but I would expect that is a very low probability event. So restore from backup may be the only choice. Still reach out to the authorities for support and investigation. You'll want to know how this got started to prevent future situations. Staff training and security awareness are critical for your future survival.

And yes BACKUP YOUR DATA! Keep a hot copy on site, a warm copy securely in the cloud, and a cold copy in a third secure location.
"a user came in stating his desktop icons are turning into encrypted files": this points to one of two things: either that computer has the ransomware virus actively running on it (more likely) or the desktop is shared and is being hit from another computer (less likely).

No disagreement with the previous advice about restoring from backup, but it's also useful to know how it got there in the first place.

Assuming that this computer doesn't have the desktop shared (pretty easy to check), then a user of that computer likely invited the virus in without knowing it. If the encryption is happening on other computers to which that user doesn't have shared access, then it's either multiple sources of infection or a single infection that got shared.

Looking at what folders have been getting encrypted and who has access should give you some clues.

I would think that SQL and Exchange are relatively safe, assuming that no one has been using those computers directly (risk of infection) and that their folders aren't shared. Regardless, new backups and restore/rebuild are in order.
First step is definitely to take your systems off the network to prevent further spreading of the infection to other computers. You especially want to isolate the infected systems from the network. Then you need to use a scanner that will determine what type of ransomware you are infected with. There are some tools that may help you to decrypt the files, or you may just need to restore the data from any backups as suggested by other contributors to this thread. Once you know what ransomware you are infected with, these websites have tools to help decrypt your data: https://decrypter.emsisoft.com/ or https://www.nomoreransom.org/en/decryption-tools.html
To ID what ransomware you are infected with, go to https://id-ransomware.malwarehunterteam.com/index.php  You submit a sample of an encrypted file and it will tell you what you are infected with. The site won't remove the infection but will ID it.

If you have an original file and an encrypted version of the same file, you can send a sample of both files to these organizations so they can work out how the file is encrypted and create a tool to decrypt your files.
Looks like I am going to another AV solution, Suggestions?

I've had nothing but good experiences with Avast, but that being said Trend Micro may not be totally at fault.
Events like this can occur when a "new" variant is encountered prior to its signature being added to the AV's database.

As noted above, your best course of action is to segregate the infected PCs from the network and restore from backup (if available).

@CompProbSolv

I would think that SQL and Exchange are relatively safe

Agreed, however files on shares (especially mapped drives) are at risk.
1. Disconnect your network from the internet. Most ransomware can't encrypt files if it can't call home to get encryption keys.

2. Identify the user(s) and station(s) that are infected. You can look at one of the encrypted files and find the owner in properties. This will typically indicate the user and domain that was used. Disable that user's account and isolate the station with the domain you found. You can also figure out what station by monitoring the firewall and seeing who is making a lot of calls to a website or sites. Many calls are typically made to the same site or a handful of sites.

3. Start restoring files.

And as the others have said, you can't blame Trend. Good ransomware prevention requires a multi-pronged approach, i.e. proper domain security, AV software, and firewall setup.

Jim.
I have Trend Micro on my network which I thought would protect me but alas it did not. I have reached out to Trend to help me with this issue but they were no help at all. Looks like I am going to another AV solution, Suggestions?
AV alone is NEVER going to protect you entirely from ransomware, no matter what product you pick. Lots of other things are involved, such as sound security policies and user education. That's how you minimize the risks.

Not sure the size of your network, but you definitely have to get systems disconnected from the network so that you don't put more systems at risk. If you've been able to identify which systems were hit, disconnect those. If you have absolutely no idea but know for certain ransomware is floating around you may be forced to disconnect everything from the internet, then work on identifying which systems to disconnect from the network.

One of the most important things to have, which has been identified earlier, are backups.
You also need to figure out your risk points. For example, can people RDP directly to servers or workstations from the outside? Get rid of that ASAP. Servers that need to be accessed remotely should only be accessed through a jump server.
You'll need to figure out which system got hit first. That may require digging through multiple systems. This will help you in determining the root cause.

Right now my SQL server and Exchange server are running but for how long? I have connected to those servers and the desktop files look all encrypted so my fear is if I restart these servers they will get fully encrypted but I can't let them sit in the state they are in now.
Where are the desktop files kept? Redirected to a file server, or purely on the servers themselves? If the former, look deeper into the file server. If the latter, see my comment about identifying risk points. (I have seen cases where accounts got compromised and servers were accessed via RDP.)

This seems to be only affecting Windows 7 and below
While Windows 7 is still supported (for now), I noticed the "and below" part of that comment. This is a major red flag. Unless you have a good reason for preserving systems older than Windows 7, you should replace them. If you're in a situation where you must keep them running, then you should be isolating them for the sake of the rest of the network (or at the very least taking extra steps in protecting them).

Since Windows 7 goes EOL in January 2020, you would be well served to start migrating Windows 7 systems to Windows 10.
Just one other point on the Win 7: the major way most ransomware gets in is through the SMB1 protocol. Microsoft now disables that in Win 10 by default, as it was deprecated long ago.

If you're going to hang onto Win 7, you should try and get it disabled. Details can be found here:

https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server

And no user should have admin rights on the PCs they use. It really opens the door to a virus gaining a foothold.

Jim.
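A script version of the SMBv1 check and disable steps for a Windows 7 / Server 2008 R2 host, following the registry and service settings documented in the Microsoft article linked above. This is an added example, not something from the thread; it assumes an elevated Windows PowerShell session on the host itself and that a reboot will follow.

```powershell
# Added example: report SMBv1 server/client state and, with -Disable, turn it off.
# Windows 7 / 2008 R2 have no SMB cmdlets, so the KB2696547 registry/service steps
# are used there; Windows 8 / 2012 and later use Set-SmbServerConfiguration.
param([switch]$Disable)

$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1ServerState {
    # A missing SMB1 value means the SMBv1 server is ENABLED (the Windows 7 default).
    $v = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v -or $v -ne 0) { 'Enabled' } else { 'Disabled' }
}

function Get-Smb1ClientState {
    # The SMBv1 client is the mrxsmb10 driver; service start type 4 = disabled.
    $start = (Get-ItemProperty -Path $cliKey -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
}

$os = Get-WmiObject Win32_OperatingSystem
Write-Host "$($os.Caption) (build $($os.Version))"
Write-Host "SMBv1 server: $(Get-Smb1ServerState)"
Write-Host "SMBv1 client: $(Get-Smb1ClientState)"

if (-not $Disable) { Write-Host 'Re-run with -Disable to turn SMBv1 off.'; return }

if ([version]$os.Version -lt [version]'6.2') {
    # Windows 7 / Server 2008 R2 (NT 6.1): registry switch for the server side ...
    Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWORD -Value 0 -Force
    # ... and remove the SMBv1 client driver from the workstation service's dependencies.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
} else {
    # Windows 8 / Server 2012 and later expose the setting as a cmdlet.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

Write-Host "SMBv1 server now: $(Get-Smb1ServerState). Reboot to apply the client change."
```

After the reboot, re-run without -Disable to confirm both lines read Disabled; file access from any remaining SMBv1-only device (old NAS boxes, printers) will stop, which is worth checking before a site-wide rollout.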
Richard Schierer

Check the computers that are showing signs of encryption (icons turning into encryption?). Take those computers off the network immediately. Document which drives are mapped, as most RANSOMWARE variants follow drive mappings. Using Windows Explorer, check your data files and their extensions. You might have to turn this feature on to see them. If the extension is not 3 characters then it will be the name of the RANSOMWARE.

I know we are all hoping that you have good backups that were not affected. But no backup is good unless you have done a test restore from time to time. Any computer that is infected needs to be wiped out and have Windows reinstalled. Hopefully you have done a Windows image of your machines and this can be used to restore them. Depending on how many computers you have, if you can create one good computer, then use a cloning software package like Acronis and create an image of this good install and then use it on all the same computers. This is why standardization is necessary from a disaster recovery/business continuity planning point of view.

Disconnect everyone from the network. Shut it down. Investigate each computer to see if it is infected. Run Trend Micro and MBAM full scans on each one. Depending on the size and complexity of your network, you might be better off calling in an outside company to help you.

As for a recommendation for a new software package, use one that uses whitelisting. Only previously approved programs are allowed to run. If something new gets through, then most apps will let it go by because they don't understand it. Whitelisting doesn't care about that. If it isn't on the list, it doesn't run!
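The two manual checks suggested in this thread, Jim's "look at the owner of an encrypted file" and the unexpected-extension check in the post above, done in bulk over a share. This is an added example and not any poster's own script; it assumes a clean Windows 10 admin workstation with read access to the share, a placeholder UNC path, and a baseline list of the extensions that are normal for that share.

```powershell
# Added example: read-only triage of one share. Lists the unexpected extensions
# (the dominant one is what to submit to ID Ransomware) and groups the encrypted
# files by NTFS owner, which is normally the account the ransomware ran as.
param(
    [string]$SharePath = '\\FILESERVER\Data',   # placeholder, not from the thread
    # Baseline of extensions normal for this share; anything else is treated as suspect.
    [string[]]$KnownExt = @('.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf','.txt',
                            '.csv','.jpg','.png','.zip','.msg','.lnk','.ini'),
    [string]$ReportCsv = "$env:USERPROFILE\Desktop\ransomware-triage.csv"
)

# Walk the share without writing to it. Ransomware usually appends its own extension,
# so files outside the baseline are the encrypted ones (and any ransom notes in .txt
# will not show up here; look for those separately).
$suspect = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -and ($KnownExt -notcontains $_.Extension.ToLower()) }

if (-not $suspect) { Write-Host "No unexpected extensions under $SharePath"; return }

Write-Host '== Unexpected extensions (top 5) =='
$suspect | Group-Object { $_.Extension.ToLower() } | Sort-Object Count -Descending |
    Select-Object -First 5 Name, Count | Format-Table -AutoSize

# Owner + folder + write time per file; the CSV keeps the full list for later forensics.
$rows = foreach ($f in $suspect) {
    $owner = try { (Get-Acl -LiteralPath $f.FullName).Owner } catch { 'UNKNOWN' }
    [pscustomobject]@{ Owner = $owner; Folder = $f.DirectoryName
                       File = $f.Name; Written = $f.LastWriteTime }
}
$rows | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation

# Per owner: how many files, when that account's encryption started and was last seen,
# and how many folders it reached. The top row is the account to disable and the
# workstation to pull off the network.
Write-Host '== Encrypted files by owner =='
$rows | Group-Object Owner | ForEach-Object {
    $t = @($_.Group.Written | Sort-Object)
    [pscustomobject]@{ Owner = $_.Name; Files = $_.Count; FirstSeen = $t[0]; LastSeen = $t[-1]
                       Folders = @($_.Group.Folder | Select-Object -Unique).Count }
} | Sort-Object Files -Descending | Format-Table -AutoSize
```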
Prevention is better than cure.

Get rid of over privileged users, such as ones in DA
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html

Implement a delegation model
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html

Securely manage local admin passwords, and administrator members
https://www.experts-exchange.com/articles/31583/Active-Directory-Securely-Set-Local-Account-Passwords.html
https://www.experts-exchange.com/articles/30617/How-to-manage-local-account-passwords-from-Active-Directory-without-LAPS.html
https://www.experts-exchange.com/articles/29652/Strategy-to-centrally-manage-Local-Administrators-group-from-Active-Directory.html

Get rid of old accounts that might be used maliciously
https://www.experts-exchange.com/articles/30820/Active-Directory-Cleanup-Tool-ADCleanup.html

Implement tier-isolation to prevent tier jumps from lateral movement
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html

Create intelligent password policies
https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html

Utilize host-based firewalls, Windows or otherwise
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html

Do AD password audits
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html

Create your file server structure using the least privilege principle
https://www.experts-exchange.com/articles/32349/FSMainFolder-Files-Server-Structure-Automation-Tool.html

Implement Security Hardening Policies
https://www.cisecurity.org/
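A read-only audit covering the first items on the checklist above (over-privileged Domain Admins, old accounts, and accounts with non-expiring passwords). This is an added example, not code from the thread or from the linked articles; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation and makes no changes.

```powershell
# Added example: report the accounts an attacker with a foothold would most like to
# find. Everything here is a query; act on the output through your change process.
Import-Module ActiveDirectory

$inactiveDays = 90
$cutoff = (Get-Date).AddDays(-$inactiveDays)

# 1. Effective Domain Admins (nested groups expanded). Each of these can reach every
#    machine in the domain, so the list should be tiny and fully accounted for.
Write-Host '== Domain Admins (recursive) =='
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Format-Table -AutoSize

# 2. Enabled users and computers with no logon in $inactiveDays days: candidates for
#    disabling, since nobody will notice if they start being used.
Write-Host "== Inactive for $inactiveDays+ days (still enabled) =="
Search-ADAccount -AccountInactive -DateTime $cutoff |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, ObjectClass, LastLogonDate |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# 3. Enabled users whose password never expires: typical of forgotten vendor and
#    service accounts. Group count hints at how much each one can touch.
Write-Host '== Enabled users with PasswordNeverExpires =='
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, PasswordLastSet, @{ n = 'Groups'; e = { $_.MemberOf.Count } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```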
Your best bet is to restore from backup.

This is why backups are the most important mitigation technique.

Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.

Also, there are tools like Varonis and LepideAuditor which provide deep insight into every change that takes place, in the form of real-time or threshold alerts, allowing you to spot the symptoms of a ransomware attack and take appropriate action.
ASKER CERTIFIED SOLUTION
madunix
Lot of good advice and helpful suggestions. I will point you to Emsisoft; Robert R pointed in that direction, and they are some of the most helpful people. Even if you didn't have their software to begin with, they will do all they can to help you decrypt if possible and get you moving in the right direction.
As for TM, yeah, you are on the right track, they aren't much help, and like a load of the usual AV companies out there, they claim to stop it, until they don't. A quarter of a century in this business has shown me that most of them blow real hard when they want your money, but when the blacktop ends, they tend to disappear.
I am so impressed with the support and history of Emsisoft that I recently started setting up an affiliation with them. It's worth contacting them to get their help.
Tim

ASKER

I wanted to update you all to what I have found and what issues I am having and to thank you all for the suggestions you have provided. I am going to look into all the suggestions and try to figure out which solution works best for me.

First, I found the computer through which the assailant got into my network. It was through an RDP port that I had set up for a third-party vendor, which I have closed, and I found the server from which the attacks were carried out. It has been a little over a day now and no files have been encrypted since I shut down that server, but I still don't feel confident that the threat is gone, but with each day I feel a little better.

I have been restoring data to all the servers I have backups for, but due to the backup window I am allowed to back up in, I was only able to back up the most critical of my systems. The servers that weren't backed up were hit hard and we lost data, but not data that is really important. We are in the process of rebuilding servers and fixing workstations, but this is a long process.

In my process of rebuilding I have found that the applications on one of my SQL servers have been encrypted, but the data those servers contain is still good; however, I cannot back up any of that data due to the application files being encrypted. I am doing some testing on one of my test SQL servers and I am trying to do a repair, but each time I try to do a repair on the SQL portion of the server it tells me

 'The English-language version of SQL server is not supported by this SQL server media. Use the matching language-specific SQL server media; or install the language specific MUI, and change the format and system locales through the regional settings in control panel.'

What do I do here? I have verified that the regional settings are set to English, but each time I try to repair the system I get that message. What can I do?
First, I found the computer through which the assailant got into my network. It was through an RDP port that I had set up for a third-party vendor, which I have closed, and I found the server from which the attacks were carried out. It has been a little over a day now and no files have been encrypted since I shut down that server, but I still don't feel confident that the threat is gone, but with each day I feel a little better.
Positive: You found and identified a security hole. Did you check which account was compromised? Did you change the password? If the account is no longer required, did you disable the account (and just as importantly, remove the rights the account had)?

What do I do here? I have verified that the regional settings are set to English, but each time I try to repair the system I get that message. What can I do?
So you checked the Format setting? Change it to something else, save and close the window. Then reopen that setting and change it back to what it should be (English). Save and close window again. Then try running the SQL repair again.

As a safety precaution, how recent is your last known good SQL backup?
Read how you found the culprit computer and accounts. This is just a tip we learned from another ransomware infection we worked on. The client leased a new copy machine which included having the ability to receive faxes and save those faxes into personal folders on the sole server. The vendor created an account and gave it admin rights. This is why it is so important to run audits on your equipment. No one even remembered when the vendor made the account.
Good luck and lotsa hot coffee (and maybe a few cases of red bull)
Tim
ASKER

Thanks for all your suggestions and help on this. We were able to recover from backups and patience.
Glad to hear you're set.

Tough situation to be in.

Jim.