Stefan Tahitu asked:
SYSVOL Encrypted by Ransomware but AD still running

Hello,


I have a server infected by ransomware and SYSVOL, including the scripts, was encrypted, with file names like:

gpt.ini.id-96EA6CAA.[backdata@qq.com].qwex

I don't have good system state backup at all.

My question: is it possible to create new policies for:

Default Domain Controllers Policy
Default Domain Policy

Is it OK for me to set up the policies as long as the users & security on AD are still there, because our AD syncs to Azure AD?

Thank You Very Much
Philip Elder:

Restore the server back to before the compromise.

There is absolutely no way trust can be maintained with the domain in its current state given the domain controller was compromised. None. Nada. Zippo.
Yup, I second Philip's comments here. You need to do a restore. Long shot, but check if you have Previous Versions enabled on the folder...

If you don't have a good backup then you're going to need to set up a new DC and then do a re-sync to Azure.
Stefan Tahitu (asker):

Hi Philip,

I don't have a backup for the AD. Actually, I can still create & delete users and maintain the security for the shared folder.
I only cannot change the Policy.
Are you sure that I can't create the policy manually?

How about these links:

https://support.microsoft.com/en-sg/help/556025/how-to-manually-create-default-domain-gpo
https://www.experts-exchange.com/questions/29002511/SYSVOL-corrupted.html

Regards

Philip Elder:

My point is to address the trust aspect of what happened.

You can go ahead and recreate the two default GPOs without an issue.

The question is, should you? I don't believe so. The perps may have dropped something that will wait and then boom, the company is worse off than they already are given the DC being encrypted means either Emotet (unpatched) or users running as domain admins.
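If you do decide to recreate the two default GPOs (on a DC you have chosen to keep, or on a rebuilt DC after a restore), the following PowerShell is an added example of how a practitioner would do the triage and the rebuild. It is not code from this thread or from Microsoft's KB article. It assumes the ransomware renamed files with the `.id-<hex>.[<email>].<ext>` suffix seen in the question, that you run it elevated as a Domain Admin on a domain controller, and that the two default GPO GUIDs are the well-known fixed values that exist in every AD domain. `dcgpofix` is the built-in tool the linked KB wraps; everything else (`$Sysvol`, `$Pattern`, `$DefaultGpos`) is a name chosen for this example.

```powershell
# Added example, not from the thread: triage an encrypted SYSVOL and rebuild the
# two default GPOs. Run in an elevated PowerShell on a domain controller as Domain Admin.
# Assumptions: ransomware suffix ".id-<hex>.[<email>].<ext>" as in the posted file name;
# the ".qwex" extension comes from the question; variable names are ours.

$Sysvol = Join-Path $env:SystemRoot "SYSVOL\sysvol\$env:USERDNSDOMAIN"

# 1. Inventory: how much of SYSVOL is encrypted, and which extensions were appended.
$Pattern   = '\.id-[0-9A-Fa-f]{8}\.\[[^\]]+\]\.[A-Za-z0-9]+$'
$Encrypted = Get-ChildItem -Path $Sysvol -Recurse -File |
             Where-Object { $_.Name -match $Pattern }
"{0} encrypted files under {1}" -f @($Encrypted).Count, $Sysvol
$Encrypted | Group-Object Extension | Select-Object Name, Count   # e.g. .qwex

# 2. The two default GPOs use the same GUIDs in every domain; check whether their
#    gpt.ini survived. A GPO whose gpt.ini is gone cannot be processed by clients.
$DefaultGpos = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}' = 'Default Domain Controllers Policy'
}
foreach ($guid in $DefaultGpos.Keys) {
    $gpt = Join-Path $Sysvol "Policies\$guid\gpt.ini"
    if (Test-Path $gpt) {
        "{0}: gpt.ini intact" -f $DefaultGpos[$guid]
    } else {
        "{0}: gpt.ini missing or renamed, needs rebuild" -f $DefaultGpos[$guid]
    }
}

# 3. The "long shot" from the thread: does a shadow copy predate the encryption?
#    Ransomware commonly deletes these first, so expect an empty list.
vssadmin list shadows /for=C:

# 4. Recreate both default GPOs from the built-in template. This replaces every
#    setting they contained (custom password policy, audit policy, user rights)
#    and leaves all other GPOs untouched; re-apply any customisations afterwards.
dcgpofix /target:Both
```

Keep the output of steps 1 and 2 as the incident record: it tells you which GPOs (and login scripts) clients stopped applying from the moment of encryption, which is the scope you have to re-verify after the rebuild. Step 4 does nothing for any non-default GPO whose SYSVOL folder was encrypted; those have to be recreated or restored by hand, and none of this addresses the trust problem Philip raises above.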
I agree with the experts above, with the addition:  Erase the drive using a drive eraser such as Darik's Boot and Nuke, then rebuild the system.

Even assuming that the system could be brought to an apparently repaired state, once any system has been infected by a virus it can never be trusted again.  Polymorphic viruses can hide anywhere, even in apparently unused segments of disk, and look completely innocent until they pop up months later.  The only 100% cure is to erase the drive and (a) restore from a known clean backup, or (b) rebuild from scratch.

Yes, this is annoying.  Yes, you shouldn't have to invest that much time in it.  Yes, people will be angry while the server is down.  Yes, your boss will be massively annoyed at you personally.  But they'll be a lot angrier if it happens again.

This has happened to all of us at one point or another, and it's why we make periodic full (not incremental) backups.  Hopefully this issue will be just enough of a bee sting to re-evaluate your backup policy and go to a solid, frequent, air-gapped backup method.
So, I need to create from scratch?
All the users & security cannot be transferred?
Then their email accounts on Office 365 also need to be deleted?
O365 should have Multi Factor Authentication (MFA) set up by default with all users required to use the Microsoft Authenticator app or its equivalent.

Log on to the O365 admin account and jump into the Security Assessment Centre and get to following the guidelines in there.

And yes, a fresh start. Avoid using the exact domain name so as to not hit Group Policy Tattoos and AD GUID issues.

A good backup is not to be had?
Well, O365 MFA is not related to this. I just tried to make changes on the DC for security and it is working.
I think I need to manually create the Default Domain Policy.
ASKER CERTIFIED SOLUTION
Philip Elder

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks Philip, I will try.
Thank you all for your input.

Regards