Looking for some feedback before I proceed with my plan this weekend.

I have recently taken over a client from their previous MSP and I just keep finding new fun problems, seems like every day. Single server: Windows 2012 R2, AD, file, app. Got a call Sunday they were hit with ransomware. Of course the owner wants to know who-dun-nit.

The source appears to be the server itself, and then it spread to other computers on the domain. In other words, all of the files on the server, even the root of C:, and several client computers' desktops and document folders. I've never heard of a ransomware proliferating like that. Malwarebytes reported it was Jerry_Glanville, a form of Balaclava. All of the ransom gotcha files showed the owner was the 'domain\administrators' group. I've also never seen or read about a ransomware doing that.

It wasn't until later that I discovered that they had open ports to RDP, after everyone, even the previous IT rep, told me otherwise. The server was constantly being hammered with exploit attacks. So I closed RDP at the firewall and changed all the admin passwords. The server is virtual, so I did a VM restore from before the ransomware hit.

Next day, I returned to make sure everything was working as expected. I ran a Malwarebytes scan and found no ransomware, but there are now dozens of instances of the Neshta virus. Malwarebytes wants to quarantine, but many are system files and would probably break the server if they went missing. Again, this is the lone server and domain controller. Most AV options want to take this approach. The timestamps on the files are from before the oldest backup, so restoring those files won't help.