Two days ago, two users reported they were unable to log onto our non-profit's constituent database. When I did so today, I could log on as the administrator; the error indicated that the database was not present.
I found that there were several scores of files on the server entitled "How to repair.txt". They were in the public directories and sub-directories, such as "C:\Documents and Settings\All Users\Documents", and in the subdirectories of two specific users, out of about 15.
The contents of all of the files were similar:
If you reading this,it means your`s important files(photos,videos, documents,archives,bases, backups, etc.) are locked with military cifer.
Nobody can help you restore files without our decoder.
If you want recover files,
send e-mail to the email@example.com WITH "how to repair.txt" and 1-2 encrypted files less than 1MB . After checking you will receive the decrypted files and our conditions how you'll get the decoder . Follow the instructions to transfer payment.
The files showed up in folders in which there were files with the ".doc", ".xls", ".mdb", and ".jpg" extensions, as well as in many other folders. The files seem to be identical.
In many of the user folders, the original files with the above-named extensions were converted to files with ".doc.done", ".xls.done", and ".mdb.done" extensions. In some of the driver directories, the conversions were not so clear. I tried to rename one of the files to its original suffix, but that was unsuccessful; the re-renamed file was not a valid file of the given type.
In viewing the security properties of the alien files, they seemed to have derived their permissions from one of two specific users, because they had a line for those users in the security properties page. These were the only users in whose private sub-directories the alien files were found.
The server uses Symantec Endpoint Protection. I scanned the server with Malwarebytes Anti-Malware and the Microsoft Safety Scanner. None of these reported a virus or malware of any type.
Can these files be restored?
Can the source of the infection be another of the trusted computers within the domain?
How can such an infection be prevented?
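A triage script, added here as an example and not code from the original post, that walks a share and tallies the two indicators described above (the "How to repair.txt" note and the renamed ".done" files), grouping the encrypted files by owner so the accounts that did the writing stand out; the owner lookup and the sample folder layout are assumptions.

```python
import os
import tempfile
from collections import Counter

NOTE_NAME = "how to repair.txt"   # ransom note dropped in every hit folder
ENCRYPTED_SUFFIX = ".done"        # appended to the original extension

def owner_of(path):
    """Owner of a file. Assumption: numeric POSIX uid; on the Windows server
    itself a win32security owner lookup would replace this."""
    return str(os.stat(path).st_uid)

def triage(root, owner_fn=owner_of):
    """Walk root; count ransom notes, encrypted files per original extension,
    encrypted files per owner, and list the directories touched."""
    notes, by_ext, by_owner, dirs = 0, Counter(), Counter(), set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            low = name.lower()
            full = os.path.join(dirpath, name)
            if low == NOTE_NAME:
                notes += 1
                dirs.add(os.path.relpath(dirpath, root))
            elif low.endswith(ENCRYPTED_SUFFIX):
                # "budget.xls.done" -> original extension ".xls"
                orig_ext = os.path.splitext(low[:-len(ENCRYPTED_SUFFIX)])[1]
                by_ext[orig_ext] += 1
                by_owner[owner_fn(full)] += 1
                dirs.add(os.path.relpath(dirpath, root))
    return {"notes": notes, "by_ext": dict(by_ext),
            "by_owner": dict(by_owner), "dirs": sorted(dirs)}

def demo():
    """Constructed sample tree mirroring the report: a public folder and two
    users' folders hit, a third user untouched. Owners are simulated by the
    folder name (assumption, so the example runs on any platform)."""
    root = tempfile.mkdtemp()
    layout = {
        "Public": ["How to repair.txt", "budget.xls.done", "donors.mdb.done"],
        "alice": ["How to repair.txt", "letter.doc.done", "photo.jpg.done"],
        "bob":   ["how to repair.txt", "notes.doc.done"],
        "carol": ["report.doc"],   # untouched user: no note, no .done files
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for f in files:
            open(os.path.join(root, folder, f), "w").close()
    fake_owner = lambda p: os.path.basename(os.path.dirname(p))
    return triage(root, owner_fn=fake_owner)
```

Run against the real share, the "by_owner" counts answer the question of whose credentials wrote the encrypted files, and "dirs" gives the scope to restore from backup.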