We've found (at some customers) a new wave of attacks against non-protected or up-to-date Microsoft Server 2003 machines (even though there is no kind of support for it nowadays).
We think this attack and encryption has some actions similar to what appeared to be spreading in 2014, but ...
Ok, the information:
Two Servers, both with Microsoft Server 2003 and remote access not secured (weak password)
The first server lost all data, and after the attack only a big file named BACKUP (> 10GB) appears, along with the text (Russian pirate) asking for 3000€ to recover the data by sending an email to a 'mail.ru' address with the IP as reference (curious).
The second server, which performs the data backup over a NAS, lost all data from it and also from the NAS (which it was linked to); TWO big files named BACKUP-1 and BACKUP-2 appeared, also, theoretically, encrypted.
It seems they made some kind of encrypted wallet (as in old times) and put all the data inside, just moving it (so, no way to look for deleted data).
We cannot send more info at the moment; we only have the big files and nothing more, just a plain text with short instructions to follow.
Any idea? We think this new wave of attacks responds to an old vulnerability not covered or repaired, so now the damage is done, and we would like to know if there is some kind of hope for these customers or the new ones that will soon appear.
Thanks for reading.