Just thought I would share an incident that occurred with a client of mine. I've dealt with several ransomware infections in the past, but this one is a bit different.
Three days ago they received a notice from the ISP that attacks had been detected from their IP. I was notified yesterday and assumed one of the workstations must be infected. Usually not a big deal, so I had them shut down the systems until this morning, when I was able to have a look onsite. Last night I tried to remote into the server and I was concerned when I no longer had access.
I quickly found the source of the outgoing attacks was the "server": basically a Windows 7 system running RAID 0 to host basic shared documents. This computer is not being used directly by anyone; it is under lock and key, so the infection was not due to user interaction in any way, shape or form. It is used ONLY to share files. I was able to see quite quickly that the criminals behind these ransomware schemes gained access via RDP. The password was not the most secure, but it also was not something easily guessed. After they were able to connect via RDP they used the server to start sending out various port scans, participating in DoS attacks and so forth. They also created their own user account with admin rights.
I was not happy to find that my client's data had been encrypted, the shadow volumes erased and the external drive obviously also infected. At this point I have no options for my client, save for the fact that various proprietary file formats were unaffected. The only real saving grace is that there was not a tremendous amount of data.
Needless to say, the client is now on board for a better server solution as well as secure online backups. Has anyone had experience with a direct attack like this on a PC that is not actually being used? None of the other computers show any sign of infection; in fact all but one have been off for at least a week (very small office). This Obamausa7@aol.com variant seems quite new; it leaves a com file with the ID number and name for every file it encrypts.
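The post describes the three artifacts a defender would want to check for on a file server like this one: RDP reachable over the internet and guessable, a new account in the local Administrators group, and shadow copies gone. The read-only triage script below is an added example written for this thread, not something the original poster ran; it is PowerShell because the machine is Windows 7, and it assumes PowerShell 2.0 or later and an elevated prompt (the `$KnownAdmins` baseline is a constructed placeholder). It reports RDP exposure settings, the lockout policy, unexpected Administrators members, failed and successful RDP logons and account-creation events from the Security log, and whether any shadow copies still exist.

```powershell
# Added example (not from the original post): read-only triage for a Windows
# file server suspected of RDP compromise. Requires PowerShell 2.0+ and an
# elevated prompt. Nothing here changes the system; it only reads settings
# and logs so the evidence stays intact for a later review.

$KnownAdmins = @('Administrator', 'FileServerAdmin')   # constructed placeholder: replace with your own baseline

# --- 1. RDP exposure settings -------------------------------------------------
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
$nlaOn      = ($tcp.UserAuthentication -eq 1)
Write-Host ("RDP enabled: {0}   NLA required: {1}   Listening port: {2}" -f $rdpEnabled, $nlaOn, $tcp.PortNumber)
if ($rdpEnabled -and -not $nlaOn) { Write-Warning "RDP accepts connections without Network Level Authentication." }

# Lockout policy: with no threshold, a password can be guessed indefinitely.
$lockout = (net accounts) | Select-String 'Lockout threshold'
Write-Host $lockout
if ($lockout -match 'Never') { Write-Warning "No account lockout threshold: online password guessing is unthrottled." }

# --- 2. Local Administrators group vs. baseline --------------------------------
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
foreach ($m in $members) {
    if ($KnownAdmins -notcontains $m) { Write-Warning "Unexpected member of Administrators: $m" }
}

# --- 3. Security log: brute force, RDP logons, account creation ---------------
# Event IDs: 4625 = failed logon, 4624 = successful logon (LogonType 10 = RDP),
# 4720 = user account created, 4732 = member added to a local group.
# Note: failed logons only appear if failure auditing is enabled for Logon events.
$since  = (Get-Date).AddDays(-14)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue)

function Get-EventField($Event, $Name) {
    # Pull a named field out of the event's EventData XML.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

$failed = @($events | Where-Object { $_.Id -eq 4625 })
Write-Host ("Failed logons in last 14 days: {0}" -f $failed.Count)
$failed | Group-Object { Get-EventField $_ 'IpAddress' } | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

Write-Host "Successful RDP (type 10) logons and their source addresses:"
$events | Where-Object { $_.Id -eq 4624 -and (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object { '{0}  {1}  from {2}' -f $_.TimeCreated, (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'IpAddress') }

Write-Host "Accounts created / added to local groups in the window:"
$events | Where-Object { $_.Id -eq 4720 -or $_.Id -eq 4732 } |
    ForEach-Object { '{0}  Event {1}  subject={2}' -f $_.TimeCreated, $_.Id, (Get-EventField $_ 'SubjectUserName') }

# --- 4. Shadow copies still present? ------------------------------------------
# An empty result after an encryption event matches what the post describes.
vssadmin list shadows 2>&1 | Select-String 'Shadow Copy ID|No items'
```

Run it from an elevated PowerShell on the affected machine before rebuilding it, and save the output alongside the ransom note; the source addresses from the 4624/4625 events are what you would hand to the ISP that raised the complaint, and the 4720/4732 timestamps bracket when the attacker's account was created relative to the first successful RDP logon.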