I'm new on these forums.
I'm an IT from Spain who has arrived here searching for the "R-E-A-D-M-E.txt" and the "backup don't delete" file symptoms on a customer's server. In my case, the infected machine is an old 2003 server with Citrix, and it seems the virus got in through an email client running under Citrix with full domain admin privileges (hell yeah, I know, I know).
I've noticed that it deleted (and, I suppose, encrypted into the "don't delete" file) the full DATA folder of the SQL Server on this server (hell yeah, round 2). I've also found remains in MSCONFIG to run an "_uninstall_[random numbers]" BAT file on this admin user's logon, which I suppose the virus uses to delete its components and make it harder to find info about it. At least, antivirus tools have still found nothing on the systems. At this point I thought, "No problem mate, you have a daily full image with Veeam backup" (the server was virtualized two years ago).
But there was still one more surprise. I found the backup disk on the backup server EMPTY. More accurately, the Veeam backup files were deleted, but the folder structure remains (hell yeah, round 3, fatality). I'm fearing that this bastard version of the virus, if it obtains admin rights, scans the network searching for disks that contain backups to delete them (accessing through the admin [unit_letter]$ share that Windows automatically creates; it was a USB disk).
I'm saying all of this to warn other people about the bad habit of maintaining very old, not-so-well-tuned systems because customers don't wanna pay to upgrade and improve them (just unplug them or run for your lives far away, let others eat that bleep!). Also to see if what I'm describing is behavior similar to what you have found on other infected systems. If it is, I've tried to find decryption tools (for example, on https://www.nomoreransom.org/) but I don't know if a tool for this bastard one exists or how it's identified. Is its "official" name Loveserver ransomware? Should I search for another name? As I said, antivirus tools don't find anything, so I can only identify it by its behavior.
I hope some of you can help me a bit.
Anyway, thanks a lot in advance for your attention and the work you do here; it has been very helpful to me other times.
PS: Please excuse me for the hundreds of times I've probably killed the Oxford grammar books writing this text. I don't speak English as well as I should.
Edited by Infoself, 21 February 2017 - 07:14 AM.
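A small triage script for the symptoms listed in this post (the R-E-A-D-M-E.txt note, the "backup don't delete" file, the _uninstall_[numbers].bat startup entry, and a Veeam repository whose folders survive but whose files are gone), added here as an example and not code from the poster. The Veeam file extensions, the sample directory tree and the startup entries are constructed assumptions.

```python
import os
import re
import tempfile

# Filename patterns taken from the symptoms in the post above; they are
# behavioural indicators, not confirmed IoCs for a named family.
RANSOM_NOTE = re.compile(r"^r-e-a-d-m-e\.txt$", re.IGNORECASE)
LOCKED_BUNDLE = re.compile(r"backup don'?t delete", re.IGNORECASE)
CLEANUP_BAT = re.compile(r"_uninstall_\d+\.bat\b", re.IGNORECASE)
# Assumption: these are the file types a healthy Veeam repository should contain.
VEEAM_EXT = {".vbk", ".vib", ".vbm"}

def scan_tree(root):
    """Walk a share or volume and collect paths matching the post's indicators."""
    hits = {"ransom_note": [], "locked_bundle": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if RANSOM_NOTE.match(name):
                hits["ransom_note"].append(os.path.join(dirpath, name))
            elif LOCKED_BUNDLE.search(name):
                hits["locked_bundle"].append(os.path.join(dirpath, name))
    return hits

def suspicious_startup(entries):
    """Return startup/Run command lines that launch an _uninstall_<digits>.bat script."""
    return [e for e in entries if CLEANUP_BAT.search(e)]

def backup_repo_emptied(repo):
    """True when the repository folder tree still exists but holds no Veeam backup files."""
    if not os.path.isdir(repo):
        return False
    for _dirpath, _dirs, files in os.walk(repo):
        if any(os.path.splitext(f)[1].lower() in VEEAM_EXT for f in files):
            return False
    return True

def demo():
    """Constructed sample tree reproducing the symptoms; returns the triage findings."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "DATA"))
    os.makedirs(os.path.join(root, "VeeamBackup", "Job1"))  # structure survives, files gone
    for rel in ("DATA/R-E-A-D-M-E.txt", "DATA/backup don't delete.zip", "DATA/sales.mdf"):
        open(os.path.join(root, rel), "w").close()
    startup = ["C:\\Windows\\system32\\svchost.exe -k netsvcs",  # constructed entries
               "C:\\Users\\admin\\_uninstall_48213.bat"]
    return {"files": scan_tree(os.path.join(root, "DATA")),
            "startup": suspicious_startup(startup),
            "backups_gone": backup_repo_emptied(os.path.join(root, "VeeamBackup"))}
```

Point scan_tree at the affected shares and backup_repo_emptied at each backup repository; a hit on the startup pattern is worth capturing before the batch file removes itself.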