We're into day 2 of a Windows Server 2012 R2 ransomware infection. Have yet to identify the specific ransomware or find the source of the infection.
After an attempted server and workstation cleanup yesterday, and file server recovery from shadow copies, the ransomware did its dirty work again overnight.
The ransomware leaves a ransom note in each affected directory with a filename of recoveryinstruction.txt. The contents are as follows:
What happened to your files ?
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.
CONTACT US BY EMAIL: firstname.lastname@example.org
Each encrypted file has the following extension: !email@example.com__.v8
For example, an encrypted powerpoint file might have this name: MyPresentation.firstname.lastname@example.org__.v8
The malicious encryption got all the way into our Sage300 accounting system, so it is affecting more than just common file types.
We've analyzed who has access to which damaged file shares on the server and narrowed down the list of likely infected workstations to 6. So far we have scanned with AVG CloudCare and Malwarebytes Anti-Malware on the server and workstations with no infection found.
Any targeted advice would be greatly appreciated!
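One way to narrow the source further is to inventory the files the malware rewrote and the notes it dropped, then group the encrypted files by their NTFS owner: on a file server the owner of a newly written encrypted copy is normally the user account whose workstation ran the malware, and the first/last write times bound the encryption window. This is an added triage script, not from the original post or any vendor; the share root and CSV path are placeholders, and the name patterns are taken from the post (recoveryinstruction.txt, the `...__.v8` suffix).

```powershell
# Added triage helper for the infection described above (assumptions: share root and
# report path are placeholders; patterns come from the post's ransom note and extension).
param(
    [string]$ShareRoot = 'D:\Shares',                     # placeholder: affected share root
    [string]$ReportCsv = 'C:\Temp\ransomware-triage.csv'  # placeholder: where to save results
)

$noteName   = 'recoveryinstruction.txt'
$encPattern = '__\.v8$'   # matches the "<email>__.v8" suffix the post describes

# Collect ransom notes and renamed (encrypted) files across the share tree.
$hits = Get-ChildItem -Path $ShareRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $encPattern -or $_.Name -ieq $noteName }

$rows = foreach ($f in $hits) {
    # Reading the owner needs access to the security descriptor; keep going if it fails.
    $owner = 'unknown'
    try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { }
    [pscustomobject]@{
        Path      = $f.FullName
        Kind      = if ($f.Name -ieq $noteName) { 'RansomNote' } else { 'EncryptedFile' }
        Owner     = $owner
        LastWrite = $f.LastWriteTime
    }
}

# Full inventory for the recovery team (which directories need restoring from shadow copies).
$rows | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation

# Summary: which account wrote the encrypted files, how many, and over what time window.
$rows | Where-Object { $_.Kind -eq 'EncryptedFile' } |
    Group-Object Owner |
    Sort-Object Count -Descending |
    ForEach-Object {
        $times = @($_.Group.LastWrite | Sort-Object)
        [pscustomobject]@{
            Owner     = $_.Name
            Files     = $_.Count
            FirstSeen = $times[0]    # earliest encrypted write by this account
            LastSeen  = $times[-1]   # latest encrypted write by this account
        }
    } | Format-Table -AutoSize
```

Run it on the file server as an account that can read the shares; the owner with the most encrypted files and the earliest FirstSeen is the workstation to isolate first, and the time window can be matched against that user's logon and share-access events if auditing is enabled.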