Today I have had three customers (here in Australia) all hit with ransomware that encrypts without an extension.
I think it looks a lot like the "DMALocker 4.0". They are all running Microsoft servers that have been hit, one Windows Server 2008 (SBS2011), two Windows Server 2012R2.
Personally I am suspecting it is an IIS or RDS vulnerability that has been cracked rather than the usual email/web download delivery vector. One of the attacks was on a web server that does not get used for desktop type functions and nobody has interactively logged into it since before Christmas.
In all cases the attack started at about 2AM Eastern Australian time today, 5th February 2017. Nobody was actively using the systems at that time. Of course there may be a delay mechanism in the attack. It may be that the attackers wanted the encryption to start when nobody was watching for maximum impact.
One client has had systems restored from backup. At another, we shut the servers down and will restore data tomorrow. At a third, we are restoring overnight. In all cases we had a good backup that was stored on a network device that requires specific credentials to access, and only the backup system is programmed with these credentials.
Rebooting the servers seems to have stopped any further encryption, but I am still paranoid as AV (Webroot) did not pick up anything at all.
One client was using GoodSync to replicate data to another office, and it has a nice feature that halts the sync until user intervention when mass file changes occur. That may have saved the client from redoing the work they did the evening before.
Edited by ScaryMary, 05 February 2017 - 05:59 AM.
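The "halt the sync when mass file changes occur" behaviour credited to GoodSync above is worth having in any replication or backup job, since an in-place encryptor that keeps file names and extensions only shows up as a burst of modified files. The script below is an added example written for this thread, not GoodSync's code or anything from the poster's environment: it compares two constructed directory snapshots (path to size and mtime) and refuses to replicate when the changed fraction crosses a threshold. The share name, file names, thresholds and timestamps are all made-up values.

```python
"""Mass-change circuit breaker for a replication job (added example, not GoodSync code).

Compares the snapshot taken at the last successful sync with the current one and
halts when too large a share of the tree changed at once. Snapshots are plain
dicts of path -> FileState and are constructed inline so this runs offline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileState:
    size: int   # bytes
    mtime: int  # seconds since epoch


def diff_snapshots(previous, current):
    """Return (added, removed, modified) path sets between two snapshots.

    A file counts as modified when either its size or its mtime changed; an
    in-place encryptor that keeps the name and extension still trips this."""
    prev_paths, cur_paths = set(previous), set(current)
    added = cur_paths - prev_paths
    removed = prev_paths - cur_paths
    modified = {p for p in prev_paths & cur_paths if previous[p] != current[p]}
    return added, removed, modified


def should_halt_sync(previous, current, max_changed_fraction=0.10, min_changed_files=50):
    """Decide whether replication should stop and wait for a human.

    Halt when at least min_changed_files changed AND they exceed
    max_changed_fraction of the files known at the last sync. The absolute
    floor keeps a tiny share from halting on a handful of normal edits; both
    thresholds are assumed defaults, tune them to the share's churn."""
    added, removed, modified = diff_snapshots(previous, current)
    changed = len(added) + len(removed) + len(modified)
    fraction = changed / max(len(previous), 1)
    halt = changed >= min_changed_files and fraction > max_changed_fraction
    stats = {
        "added": len(added),
        "removed": len(removed),
        "modified": len(modified),
        "changed": changed,
        "fraction": round(fraction, 3),
    }
    return halt, stats


def build_snapshot(file_count, size=4096, mtime=1_486_200_000):
    """Constructed baseline: file_count documents with identical metadata."""
    return {f"share/doc{i:04d}.docx": FileState(size, mtime) for i in range(file_count)}


def simulate_in_place_encryption(snapshot, changed_count, mtime=1_486_230_000):
    """Constructed 'current' view: the first changed_count files rewritten in place,
    names and extensions untouched, size grown by a small header, mtime bumped."""
    current = dict(snapshot)
    for path in sorted(current)[:changed_count]:
        old = current[path]
        current[path] = FileState(old.size + 16, mtime)
    return current


def simulate_deletions(snapshot, removed_count):
    """Constructed 'current' view with the first removed_count files gone."""
    current = dict(snapshot)
    for path in sorted(current)[:removed_count]:
        del current[path]
    return current


if __name__ == "__main__":
    baseline = build_snapshot(200)
    for label, now in [
        ("evening edits (5 files)", simulate_in_place_encryption(baseline, 5)),
        ("overnight encryption (150 files)", simulate_in_place_encryption(baseline, 150)),
        ("bulk deletion (50 files)", simulate_deletions(baseline, 50)),
    ]:
        halt, stats = should_halt_sync(baseline, now)
        print(f"{label}: {'HALT' if halt else 'sync'} {stats}")
```

Run it before each replication pass with the snapshot saved at the previous successful pass; a halt should page someone rather than retry, because the whole point is that the destination copy stays as it was the evening before. Comparing size and mtime is deliberately cheap; it will not catch malware that restores the original mtime and pads to the same size, so treat it as an early tripwire, not a substitute for the credential-isolated backups described above.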