Posted 08 June 2017 - 08:04 PM
Posted 08 June 2017 - 08:43 PM
Windows Security logs might have a clue.
Some ransomware has been coming in via RDP and weak passwords.
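The log check suggested above, as an added example that is not part of the thread: it scans exported Security events for a burst of failed logons (event 4625) from one source address followed by a successful RemoteInteractive logon (event 4624, logon type 10) from the same address. It assumes the events have already been exported into the simple dict records shown; the sample records are constructed, not real logs.

```python
from collections import Counter

# Constructed sample records (not real logs). The fields mirror those in a
# Security-log export: EventID, LogonType, TargetUserName, IpAddress.
# 203.0.113.7 tries several accounts and then gets in over RDP;
# 198.51.100.20 is an ordinary user with one typo before logging on.
SAMPLE_EVENTS = [
    {"time": "2017-06-06T02:11:03", "id": 4625, "logon_type": 3, "user": "Administrator", "ip": "203.0.113.7"},
    {"time": "2017-06-06T02:11:05", "id": 4625, "logon_type": 3, "user": "admin", "ip": "203.0.113.7"},
    {"time": "2017-06-06T02:11:08", "id": 4625, "logon_type": 3, "user": "office", "ip": "203.0.113.7"},
    {"time": "2017-06-06T02:11:09", "id": 4625, "logon_type": 3, "user": "office", "ip": "203.0.113.7"},
    {"time": "2017-06-06T02:11:12", "id": 4624, "logon_type": 10, "user": "office", "ip": "203.0.113.7"},
    {"time": "2017-06-06T09:02:41", "id": 4625, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.20"},
    {"time": "2017-06-06T09:02:50", "id": 4624, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.20"},
    {"time": "2017-06-06T09:15:00", "id": 4624, "logon_type": 2, "user": "jsmith", "ip": "-"},
]


def rdp_guessing_report(events, fail_threshold=3):
    """Return {source_ip: summary} for every source that reached
    fail_threshold failed logons. 'success' names the account that later
    logged on over RDP (4624, logon type 10) from that source, else None.
    Failures are counted regardless of logon type: with Network Level
    Authentication enabled, failed RDP attempts are usually logged as
    logon type 3 rather than 10."""
    failures = Counter()
    users_tried = {}
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["ip"]
        if ev["id"] == 4625:
            failures[ip] += 1
            users_tried.setdefault(ip, set()).add(ev["user"])
            if failures[ip] >= fail_threshold:
                flagged.setdefault(ip, {"failures": 0, "users": [], "success": None})
        elif ev["id"] == 4624 and ev["logon_type"] == 10 and ip in flagged:
            # A success only counts if it comes after the failure burst.
            flagged[ip]["success"] = ev["user"]
    for ip, summary in flagged.items():
        summary["failures"] = failures[ip]
        summary["users"] = sorted(users_tried[ip])
    return flagged


if __name__ == "__main__":
    for ip, summary in rdp_guessing_report(SAMPLE_EVENTS).items():
        print(ip, summary)
```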
Posted 08 June 2017 - 09:59 PM
Posted 16 June 2017 - 11:38 AM
I have had the same issue at a similar site, with SBS 2008 infected, and I am struggling to find any info on how the infection occurred.
jdempsey_ajns, did you end up finding out what happened?
Posted 16 June 2017 - 12:36 PM
I didn't really find out for sure, as the focus was on getting the systems back up and running. However, the office did have weak passwords and RDP was enabled on each of the computers. Can't say for sure, but it looks like somebody clicked on something that got them infected and it went from there. It appears they were infected for a couple of days before they called me. I didn't get a call until the server had some of the files they use encrypted; they didn't notice before that, but each desktop (no files stored on them) had already been infected.
The good thing, or bad depending on how you look at it, is there seemed to be a flaw in the way it attacked Windows 7. The server booted fine, but each of the Windows 7 machines would not boot after a reboot. The office never reboots their desktops, but when I rebooted them to scan them in safe mode, the boot files were damaged and Windows 7 wanted a repair run. I didn't spend much time trying to repair them, but I tried on one of them and was not able to get it working and just wiped it.
Posted 16 June 2017 - 04:48 PM
Posted 18 June 2017 - 11:43 AM
This one seemed to act a bit odder than the normal crypto I have seen, though: when infecting the server (file located at C:\Intel\SVCHost.exe) it seemed to lock the data drive and then, after a reboot, took it completely offline.
We are hoping to bring the server back up and complete some more sandboxed diagnostics of the infection. I will try to keep the thread updated with the findings.