Yesterday morning I saw that a little Server 2008 R2 was attacked in the night and all files are encrypted with a .ZERO extension.
A small help note "_HELP_INSTRUCTION.txt" tells me to write to firstname.lastname@example.org. No background image or alert with instructions.
As nobody uses the server, it seems the attack was possible via RDP. The system is up to date (except the last monthly security patch), but SMBv1 is on (it is needed) (but no port 445 open on the Internet).
Probably with no relation, but a month ago I noticed an infection by a bitcoin miner (MinerGate) (probably infected by a hacked website where I downloaded 7-Zip), but I disinfected it with Bitdefender and Malwarebytes.
A few hours before the attack I analyzed the computer with Malwarebytes, which only noticed 2 files about the bitcoin malware that I had put in the trash.
The computer is protected by Bitdefender Endpoint Security.
ID Ransomware identifies the ransomware as "CryptoMix Revenge" (but when I read the description, it is not that one).
As I rebooted the server, Bitdefender found nothing after a complete analysis.
As the server is used only to run an app that is not affected by the ransomware and I have backups, this is not really bad, but before I reintroduce the server into the network I want to be sure there is no more menace. If I know what ransomware attacked me I could disinfect the server (or verify that it is really disinfected) and verify there is no more security breach.
I found the culprit in AllUsers; here is the link to the analysis in VirusTotal: https://www.virustotal.com/fr/file/36b7f06afc92dbbb9ae973c0ce7ae69c6c49a62df9d1d42c64fe9266f560d539/analysis/1501232977/
Thanks in advance for any info!
Edited by Hellomorld, 28 July 2017 - 04:59 AM.