Hi all, just a warning that the ransomware is getting even more sophisticated.
We just got a hit on one of our MS Server 2008 R2 systems. Somehow a hacker got in via RDP and deposited ransomware on the server. If the IP wasn't spoofed, then the attack came from Belize. The ransomware executed and proceeded to encrypt various data files, and we ended up with over 100,000 encrypted files. There were a few nasty things that happened that we were surprised to see:
1) The ransomware was not detected by the server virus checker (Clam). It also was not detected by ANY of 8 other virus checkers I ran over it when I isolated the exe file and ran a sandboxed VM of the server to investigate the issue.
2) It messed up local drive access in the RDP environment (which is used by the users to transfer server PDFs locally).
3) It messed up VSS, and no matter what I tried, I could not get Macrium to run again.
4) After encrypting the usual files it then started encrypting Macrium backups. Luckily it did not get to the one from the night before, as we alternate our external hard disk storage.
We did a full server restore from an uninfected/unencrypted backup (which only took 4 hours) and then changed all our passwords. The ransomware was an AiraCrop (NMoreira) variant.
So, just a warning to be even more vigilant.