Warning - Ransomware attack


mhlangensiepen
New Member
Group: Forum Members
Posts: 1, Visits: 2
Hi all, just a warning that the ransomware is getting even more sophisticated.

We just got a hit on one of our MS Server 2008 R2 systems. Somehow a hacker got in via RDP and deposited ransomware on the server. If the IP wasn't spoofed then the attack came from Belize. The ransomware executed and proceeded to encrypt various data files and we ended up with over 100,000 encrypted files. There were a few nasty things that happened that we were surprised to see:

1) The ransomware was not detected by the server virus checker (Clam). It also was not detected by ANY of 8 other virus checkers I ran over it when I isolated the exe file and ran a sandboxed VM of the server to investigate the issue.
2) It messed up local drive access in the RDP environment (which is used by the users to transfer server PDFs locally)
3) It messed up VSS and no matter what I tried, I could not get Macrium to run again
4) After encrypting the usual files it then started encrypting Macrium backups - luckily it did not get to the one from the night before as we alternate our external hard disk storage.

We did a full server restore from an uninfected/unencrypted backup (which only took 4 hours) and then changed all our passwords. The ransomware was an AiraCrop (NMoreira) variant.

So, just a warning to be even more vigilant.


Drac144
Guru
Group: Forum Members
Posts: 688, Visits: 2.7K
Thanks for the input. It seems like the ransomware is getting more sophisticated.
Seekforever
Expert
Group: Awaiting Activation
Posts: 615, Visits: 12K
Thanks for posting the warning. So much for the "it only attacks common file formats".