
Friend's old server tower keeps getting ransomware on it.

trainergames

My friend has been trying to set up an old server tower as a game server, and every time he installs Windows on it, it ends up getting ransomware.

He has tried 2 different hard drives and 2 different USB drives for installing Windows, which he has always gotten straight from Microsoft's website.

The first time it happened around a week after setting it up; he reused the same hard drive and USB drive and reinstalled, and it went a month before it happened again.

Then he changed hard drives to one from a broken Xbox One and got a brand new USB drive, and it happened again in less than a day...

How does this keep happening, and what can we do to stop it?
Is it maybe somehow in the BIOS? Would a re-flash fix it?

If it helps, it is a Dell PowerEdge R310 with a Xeon X3470.

| I7 2600@4.2Ghz | Corsair A70 w/H100 fans | 16GB DDR3 1333Mhz | MSI Z77A G45 Gaming | Corsair TX650 | XFX R9 380 | 2x 120GB Samsung 840 SSD in RAID 0 | 2x Seagate 500GB in RAID 0 | 750GB Seagate | 500GB WDHDD + 500GB WD USB HDD | Sound Blaster Recon | Antec Sonta Case | HP LP2480zx @1920x1200 | Acer H243H @1920x1080 | BenQ EW2440


What is he doing to set up the computer? It sounds like a program he installs may be malicious; is he using any pirated programs?


2 minutes ago, The_russian said:

What is he doing to set up the computer? It sounds like a program he installs may be malicious; is he using any pirated programs?

He would set up the Media Creation Tool from Microsoft and install it on a USB drive. The first 2 times he only installed stuff for the game server, FiveM to be exact, but the last time all he did was install Chrome and Bitdefender, and that was it. He has never installed or used any pirated programs.


Did he use the same PC to create the installation USB drive? Maybe that's where the problem is.

Ryzen 5 3600 || Gigabyte Gaming OC RTX 2060 Super || B450A-PRO || G.SKILL Ripjaws 3200MHz CL15 2x8GB


32 minutes ago, shark103 said:

Did he use the same PC to create the installation USB drive? Maybe that's where the problem is.

Yes he did, but he has had no ransomware problem at all on that PC.


How did he find out that he has got ransomware?

Maybe the game server software is exploitable and someone is playing a joke on him.
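An added example, not from any post in this thread: before a freshly installed game server is reachable by anyone else, it is worth inventorying what it actually exposes. The script below (assumed to run in an elevated PowerShell session on Windows 10/11 or Server 2016+, using the built-in NetSecurity, NetTCPIP, LocalAccounts and Defender modules) lists the firewall profile state, every non-loopback listening TCP port with its owning process, whether Remote Desktop is enabled, the local accounts, and Defender's status. Anything unexpected in that output is a lead on how a box that was "not public yet" is being reached.

```powershell
# Added example (not from the thread): inventory what a freshly installed Windows
# game server exposes on the network before anyone else can reach it.
# Assumes an elevated PowerShell session on Windows 10/11 or Server 2016+.

# 1. Firewall: every profile should be enabled with inbound traffic blocked by default.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 2. Listening TCP ports with the owning process, so unexpected services stand out.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        }
    } | Sort-Object LocalPort | Format-Table -AutoSize

# 3. Remote Desktop state. fDenyTSConnections = 1 means RDP is disabled, which is the
#    safer default for a box whose only job is to host a game server.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 0) {
    Write-Warning 'Remote Desktop is enabled; disable it, or restrict it to the LAN, if it is not needed.'
}

# 4. Local accounts, so a stray or default account is noticed.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

# 5. Defender status, since the last reinstall had little besides Defender on it.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated |
    Format-List
```

Run it right after the install finishes and again after the game server software is added; the difference between the two listings is exactly what the game server opened up.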


1 minute ago, ROBiMS said:

How did he find out that he has got ransomware?

Maybe the game server software is exploitable and someone is playing a joke on him.

He would log into the PC, and the screen would be black with a black and red box saying his files are encrypted and to email them to unlock.

Here is a pic of something that looks kinda like the box that was on the screen: dharma.jpg
This may not exactly match what it was like, but it looks kinda like what I remember.

I don't think it was anything to do with the game server, because it was not public yet; we were still testing and building the game server to our liking.
Also, the last time, when he used a fresh drive and USB drive, he never even downloaded or installed any files relating to the game.

Also, a weird thing I remembered is that the most recent time he had installed Chrome, but when the ransomware showed up it no longer had Chrome, and Firefox was installed instead.


That sounds kinda random, especially that it happened not just once...

Set up the server on the main PC and transfer it over USB or something like that.

And maybe he could do a fresh install and stick with Microsoft Edge and Windows Defender for a little while, just to see what happens?


Check to see if this is not just a fullscreen popup in Chrome that's on display. It might be a plugin in Chrome that's causing this. If the frame pops up, just press F11 to turn off fullscreen mode. If so, you need to remove the malicious Chrome add-on.


7 hours ago, trainergames said:

Yes he did, but he has had no ransomware problem at all on that PC.

May be a case that on the main one it's inactive. Worth a try: create the install media on another machine, and fully clean the boot drive (zero it from a bootable tool) before install.

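An added example, not written by anyone in this thread, for the two steps in the post above: checking that the install media really is what Microsoft published, and zeroing the target drive rather than just deleting its partitions. It assumes a Windows ISO on disk (`$IsoPath`), the SHA-256 value copied from Microsoft's download page (`$ExpectedSha256`), and the disk number of the drive going into the server while it is attached to another machine (`$TargetDiskNumber`); all three are placeholders to fill in. `diskpart clean all` overwrites every sector with zeros, which plain `clean` does not.

```powershell
# Added example (not from the thread): verify a downloaded Windows ISO against the
# SHA-256 Microsoft publishes for it, then zero a target disk with diskpart before
# reinstalling. The three values below are placeholders the reader must replace.

$IsoPath          = 'D:\Downloads\Windows.iso'                   # placeholder path
$ExpectedSha256   = 'PASTE-SHA256-FROM-MICROSOFT-DOWNLOAD-PAGE'  # placeholder hash
$TargetDiskNumber = 1                                            # placeholder: NOT the disk Windows is running from

function Test-IsoHash {
    param([string]$Path, [string]$Expected)
    # Get-FileHash returns the digest as upper-case hex; normalise the expected value the same way.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $Expected.ToUpperInvariant()) {
        throw "ISO hash mismatch: got $actual, expected $Expected. Do not use this media."
    }
    Write-Host "ISO hash verified: $actual"
}

function Clear-TargetDisk {
    param([int]$DiskNumber)
    # Refuse to wipe the disk that holds the running operating system.
    $systemDisk = (Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':')).DiskNumber
    if ($DiskNumber -eq $systemDisk) {
        throw "Disk $DiskNumber is the system disk; refusing to wipe it."
    }

    $disk = Get-Disk -Number $DiskNumber
    $sizeGb = [math]::Round($disk.Size / 1GB)
    Write-Host "About to zero disk $DiskNumber`: $($disk.FriendlyName), $sizeGb GB"
    if ((Read-Host 'Type WIPE to continue') -ne 'WIPE') {
        Write-Host 'Aborted.'
        return
    }

    # 'clean all' writes zeros over the whole disk; plain 'clean' only drops the partition table.
    $scriptFile = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $scriptFile -Value "select disk $DiskNumber`nclean all`nexit"
    try {
        diskpart /s $scriptFile
    } finally {
        Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue
    }
}

Test-IsoHash -Path $IsoPath -Expected $ExpectedSha256
Clear-TargetDisk -DiskNumber $TargetDiskNumber
```

Run it from an elevated PowerShell session on the machine that creates the media, with the server's drive attached as a secondary disk; `clean all` on a spinning drive takes roughly as long as writing the whole disk once.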