
My Uncle's Windows Server was Infected with Ransomware

My cousin contacted me this morning to say that his dad's (my uncle's) server was infected with ransomware. My cousin was able to brute-force the encryption and regain control of the server, so the situation has been resolved, but there are two things missing.

 

1. How did the server get infected to begin with?

2. How can we increase the security to prevent this from happening again? Because it very well could.

 

The system runs Windows Server 2008 R2.

The server sits in a room that generally remains locked. The server isn't left sitting at the desktop; you must log in with a user/pass to do any administrative maintenance.

The system's primary function is a file server holding projects to be later cut out on CNC, laser cutter, and water-cutting machines.

 

It seems unlikely that anyone was able to walk up to the server, download the ransomware and run it, so I'm left wondering:

 

1. How can the system get infected remotely? (A worm? Can ransomware autorun? Could someone move the infectious file to the share folder on the server and have it auto-launch?) To my knowledge no remote desktop software is run on the server, so nobody is remoting into it. What other ways can the system possibly get infected?

 

2. How can we increase the security on the server to possibly prevent this from occurring again? And don't say "Just install Linux." I proposed that to them a long time ago. They don't want to even though such a move would have prevented this fiasco.


1. I don't know without more access, but it could easily be a vulnerability in the OS or web browser, or someone opened a program. What all is on this system?

 

2. Run Server 2012 R2 or 2016 and keep it updated. Lower the amount of people with access. Install an antivirus and scrub it every once in a while.


Lmao, there's no 100% solution; it could be a planned attack, phishing stuff or whatever, but the best way would be to get a good antivirus with real-time scan and an antivirus with web protection. Try Bitdefender or Malwarebytes. Just keep in mind there's no 100% way of stopping


8 minutes ago, Windows7ge said:

2. How can we increase the security to prevent this from happening again?

Buy Symantec Endpoint. 


I wonder if the server has any remote access tools like VNC or TeamViewer installed; there are a lot of servers that you can just remotely log in to with VNC if they're not password protected or run the latest versions. See this article: http://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/


22 minutes ago, MSWindowsinside said:

I wonder if the server has any remote access tools like VNC or TeamViewer installed; there are a lot of servers that you can just remotely log in to with VNC if they're not password protected or run the latest versions. See this article: http://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/

and please don't use teamviewer or vnc on a server, use rdp.


6 minutes ago, Electronics Wizardy said:

and please don't use teamviewer or vnc on a server, use rdp.

LMAO, the preinstalled one in Windows and Linux? Ehhhh, no


42 minutes ago, Jiaweeeee said:

LMAO the preinstalled one in Windows and Linux ? Ehhhh no

RDS client can use Kerberos authentication, secure tunneling and be proxied through an RDS Gateway for much tighter control on who, what and where you can RDP to. It also has much better logging.

 

VNC and TeamViewer are garbage in comparison for remote connecting to a Windows Server; that, and installing either is extremely frowned upon.


1 hour ago, Windows7ge said:

 

 

1. How did the server get infected to begin with?

2. How can we increase the security to prevent this from happening again? Because it very well could.

 

1. How can the system get infected remotely? (A worm? Can ransomware autorun? Someone move the infectious file to the share folder on the server and have it auto-launch?) To my knowledge no remote desktop software is ran on the server so nobody is remoting into it. What other ways can the system possibly get infected?

 

2. How can we increase the security on the server to possibly prevent this from occurring again? And don't say "Just install Linux." I proposed that to them a long time ago. They don't want to even though such a move would have prevented this fiasco.

1: Because this is a file server, depending on the type of virus, it will scan attached or available network drives and attempt to infect / change / lock the files it has access to. This does not require the server itself to run any of the virus code. If your user has full access to read/write files over the network and his PC was infected (or another PC was), it could devastate the files on the server.

 

2. Security is a big thing that encompasses more than just turning on some piece of software. It requires constant vigilance to ensure that the best practices are met.

This might mean not giving users administrative access to their own machines; blocking websites and services that might be an entry vector; and removing filesystem shares and being more granular about who has what permissions to write / modify which files on disk.

 

Don't worry, if this is a case where someone's desktop PC was infected and it managed to scan out to the network and spread that way, or at minimum lock / encrypt files on the fileserver, it's unlikely that Linux would have prevented this either.

 

You need to put in place proper and robust security. Make sure virus scanners are up to date, and finally, give the users the right education on how to avoid opening and being subjected to certain attacks.
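An added example, not from this thread or any of its posters, of the check a file-server admin would run for the behaviour Sprawlie describes: one client account rewriting a large number of share files in a short window. The records below are constructed; the field names are assumed to match what you would extract from Windows file-access audit events (event ID 4663, with auditing enabled on the share folder), and the threshold values are assumptions to tune for your share.

```powershell
# Added example, not from the thread: look for the pattern Sprawlie describes, a single
# account on a workstation rewriting a large number of files on the share in a short time.
# Input is a constructed list of records shaped like the fields you would pull from
# Security log event 4663 (object access) with file auditing enabled on the share folder.

function Find-MassRewriteAccounts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # Time, Account, Path, Access per record
        [int] $Threshold     = 50,                    # distinct files rewritten ...
        [int] $WindowSeconds = 60                     # ... within this many seconds
    )
    $findings = @()
    $writes = $Events | Where-Object { $_.Access -eq 'WriteData' }
    foreach ($group in ($writes | Group-Object -Property Account)) {
        $ordered = @($group.Group | Sort-Object -Property Time)
        # Sliding window: from each write, count distinct paths touched before the window closes
        for ($i = 0; $i -lt $ordered.Count; $i++) {
            $windowEnd = $ordered[$i].Time.AddSeconds($WindowSeconds)
            $inWindow  = @($ordered[$i..($ordered.Count - 1)] | Where-Object { $_.Time -le $windowEnd })
            $distinct  = @($inWindow | ForEach-Object { $_.Path } | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                $findings += [pscustomobject]@{
                    Account     = $group.Name
                    WindowStart = $ordered[$i].Time
                    FilesHit    = $distinct
                    FirstPath   = $inWindow[0].Path
                }
                break   # one finding per account is enough to raise the alarm
            }
        }
    }
    return $findings
}

# Constructed sample data: one account rewrites 120 DXF files in 40 seconds (the
# encryption pattern), another saves three documents over an hour (normal use).
$t0 = Get-Date '2017-01-10 09:00:00'
$sample = @()
foreach ($n in 1..120) {
    $sample += [pscustomobject]@{
        Time = $t0.AddSeconds($n / 3); Account = 'SHOP\floor-pc3'
        Path = "\\fileserver\projects\job$n.dxf"; Access = 'WriteData'
    }
}
foreach ($n in 1..3) {
    $sample += [pscustomobject]@{
        Time = $t0.AddMinutes($n * 20); Account = 'SHOP\alice'
        Path = "\\fileserver\projects\quote$n.docx"; Access = 'WriteData'
    }
}

Find-MassRewriteAccounts -Events $sample | Format-Table -AutoSize
```

The reported account is the one to disconnect from the share and inspect first; on a real server the records come from the Security log rather than the constructed list.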

 


5 minutes ago, Sprawlie said:

give the users the right education on how to avoid opening and being subjected to certain attacks.

This is the only defense that you can count on to work. Everything else is in hope of catching someone when they do something stupid and saving their ass; parachutes have a reserve just in case, and that is what endpoint security software is for.


1 hour ago, Sprawlie said:

Don't worry, if this is a case where someone's desktop PC was infected and it managed to scan out to the network and spread that way, or at minimum lock / encrypt files on the fileserver, it's unlikely that Linux would have prevented this either.

It seems he didn't tell me if it was the entire OS or individual files that got encrypted. I just asked him, and he informed me that it was individual files, which means any end client could have caused this. To my knowledge every office computer and workshop floor computer has full read/write/execute privileges to the server's file share. There could be a rogue computer (infected) or, worse, a rogue employee.


4 hours ago, Windows7ge said:

It seems he didn't tell me if it was the entire OS or individual files that got encrypted. I just asked him, and he informed me that it was individual files, which means any end client could have caused this. To my knowledge every office computer and workshop floor computer has full read/write/execute privileges to the server's file share. There could be a rogue computer (infected) or, worse, a rogue employee.

Do you have backups?

 

Cryptolocker was probably at work here.

 

I'd personally not give the user any execute permissions on folders they can write to (so home dir).


16 hours ago, Electronics Wizardy said:

Do you have backups?

 

Cryptolocker was probably at work here.

 

I'd personally not give the user any execute permissions on folders they can write to (so home dir).

They do not.

 

My cousin is in the process of trying to figure out the cause/source.

 

Restricting access would be the best way to increase security. I don't think the network is on a domain. It really should be; it'd make managing user permissions much easier.

 

 


2 minutes ago, Windows7ge said:

They do not.

Make backups, then you can't lose data.

 

Putting stuff on a domain makes admining it much easier; I'd suggest it.


23 hours ago, Electronics Wizardy said:

Cryptolocker was probably at work here.

I got an update. He tells me it was a program called Globe, and as it turns out it wasn't just affecting the server; he found it on just about every workstation in the shop, and a few of the computers had encrypted system files.

 

Can a virus exist that is capable of having the qualities of a worm (infecting networks), self-replicating, and being ransomware all at once? I'd think with programming anything's possible.


Coming from someone who sees this about once a week, the usual way that a server is infected is via a connected client, as suggested. Aside from restricting permissions, there isn't much you can do about preventing a cryptolocker attacking shared network drives. It ultimately comes down to user training and preventative maintenance. Vigilance and education are the best ways to combat this.

 

Moving forward I'd look into the way backups are run and test those backups to ensure you can recover the data. Scheduled availability of shared containers is also a good security protocol to implement. For our clients that have a server > NAS > NAS replication, at least one of those NASes is scheduled offline at any one point to ensure that, in the worst case, an attack can't tunnel through.


10 minutes ago, Windspeed36 said:

Coming from someone who sees this about once a week, the usual way that a server is infected is via a connected client, as suggested. Aside from restricting permissions, there isn't much you can do about preventing a cryptolocker attacking shared network drives. It ultimately comes down to user training and preventative maintenance. Vigilance and education are the best ways to combat this.

 

Moving forward I'd look into the way backups are run and test those backups to ensure you can recover the data. Scheduled availability of shared containers is also a good security protocol to implement. For our clients that have a server > NAS > NAS replication, at least one of those NASes is scheduled offline at any one point to ensure that, in the worst case, an attack can't tunnel through.

My cousin discovered the affecting ransomware to be a program called Globe. It apparently didn't just affect the server; all the workstations in the office had the program on them, and a few systems had some encrypted system files.

 

Also, the manager at this office opened some ports on the router for no real good reason, so the attack could have been internal or external.


I always think it is best to just assume there is nothing you can do to stop it from happening. So while you should take precautions to secure the network, more time should be spent creating a disaster plan consisting of a lot of backups.

 

This also might be worth looking into, there has been lots of talk about it recently: https://ransomfree.cybereason.com/

 

Supposedly it predicts possible ransomware based on patterns and behavior.


18 minutes ago, Scheer said:

This also might be worth looking into, there has been lots of talk about it recently: https://ransomfree.cybereason.com/

I'll pass the message on in case he decides to want some dedicated ransomware active protection.


https://www.nomoreransom.org/decryption-tools.html

 

These tools may help you sort it; it's an inventory of 99% of the available tools for dealing with the 'type' of ransomware you are being affected by. Some of the really new variants don't have tools yet.

 

Regarding the way you got infected, if it's a file share then it was likely infected by a remote target. 99% of ransomware incidents occur due to people opening unsanctioned email on a remote desktop. If the end user running the unwanted ransomware executable had any access to the file server, it would have got nuked. I would be starting with revoking all access permissions for the file share and sorting permissions out for individual users; it's a really common mistake people make by handing out full permissions to everyone because they can't be arsed or go via the 'it won't happen to me'.

 

I would be checking every desktop in the company for malware, locking down file server permissions and doing a full sweep of any other devices attached to the network.  Implementing bans for personal laptops would be a good start too.
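An added example, not posted by anyone in the thread, covering both Electronics Wizardy's point about execute permissions on folders users can write to and Falconevo's point about full permissions handed out to everyone: a PowerShell audit of the NTFS ACL on share folders. The broad-principal list, the demo folder and the Get-SmbShare one-liner (Server 2012 R2 or newer) are assumptions; the script only reports and changes nothing on real shares.

```powershell
# Added example, not from the thread: audit NTFS permissions on share folders for the two
# conditions discussed above, a broad principal (Everyone, Users, Domain Users ...) that can
# write, and any principal that can both write and execute in the same folder.
# Audit only, nothing is changed; the demo folder at the end is constructed in %TEMP%
# so the script runs on any Windows box without a real share.

$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$WriteBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$ExecBit  = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-ShareAclFindings {
    param([Parameter(Mandatory)] [string[]] $Path)
    foreach ($folder in $Path) {
        $acl = Get-Acl -Path $folder
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights   = [int]$ace.FileSystemRights    # FullControl and Modify both include write + execute
            $who      = $ace.IdentityReference.Value
            $canWrite = ($rights -band $WriteBit) -ne 0
            $canExec  = ($rights -band $ExecBit)  -ne 0
            $isBroad  = ($BroadPrincipals -contains $who) -or ($who -like '*\Domain Users')
            if ($canWrite -and $isBroad) {
                [pscustomobject]@{ Folder = $folder; Identity = $who
                                   Finding = 'Broad principal can write'; Rights = $ace.FileSystemRights }
            }
            if ($canWrite -and $canExec) {
                [pscustomobject]@{ Folder = $folder; Identity = $who
                                   Finding = 'Write and execute on same folder'; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Constructed demo: a folder where Everyone was handed Modify, the "full permissions to
# everyone" mistake. Modify implies both WriteData and ExecuteFile, so both findings fire.
$demo = Join-Path $env:TEMP 'share-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$acl  = Get-Acl -Path $demo
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'Everyone', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $demo -AclObject $acl

Get-ShareAclFindings -Path $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force

# On a real file server (2012 R2 or newer), feed every share path into the same function:
# Get-ShareAclFindings -Path (Get-SmbShare | Where-Object Path | Select-Object -ExpandProperty Path)
```

A flagged entry is fixed by replacing Modify/FullControl with an explicit right set (read, write, delete, without ExecuteFile) granted to a named group rather than Everyone, which is the split Electronics Wizardy is asking for.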


I highly recommend installing Two Factor Authentication for RDP on all Windows boxes that are accessible from the outside world. Personally I use DuoSecurity for my servers and desktops, it's 100% free and extremely easy to install and implement. The Android app is really nice also.

-KuJoe


6 hours ago, Falconevo said:

Regarding the way you got infected, if it's a file share then it was likely infected by a remote target. 99% of ransomware incidents occur due to people opening unsanctioned email on a remote desktop. If the end user running the unwanted ransomware executable had any access to the file server, it would have got nuked. I would be starting with revoking all access permissions for the file share and sorting permissions out for individual users; it's a really common mistake people make by handing out full permissions to everyone because they can't be arsed or go via the 'it won't happen to me'.

 

I would be checking every desktop in the company for malware, locking down file server permissions and doing a full sweep of any other devices attached to the network.  Implementing bans for personal laptops would be a good start too.

The ransomware was discovered to be a program called Globe. My cousin has gone through the procedure of installing anti-virus, anti-malware, and now anti-ransomware on all the workstations. It appears that the ransomware was able to spread over the network because every system in the shop had it, and a few of them had encrypted system files. The server had encrypted files on it, but he didn't see the Globe program on the system, which leads me to believe the program accessed and encrypted data on the server but didn't install itself yet.

 

We're still speculating what the exact cause of this aggressive ransomware was. So far what seems most plausible is someone downloaded and ran something they shouldn't have on their computer. It then spread and installed over the network. My theory is it was some type of worm with a payload of ransomware. However, another theory is someone attacked the network externally, which might be true because a manager unintelligently opened a bunch of ports on the router for who knows what reasons, and any of the open ports may have pointed to the server.

 

Locking down user permissions and putting the network on a domain is a good step in the right direction that I'm going to propose the company take, because right now everybody is an admin with full read/write/execute permissions and the only thing keeping people off the computers is a login screen with a password, which I think is the computer's local account.


18 minutes ago, Windows7ge said:

The ransomware was discovered to be a program called Globe. My cousin has gone through the procedure of installing anti-virus, anti-malware, and now anti-ransomware on all the workstations. It appears that the ransomware was able to spread over the network because every system in the shop had it, and a few of them had encrypted system files. The server had encrypted files on it, but he didn't see the Globe program on the system, which leads me to believe the program accessed and encrypted data on the server but didn't install itself yet.

 

We're still speculating what the exact cause of this aggressive ransomware was. So far what seems most plausible is someone downloaded and ran something they shouldn't have on their computer. It then spread and installed over the network. My theory is it was some type of worm with a payload of ransomware. However, another theory is someone attacked the network externally, which might be true because a manager unintelligently opened a bunch of ports on the router for who knows what reasons, and any of the open ports may have pointed to the server.

 

Locking down user permissions and putting the network on a domain is a good step in the right direction that I'm going to propose the company take, because right now everybody is an admin with full read/write/execute permissions and the only thing keeping people off the computers is a login screen with a password, which I think is the computer's local account.

That's a good plan; start with domain management and permission lockdown. Users will have to go through pain, but it's for the best in the long run. Set people's expectations that this stuff is not easy to just 'shoehorn' into place and that their lack of diligence is what caused the change in the first place.

 

Anti-virus won't save you from cryptolocking/ransomware if the malware is run by an administrative user; it will just sit there and do nothing. I run some pretty hefty Intel/McAfee platforms and it really does not intervene at the stage where the malware has already triggered the request. The malware is certainly unwanted, but the request from the malware to the OS to start encryption is fully legitimate.

 

Here's some food for thought on what topics I would start with:

  • Educate users with brute force; hitting people round the head with an open palm is acceptable in my eyes
  • Create a domain and permission hierarchy (piss people off with complex passwords :P)
  • Disable macros within any Office-based application
  • Disable local administrator accounts for all users
  • Keep all operating systems and software up to date where possible
  • Revoke permissions where possible and be very strict on requested permissions (aka manager/MD sign-off for permissions)
  • Improve the mail filtering platform that users have access to
  • Utilize a proxy (Squid etc.) for local user internet access and lock down unwanted sites/services
  • Look into DNS-based filtering for malicious 3rd-party sites
  • Have backups of all the things :D

I have quite literally seen Cryptos wipe out a business that did not take their IT seriously, companies going completely bankrupt even after paying the ransom and not getting the correct decryption method. Always play it safe, consider every user as a serious security risk, and run the domain like an old age pensioner keeps footballs out of their front garden.
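An added example, not Falconevo's, showing how two items from the list above (disable Office macros, remove local administrator rights) can be applied on a single workstation with PowerShell. Assumptions: Office registry version 16.0 (Office 2016 and later), PowerShell 5.1 for the local-account cmdlets, an elevated prompt, and an approved-admins list you set yourself.

```powershell
# Added example, not from the thread: apply two items from the list above on one
# workstation. Assumptions: Office 2016/2019/365 (registry version 16.0), PowerShell 5.1
# for the LocalAccounts cmdlets, and an elevated prompt. Run with -WhatIf first to see
# what would change. The macro policy keys are per user, so once the domain exists the
# same values belong in a Group Policy rather than a script on each machine.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]] $ApprovedAdmins = @('Administrator'),   # accounts allowed to stay local admins (assumed)
    [string]   $OfficeVersion  = '16.0'
)

function Set-OfficeMacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Version)
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # Values under the Policies hive override anything the user picks in the Trust Center
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, 'disable VBA macros')) {
            New-Item -Path $key -Force | Out-Null
            # VBAWarnings: 1 = enable all, 2 = disable with notification,
            #              3 = signed only, 4 = disable all without notification
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
            # Block macros in files carrying the Mark of the Web (downloads, mail attachments)
            Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
        }
    }
}

function Remove-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $Approved)
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $shortName = $member.Name.Split('\')[-1]
        # Only user principals are touched; group memberships (e.g. Domain Admins) stay for review
        if ($member.ObjectClass -ne 'User' -or $Approved -contains $shortName) { continue }
        if ($PSCmdlet.ShouldProcess($member.Name, 'remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        }
    }
}

Set-OfficeMacroPolicy -Version $OfficeVersion
Remove-UnapprovedLocalAdmins -Approved $ApprovedAdmins
# Report what is left so the change can be verified
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```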


1 hour ago, Falconevo said:

That's a good plan; start with domain management and permission lockdown. Users will have to go through pain, but it's for the best in the long run. Set people's expectations that this stuff is not easy to just 'shoehorn' into place and that their lack of diligence is what caused the change in the first place.

 

Anti-virus won't save you from cryptolocking/ransomware if the malware is run by an administrative user; it will just sit there and do nothing. I run some pretty hefty Intel/McAfee platforms and it really does not intervene at the stage where the malware has already triggered the request. The malware is certainly unwanted, but the request from the malware to the OS to start encryption is fully legitimate.

 

Here's some food for thought on what topics I would start with:

  • Educate users with brute force; hitting people round the head with an open palm is acceptable in my eyes
  • Create a domain and permission hierarchy (piss people off with complex passwords :P)
  • Disable macros within any Office-based application
  • Disable local administrator accounts for all users
  • Keep all operating systems and software up to date where possible
  • Revoke permissions where possible and be very strict on requested permissions (aka manager/MD sign-off for permissions)
  • Improve the mail filtering platform that users have access to
  • Utilize a proxy (Squid etc.) for local user internet access and lock down unwanted sites/services
  • Look into DNS-based filtering for malicious 3rd-party sites
  • Have backups of all the things :D

I have quite literally seen Cryptos wipe out a business that did not take their IT seriously, companies going completely bankrupt even after paying the ransom and not getting the correct decryption method. Always play it safe, consider every user as a serious security risk, and run the domain like an old age pensioner keeps footballs out of their front garden.

I passed on all your recommendations to my cousin and he said he plans to implement some of them.

 

I'm curious. You mentioned macros in any Office-based program. Isn't that like shortcut keys? How can that be attacked and used against you?
