Ransomware in Windows Servers

(Dave Stewart) #1

We just had a fileserver get totally encrypted, even though we had fileshares on a D drive and the OS (2008R2) on C. I have never heard of a server OS getting encrypted unless a user was using its console or RDP session. No mapped drives, but there are some Line of business app services running that are cloud based.

Anyone had any similar experiences?

(Will Leuschen) #2

No, I haven’t had this happen yet, but like all OS servers are just as vulnerable as any other system. It could have ended up as a secondary infection from a user with access to the file shares. Or any user with access that had their credentials compromised. Worst case scenario is they used a powershell script on a compromised system with access.

It is for this reason I had started backing up the event logs from our servers. It can allow someone to narrow down the source of infection, since restoring a backup will just make all the footprints disappear.

(Kal Heet) #3

Make sure the File server is not accessible from outside . We say that in the past, where the server RDP was opened from public network.

Also check your firewall rules to make sure only the necessary ports are opened

(Collin) #4

Does that user have local admin rights to the server?
Is the C drive an open share on your network?

I’ve read about some variants being able to browse open shares not just mapped drives but haven’t witnessed any.
Locking down your shares and rights should fix this.

(Dave Stewart) #5

i always make sure shares are given, at most, modify perms to the group that consists of users that need access. I have two master admins I login to administer server with, no one else has admin rights. I have never heard of a virus that can ‘jump’ the share onto the OS.

But I have dealt with the software folks that developed the LOB app …they often like to give everyone full control to the folder with the share. Maybe a virus could exploit this?