Sunday I got up and was looking for a file I had been working on. Looking through the directory, I started noticing a lot of .RZN files. Thinking that was a bit odd, I kept looking, but when I saw them all over, I realized something was very wrong.
First, I thought the only exposed server that was likely susceptible was a terminal server that was exposed but that I hadn't been using over the past few months. I jumped over to that server and saw it too was cryptolocked, with ransom notes all over. I took the server off the network and closed the ports used by it on the firewall.
On my file server, I found a suspicious file "4004.exe" and killed and removed it. Initially it looked like I could still pull previous versions, and I had started recovering one of the file systems from the previous version. This only lasted about 5 min; then, all of a sudden, all previous versions were removed on every volume. Oh well, I did get some stuff back, but what I got wasn't really the important stuff.
I moved on to the backup server to see if I could just restore the data from there. Upon connecting, I found this server had been hit also, and what made it worse, the ransomware app had formatted all the USB disks I had been backing up to. Any chance of a fast recovery was out.
I was glad I also do an online backup. Going to that, I found just about everything was backed up to it! After rebuilding a new server, I kicked off a restore from that, fearing that recovery would be slow like the time I had done something similar to restore data to a server in Costa Rica. At least so far I've done well: the Costa Rica server took about a month to recover 300G; I'm at a little over 1T recovered in about a day and a half.
Overall, I'm almost back to normal, though I have some thoughts about it and what I could have done better.
- I should have kept the RDP host updated, or just shut it down. Big mistake there.
- The other servers that got hit also should have been updated a bit more often.
- Though I had good local backups, the offsite or online backup saved me from total loss or from needing to pay the ransom.
- I was also thankful that the issue was isolated within a single VLAN and didn't spread to the other networks.
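The first sign in this incident was a file share suddenly full of files with one unfamiliar extension. The script below is an added example (it is not the author's code or tooling) of the quick triage check a practitioner would want to run against a share the moment that happens: walk the tree, count files per extension, and flag the share when a suspect extension accounts for an unusual share of the files or when file contents look encrypted (near 8 bits/byte of entropy). The only detail taken from the post is the `.RZN` extension; the ratio and entropy thresholds are assumptions, and the sample share it scans is constructed in a temporary directory so the script runs offline.

```python
"""Quick triage scan for ransomware-style mass renames on a file share.

Added example; not from the original post. The only fact taken from the post is
the .RZN extension the author found everywhere; the sample share is constructed
inline so the script runs offline.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension observed in the incident described in the post; add others as needed.
SUSPECT_EXTENSIONS = {".rzn"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, sample_size: int = 4096, threshold: float = 7.0) -> bool:
    """Read the first sample_size bytes and flag high-entropy content (threshold is an assumption)."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= threshold


def scan_share(root: str, suspect_exts=SUSPECT_EXTENSIONS,
               ratio_threshold: float = 0.2, min_files: int = 5) -> dict:
    """Walk root, count files per extension, and flag suspect and high-entropy files.

    'alert' is set when the tree holds at least min_files files and the suspect
    extensions make up ratio_threshold or more of them (an assumed cut-off; a
    healthy share rarely has 20 percent of its files under one unknown extension).
    """
    ext_counts = Counter()
    suspect_paths = []
    high_entropy = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = Path(name).suffix.lower()
            ext_counts[ext] += 1
            if ext in suspect_exts:
                suspect_paths.append(path)
            if looks_encrypted(path):
                high_entropy += 1
    total = sum(ext_counts.values())
    suspect = len(suspect_paths)
    ratio = suspect / total if total else 0.0
    return {
        "total_files": total,
        "suspect_files": suspect,
        "suspect_ratio": ratio,
        "high_entropy_files": high_entropy,
        "alert": total >= min_files and ratio >= ratio_threshold,
        "top_extensions": ext_counts.most_common(5),
        "sample_paths": sorted(suspect_paths)[:10],
    }


def build_sample_share(encrypted: int = 6, clean: int = 4) -> str:
    """Constructed test data: a tiny share with `clean` intact documents and
    `encrypted` documents replaced by random bytes with .RZN appended to the name,
    mirroring what the post describes. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="share_")
    docs = Path(root, "docs")
    docs.mkdir()
    for i in range(clean):
        (docs / f"report{i}.docx").write_bytes(b"PK\x03\x04" + b"fake docx body " * 40)
    for i in range(clean, clean + encrypted):
        (docs / f"report{i}.docx.RZN").write_bytes(os.urandom(4096))
    (docs / "README.txt").write_text("plain notes\n")
    return root


if __name__ == "__main__":
    report = scan_share(build_sample_share())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real share root instead of the constructed one; a rising `high_entropy_files` count with no matching suspect extension is the case worth watching too, since not every family renames what it encrypts. None of this replaces the fixes the list above names (patching or retiring the exposed RDP host, offline and offsite copies that an attacker on the LAN cannot reach), it only shortens the time between the first odd file and pulling the cable.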