Information Request for mitigating Ransomware attack
Currently, we have an active, ongoing attack by ransomware that we are trying to mitigate.
One server is already infected, and there are two other servers on which we are trying to stop the encryption process.
Is there anyone who has any information to mitigate this attack?
Appreciate your assistance in advance.
> One server is already infected, and there are two other servers on which we are trying to stop the encryption process.
Usually servers are not infected, per se, since working by locally logging in to a server computer is not recommended practice. What usually happens is:
- Server has public-net-visible remote access enabled with a weak password. Some hackers, usually from India, find it and they log in, install a legitimate crypto suite (so that no AV alert is generated), encrypt all the data and leave behind a ransom note. This victimization scenario is surprisingly frequent, e.g. in Hungary.
- A workstation used by an account with admin rights is infected with ransomware and it encrypts local drives, accessible network drives (including shares on the server) and cloud storage sites that have been forgotten in a logged-in state, as well as backups that haven't been removed and have remained online.
AFAIK, this is by far the most prevalent victimization scenario (and a competitor has already developed a fileserver-specific AV solution to protect against this kind of mishap).
- Rarely, a workstation is infected with a ransomware that can spread in a worm-like manner over the LAN and also infects the server OS. I think this is a rather rare occurrence, however.
Best Regards: Tamas Feher, Hungary.
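Added example, not part of either post above and not code from Tamas: a small Python triage scanner for the second scenario he describes, where an account on a workstation encrypts the shares on a file server. It walks a share and reports ransom notes, files that have gained a new extension (counted per extension), files whose content looks encrypted, and the directory written to most recently, which is where the encryptor is most likely working right now. The note-name pattern, the document-extension list and the entropy threshold are assumptions chosen for the example, and `build_demo_share()` creates a constructed sample tree in a temp directory rather than touching real data.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics for spotting files touched by an encrypting process. The note
# name pattern, the extension list and the entropy threshold are assumptions
# chosen for this example, not values from the thread above.
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore|recover|how.?to).*\.(txt|html?|hta)$", re.I)
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8.0
SAMPLE_BYTES = 4096       # only the head of each file is read, to keep the walk fast


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> dict:
    """Classify one file: ransom note, appended extension, content entropy."""
    suffixes = [s.lower() for s in path.suffixes]
    # "report.docx.locked": a known document extension followed by an unknown one
    appended = (
        len(suffixes) >= 2
        and suffixes[-2] in DOCUMENT_EXTS
        and suffixes[-1] not in DOCUMENT_EXTS
    )
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return {
        "path": str(path),
        "note": bool(RANSOM_NOTE_RE.search(path.name)),
        "appended_ext": suffixes[-1] if appended else None,
        "entropy": round(shannon_entropy(head), 2),
        "mtime": path.stat().st_mtime,
    }


def scan_share(root: str) -> dict:
    """Walk `root` and group findings the way an on-call responder wants them."""
    notes, appended, encrypted = [], [], []
    latest = None
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            info = classify(Path(dirpath) / name)
            if info["note"]:
                notes.append(info["path"])
            if info["appended_ext"]:
                appended.append(info)
            if info["entropy"] >= ENTROPY_THRESHOLD:
                encrypted.append(info)
            # track the most recently modified suspicious file: that directory
            # is where the encryptor is probably active at this moment
            if info["appended_ext"] or info["entropy"] >= ENTROPY_THRESHOLD:
                if latest is None or info["mtime"] > latest["mtime"]:
                    latest = info
    return {
        "ransom_notes": sorted(notes),
        "appended_extensions": Counter(i["appended_ext"] for i in appended),
        "encrypted_files": sorted(i["path"] for i in encrypted),
        "hot_directory": str(Path(latest["path"]).parent) if latest else None,
    }


def build_demo_share(base: str = "") -> str:
    """Constructed sample share (not real victim data): two intact documents,
    two files an encryptor has rewritten and renamed, and one ransom note."""
    root = Path(base) if base else Path(tempfile.mkdtemp(prefix="share-"))
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "hr").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "report.docx").write_bytes(b"Quarterly figures, plain text body.\n" * 50)
    (root / "finance" / "notes.txt").write_bytes(b"meeting notes, nothing unusual\n" * 40)
    (root / "finance" / "q3.xlsx.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "hr" / "photo.jpg.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "hr" / "README_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover.\n")
    return str(root)


if __name__ == "__main__":
    from pprint import pprint
    pprint(scan_share(build_demo_share()))
```

Point `scan_share()` at the root of the affected share on the two servers that are still being written to. The `hot_directory` entry and the owner of the newest renamed files (the file owner from the OS, e.g. `Get-Acl` on Windows) identify the session and account doing the writing; that session is what to kill, and that account and the share are what to disable, before any cleanup. The scanner only reports; it does not stop the encryption itself.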