Spent the last few days recovering from a nasty ransomware attack (22-07-16)

One of my customers was affected by a locker ransomware (vegclass@aol.com.xtbl).

It was reported that a strange user had logged in to their server and affected their Windows Server 2003 machine, which was their domain server. It then started encrypting all their files. The files on the other computers were also affected, and it even started affecting files on the Windows Server 2008 R2 machine. A lot of the shared folders were infected too, as were the installer files on the ASUSTOR NAS that was linked to the domain. Even though the server was affected by the ransomware, normal operations for the ERP system were able to proceed, because the SQL Server seemed to be functioning as usual.

First the 2003 server was switched off, because I didn't want it to affect the other computers. Since my client said there wasn't anything important on the domain server, we decided to just reformat it. The problem was that it wouldn't boot: not from a bootable USB stick, not from the CD-ROM, and not from a USB CD-ROM either. So we decided to install a new domain server on the VMware ESXi host, using Windows Server 2012 as the new domain controller.

After installing the domain on the new domain server, we had created a new forest, so the trust between the different computers and the domain had to be re-established. The IT staff my client had assigned to me had to go to every staff PC and rejoin it to the new domain. We then noticed that after joining the new domain, the PCs created new user profiles for the users, so the files from the old profile had to be transferred to the new domain account. With so many PCs and so much work, I wondered whether we could simply have rejoined the existing domain with the new domain controller instead.

After that we tried to back up the SQL Server. We installed Microsoft SQL Server Management Studio on another computer, connected to the server we wanted to restore, and tried to back up using the preset backup plans. Management Studio seems to support two ways of backing up a database: to a local drive on the computer, or to a network drive. We couldn't connect to the network drive; it kept failing. We first thought the domain services were affecting the shares, so we switched the 2003 server back on. Then it started infecting more files on the Windows Server 2008 R2 machine, so we switched it off again. After that we tried another method: a different piece of software, SQLBackupAndFTP. I tried to back up the database from a remote computer. It gave a warning about backing up remotely from another computer, and I waited for the backup to complete. I will get back to this later.

Since there seemed to be no way to recover using Management Studio from another computer, we tried yet another method: reinstalling Management Studio on the server we were trying to recover. Even though another version of Management Studio was already installed on that server, the new one installed without problems. I ran the newer version on the server, attached an external HDD, and started the preset backup plans. It still didn't work; the preset backup plans seemed doomed to fail. Then we tried backing up the databases one by one to the external storage, and that worked. Once all the databases had been backed up one by one from the server infected with the ransomware, the backup started by SQLBackupAndFTP had also just about completed. According to the log it took around 6 hours and produced 1400+ .sql files; the database it was backing up is around 80 GB.

After the backup, we cloned the old image of the server back onto the server and then restored the databases one by one. We had to click Replace on some of the databases when a warning prompted.
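The one-by-one approach that finally worked can be scripted instead of clicked through in Management Studio. The T-SQL below is an added example, not code from the original post or from SQLBackupAndFTP: it loops over every user database, backs each one up to the attached drive in its own BACKUP statement, verifies the file, and then shows the restore with REPLACE that the warning in Management Studio corresponds to. The backup folder E:\SQLBackup\, the database name ERP, its logical file names and the data/log paths are all assumptions for illustration.

```sql
-- Added example (not from the original post). Run on the SQL Server being recovered.
-- Assumption: the external HDD is attached as E: and E:\SQLBackup\ exists.
SET NOCOUNT ON;

DECLARE @name sysname,
        @file nvarchar(400),
        @sql  nvarchar(max);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4           -- skip master, model, msdb, tempdb
      AND state_desc = 'ONLINE';    -- an offline or suspect database would abort the loop

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @name;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- One file per database, dated, so a second run does not overwrite the first.
    SET @file = N'E:\SQLBackup\' + @name + N'_'
              + CONVERT(nvarchar(8), GETDATE(), 112) + N'.bak';

    -- One BACKUP per database: a failure on one database does not stop the
    -- others, unlike a maintenance plan that fails as a whole.
    SET @sql = N'BACKUP DATABASE ' + QUOTENAME(@name)
             + N' TO DISK = N''' + REPLACE(@file, N'''', N'''''') + N''''
             + N' WITH INIT, CHECKSUM, STATS = 10;';
    BEGIN TRY
        EXEC sys.sp_executesql @sql;

        -- Prove the .bak is readable before relying on it as the only copy.
        SET @sql = N'RESTORE VERIFYONLY FROM DISK = N'''
                 + REPLACE(@file, N'''', N'''''') + N''' WITH CHECKSUM;';
        EXEC sys.sp_executesql @sql;

        PRINT N'OK      ' + @name + N' -> ' + @file;
    END TRY
    BEGIN CATCH
        PRINT N'FAILED  ' + @name + N': ' + ERROR_MESSAGE();
    END CATCH

    FETCH NEXT FROM db_cur INTO @name;
END

CLOSE db_cur;
DEALLOCATE db_cur;
GO

-- On the rebuilt server: restore one database from its .bak file.
-- Assumptions: database ERP, logical file names ERP and ERP_log, target paths D:\ and L:\.
-- FILELISTONLY shows the real logical names to use in the MOVE clauses.
RESTORE FILELISTONLY FROM DISK = N'E:\SQLBackup\ERP_20160722.bak';
GO

-- WITH REPLACE is the scripted equivalent of clicking Replace on the warning:
-- it overwrites an existing database of the same name without a tail-log backup.
-- WITH MOVE relocates the data and log files when the drive layout differs.
RESTORE DATABASE [ERP]
    FROM DISK = N'E:\SQLBackup\ERP_20160722.bak'
    WITH REPLACE, CHECKSUM, RECOVERY,
         MOVE N'ERP'     TO N'D:\SQLData\ERP.mdf',
         MOVE N'ERP_log' TO N'L:\SQLLog\ERP_log.ldf';
GO
```

Back up to a drive the compromised domain account cannot reach (a locally attached disk rather than a domain share), and keep the ransomware's host powered off while the backup runs; the post's experience of the 2003 server re-infecting the 2008 R2 shares as soon as it was switched back on is the reason.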
