What I Did During and After a Ransomware Attack

in GEMS, 2 years ago (edited)

[Image: A message asking for a ransom]

It was a wonderful morning when I found out that one of our Windows servers was under a ransomware attack. I immediately knew that it was a ransomware attack because the files that were already encrypted had .banjo in their filenames.

Here's the chronology of events and what I did during and after the attack:

  1. I found out about the attack while it was still ongoing. I immediately unplugged the network connection of the server. I disabled all enabled ports on our Cisco router, including Remote Desktop Protocol, VPN, and FTP. At this time only the SQL databases and the SQL backup databases were encrypted. Files in the documents folder, downloads, and desktop were all untouched. During this time there was no message asking for a ransom since the encryption was still ongoing. I did not panic because I knew that the server had a daily automatic backup and those backups were being sent automatically to another uncompromised computer (an on-site and off-site backup is also available).

  2. I left the computer turned on and called my superior to report that one of our servers was infected by Phobos ransomware (.banjo). After I ended the call, a message asking for a ransom in bitcoin was displayed on the desktop of the server. At this time all of the important files on the server were encrypted.

  3. I momentarily checked the server so that I could see what a computer that fell victim to ransomware looks like, then I shut down the computer.

[Image: Some encrypted files with .banjo in their file name]

What I did next

I never entertained the idea of decrypting the files and removing Phobos since I knew that reformatting is faster and safer (to me at least).

  1. I downloaded the latest Windows Server and SQL Server installers (ISO) since the installers in my possession were about a year and a half old. The download took about 3 minutes to finish.

  2. I saved the Windows Server ISO on a newly formatted USB flash drive, turned on the server, then reformatted the server by way of Intelligent Provisioning. The reformat took about 15 minutes to finish.

  3. I installed SQL Server. The installation took less than 5 minutes to finish.

  4. I restored all the databases from the backup. The restoration took less than 5 minutes to finish.

  5. I configured the security and connectivity settings of Windows and SQL to make sure that the server was secured and that all of the current clients could connect automatically once I connected the server to the network. The configuration process took about 10 minutes.

  6. Finally, on a separate computer I downloaded an antivirus application, put it on a USB flash drive, then installed it on the server and activated it with our current license. This is the safest way to install antivirus on a server without connecting it to the internet. The antivirus installation took about 3 minutes.

  7. I connected the server to the network.

  8. It's done.

[Image: An app used by the attacker]

43 Minutes

It took me more than forty minutes to get the server up and running again.

Backup Automation Saves the Day

If you visit the website "The Hacker News" and subscribe to their daily news updates, you will be surprised that almost every day vulnerabilities are being discovered on Windows machines. Linux, Android and Mac are not exempted.

With that said, one of the most effective ways of mitigating a ransomware attack is to have a backup of your data. If you can do an automated backup process, much better. Another layer of security is to have an off-site backup.
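
A minimal check for the machine that receives the backups, as an added example that is not part of the original post: it reports when the newest backup is stale or empty, or when files in the folder carry an unexpected extension such as .banjo. The `.bak` extension, the 26-hour threshold and the sample file names are assumptions made for the example.

```python
import os
import tempfile
import time

MAX_AGE_HOURS = 26            # assumed: daily backup plus a little slack
EXPECTED_EXTS = {".bak"}      # assumed: SQL Server backup files


def check_backup_dir(path, now=None, max_age_hours=MAX_AGE_HOURS):
    """Return a list of problems found in a backup destination folder."""
    now = time.time() if now is None else now
    problems, newest = [], None
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED_EXTS:
                # e.g. a backup renamed with an extra extension like ".banjo"
                problems.append(f"unexpected file type: {full}")
                continue
            st = os.stat(full)
            if st.st_size == 0:
                problems.append(f"empty backup: {full}")
                continue
            newest = st.st_mtime if newest is None else max(newest, st.st_mtime)
    if newest is None:
        problems.append("no usable backup found")
    elif now - newest > max_age_hours * 3600:
        hours = (now - newest) / 3600
        problems.append(f"newest backup is {hours:.0f} hours old")
    return problems


def demo():
    """Build a constructed sample folder and run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sales_monday.bak")
        with open(good, "wb") as f:
            f.write(b"constructed sample data")
        two_days_ago = time.time() - 48 * 3600
        os.utime(good, (two_days_ago, two_days_ago))
        # Constructed name imitating a file renamed with the .banjo extension
        with open(os.path.join(d, "sales_tuesday.bak.banjo"), "wb") as f:
            f.write(b"constructed sample data")
        return check_backup_dir(d)


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

Run on a schedule against the backup folder, any returned line is a reason to look at the backup job before the backups are actually needed.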

How the Attack Happened

Most ransomware is commonly spread through phishing emails. Occasionally, hackers do targeted attacks.

In our case I think it's the latter. I think the hackers got hold of one of our remote connectivity usernames and passwords through a compromised computer outside of our network (a computer that connects to our network from the outside).

Additional security I put in place after the Attack:

  • No more automated remote login (from outside of the network).
  • No active remote connection is enabled or installed on any computers.
  • Remote users need to call me by phone before I grant them remote access.
  • Remote connections and remote applications are only installed when needed or requested by remote users.



I am an I.T. professional (Computer Engineer) working in a private company, a blogger, a father, and a husband.

