Quote:
Originally Posted by trusso11783
My friend’s business was hit by ransomware. Every file on the server had a long extension added to it. Removing the extension did not make the file usable, so they must be encrypted. He isn’t going to pay, and he has a recent backup of everything. I provided him with a new server, with a different name and IP address. I restored the QuickBooks company file to the new server. When I tried to open that file from his computer, the file on his server immediately had the long extension added to it. How did that happen? The file is good because I installed AB on my laptop and opened it locally, and the data is there. I just cannot open it from their current computers when it is located on a new server. There must be something on their computers (maybe a Trojan horse). Has anyone experienced this before?
The issue is that the bolded part is just the result (or one of the results) of said attack. Unless you've done the investigation and determined the attack vector/kill chain, simply restoring the server may not have actually removed the threat.
You may need to bring in a security expert, and one that is experienced with handling security incidents. Unfortunately, the success of any investigation depends on the logs/data available to trace back the attack. If you don't have anything to go by, you'll likely have to assume that anything that can be compromised has been compromised and work from there. That could mean having to rebuild not only the server, but also all workstations and any other servers that exist.