Posted by trusso11783, 06-15-2019, 06:00 AM
My friend's business was hit by ransomware. Every file on the server had a long extension added to it. Removing the extension did not make the files usable, so they must be encrypted. He isn't going to pay, and he has a recent backup of everything. I provided him with a new server with a different name and IP address. I restored the QuickBooks company file to the new server. When I tried to open that file from his computer, the file on his server immediately had the long extension added to it. How did that happen? The file is good, because I installed AB on my laptop and opened it locally, and the data is there. I just cannot open it from their current computers when it is located on a new server. There must be something on their computers (maybe a Trojan horse). Has anyone experienced this before?
Posted 06-15-2019, 08:46 AM (Location: Florida)
My guess is you have to reformat the disk on the original computer and rebuild it. If it is running Windows, you might be able to download the software and call Microsoft for the key number.

You might have moved the virus to the server, so I would also check that the server is OK for other files.
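The first post infers encryption from the fact that stripping the appended extension does not make the files usable, and the reply above suggests checking that the new server is clean for other files. The script below is an added example, not code posted by anyone in this thread, that turns both of those into a repeatable check over a share: it looks for a suffix appended after a known extension, confirms whether the content still starts with the magic bytes that extension implies, and measures Shannon entropy, since ciphertext looks uniformly random while a merely renamed file keeps its original header. The sample files it triages are constructed inline (the ".a1b2c3d4e5f6a7b8" suffix is an invented stand-in, not the extension from the post), and the magic-byte table covers only a few common formats; add the types on your own share before relying on it.

```python
"""Triage a restored file share for ransomware damage.

Two checks per file: (1) does the name carry an extra, unknown suffix appended
after a known extension, and (2) does the content still begin with the magic
bytes that extension implies, and how random does it look. A file that was
only renamed keeps its magic bytes; an encrypted one loses them and its bytes
sit near 8 bits/byte of entropy.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes for a few common types (assumed subset; extend for your share).
# Office files (.docx/.xlsx) are ZIP containers, so they share the ZIP signature.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
HIGH_ENTROPY = 7.5  # bits/byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated byte, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_name(name: str):
    """Return (known extension, appended suffix or None).

    'invoice.pdf.a1b2c3d4e5f6a7b8' -> ('.pdf', '.a1b2c3d4e5f6a7b8')
    'report.pdf'                   -> ('.pdf', None)
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    for i in range(len(suffixes) - 1, -1, -1):
        if suffixes[i] in MAGIC:
            return suffixes[i], ("".join(suffixes[i + 1:]) or None)
    return None, None


def classify(path: Path) -> dict:
    """Classify one file as OK, RENAMED_ONLY, ENCRYPTED_LIKELY, SUSPECT or UNKNOWN."""
    data = path.read_bytes()[:65536]  # the first 64 KiB is enough for both checks
    ext, appended = split_name(path.name)
    entropy = shannon_entropy(data)
    magic_ok = data.startswith(MAGIC[ext]) if ext else None

    if appended and magic_ok:
        verdict = "RENAMED_ONLY"       # stripping the suffix would recover it
    elif appended:
        verdict = "ENCRYPTED_LIKELY"   # renamed and the header is gone
    elif magic_ok:
        verdict = "OK"
    elif ext and entropy >= HIGH_ENTROPY:
        verdict = "SUSPECT"            # known type, no header, random content
    else:
        verdict = "UNKNOWN"            # no signature to compare against
    return {"file": path.name, "ext": ext, "appended": appended,
            "magic_ok": magic_ok, "entropy": round(entropy, 2), "verdict": verdict}


def scan(root: Path) -> dict:
    """Walk a share, print one line per file, and return {filename: verdict}."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            r = classify(p)
            results[r["file"]] = r["verdict"]
            print(f"{r['verdict']:<17} entropy={r['entropy']:<5} {r['file']}")
    return results


def make_samples(root: Path) -> None:
    """Constructed sample share: one clean file, one renamed, one encrypted."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"Quarterly totals...\n" * 200)
    # Header intact under the bogus suffix: high entropy but NOT encrypted.
    (root / "photo.png.a1b2c3d4e5f6a7b8").write_bytes(MAGIC[".png"] + bytes(range(256)) * 8)
    # Header gone, random bytes: what an encrypted file looks like.
    (root / "invoice.pdf.a1b2c3d4e5f6a7b8").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(4096)))


def demo() -> dict:
    """Build the constructed sample share in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(Path(tmp))
        return scan(Path(tmp))


if __name__ == "__main__":
    demo()
```

Run it against the restored share (replace the temp dir in demo() with the share's mount point) before letting any workstation reconnect, and again after the workstations have been on it for a while; a file that flips from OK to ENCRYPTED_LIKELY pins down which client is still running the ransomware. Note that the entropy test on its own would flag compressed formats such as PNG or DOCX, which is why the verdict leans on the magic bytes first.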
Posted 06-15-2019, 10:43 AM (Location: Sweet Home Chicago!)
Sounds like their computers are infected. Are they running anti-virus software, and have you scanned them with Malwarebytes or similar?
Posted 06-15-2019, 08:58 PM
I'm no security expert, but if it were me I'm going to hit it with a sledgehammer and set up the network and computers from scratch. Reset the router(s) and reflash with the latest version, reinstall Windows on every machine, and be sure to understand the security implications of anything you are enabling, such as whether the machines are set up for remote access from outside the network. Carefully migrate any data from the backups.
Posted 06-16-2019, 07:58 AM (Location: The DMV)
Quote:
Originally Posted by trusso11783
My friend's business was hit by ransomware. Every file on the server had a long extension added to it. Removing the extension did not make the files usable, so they must be encrypted. He isn't going to pay, and he has a recent backup of everything. I provided him with a new server with a different name and IP address. I restored the QuickBooks company file to the new server. When I tried to open that file from his computer, the file on his server immediately had the long extension added to it. How did that happen? The file is good, because I installed AB on my laptop and opened it locally, and the data is there. I just cannot open it from their current computers when it is located on a new server. There must be something on their computers (maybe a Trojan horse). Has anyone experienced this before?
The issue is that the bolded part is just the result (or one of the results) of said attack. Unless you've done the investigation and determined the attack vector/kill chain, simply restoring the server may not have actually removed the threat.

You may need to bring in a security expert - and one that is experienced with handling security incidents. Unfortunately, the success of any investigation is based on the logs/data available to trace back to the attack. If you don't have anything to go by, you'll likely have to assume anything that can be compromised has been compromised and work from there. Which could mean having to rebuild not only the server, but also all workstations and any other servers that exist.
© 2005-2024, Advameg, Inc.