[SOLVED] Server hit by ransomware...how did it get there?

whitenack

Distinguished
Jun 26, 2012
Hi all,
We got hit by a ransomware attack yesterday morning. From what I can tell, it only affected our server, not any of our workstations. We have a backup, so I am working on that. But the question I have is how it got there and how to prevent it from happening again.

Since it showed up on the server and not any of the workstations, does this mean that the attacker was able to access our server directly (as opposed to a workstation accidentally clicking on an email or downloading a virus file)?

If so, is there any way to find out how they were able to do that? Do I have an open port somewhere? What can I do to prevent it from happening again?
 

Wolfshadw

Titan
Moderator
Since it showed up on the server and not any of the workstations, does this mean that the attacker was able to access our server directly (as opposed to a workstation accidentally clicking on an email or downloading a virus file)?

No. The ransomware could have been written to spread throughout the accessible network, looking for a specific service running on a computer, typically something specifically running on the server that was hit. Once it finds that service, it executes the attack on that system.

What can I do to prevent it from happening again?

Aside from locking down the network (no open ports, no Internet access, disable all USB ports, floppy drives, CD/DVD-ROM drives, and card readers) there isn't much you can do to prevent this type of thing happening. All you can do is what you're doing right now. Have a ready, available, and up-to-date backup (Kudos to you for that!) for just these occasions.

-Wolf sends
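Wolfshadw's point that the encryption can be driven from a workstation while only the server's files end up touched suggests where to look for the answer to "how did it get there": the server's own file-access audit log. The script below is an added example (not code from this thread or from any poster) that parses audit lines in an assumed format, groups rename events by user and source host, and flags any source that renamed many files to a new suffix within a short window. The sample log, its format, the `.locked` suffix and the threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the thread): one file-server event per line,
# in an assumed "timestamp user= host= op= path= [new=]" format.
SAMPLE_LOG = """\
2024-05-01T08:12:00 user=bob host=WS-03 op=READ path=/shares/hr/policy.docx
2024-05-01T08:12:01 user=alice host=WS-07 op=READ path=/shares/finance/Q1.xlsx
2024-05-01T08:12:02 user=alice host=WS-07 op=RENAME path=/shares/finance/Q1.xlsx new=/shares/finance/Q1.xlsx.locked
2024-05-01T08:12:02 user=alice host=WS-07 op=RENAME path=/shares/finance/Q2.xlsx new=/shares/finance/Q2.xlsx.locked
2024-05-01T08:12:03 user=alice host=WS-07 op=RENAME path=/shares/finance/budget.docx new=/shares/finance/budget.docx.locked
2024-05-01T08:12:03 user=alice host=WS-07 op=WRITE path=/shares/finance/README_RESTORE.txt
2024-05-01T08:12:04 user=alice host=WS-07 op=RENAME path=/shares/finance/payroll.csv new=/shares/finance/payroll.csv.locked
2024-05-01T08:12:05 user=alice host=WS-07 op=RENAME path=/shares/finance/notes.txt new=/shares/finance/notes.txt.locked
2024-05-01T08:12:06 user=alice host=WS-07 op=RENAME path=/shares/finance/plan.pptx new=/shares/finance/plan.pptx.locked
2024-05-01T08:30:00 user=bob host=WS-03 op=RENAME path=/shares/hr/draft.docx new=/shares/hr/policy_v2.docx
2024-05-01T09:45:00 user=bob host=WS-03 op=RENAME path=/shares/hr/old.xlsx new=/shares/hr/old.xlsx.bak
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_events(log_text):
    """Parse audit lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_extension_append(old, new):
    """True when the rename keeps the original name and only appends a new suffix,
    the pattern typical of encryption-in-place rather than an ordinary rename."""
    return new.startswith(old + ".") and len(new) > len(old) + 1


def find_mass_renames(log_text, window_seconds=60, threshold=5):
    """Return {(user, host): (max_count, added_suffixes)} for every source that
    performed at least `threshold` suffix-appending renames inside any
    `window_seconds` span. The (user, host) key is the lead: it names the
    account and workstation that drove the encryption."""
    per_source = defaultdict(list)
    for ev in parse_events(log_text):
        if ev["op"] == "RENAME" and ev["new"] and is_extension_append(ev["path"], ev["new"]):
            suffix = ev["new"][len(ev["path"]):]
            per_source[(ev["user"], ev["host"])].append((ev["ts"], suffix))

    alerts = {}
    for source, items in per_source.items():
        items.sort()
        best, start = 0, 0
        # Sliding window over the sorted timestamps: widest run within window_seconds.
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[source] = (best, sorted({suffix for _, suffix in items}))
    return alerts


if __name__ == "__main__":
    for (user, host), (count, suffixes) in find_mass_renames(SAMPLE_LOG).items():
        print(f"ALERT {user}@{host}: {count} renames in a 60s window, new suffixes: {suffixes}")
```

On a real server the input would be the file-share audit trail (Windows object-access auditing or Samba's full_audit log, reformatted to the assumed line shape); the single bulk rename by bob stays below the threshold, while the burst from alice's workstation is reported, which is the kind of evidence that tells you which machine to pull off the network and examine.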
 
You need to think about the 'attack vector', i.e. how did it get in your network--Internet, physical media, guest wifi? Then you can work on locking down that vector better.

One of the things that has increased many times since the pandemic is these types of attacks from China and Russia (cyberwar 1-2 punch follow-up on the biowarfare 'pandemic' component). Geoblocking your Internet access directly from your ISP can help tremendously with thwarting these attempts.

Also, don't use VLANs on critical separations--physically separate them--it has been proven that you can craft packets that can get between VLANs, and while it's not been revealed by security experts in the wild atm, I have no doubt that such exploits could be utilized by the enemy.

Also, disconnect or block Internet access for devices that don't need it. If it's a once-a-year firmware update, let it have access once a year, not 24x7.

Locking out all physical media can restrict certain communications, but it also prevents things like this from happening. Also, a USB port being used for personal cell phone charging is a HUGE attack vector that is very often used. Our POS vendor was telling me about a credit card breach that started that way.

Compute safe! It's a terrible world out there!
 
Solution
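The original question "Do I have an open port somewhere?" and the advice above to cut Internet access for anything that does not need it both start from the same inventory: what is the server actually listening on, and on which interfaces. The script below is an added example, not from the thread or any poster, that parses output in the shape of Linux `ss -tulpn` (the sample block is constructed, not output from the poster's server), ignores services bound only to loopback, and reports every listener bound to all interfaces that is not in an expected-listener allowlist. The allowlist contents are an assumption to be replaced with the server's real role.

```python
import re

# Constructed sample in the shape of `ss -tulpn` on a Linux server (not real output).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1200,fd=6))
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1310,fd=40))
tcp   LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1402,fd=11))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))
"""

# Assumed allowlist of (protocol, port) pairs this server is meant to expose to the LAN.
# Fill it from the server's actual role; everything else on a non-loopback address is reported.
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 445)}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*(?P<proc>.*)$"
)
PROC_RE = re.compile(r'"([^"]+)"')  # process name inside users:(("name",pid=...))

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
ANY = {"0.0.0.0", "*", "::", "[::]"}


def split_local(local):
    """Split 'addr:port' into (addr, port); works for '[::]:22' and '*:22' too."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def scope(host):
    """Classify the bind address: loopback-only, every interface, or one specific address."""
    if host in LOOPBACK:
        return "loopback"
    if host in ANY:
        return "all-interfaces"
    return "specific"


def parse_ss(text):
    """Parse ss-style lines into listener dicts; the header and unrelated lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, port = split_local(m.group("local"))
        procs = PROC_RE.findall(m.group("proc"))
        listeners.append({"proto": m.group("proto"), "host": host, "port": port,
                          "process": procs[0] if procs else "?"})
    return listeners


def find_unexpected_listeners(text, expected):
    """Return sorted (proto, port, process, scope) for listeners that are reachable
    from the network (not loopback) and not in the expected allowlist."""
    found = set()
    for s in parse_ss(text):
        sc = scope(s["host"])
        if sc == "loopback" or (s["proto"], s["port"]) in expected:
            continue
        found.add((s["proto"], s["port"], s["process"], sc))
    return sorted(found)


if __name__ == "__main__":
    for proto, port, process, sc in find_unexpected_listeners(SAMPLE_SS_OUTPUT, EXPECTED_LISTENERS):
        print(f"UNEXPECTED {proto}/{port} ({process}) bound to {sc}")
```

To audit a live Linux server, run `ss -tulpn` as root and feed its output to `find_unexpected_listeners`. Anything it reports is a candidate to stop, bind to loopback, or block at the firewall, and the reduced list is what you then allow through the perimeter, which is the practical form of the "only what needs it" rule in the post above. On a Windows server the equivalent inventory comes from `netstat -ano` or `Get-NetTCPConnection -State Listen`, with the same loopback-versus-all-interfaces question.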