Beeeater Posted February 20, 2019 ID:1299687 Share Posted February 20, 2019 Not sure if this is the appropriate forum but as close as I could find. My Windows 2012 server was taken out by ransomware despite having a Malwarebytes Premium account as well as Symantec Endpoint protection. Three hard drives full of data completely trashed. I cannot understand how this could happen? As a clue - I was informed of Windows Updates in the usual way, and I downloaded and installed them. I was told the PC needed to be restarted but I could not do this immediately as users were working so I left it in this state for about five hours. When I did restart, the system was trashed. I am wondering whether I was somehow duped into installing false Windows updates or if the delay between installing and restarting had anything to do with it? Would appreciate feedback as this is extremely concerning. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 26, 2019 Root Admin ID:1300845 Share Posted February 26, 2019 (edited) Hello @Beeeater and Very sorry for the delay as I was out on vacation and many of the other helpers here don't perform Server support. After the fact is very difficult to tell how it happened without potentially having imaged the server to do forensic analysis. Typically forensic analysis is very costly or used in criminal cases. If the server is still running (not advisable) you could potentially review Event Logs and other logs to see if something is found. In the case of a server, once it has been attacked at that level it's highly recommended to clear partitions and reinstall and update the server. Then restore the data from backups. Not having backups is and always has been a recipe for disaster for any business. If there is something else I can assist you with please let me know. As a side note, neither Symantec Premium or Malwarebytes Premium are designed to support and protect a server. Both companies have other products designed for Server support. Thank you Ron Edited February 26, 2019 by AdvancedSetup Updated information Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 16, 2019 Root Admin ID:1304012 Share Posted March 16, 2019 Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts