{"id":218,"date":"2020-09-29T17:51:26","date_gmt":"2020-09-29T22:51:26","guid":{"rendered":"http:\/\/www.davidhedges.info\/?p=218"},"modified":"2020-09-29T17:51:26","modified_gmt":"2020-09-29T22:51:26","slug":"i-got-cryptolocked","status":"publish","type":"post","link":"https:\/\/www.davidhedges.info\/index.php\/2020\/09\/29\/i-got-cryptolocked\/","title":{"rendered":"I Got CryptoLocked"},"content":{"rendered":"\n<p>Sunday I got up and was looking for a file I had been working on. Looking through the directory I started noticing a lot of .RZN files. Thinking that was a bit odd, I kept looking, but when I saw them all over, I realized something was very wrong.<\/p>\n\n\n\n<p>First, I thought the only exposed server that was likely susceptible was a terminal server that was exposed but that I hadn&#8217;t been using over the past few months. I jumped over to that server and saw it too was cryptolocked, with ransom notes all over. I took the server off the network and closed the ports used by it on the firewall.<\/p>\n\n\n\n<p>On my file server, I found a suspicious file &#8220;4004.exe&#8221; and killed and removed it. Initially it looked like I could still pull previous versions, and I had started recovering one of the file systems from the previous version. This only lasted about 5 min; then, all of a sudden, all previous versions were removed on every volume. Oh well, I did get some stuff back, but what I got wasn&#8217;t really the important stuff.<\/p>\n\n\n\n<p>I moved on to the backup server to see if I could just restore the data from there. Upon connecting, this server got hit also, and what made it worse, the ransomware app formatted all the USB disks I had been backing up to. Any chance of a fast recovery was out.<\/p>\n\n\n\n<p>I was glad I also do an online backup; going to that, I found just about everything was backed up to it! 
After rebuilding a new server, I kicked off a restore from that, fearing that recovery would be slow like the time I had done something similar to restore data to a server in Costa Rica. At least so far I&#8217;ve done well. The Costa Rica server took about a month to recover 300G; I&#8217;m at a little over 1T recovered in about a day and a half.<\/p>\n\n\n\n<p>Overall, I&#8217;m almost back to normal, though I have some thoughts about it and what I could have done better.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>I should have kept the RDP host updated, or just shut it down. Big mistake there.<\/li><li>The other servers that got hit should also have been updated a bit more often.<\/li><li>Though I had good local backups, offsite backup or online backup saved me from total loss or needing to pay the ransom.<\/li><li>I was also thankful that the issue was isolated within a single VLAN and didn&#8217;t spread to the other networks.<\/li><\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Sunday I got up and was looking for a file I had been working on. Looking through the directory I started noticing a lot of .RZN files. Thinking that was a bit odd, I kept looking, but when I saw them all over, I realized something was very wrong. 
First, I thought the only exposed [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[3],"tags":[],"class_list":{"0":"post-218","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-it-blog","7":"entry"},"_links":{"self":[{"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/posts\/218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/comments?post=218"}],"version-history":[{"count":1,"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/posts\/218\/revisions"}],"predecessor-version":[{"id":219,"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/posts\/218\/revisions\/219"}],"wp:attachment":[{"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/media?parent=218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/categories?post=218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.davidhedges.info\/index.php\/wp-json\/wp\/v2\/tags?post=218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}