Last Sunday I received a call from a new customer who found a disturbing message on their Small Business Server 2003 box. The message text advised them that their files had been encrypted and asked them to send a Western Union or MoneyGram order to the value of $4000.00 USD if they want to recover their data. The prompt could not be closed off and it blocked access to Task Manager. The desktop was only visible on immediate logon or logoff. The backup drive connected to the server was formatted.

Thankfully the customer had a second backup drive from the day before. However, their backup had been poorly configured and only contained copies of their important files and folders – it didn’t contain a System State backup. We would normally format and restore from the last known good backup, but in this case the customer stood to lose their Active Directory and Exchange installation since neither was backed up. Instead the best course of action was to remove the hacker’s message and the malware that displayed it, then restore the affected files from backup.

Another technician had already encountered this issue with another server in the past so he was able to provide some more information. The attacker scans for publicly accessible servers listening on the default RDP port 3389. Once they get a hit, they run a dictionary attack against weak account passwords. Once logged in, the attacker disables the antivirus and installs malware that encrypts specific files on the system and deletes the originals. The malware also deletes folders that contain the word “backup” and formats removable drives connected to the system. The ransom message is displayed once encryption is complete. See http://www.bleepingcomputer.com/forums/topic449398.html for more details.

This is how we resolved the issue:

  1. Boot from the LiveCD of your choice. I prefer Hiren’s, but it wouldn’t load on this HP Server. Instead I used RegRun’s Warrior as it has a copy of Regedit as well as a DOS based file manager.
  2. Load the “Software” registry hive from C:\Windows\System32\Config\Software and label it “OfflineHive” using regedit. The file you loaded is the hive that normally appears as HKLM\SOFTWARE, so its startup entries are at HKLM\OfflineHive\Microsoft\Windows\CurrentVersion\Run (there is no extra SOFTWARE level under the label). Remove the suspicious entries there, check the neighbouring RunOnce key as well, then unload the hive.
  3. Load your Administrator NTUser.dat hive from C:\Documents and Settings\Administrator\NTUser.dat and label it “UserHive” using regedit. This hive normally appears as HKEY_CURRENT_USER, so its startup entries are at HKLM\UserHive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Remove the suspicious entries, check RunOnce as well, then unload the hive. Repeat for the NTUser.dat of any other account the attacker could have logged on with.
  4. Archive or Delete suspicious files named similar to “ncomqrzsoa” in the following locations:
    C:\
    C:\ProgramData
    C:\Documents and Settings\All Users\Desktop\
    Use “attrib -s -h <foldername>” if you are unable to move or delete these folders.
  5. Delete the following files if you find them:
    c:\WINDOWS\system32\NoSafeMode.dll
    c:\WINDOWS\system32\svschost.exe
    c:\WINDOWS\system32\nsf.exe
    c:\WINDOWS\system32\sdelete.dll
    c:\WINDOWS\system32\default2.sfx
  6. Restart into Windows. You’ll find that it takes a very long time to start up because the Active Directory services (and a lot of other services) had their startup type set to Disabled. I logged into a healthy SBS 2003 server and made sure that the list of services set to Automatic startup matched on both servers. Only re-enable services that are actually installed on the affected box; a server without the ISA, Exchange or SQL components will legitimately lack some of the entries in the list below.
  7. Restart the server after the appropriate services were re-enabled.
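As an added example (this is not the post’s own script), here is a PowerShell check that covers steps 2 to 6 once the server boots again: it compares the startup type of every installed service against the healthy list at the end of this post, looks for Run/RunOnce entries that still launch something from the drop folders named in step 4, and reports any of the step 5 files that survived. It assumes PowerShell 2.0 is installed on the Server 2003 box (available through the Windows Management Framework) and that you run it as a local administrator. The -Fix switch is my own convention: without it the script only reports.

```powershell
param([switch]$Fix)   # report only unless -Fix is given

# Services set to Automatic on a healthy SBS 2003 (the list at the end of the post).
$expectedAuto = @(
    'Application Experience Lookup Service','Automatic Updates','COM+ Event System','Computer Browser',
    'Cryptographic Services','DCOM Server Process Launcher','DHCP Client','DHCP Server',
    'Distributed File System','Distributed Transaction Coordinator','DNS Client','DNS Server',
    'Error Reporting Service','Event Log','Fax','File Replication Service','Help and Support',
    'IIS Admin Service','IPSEC Services','Kerberos Key Distribution Center','License Logging',
    'Logical Disk Manager','Machine Debug Manager','Messenger','Microsoft Exchange Information Store',
    'Microsoft Exchange Management','Microsoft Exchange Routing Engine','Microsoft Exchange System Attendant',
    'Microsoft Firewall','Microsoft ISA Server Control','Microsoft ISA Server Job Scheduler',
    'Microsoft ISA Server Storage','Microsoft Search','MSSQL$MSFW','MSSQL$SBSMONITORING','MSSQL$SHAREPOINT',
    'MSSQLSERVER','Net Logon','Plug and Play','Print Spooler','Protected Storage',
    'Remote Procedure Call (RPC)','Remote Registry','SBCore Service','Secondary Logon',
    'Security Accounts Manager','Server','SharePoint Timer Service','Shell Hardware Detection',
    'Simple Mail Transfer Protocol (SMTP)','SQLAgent$SBSMONITORING','SQLSERVERAGENT',
    'System Event Notification','Task Scheduler','TCP/IP NetBIOS Helper','Volume Shadow Copy Service',
    'Windows Internet Name Service (WINS)','Windows Management Instrumentation','Windows Time',
    'Workstation','World Wide Web Publishing Service'
)

# Step 6: compare startup types with the known-good list. Only services that are actually
# installed here are considered, so a box without ISA/SQL is not "fixed" into a state it never had.
foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
    $listed = ($expectedAuto -contains $svc.DisplayName) -or ($expectedAuto -contains $svc.Name)
    if ($listed -and $svc.StartMode -ne 'Auto') {
        Write-Warning ("{0}: startup is '{1}', healthy box has Automatic" -f $svc.DisplayName, $svc.StartMode)
        if ($Fix) {
            $rc = $svc.ChangeStartMode('Automatic').ReturnValue   # 0 = success
            if ($rc -ne 0) { Write-Warning ("  ChangeStartMode failed with code {0}" -f $rc) }
        }
    }
}

# Steps 2-4: any Run/RunOnce value that still launches something from the drop folders.
$dropDirs = @('C:\', 'C:\ProgramData', 'C:\Documents and Settings\All Users\Desktop') |
    ForEach-Object { $_.TrimEnd('\') }
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
        $cmd = [string]$p.Value
        # Executable path: either a quoted path (may contain spaces) or the first unquoted token.
        if ($cmd -match '^\s*"([A-Za-z]:\\[^"]+)"' -or $cmd -match '^\s*([A-Za-z]:\\\S+)') {
            $dir = (Split-Path -Parent $matches[1]).TrimEnd('\')
            if ($dropDirs -contains $dir) {
                Write-Warning ("{0}\{1} still launches: {2}" -f $key, $p.Name, $cmd)
            }
        }
    }
}

# Step 5: the dropped files the post lists in system32.
foreach ($name in 'NoSafeMode.dll','svschost.exe','nsf.exe','sdelete.dll','default2.sfx') {
    $path = Join-Path $env:SystemRoot ("system32\" + $name)
    if (Test-Path $path) { Write-Warning "Dropped file still present: $path" }
}
```

Run it once without -Fix and read the warnings before letting it change anything; a service that is Disabled because a component was deliberately removed should stay that way, and the healthy list should really come from a server with the same SBS components installed.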

After another restart, the SBS server was almost good to go. We changed the RDP port to a non-default one and reset the passwords on all accounts. We also disabled any stale accounts, and any accounts that the customer didn’t recognise. Workstations had to be restarted and logged in with the new password to connect to the server. Additionally, we ran a full virus and malware scan on the server and all workstations, which came up clean.

It is worth considering a non-default port for RDP for this reason, but only as a way to drop out of the mass scans for 3389: a port scan still finds the service, so where possible don’t expose RDP to the Internet at all (put it behind a VPN or restrict the firewall rule to known source addresses). Also make sure you have a password complexity policy and an account lockout threshold enabled on your domain, so that weak or dictionary passwords aren’t allowed and an attacker can’t make unlimited guesses against the ones you have.
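As an added example (not part of the post), the following PowerShell audit reads the settings that paragraph talks about from the SBS box itself: the port RDP actually listens on, and the password complexity, minimum length and lockout threshold from the effective security policy. It assumes PowerShell 2.0 and a local administrator session on the SBS server (which is the domain controller, so the exported policy is the one that applies to domain accounts); the threshold values in the checks are my own choices.

```powershell
# 1. Which port is RDP listening on? PortNumber is the value changed by moving RDP off 3389.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($port -eq 3389) {
    Write-Warning 'RDP is on the default port 3389; scanners for this attack find it without trying.'
}
Write-Host "RDP port: $port"

# 2. Export the effective security policy and read the password / lockout settings from it.
#    Add /mergedpolicy to the secedit call if you want domain policy merged into the export.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$policy = @{}
foreach ($line in (Get-Content $cfg)) {            # export is UTF-16; Get-Content honours the BOM
    if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -Force

# Each check: the setting name in the export, a test on its value, and why it matters
# for an RDP dictionary attack. The thresholds are assumptions, not values from the post.
$checks = @(
    @{ Name = 'PasswordComplexity';    Test = { param($v) $v -eq '1' }
       Why  = 'complexity off: plain dictionary words are valid passwords' },
    @{ Name = 'MinimumPasswordLength'; Test = { param($v) [int]$v -ge 8 }
       Why  = 'minimum length under 8: short passwords fall to brute force' },
    @{ Name = 'LockoutBadCount';       Test = { param($v) [int]$v -gt 0 }
       Why  = 'lockout threshold 0: unlimited guesses per account' }
)
foreach ($c in $checks) {
    $v = $policy[$c.Name]
    if ($v -eq $null) { Write-Warning ("{0}: not present in export" -f $c.Name); continue }
    if (& $c.Test $v) { Write-Host ("{0} = {1} (ok)" -f $c.Name, $v) }
    else              { Write-Warning ("{0} = {1}: {2}" -f $c.Name, $v, $c.Why) }
}
```

A lockout threshold does make it possible for the attacker to lock out accounts by guessing wrongly on purpose, so pair it with a short lockout duration rather than leaving it at zero; against a dictionary attack from the Internet, any non-zero threshold is far better than none.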

Here is a list of services whose startup type was set to “Automatic” on a healthy SBS 2003 (with the Exchange, ISA and SQL components installed; a server without them will not have all of these):

Application Experience Lookup Service
Automatic Updates
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
DHCP Server
Distributed File System
Distributed Transaction Coordinator
DNS Client
DNS Server
Error Reporting Service
Event Log
Fax
File Replication Service
Help and Support
IIS Admin Service
IPSEC Services
Kerberos Key Distribution Center
License Logging
Logical Disk Manager
Machine Debug Manager
Messenger
Microsoft Exchange Information Store
Microsoft Exchange Management
Microsoft Exchange Routing Engine
Microsoft Exchange System Attendant
Microsoft Firewall
Microsoft ISA Server Control
Microsoft ISA Server Job Scheduler
Microsoft ISA Server Storage
Microsoft Search
MSSQL$MSFW
MSSQL$SBSMONITORING
MSSQL$SHAREPOINT
MSSQLSERVER
Net Logon
Plug and Play
Print Spooler
Protected Storage
Remote Procedure Call (RPC)
Remote Registry
SBCore Service
Secondary Logon
Security Accounts Manager
Server
SharePoint Timer Service
Shell Hardware Detection
Simple Mail Transfer Protocol (SMTP)
SQLAgent$SBSMONITORING
SQLSERVERAGENT
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Volume Shadow Copy Service
Windows Internet Name Service (WINS)
Windows Management Instrumentation
Windows Time
Workstation
World Wide Web Publishing Service