I've just realized that the policies on one of our Windows domains have been failing.
I've traced the problem and it turned out the INI files were encrypted by Globe ransomware (or one of its variants).
The files affected were all the policy INI files (internal location: C:\Windows\SYSVOL\domain\Policies, external link used by GPUpdate: \\<domain.name>\sysvol\<domain.name>\Policies) and a single ASP file from C:\Windows\System32\CertSrv\CertEnroll.
I've checked for other traces of the ransomware, and found none - no suspicious files, no registry entries. It seems the DC itself is clean.
The ransom note was created about a month ago.
I also know that some time ago (albeit I think it was over a month ago, though I'm not 100% sure) one user of our domain was indeed struck with ransomware. Unfortunately I don't remember what kind of ransomware it was, nor the exact date that it happened. His computer has been cleaned up (Nuked From Orbit).
I'm scratching my head thinking how could those DC files get encrypted. It seems to me that they were encrypted from an external source - i.e. some computer on the domain gained access and encrypted those few files. Possibly the user's infected computer? But still, the policy INI files are (or should be) read-only when viewed from an external source.
Now I'm getting really paranoid, and I'm not sure how to proceed. Nuking the DC is an option, of course, but it really does seem only a few files were changed, and those files seem to expose some kind of outside access as well. BUT at the same time, that shouldn't have happened anyway.
Could those locations be affected by ransomware running on a different domain computer? How else could those files be changed?
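As an added example (not part of the question above), here is a PowerShell audit a defender could run from a domain-joined admin workstation to check the permission assumption in this question: it lists every ACE under SYSVOL\Policies that grants write-type rights to a principal outside the default set of SYSVOL writers, and flags GPO folders whose gpt.ini no longer parses as plain text. The expected-writer list and the use of $env:USERDNSDOMAIN / $env:USERDOMAIN are assumptions about a default-configured domain.

```powershell
# Added example: audit SYSVOL\Policies for unexpected write access and damaged gpt.ini files.
# Assumes a domain-joined Windows host; the domain name is taken from the environment.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Principals that hold write/modify rights on SYSVOL in a default installation (assumption).
$expectedWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\Group Policy Creator Owners"
)

# Only write-type bits: read-only ACEs (Authenticated Users by default) must not match.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# 1. Any Allow ACE granting write rights to an unexpected principal means an ordinary
#    domain user (or malware running as that user) could have altered these files.
Get-ChildItem -Path $policies -Recurse -Force | ForEach-Object {
    $item = $_
    (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $writeMask) -ne 0 -and
            $expectedWriters -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
} | Format-Table -AutoSize

# 2. Every GPO folder ({GUID}) must contain a readable gpt.ini with a [General] section
#    and a Version= line; an encrypted or renamed one fails here and breaks GPUpdate.
Get-ChildItem -Path $policies -Directory | Where-Object { $_.Name -like '{*}' } | ForEach-Object {
    $ini  = Join-Path $_.FullName 'gpt.ini'
    $text = if (Test-Path -LiteralPath $ini) { Get-Content -LiteralPath $ini -Raw -ErrorAction SilentlyContinue }
    $ok   = [bool]($text -match '(?s)\[General\].*Version=\d+')
    [pscustomobject]@{ GPO = $_.Name; GptIniOk = $ok }
} | Where-Object { -not $_.GptIniOk } | Format-Table -AutoSize
```

If the first list is empty, the remaining explanations are a privileged account (a Domain Admin logging on to the infected machine, or credential reuse) rather than loose SYSVOL permissions; the second list names the GPOs whose gpt.ini needs restoring from backup or another DC.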