
I've just realized that the policies on one of our Windows domains have been failing.

I've traced the problem and it turned out the INI files were encrypted by Globe ransomware (or one of its variants).

The files affected were all the policy INI files (internal location: C:\Windows\SYSVOL\domain\Policies, external link used by GPUpdate: \\<domain.name>\sysvol\<domain.name>\Policies) and a single ASP file from C:\Windows\System32\CertSrv\CertEnroll.

I've checked for other traces of the ransomware, and found none - no suspicious files, no registry entries. It seems the DC itself is clean.

The ransom note was created about a month ago.

I also know that some time ago (albeit I think it was over a month ago, though I'm not 100% sure) one user of our domain was indeed struck with ransomware. Unfortunately I don't remember what kind of ransomware it was, nor the exact date that it happened. His computer has been cleaned up (Nuked From Orbit).

I'm scratching my head thinking how those DC files could get encrypted. It seems to me that they were encrypted from an external source - i.e. some computer on the domain gained access and encrypted those few files. Possibly the user's infected computer? But still, the policy INI files are (or should be) read-only when viewed from an external source.

Now I'm getting really paranoid, and I'm not sure how to proceed. Nuking the DC is an option, of course, but it really does seem only a few files were changed, and those files seem to expose some kind of outside access as well. BUT at the same time, that shouldn't have happened anyway.

Could those locations be affected by ransomware running on a different domain computer? How else could those files be changed?

Shaamaan
I would recommend taking a close look at the permissions on those directories. – Bill_Stewart Nov 07 '16 at 18:07
You said it yourself. The files are, **or should have been**, read only. They clearly weren't. I second @Bill_Stewart's suggestion. The server is in all likelihood clean, but you may have a meddlesome user around. – LSerni Nov 07 '16 at 21:03
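The two checks the comments point at, as an added example (this is not code from the question or the answers): enumerate every ACE under the Policies folder that grants write rights to a principal outside the set that holds them by default, and list the files created or modified in the suspect window together with their owners. A file written over SMB by a domain user is created with that user as owner, so a non-administrative owner on a Policies file points straight at the account that was used. The SYSVOL path, the 45-day lookback window and the list of expected principals are assumptions; adjust them to your domain. Run it in an elevated PowerShell session on the DC as a Domain Admin.

```powershell
# Added example, not code from the original question or its answers.
# Check 1: which principals, besides the expected administrative ones, hold
#          write/modify rights anywhere under SYSVOL\domain\Policies.
# Check 2: which files there were created or modified recently, and who owns them.
# Assumptions: default SYSVOL location, a 45-day window, default Policies ACL.

$SysvolPolicies = 'C:\Windows\SYSVOL\domain\Policies'   # assumed default location
$Since          = (Get-Date).AddDays(-45)                # assumed lookback window

# Principals that hold write/modify rights on Policies by default.
# Any other principal with write rights needs an explanation.
$ExpectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\Group Policy Creator Owners"
)

# Write and Modify are subsets of FullControl; any overlap of an ACE's rights
# with this mask means the ACE lets the principal change the file.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-SysvolWriteGrants {
    param([string]$Path, [string[]]$Expected)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            if ($Expected -contains $who) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-SysvolRecentChanges {
    param([string]$Path, [datetime]$After)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File |
        Where-Object { $_.LastWriteTime -ge $After -or $_.CreationTime -ge $After } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                # Owner is set to the creating account for files written over SMB,
                # so a non-admin owner here identifies the account that was used.
                Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            }
        } | Sort-Object LastWrite -Descending
}

"== Write access held by unexpected principals under $SysvolPolicies =="
Get-SysvolWriteGrants -Path $SysvolPolicies -Expected $ExpectedWriters | Format-Table -AutoSize

"== Files created or modified since $Since =="
Get-SysvolRecentChanges -Path $SysvolPolicies -After $Since | Format-Table -AutoSize
```

Two caveats. The ACL check shows the current state only: a permission that was granted, used and then reverted will not appear, so an empty first table does not clear the folder on its own. And because SYSVOL is replicated between domain controllers (by DFSR or FRS, including each file's security descriptor), a write made against any DC in the domain shows up on all of them; check the `Owner` column against the user whose machine was infected, and if "Detailed File Share" auditing was enabled at the time, the Security log event 5145 on the DC that received the write records the client account and address as well.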

1 Answer


It seems ransomware itself, or the person who planted it, removed traces.

How could this happen? I think he gained access to it using stolen credentials, and if there's a ransom note on the server, I don't think it would be clean; I think it may have some sort of backdoor, which means it would have to be rebuilt and all passwords reset.

Aria