CASE STUDY: A small medical practice called in and reported unability to access any files, as well as loss of ability to send/receive email, as well as accessing their electronic medical records software. 

Case Study Initial Diagnosis and Environment: Upon arrival, All IT Supported discovered the following environment:

•           1 Small Business Server 2003
•           3 workstations
•           1 main file share for documents
•           1 main file share for server-based medical records application
•           Kaspersky Antivirus on all workstations
•           No antivirus on the server
•           Inability to access the main file share for documents*
•           Inability to access main file share for medical records application

*Prior to losing access to the main document file share, the client reported that all documents became renamed with the .DONE extension and were unable to be opened in any normal viewer programs

Diagnosis: Upon analysis, All IT Supported diagnosed the following issues.

-          The server was infected with a ransomware  virus that encrypted all key documents, several critical medical records application files, and several critical system files. This resulted in data corruption of  the medical records software, loss of file sharing capability, and inability to access any documents.  The ransomware virus also left a note offering an email where to send a sample of the encrypted files, as well as a generated key.

-          All IT Supported determined that the most likely point of entry for the virus was the server’s open port 3389. The server was incorrectly setup as the router/gateway with the client’s wireless router setup as an access point.

Solution:

-          Upon researching this virus, it was determined that the files were encrypted with a 1024-bit key and would be impossible to decrypt without the help of a decryptor. As a backup method, All IT Supported sent several files as well as a copy of the key to the email address listed, to explore the possibility of paying the ransom. No reply or headway was ever made from this method.

-          All IT Supported determined that the Server required a complete reinstall to be functional. The ransomware virus corrupted key areas of the system directory and would not allow the server to be repaired. The Client had recently ordered a new server, with no O/S. All IT Supported performed a fresh install of  Small Business Server 2008 on the new server, upgraded all drivers and latest software Service Packs and Patches, and migrated Exchange Mailboxes. It was determined that the Microsoft Exchange 2003 component of Small Business Server 2003 was not damaged, and an import/export was performed to import all the mailboxes into the included Exchange 2007.

-          All IT also loaded the most recently available backup of file documents. Unfortunately the backups were very old, and the client had to work to re-enter a substantial amount of data to bring the documents up to currency.

-          The hardest step was bringing back the medical records application. The vendor was no longer in business, and the original consultant who set up the system had to be located, and utilized to re-mount the most recent copy of the data from backups. Once again, the backups were very old, and the Client had to begin the ardurous process of rebuilding the database and re-entering recent data from scratch.

-          All IT Supported setup the Small Business Server as the DHCP server, but changed the client’s wireless router as the gateway, to add an additional firewall to the network. The Small Business Server’s remote desktop (RDP) functionality was also disabled to add a further layer of safety.

-          All passwords were changed, and a new password policy was implemented with a higher level of required complexity.

-          As a last step, All IT Supported, setup an online backup system through Ibackup, as well as setup volume shadow copies, and a full backup to an external hard drive as a 3-way data backup strategy.  Additionally All IT Supported installed Avira Server Antivirus on the Small Business Server 2008 to improve protection against future threats.