cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Ransomware Lockbit and Windows Server 2019 DC

cosimo mercuro
Copper Contributor

‎Sep 12 2020 10:08 AM

‎Sep 12 2020 10:08 AM

Ransomware Lockbit and Windows Server 2019 DC

Hi. 

Today I've detected a Lockbit ramsonware attack  at 7.00 a.m (out of working hours) on my Windows Server 2010 DC that is actually unusable.

The question is: how is it possible that on a DC used exclusively by me - Domain Administrator - and only for maintenance purpose and not all days but few day at month I've detected this type of attack?

The DC as only two roles:

  • Active diretctory
  • WSUS server.

I don't use it to browse internet with exception when I must download installation file from site as Microsoft, Symantec, and so on...

In particular the last access to my DC was Friday while the attact detected was today (saturday) at 7.00 A.M. 

Any idea?

Thanks in advance

lockbit.png

 

 

3,019 Views
0 Likes
5 Replies
Reply
5 Replies
Dave Patrick

‎Sep 12 2020 11:46 AM

‎Sep 12 2020 11:46 AM

Re: Ransomware Lockbit and Windows Server 2019 DC

You can browse here to lean more about the ransomware. 

https://bfy.tw/P2gy

 

 

 

1 Like
Reply
cosimo mercuro

‎Sep 13 2020 03:29 AM

‎Sep 13 2020 03:29 AM

Re: Ransomware Lockbit and Windows Server 2019 DC

@Dave Patrick 

Hi Dave. 

The reason of my post is not to know what is a ransomware or how to fight aganist it and restore all things.

I know well this type of cyber attacks.

My doubts regards how this type of malware can affect a Windows Server DC that, for definition, is not used to browse internet, access mail, and do all other activities that usually a Client computer does any day.

This time the ransomware has attacked a server not a client.

And this server, in particular, fill only the AD role and WSUS role.

Nothing else.

 

0 Likes
Reply
Dave Patrick

‎Sep 13 2020 05:27 AM - edited ‎Sep 13 2020 06:26 AM

‎Sep 13 2020 05:27 AM - edited ‎Sep 13 2020 06:26 AM

Re: Ransomware Lockbit and Windows Server 2019 DC

You asked how it happens. The first step is understanding how it works. So you can browse the links in order to get an understanding. Asking here for help may be more appropriate.

https://answers.microsoft.com/en-us/protect/forum

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bd-p/MicrosoftDefenderATP

 

 

 

 

 

 

 

 

1 Like
Reply
SpartanWaycomau

‎Sep 13 2020 03:14 PM

‎Sep 13 2020 03:14 PM

Re: Ransomware Lockbit and Windows Server 2019 DC

Your DC patched?
There are many vectors.
You recording security logs and shipping them off to a SIEM/SOAR platforms?
SMB, SAM-R, RDP, PWshell, WMI...
0 Likes
Reply
Dayanand Gavas

‎Sep 13 2020 11:16 PM

‎Sep 13 2020 11:16 PM

Re: Ransomware Lockbit and Windows Server 2019 DC

@cosimo mercuro 

 

Do your servers are up to date with the below points.

- Are the security updates on the system are latest 

- Antivirus software on the server 

 

There are a lot of reasons due to which the systems are attacked and in my past, I saw the direct attack happened to DC sometimes the virus is already in your environment just the target gets changed and we realize it later on.

 

Go through the doc and follow the guidelines so that systems will be secure and how you can prevents the future attacks

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-c...

0 Likes
Reply