Zack
Guest
Hi,
We just got attacked with Johnycryptor ransomware, where it looks like they logged into our RDP server as a user and ran the encryption program. The username they used had an easy password, which is probably how they got into the system. They encrypted all of the files in all of the drives they had access to, and posted a message on the desktop background with an email address (johnycryptor@aol.com) saying we needed to email them to get the software to decrypt our files.
Luckily, we had backups of our drives so we were able to restore to an earlier time before they got encrypted.
I'm still concerned about these two things, and I was hoping I could get some input:
1. Is it possible/likely that they downloaded copies of all of our files before they encrypted them? I've done a lot of research on this ransomware (and found this useful post: https://www.technibble.com/forums/threads/johnycryptor-aol-com.68448/ ), and nobody has said anything about them actually stealing the files. It seems like they just go in, encrypt it, and hope to get the reward. We have a lot of files with sensitive information, and I just want to make sure we don't need to be worried about that information getting out there.
2. The username that was logged in to run the virus is a generic username that doesn't belong to anybody in our company anymore and hasn't been used in several years. When I look at the event log on our server, it looks like the user logged in at least a few times in the few weeks before the files actually got encrypted. What would be the reason they would have logged in before without encrypting the files? Is it actually a person doing this, or is it a computer program that automatically logs in to do the work?
We got our backup restored and beefed up our security software, and changed all of the passwords of all users (and disabled inactive accounts). Is there any reason to still be worried that they could have left something in there that could cause more problems?
Thanks.
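Added example, not part of Zack's post: the event-log review described in question 2, done with a script instead of scrolling the Event Viewer. It pulls every successful (4624) and failed (4625) logon for the account the attacker used from the Security log of the RDP server, then prints a timeline and a per-source-IP summary. The account name, the 45-day window and the assumption that the log has not been cleared or rolled over are placeholders for the reader to adjust; it must be run in an elevated PowerShell session on the server itself.

```powershell
# Added example (not from the original post). Assumptions: run elevated on
# the RDP server; $Account is the generic username the attacker logged in as
# (placeholder below); the Security log still covers the weeks of interest.

$Account = 'olduser'                   # placeholder for the generic account
$Since   = (Get-Date).AddDays(-45)     # look back further than the first suspicious logon

# 4624 = successful logon, 4625 = failed logon. LogonType 10 is
# RemoteInteractive (an RDP session); type 3 also appears for the NLA
# pre-authentication step, so both are worth keeping in the timeline.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $Since
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    # The interesting fields live in the EventData section of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['TargetUserName'] -ne $Account) { continue }
    $result = 'failure'
    if ($e.Id -eq 4624) { $result = 'success' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Result      = $result
        LogonType   = $d['LogonType']
        SourceIp    = $d['IpAddress']       # '-' when the event has no address
        Workstation = $d['WorkstationName']
    }
}

# Timeline: every logon attempt for the account, oldest first.
$rows | Sort-Object Time | Format-Table -AutoSize

# Per-source summary. A long run of failures followed by a success from the
# same address is what a password-guessing run that eventually landed looks
# like; separate successes on different days from the same or several
# addresses point to someone coming back interactively before the encryption.
$rows | Group-Object SourceIp | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        SourceIp  = $_.Name
        Successes = @($_.Group | Where-Object Result -eq 'success').Count
        Failures  = @($_.Group | Where-Object Result -eq 'failure').Count
        First     = ($sorted | Select-Object -First 1).Time
        Last      = ($sorted | Select-Object -Last 1).Time
    }
} | Sort-Object First | Format-Table -AutoSize
```

The 4625 count matters as much as the 4624 one: it tells you whether the password was guessed by a script hammering the RDP port or simply reused, and the source addresses and workstation names give you something to check against the firewall and VPN logs. If the Security log was cleared, event 1102 ("The audit log was cleared") will normally be the first entry, which is itself worth noting.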