Anti-Child Porn Spam Protection 2, Ransomware - asked for min 3k USD

TSskyxis
post Oct 28 2013, 06:31 PM, updated 12y ago

[QVICE]
****
Senior Member
626 posts

Joined: May 2005


My client's Windows Server 2003 R2 Standard Edition (64-bit) was hacked through Remote Desktop Connection.

I think this is their attack method:

1st, the hacker uses a port scanner to scan all the Malaysian IPs to see which IPs have port 3389 open.

Then, for those with port 3389 open, they brute-force the username and password. It so happened that one of my client's accounts was using a weak password, so the hacker managed to get into the server.

2nd, the hacker gets into the server, promotes the user account to administrator using Windows Server bugs, then uninstalls all the firewall and antivirus software.

3rd, the hacker puts the ransomware on the server and automatically encrypts all documents and server data files with a random password. Then he deletes the original files.

4th, the hacker asks for 3000 USD as the minimum charge to give you the password to decrypt the files.



OK, so far 2 of my clients' servers running Windows Server 2003 R2 have faced this kind of problem. Has anyone else also faced this problem?

Can any solutions be provided?

I know this is a security issue; please don't give the opinion that this is my fault. All the problems happened due to the customer's budget. Now that the problem has happened, we need solutions; only then can we change the customer's mindset.

You can all see the virus picture in the attachment.


BlueFirec300
post Oct 31 2013, 11:21 AM

Getting Started
**
Junior Member
144 posts

Joined: Oct 2006
From: Nibong Tebal Penang


Hi 5, bros! We are in the same ship now. No solutions, I believe: pay, or you have a backup, or neither of them.
abubin
post Oct 31 2013, 12:06 PM

10k Club
********
All Stars
10,429 posts

Joined: Jan 2003



After it has been hacked there is not much you can do. The encryption password is needed to decrypt the files. You can try to decrypt it, but this will take up to years using some methodical way.

However, to prevent this from happening again, you should have installed some sort of security measures like the ones below:
1) change the Remote Desktop port to another number
2) set your firewall to only allow login from your set of IPs
3) use a cert, which I believe the new version of Remote Desktop supports
4) implement some anti-brute-force protection, like locking the IP after it fails the login attempt 5 times.

With 1-4 implemented you are pretty much 99% secure. I believe all these can be implemented at very minimum cost. Some even do not cost anything to implement.

This post has been edited by abubin: Oct 31 2013, 12:07 PM
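As an added example (not from the thread or any poster), here is a small Python detector for abubin's point 4: it counts failed RDP logons per source IP over a sliding window and reports the IPs that should be locked at the firewall. The plain-text log layout, the sample IPs and the 5-failures-in-10-minutes rule are assumptions made for the example.

```python
# Added example, not from the thread: flag source IPs that fail RDP logons
# (Event ID 4625, logon type 10) THRESHOLD or more times inside WINDOW.
# The one-line-per-event layout below is an assumption; real 4625 events are EVTX/XML.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

THRESHOLD = 5                     # failed attempts before the IP gets locked
WINDOW = timedelta(minutes=10)    # sliding window in which failures are counted

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) IP=(?P<ip>\S+)$"
)

# Constructed sample log: one brute-forcing IP, one IP just under the threshold,
# and one IP whose failures are spread too thinly to fall inside a single window.
SAMPLE_LOG = """\
2013-10-28 02:00:01 EventID=4625 LogonType=10 User=administrator IP=198.51.100.7
2013-10-28 02:00:04 EventID=4625 LogonType=10 User=admin IP=198.51.100.7
2013-10-28 02:00:09 EventID=4625 LogonType=10 User=administrator IP=198.51.100.7
2013-10-28 02:00:15 EventID=4625 LogonType=10 User=guest IP=198.51.100.7
2013-10-28 02:00:21 EventID=4625 LogonType=10 User=administrator IP=198.51.100.7
2013-10-28 02:05:00 EventID=4625 LogonType=10 User=jsmith IP=192.0.2.10
2013-10-28 02:05:30 EventID=4625 LogonType=10 User=jsmith IP=192.0.2.10
2013-10-28 02:06:00 EventID=4625 LogonType=10 User=jsmith IP=192.0.2.10
2013-10-28 02:10:00 EventID=4625 LogonType=10 User=bob IP=203.0.113.5
2013-10-28 02:25:00 EventID=4625 LogonType=10 User=bob IP=203.0.113.5
2013-10-28 02:40:00 EventID=4625 LogonType=10 User=bob IP=203.0.113.5
"""

def ips_to_block(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return the set of source IPs with >= threshold failed RDP logons in any window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "4625" or m["ltype"] != "10":
            continue              # only failed RemoteInteractive (RDP) logons count
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m["ip"])
    return flagged
```

Run over the sample, only 198.51.100.7 is returned; feeding the result to the firewall's block list is the locking step abubin describes.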
Angel of Deth
post Oct 31 2013, 02:31 PM

Regular
******
Senior Member
1,242 posts

Joined: Sep 2008
From: Cheras


It is Cryptolocker right?
wilson0416
post Nov 1 2013, 09:04 AM

Casual
***
Junior Member
346 posts

Joined: Jul 2011


If no backup, then GG already...
xDjWanNabex
post Nov 29 2013, 01:30 PM

Enthusiast
*****
Senior Member
932 posts

Joined: Sep 2008
QUOTE(Angel of Deth @ Oct 31 2013, 02:31 PM)
It is Cryptolocker right?

Nope, not Cryptolocker.

Sorry to say, TS, but if your client had no backup, the only method is to pay up.
Else all is lost :(
TSskyxis
post Mar 4 2014, 12:14 PM

[QVICE]
****
Senior Member
626 posts

Joined: May 2005


Thanks for all the advice.

My customer paid into that online account.

At last, all files were saved, but the SQL file was corrupted. Spent about 2 weeks to repair the corrupted database (one file 4 GB and one file 9 GB)....

Anyway, just to remind everyone, always check your passwords and back up your files :D
