First off I'm not an IT professional and don't handle those duties for the company I work for. I do however enjoy learning more about IT security.
I work for a small business and sometimes need to work from home/out of town. We use the Windows remote desktop feature to log in to our local server. From there I have access to our ERP system.
Last weekend we were hacked with some sort of ransomware. Everything was down Monday but we are back up and running now. Everything has been fixed but now our remote capabilities are turned off for the time being (closed port 3389). Apparently they are working on something so us outside employees can use the server again.
Our IT manager sent out what I thought was an interesting email. It's from a company we apparently contract with for IT assistance.
Worked to identify cause of problems on TS. Determined they had been hit with ransomware. The port 3389 attack they had been experiencing eventually succeeded in breaching their network and when it did they took control of the local admin account and created many additional local user accounts with random names. This weekend they then infected the system with a crypto virus. It appends each file name with 'lock'. I used the Everything tool to identify the files. It was the entire server. Opened ticket with ****** and he assisted with getting the restore of the system state, C drive, and E drive. Working on deleting the files that were locked now.
The sentence "port 3389 attack they had been experiencing eventually succeeded" jumped out at me. Is there a record somewhere that shows a history of someone looking for ports to try to get in? Is the 3389 port a known weakness for security purposes? Is this something that the company probably should have been more prepared for? I know for a fact my password for remote login was VERY weak (I didn't set it).
Thanks
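On the question of where a record of the attempts would live: Windows keeps one in the Security event log, provided failure auditing is enabled. A failed logon is event 4625 and carries a logon type (type 10 is RemoteInteractive, i.e. RDP); a successful logon is 4624; the creation of a local user account is 4720. The sequence the contractor describes (a long run of password guesses against the local admin, one eventual success from the same address, then a batch of random-named accounts) is visible there. The script below is an added example, not part of the original post or the contractor's email: it runs that detection over a constructed CSV shaped like a Security log export. The column names, the sample addresses and account names, and the threshold of 20 failures in 10 minutes are assumptions for this example.

```python
"""RDP brute-force and rogue-account detection over Windows Security log records.

Added example, not code from the original post or the contractor's email.
The input is a constructed CSV in the shape of a Security log export; the
column names (TimeCreated, Id, LogonType, TargetUserName, SubjectUserName,
IpAddress) and the alert threshold are assumptions for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Real, documented Windows Security event IDs and logon type.
EVENT_LOGON_FAILED = 4625    # An account failed to log on
EVENT_LOGON_SUCCESS = 4624   # An account was successfully logged on
EVENT_USER_CREATED = 4720    # A user account was created
LOGON_TYPE_RDP = "10"        # RemoteInteractive: Terminal Services / RDP

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def build_sample_log() -> str:
    """Constructed sample: a password-guessing burst against the local admin
    from one address, a successful logon from the same address, two random
    accounts created afterwards, and one benign user mistyping a password."""
    header = "TimeCreated,Id,LogonType,TargetUserName,SubjectUserName,IpAddress"
    rows = [header]
    t0 = datetime(2024, 3, 1, 2, 0, 0)
    for i in range(40):  # 40 failed RDP logons in about three minutes
        ts = (t0 + timedelta(seconds=5 * i)).strftime(TIME_FMT)
        rows.append(f"{ts},4625,10,administrator,,203.0.113.7")
    rows += [
        "2024-03-01 02:04:00,4624,10,administrator,,203.0.113.7",
        "2024-03-01 02:05:00,4720,,xq7r2pz,administrator,",
        "2024-03-01 02:05:30,4720,,kd94mvt,administrator,",
        "2024-03-01 09:14:50,4625,10,jsmith,,198.51.100.20",
        "2024-03-01 09:15:00,4624,10,jsmith,,198.51.100.20",
    ]
    return "\n".join(rows) + "\n"


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["TimeCreated"], TIME_FMT),
            "id": int(row["Id"]),
            "logon_type": row["LogonType"],
            "target": row["TargetUserName"],
            "subject": row["SubjectUserName"],
            "ip": row["IpAddress"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10)) -> dict:
    """Return {source_ip: time} for each address that produced at least
    `threshold` failed RDP logons inside any sliding `window`; the time is
    when the threshold was first crossed."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == EVENT_LOGON_FAILED and e["logon_type"] == LOGON_TYPE_RDP:
            failures[e["ip"]].append(e["time"])
    hits = {}
    for ip, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = t
                break
    return hits


def find_compromise(events, bruteforce: dict) -> list:
    """For each brute-forcing address, look for a later successful RDP logon
    from it and any accounts then created by the account that logged on."""
    findings = []
    for ip, burst_time in bruteforce.items():
        success = next((e for e in events
                        if e["id"] == EVENT_LOGON_SUCCESS
                        and e["logon_type"] == LOGON_TYPE_RDP
                        and e["ip"] == ip and e["time"] >= burst_time), None)
        if success is None:
            findings.append({"ip": ip, "compromised": None, "created_accounts": []})
            continue
        created = [e["target"] for e in events
                   if e["id"] == EVENT_USER_CREATED
                   and e["subject"].lower() == success["target"].lower()
                   and e["time"] >= success["time"]]
        findings.append({"ip": ip, "compromised": success["target"],
                         "created_accounts": created})
    return findings


def analyse(text: str) -> list:
    """Full pipeline: parse, flag brute-forcing sources, report any follow-on."""
    events = parse_events(text)
    return find_compromise(events, find_rdp_bruteforce(events))


if __name__ == "__main__":
    for finding in analyse(build_sample_log()):
        print(finding)
```

Two caveats when running something like this against a real server. First, the Security log only records what reaches the logon service: a scan that merely probes whether port 3389 is open never produces a 4625, so that history, if it exists at all, is in the firewall or router logs, not in Windows. Second, a real export will not have exactly these column names; the source address and logon type sit inside the event's message or XML fields and have to be mapped into the parser before the thresholds mean anything.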