How Ransomware affects windows server

Ransomware affected majority of the system in the recent days.So it has been added in the severity threat category. This attack make the end users and business people puts into a shock when it gets hits them. It also ask money from the owners of affected system to recover the files that is encrypted. It is not sure that after making the money the files will be recovered. These kind of uncertainty puts a question mark in the business people about their reliability of data.

There are other kind of ransomware virus like Crowti, Tescrypt, Teerac, Locy, MSIL/Samas, WannaCrypt [ Recent hit most of the systems ].


The malware is installed in the system folder as samsam.exe with a key compname_publickey. This key is used to ecrypt the files. From the attacking server it scans the network and find possible vulnerable entry point to affect the system. It uses stolen login details to access the remote system. It deployes malware files using psexec tools and delete shadow files using vssadmin.exe. Finally it installs its virus in the remote client system and encrypt the data.


This malware is installed from a infected word file which is sent in a spam mail. When a client opens a spam mail and download the infected .doc file then the malware gets downloaded in their system and start create its own files and modify the registry values. Then it will start encrypting the data. It uses other attachments like to .js or .bat files to infect the system.


This malware will be downloaded via other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. It can also be downloaded when you click on a link in a spam email with a file name similar to Fax<randomnumber>.zip or It injects code into system processes such as explorer.exe or svchost.exe.


This threat comes to the system in two ways.First using a component that attempts to exploit the CVE-2017-0145 vulnerability in other computers and second using ransomeware component. It tries to connect to the few infected domains. If the treat successfully connected to the domain then it stops running. So administrator no need to try to block these domain names. Because this threat is not proxy-aware,so a local DNS record may be required. Even it does not require to point to the internet but can resolve to any accessible server which will accept TCP 80 connections.

This trojan creates a service named mssecsvc2.0 whose function is to exploit the SMB vulnerability in other computers accessible from the infected system.This threat uses publicly available exploit code for the patched SMB vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. The exploit code used is designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this exploit attack. The said vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

Such kind of vulnerabilities puts the business in risk.So hosting online business in dedicated server should have multiple backup for their data.