On 2/22/2019 11:44 AM, mbsoftwaresolutions@mbsoftwaresolutions.com wrote:
Got a call from a client today who was having some sort of error with the program/website (WestWind WebConnection). I remoted in to see that EVERY file had been renamed to something like Filename.ext.decrypt12345@qq.com. Told them their IT vendor would have to restore from their last backup (which they said was just hours prior, thankfully).
Ouch. Especially when your website is used all over the nation and Canada.
If they had been using MySQL/MariaDB/SQL-Server/PostgreSQL/etc instead of a file-server database, this wouldn't have been possible, right?
Well, if you mean only .dbf, .cdx, .dbc files had been renamed, then maybe Server DBs would have been safe. But if all kinds of files were renamed, then no, I doubt they would have been safe. Remember, even "server" database systems store their data in .... <gasp>... files.
It sounds like some very insidious code has infected their server. I'd recommend a complete wipe before a restore (or at least verify boot sectors or any other root/bootup software, etc).
-Charlie
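As an added example, not code from either poster: a small Python triage script that scans a file listing for the rename pattern described above (name plus ".decrypt<digits>@<mail domain>") and reports whether only the VFP database files were hit, which is the question the thread raises. The regex, the extension list and the sample listing are my own assumptions.

```python
import re
from collections import Counter

# Rename pattern as described in the thread: original name with
# ".decrypt<digits>@<mail domain>" appended. Constructed regex, an assumption.
RENAME_RE = re.compile(r"^(?P<original>.+)\.decrypt\d+@[\w.-]+$", re.IGNORECASE)

# Extensions that make up a Visual FoxPro file-server database (assumed set).
VFP_DB_EXTS = {".dbf", ".cdx", ".dbc", ".dct", ".dcx", ".fpt", ".idx"}

def original_name(path):
    """Return the pre-rename path if it matches the rename pattern, else None."""
    m = RENAME_RE.match(path)
    return m.group("original") if m else None

def ext_of(path):
    """Lower-cased extension of a path; handles both / and \\ separators."""
    dot = path.rfind(".")
    sep = max(path.rfind("/"), path.rfind("\\"))
    return path[dot:].lower() if dot > sep else ""

def triage(paths):
    """Summarise which files in a listing carry the ransomware suffix.
    Returns the count, a per-extension breakdown, whether only database
    files were affected, and the original names to match against a backup."""
    per_ext = Counter()
    originals = []
    for p in paths:
        orig = original_name(p)
        if orig is None:
            continue
        originals.append(orig)
        per_ext[ext_of(orig)] += 1
    only_db = bool(originals) and all(e in VFP_DB_EXTS for e in per_ext)
    return {"renamed": len(originals), "per_ext": dict(per_ext),
            "only_database_files": only_db, "originals": originals}

# Constructed sample listing (not from the original post) resembling the incident.
SAMPLE_LISTING = [
    "C:/wconnect/data/customers.dbf.decrypt12345@qq.com",
    "C:/wconnect/data/customers.cdx.decrypt12345@qq.com",
    "C:/wconnect/data/orders.dbf.decrypt12345@qq.com",
    "C:/wconnect/web/default.htm.decrypt12345@qq.com",
    "C:/wconnect/web/wc.dll",          # untouched
    "C:/wconnect/data/README.txt",     # untouched
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

If the report shows non-database extensions among the renamed files, the damage is not confined to the DBF store, which is the point Charlie makes about server databases living in files too.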