Jacob_H
Lansweeper Employee

The year was 2016.  I was sitting at my desk, doing work as usual.  I over-sugared my coffee again, but didn't feel like walking back to the breakroom to make a new cup.  The other Sr. Engineer was training one of the Jr. Engineers.  A normal day.

Our phone rang.  "Infrastructure Dept. - How can we help you?" the Jr. Admin said.  "Your files on the public drive won't open?  Weird, that's the fourth call within the past 30 minutes.  I'll see what I can find out."

He then turned to me and asked "The user said it was their G: drive.  Do you know what server hosts the G: drive?"  Full disclosure, I was the "new guy" so I didn't have all of that stuff memorized like the older admins.

But - being a Sr. Admin, I came in and insisted on the purchase of Lansweeper in order to get their environment in order.  "Pull up the mapped drives report in Lansweeper - start typing the username, it will tell you what their G: drive maps to."

"Ah cool, thanks." -  It was that easy.  "You know, this tool is pretty handy."     "Yeah, for real. Career advice - wherever you go, get them to purchase Lansweeper - it will make your admin life much, much easier."

I sat back and started working again, importing IP locations from their IPAM application into Lansweeper - and in one fell swoop, hundreds of locations were instantly categorized.  Boom.

"Uh - hey, some of these files on the file server have weird extensions, and I can't open them."

I froze.  "Oh crap. What's the file extension?"   - "Dot ENC".  "Go tell Security, NOW." - I blurted - I was logged on to vCenter already, so I immediately disconnected the virtual NICs from the VM, and notified my boss, and the security team.

"Go find where it's coming from and kill it!" my boss said - and the security team scrambled.  He turned to me - "Aren't they supposed to know about things like this before we do? See what you can find."

"I'm on it."   -  The only thing is, I was the new guy, and I wasn't on the Cyber team - I had limited tools... but I had my SysAdmin experience, and, Lansweeper.  "Let's do this." I almost said out loud.

I consoled into the VM and navigated through the public share, sorting by last modified date, and found the oldest encrypted files and their directory.  I saw the ransom .txt note, and pulled up the file metadata.  "Created by John Shipman (not his real name)"
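The triage step above (sort the share by last modified, find the oldest encrypted files and their directory, then read the ransom note's metadata for who created it) can be scripted so it is repeatable under pressure. The block below is an added example, not code from the original post or from Lansweeper; it rebuilds a small public share inside a temporary directory with constructed file timestamps, then walks it for files carrying the `.enc` extension the story reports. The ransom-note filename `README_RESTORE.txt` is an assumption, and the "Created by" lookup is approximated with the POSIX file owner (on an NTFS share you would read the Owner field from the ACL instead).

```python
import os
import tempfile
import time
from pathlib import Path

ENC_EXT = ".enc"                   # extension seen on the share ("Dot ENC")
NOTE_NAME = "README_RESTORE.txt"   # hypothetical ransom-note name (assumption)


def build_sample_share() -> Path:
    """Constructed sample share: the folder touched earliest is where the
    encryption started, which is what the triage is meant to surface."""
    root = Path(tempfile.mkdtemp(prefix="public_share_"))
    now = time.time()
    # relative path -> age in seconds (larger age = modified earlier)
    files = {
        "Finance/budget.xlsx.enc": 3600,
        "Finance/" + NOTE_NAME: 3590,
        "HR/policy.docx.enc": 1800,
        "HR/" + NOTE_NAME: 1790,
        "Marketing/logo.png": 86400,   # untouched file, older than the outbreak
    }
    for rel, age in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        os.utime(p, (now - age, now - age))
    return root


def owner_of(path: Path) -> str:
    """Stand-in for the 'Created by' / Owner metadata: POSIX uid -> username."""
    st = path.stat()
    try:
        import pwd
        return pwd.getpwuid(st.st_uid).pw_name
    except (ImportError, KeyError):
        return str(st.st_uid)


def triage_share(root: Path, enc_ext: str = ENC_EXT, note_name: str = NOTE_NAME) -> dict:
    """Walk the share, find the earliest encrypted file, its directory, and the
    owner of the ransom note dropped there; also list every directory hit."""
    encrypted, notes = [], []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = Path(dirpath) / n
            if p.suffix.lower() == enc_ext:
                encrypted.append((p.stat().st_mtime, p))
            elif n == note_name:
                notes.append((p.stat().st_mtime, p))
    if not encrypted:
        return {"encrypted_count": 0}
    encrypted.sort()                       # oldest modification first
    first_mtime, first_file = encrypted[0]
    note_in_dir = [p for _, p in notes if p.parent == first_file.parent]
    return {
        "encrypted_count": len(encrypted),
        "first_encrypted": first_file.relative_to(root).as_posix(),
        "first_seen": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(first_mtime)),
        "origin_dir": first_file.parent.relative_to(root).as_posix(),
        "note_owner": owner_of(note_in_dir[0]) if note_in_dir else None,
        "dirs_hit": sorted({p.parent.relative_to(root).as_posix() for _, p in encrypted}),
    }


if __name__ == "__main__":
    share = build_sample_share()
    for k, v in triage_share(share).items():
        print(f"{k}: {v}")
```

The `origin_dir` and `note_owner` fields are the two facts the story hands to the asset inventory next (which machine does that user have), and `dirs_hit` tells the restore team which folders need to come back from backup.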

In an instant, I knew what machine he used via Lansweeper -  "His computer is LPT03281 - it's a laptop and he works out of the corporate location on the 7th floor - the MAC and IP address are this.."

"I'm calling him now" the Jr. Admin said - and quickly got on the phone.

I saw the look on my boss's face as he saw the cyber team around my desk.  To be honest, I was used to it - I knew what he was thinking - "Why are they looking to us for the information? Don't they have their own tools?"

One of the security team's workers came by - "I don't see that MAC address or IP address in the logs"   "How is that possible?" another security team member said.  "I dunno - it's just not there - I double-checked."

"The user is on Vacation," the Jr. Admin said.  "We are trying to reach him now."

Dang.  Something isn't right - Lansweeper can't be wrong, but then neither could Cisco ISE that the security team uses.  I went back to Lansweeper.  Ok, it's a laptop.  Let me look to see if there are multiple IP addresses. VPN? Attached network device?

Then, I found it. 

A docking station.  Lansweeper showed that it was connected on both the wireless, and wired via the docking station.  "Stupid Dells!" I actually said out loud (nothing unusual).  "They are supposed to switch from wireless to wired when you dock - this one kept both on."

"Here's the IP and MAC - it's the wireless and not the wired."

"Oh dang - we missed that wireless subnet when setting up ISE" one team member said.  The security team leapt into action, and worked quickly to resolve the issue.
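The lesson in the docking-station episode is that a user maps to a machine, but a machine can map to several addresses, and the NAC logs only help if every one of those addresses sits on a subnet the NAC watches. The block below is an added example, not code from the original post or from Lansweeper; it uses a constructed asset export whose shape (asset name, user, list of interfaces) is an assumption rather than Lansweeper's schema, with made-up MACs and RFC 1918 addresses, and a constructed list of subnets the NAC is configured for. It lists every address for a user's devices, flags multi-homed assets, and reports which interfaces, and which /24s, fall outside NAC coverage.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    kind: str   # "wired" or "wireless"
    mac: str
    ip: str


@dataclass
class Asset:
    name: str
    user: str
    ifaces: list


# Constructed sample export (assumed shape, not Lansweeper's schema).
# LPT03281 is docked: wired via the dock and wireless still associated.
ASSETS = [
    Asset("LPT03281", "jshipman", [
        Interface("wired", "00-11-22-33-44-55", "10.7.10.42"),
        Interface("wireless", "00-11-22-33-44-56", "10.7.200.17"),
    ]),
    Asset("LPT00419", "asmith", [Interface("wireless", "00-11-22-33-44-61", "10.7.200.33")]),
    Asset("DSK01002", "bjones", [Interface("wired", "00-11-22-33-44-70", "10.7.10.88")]),
]

# Constructed: the NAC was only set up with the wired floor subnet.
NAC_MONITORED = ["10.7.10.0/24"]


def interfaces_for_user(assets, user):
    """Every (asset, kind, ip, mac) for a user's devices: the full list to hand
    the security team so they search the logs for all addresses, not one."""
    return [(a.name, i.kind, i.ip, i.mac)
            for a in assets if a.user == user for i in a.ifaces]


def multi_homed(assets):
    """Assets with more than one interface type active at once (e.g. docked laptops)."""
    return [a.name for a in assets if len({i.kind for i in a.ifaces}) > 1]


def uncovered_interfaces(assets, monitored):
    """Interfaces whose address is on no NAC-monitored subnet."""
    nets = [ipaddress.ip_network(n) for n in monitored]
    gaps = []
    for a in assets:
        for i in a.ifaces:
            ip = ipaddress.ip_address(i.ip)
            if not any(ip in n for n in nets):
                gaps.append((a.name, i.kind, i.ip, i.mac))
    return gaps


def uncovered_subnets(assets, monitored, prefix=24):
    """Collapse the gaps into /prefix networks to propose for NAC coverage."""
    nets = {str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
            for _, _, ip, _ in uncovered_interfaces(assets, monitored)}
    return sorted(nets)


if __name__ == "__main__":
    print("addresses for jshipman:", interfaces_for_user(ASSETS, "jshipman"))
    print("multi-homed assets:", multi_homed(ASSETS))
    print("interfaces outside NAC coverage:", uncovered_interfaces(ASSETS, NAC_MONITORED))
    print("subnets to add to NAC:", uncovered_subnets(ASSETS, NAC_MONITORED))
```

Run periodically against a real inventory export, `uncovered_subnets` turns the "we missed that wireless subnet" discovery into a routine check instead of something found mid-incident.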

"Restore from Backups," our boss said.  This part WAS our responsibility - which was perfectly fine.  I had set up an import from the backup system into Lansweeper, updating the 'Last Backup' field for each respective asset.  Everything that should be backed up, was, and I could quickly see that without logging in to the backup system.

"yessir - we have a good backup from an hour before it started.  Restoring the files now."

I sat back, and sighed a deep sigh of relief.  Lansweeper once again helped me find an issue, and my experience as an Admin armed me with the knowledge of what to do.  Four things happened that day - my fellow admin team quit giving me a hard time about relying on Lansweeper so much and questioning my admin abilities, my boss was impressed that his Infrastructure team was on-point, the CyberSecurity team found a missing subnet, and they all asked how they could get access to and use Lansweeper.

Just one of the many true stories I have of how Lansweeper helped prevent a bad dream from becoming an unmitigated true Horror story!


Comments
Mister_Nobody
Honored Sweeper II

Good story!

MisterP2
Engaged Sweeper

Awesome Halloween AND SysAdmin story as well!
