After deploying TSPlus in the company we had a ransomware attack via the HTML5 portal. While I am still trying to figure out how it could be possible for a virus to enter the server and affect other servers via TSPlus, I wanted to pass this along.
Can someone please explain how this could be possible? In our environment users are not given anything but the point-of-sale application, which doesn't have access to a web browser, nor does it allow for directory browsing. It would appear the user's laptop was infected and spread to the server and other servers also. Below is info on the virus:
Dharma ransomware family
.Arrow derivative
Name: .id-.[].arrow
Ransomware After Install
Re: Ransomware After Install
Because I don't have access to private messages yet, I would like to thank those who messaged me. I would like to reply, however I am unable to, given the stringent board rules.
Re: Ransomware After Install
Hi cheex.
Do you use TSplus Web Credentials for the authentication process?
If not, your user's laptop could have a virus which stole the TSplus Windows Server username and password as he typed them in at logon.
After that, someone could have used it to Remote Desktop the server with valid credentials.
Best.
Ivan
Re: Ransomware After Install
Hello,
Viruses can attack from multiple places. Most of the time, opening an email attachment on the server or accessing a malicious website is the cause. I have written documentation on how to provide more security to your server: https://www.terminalserviceplus.com/doc ... lus-server
RDP can also be at risk if your users' passwords are weak; you might be interested in our latest security tool: RDS Knight
Developed especially for RDP defense, it can also secure your user accounts to prevent them from having sufficient rights to launch a ransomware.
It adds extra security with protection from brute force attacks and allows you to provide a more restricted environment to your users.
Find out more here : https://www.terminalserviceplus.com/rds-knight.php
You could also try out Server Genius, our most recent add on for TSplus.
Server Genius provides a varied set of logs of all activities on the server, creates comprehensive charts, and can send alerts if CPU or memory usage is too high.
Find out more here : https://www.terminalserviceplus.com/server-genius.php
Olivier
TSplus support team administrator
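Ivan's and Olivier's replies describe two ways in: a password stolen from the user's laptop and reused over RDP with valid credentials, and a weak password found by brute force. The following Python is an added example, not code from this thread or from TSplus, showing how either case shows up in the Windows Security log: a burst of failed logons (event 4625) from one source address followed by a successful RDP logon (event 4624, LogonType 10) from the same address, and any successful RDP logon from outside the networks your users should be coming from. The sample events, the allowed network, the failure threshold and the time window are constructed assumptions; the event IDs and logon type are the real Windows values.

```python
"""Added detection example (not TSplus code): flags RDP brute-force followed by
a successful logon, and RDP logons from unexpected networks, in Windows
Security events. Event IDs 4624/4625 and LogonType 10 (RemoteInteractive,
i.e. RDP) are real Windows values; everything else below is an assumption."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events, not real logs:
# (timestamp, event_id, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2018-05-01T02:10:01", 4625, "pos1", "203.0.113.7", 3),
    ("2018-05-01T02:10:42", 4625, "pos1", "203.0.113.7", 3),
    ("2018-05-01T02:11:15", 4625, "pos1", "203.0.113.7", 3),
    ("2018-05-01T02:12:03", 4625, "pos1", "203.0.113.7", 3),
    ("2018-05-01T02:13:30", 4625, "pos1", "203.0.113.7", 3),
    ("2018-05-01T02:14:11", 4625, "pos1", "203.0.113.7", 3),
    ("2018-05-01T02:15:02", 4624, "pos1", "203.0.113.7", 10),      # a guess succeeded
    ("2018-05-01T08:30:00", 4624, "cashier2", "192.168.1.20", 10),  # normal LAN logon
    ("2018-05-01T08:31:00", 4625, "cashier2", "192.168.1.20", 3),   # one typo, not an attack
]

FAIL_THRESHOLD = 5                      # assumption: tune to your environment
WINDOW = timedelta(minutes=10)          # assumption: failures counted within 10 minutes
ALLOWED_NETWORKS = ("192.168.1.0/24",)  # assumption: where RDP users should come from


def detect_bruteforce_success(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (source_ip, account, time, failures) for every RDP logon (4624,
    LogonType 10) preceded by >= threshold failed logons (4625) from the same
    source IP inside `window`. Failures are not filtered by logon type because
    with NLA enabled RDP failures are commonly recorded as LogonType 3."""
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerts = []
    for ts_str, event_id, account, src_ip, logon_type in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        recent = failures[src_ip]
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if event_id == 4625:
            recent.append(ts)
        elif event_id == 4624 and logon_type == 10 and len(recent) >= threshold:
            alerts.append((src_ip, account, ts_str, len(recent)))
    return alerts


def external_rdp_logons(events, allowed_networks=ALLOWED_NETWORKS):
    """Return (source_ip, account, time) for successful RDP logons whose source
    address is outside every allowed network. This catches the scenario in
    Ivan's reply: a valid password stolen from a laptop and reused over RDP
    from somewhere you do not expect, with no failed attempts at all."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for ts_str, event_id, account, src_ip, logon_type in sorted(events, key=lambda e: e[0]):
        if event_id != 4624 or logon_type != 10:
            continue
        if not any(ipaddress.ip_address(src_ip) in net for net in nets):
            hits.append((src_ip, account, ts_str))
    return hits


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_EVENTS):
        print("brute-force then success:", alert)
    for hit in external_rdp_logons(SAMPLE_EVENTS):
        print("RDP logon from outside allowed networks:", hit)
```

On the sample data the first check reports the 02:15 logon of pos1 from 203.0.113.7 with six prior failures, and the second check reports the same logon as coming from outside the LAN; cashier2's single failed attempt from the LAN raises nothing. To run it against a real server, feed it the same five fields pulled from 4624/4625 events in the Security log, and treat any hit as a reason to check that account's sessions before it is used to reach other servers.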