Your Windows Server Was Encrypted, What Next?

Posted on February 28, 2024 / July 10, 2024 by admin
Updated June 10, 2024 to include DoNex Ransomware decryptors from Avast.

It can happen to the best of us. You open an unknown attachment from an email, install sketchy software, or the latest unpatched zero-day is running wild on your Windows Server 2022. What’s next?

These are some of the possible options you have if your Windows Server has been hacked and encrypted. However, none of them are guaranteed to work or to be risk-free. Therefore, you should consult a professional IT expert before taking any action, and you should report the incident to the relevant persons and/or authorities.

Disconnect the networking

If the compromised system is still online, it could be used for outgoing DoS and other malicious attacks. You should disable networking on the server.

How to Enable or Disable Network Connections in Windows

Recover from backup

If you have a full image backup like IONOS Cloud Backup, then you could reinstall the operating system, reinstall the backup agent, and then restore your backup. However, you should first make sure that your backups are not infected or encrypted by the ransomware.

Installing the Backup Agent

Restoring Backups

Downloading files from the cloud storage

You may also be able to restore your files from shadow copies, which are snapshots of your files created by Windows. However, some ransomware may delete or encrypt your shadow copies, so this option may not work. You can use tools such as ShadowExplorer to access and recover your shadow copies.

Identify the ransomware

Some ransomware variants may leave clues about their identity, such as ransom notes, file extensions, or encryption keys. You can use online tools such as ID Ransomware or No More Ransom to try to identify the ransomware and see if there is a known decryption tool available.
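The clues described above can be collected with a read-only inventory. This is an added example, not part of the original article: it lists the extensions that dominate recently written files and the small text or HTML files that repeat across many folders. The `$Root` path, the `$Since` window, the 64KB size limit and the five-folder threshold are assumptions to adjust for your own server.

```powershell
# Added example (not from the original article): read-only triage that gathers
# the file extension and ransom-note candidates an identification service asks for.
# Assumptions: $Root, $Since and the thresholds below are illustrative values.
param(
    [string]$Root = 'D:\',                       # hypothetical data volume to inspect
    [datetime]$Since = (Get-Date).AddDays(-7)    # assumed incident window
)

# Files written inside the window. Unreadable folders are skipped, not fatal.
$recent = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since }

# 1. Extensions that dominate recent writes. An unfamiliar extension on a
#    large share of files is usually the marker appended during encryption.
$recent |
    Group-Object Extension |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# 2. Ransom-note candidates: the same small file name present in many folders.
$recent |
    Where-Object { $_.Length -lt 64KB -and $_.Extension -in '.txt', '.html', '.hta' } |
    Group-Object Name |
    Where-Object { ($_.Group.DirectoryName | Sort-Object -Unique).Count -ge 5 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].FullName } } |
    Format-Table -AutoSize
```

The script only reads file metadata and changes nothing on disk, so it can be run on the isolated server or against the disk mounted on a clean machine.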

On July 7, 2024, Avast released a decryptor application for DoNex Ransomware, as well as its predecessors Muse, fake LockBit 3.0, and DarkRace.

Fake BitLocker 3.0
DoNex

If you are affected by one of the DoNex ransomware attacks, first back up your encrypted file(s) (in the rare case the decryptor corrupts the file), and then download the application from Avast’s site here, or our mirror here.

Ransomware attacks are illegal and can be reported to the authorities. You can contact your local law enforcement agency. You can also contact a local FBI Field Office or the Internet Crime Complaint Center in the US for assistance. Reporting the incident may help the investigation and prosecution of the attackers, as well as prevent future attacks. You may also receive assistance or guidance from law enforcement on how to deal with the ransomware.
