Some Hacker with Ransom Virus using Team Viewer to Infect Our Servers

Hi,

We have a major problem with one of my clients.

We use Team Viewer to give him technical support. A few days ago, we left the Team Viewer open so I can access this PC at any time for support and backup of files, and when I accessed it today I saw that all the files had been encrypted by a virus, and I found txt files next to the encrypted files.

And here is what the txt file said:

------------------------------------------------------------------------------------------------------------------------------

[Content removed]

----------------------------------------------------------------------------------------------------------------------------

I set up that Team Viewer password to be fixed so I can access it at any time with a restart of the Team Viewer.

This issue has happened several times at more than one of our clients.

Can you help us with this, and how can we prevent that?

Best Regards

 

Comments

  • Jeremy
    Jeremy Posts: 106 Staff member 🤠

    Hi @mohammedemad,

    Thanks for your query. What indication do you have, that the hacker actually used TeamViewer to install the ransomware onto the other computer? It's possible they gained access to the computer using some other method.

    In any case, it's not possible for someone to connect to a computer with TeamViewer unless they know both the ID and the password of that computer. It's therefore important to make sure that the TeamViewer password is kept safe and secure, and furthermore that the password is unique - ie. not used anywhere else.

    As an additional security measure, you can enable the whitelist feature in TeamViewer's options on all of the computers that you need to connect to. This setting can be found by going into the Options, then to the Security page, and clicking the "Black and whitelist" Configure button.

    Then you can, for example, set "Allow access only for the following partners", and add your own TeamViewer account to the list below.

    That means only you - signed in with your TeamViewer account - will be able to connect to the remote computer that is using this whitelist. If someone else tries to connect to that computer - even if they know the computer's ID and password - they won't be able to, as the whitelist will block them.

    Regards,
    Jeremy
    TeamViewer Quality Assurance Engineer
  • mLipok
    mLipok Posts: 781 ⭐Star⭐

    Do you have an open port for MS Remote Desktop (3389)?
    Close it now!

     

    Regards,
    mLipok , AutoIt MVP
  • Thank you Eng. Jeremy for the response, but how can these hackers access these servers? We have Avast antivirus with a powerful firewall.

    I hope you can guide me to protect these from the same problems in future.

    Thanks

     


  • Thank you mLipok for the response,

    but if I close the RDP port (3389), the clients can't remotely access the server that I connect our software with.

    What other option is there for this port?

    Thank you

  • Jeremy
    Jeremy Posts: 106 Staff member 🤠

    Hi @mohammedemad,

    Ransomware usually gets onto a computer in the same way as many other viruses: through phishing attacks. For example, a fake email that is made to look like a legitimate email from someone you trust (eg. your bank or ISP or IT Department, etc), or perhaps a fake website that is made to look like a legitimate website. Then you are instructed to download a file, which contains the ransomware virus, and that's how it gets onto your computer. (There are other methods used too, but this is a common method: tricking the computer user into downloading an infected file, or visiting an infected website).

    If you search on Google, you can find lots of articles on security or tech websites that discuss ransomware and how to prevent it or remove it. For example, I found these helpful articles:

    Depending on the type of ransomware that has infected your servers, you may or may not be able to remove it yourself. You will probably need to do further research to find out if it's possible, or get help from a security expert.

    Closing port 3389, which is used by the Microsoft Remote Desktop protocol, isn't necessary to avoid ransomware, as ransomware doesn't get into your computer through RDP.

    Regards,
    Jeremy
    TeamViewer Quality Assurance Engineer
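
An added example, not part of the original thread and not TeamViewer's own code: one way to look for the indication Jeremy asks about is to review the `Connections_incoming.txt` log that TeamViewer keeps on the affected machine and flag sessions from partner IDs you do not recognise during the incident window. The field layout, timestamp format, partner IDs and dates below are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample rows in the assumed tab-separated layout:
# partner ID, partner name, start, end, local user, connection type, session id
SAMPLE_LOG = "\n".join([
    "111222333\tSUPPORT-LAPTOP\t02-03-2017 08:15:02\t02-03-2017 08:47:40\tadmin\tRemoteControl\t{s1}",
    "987654321\tWIN-UNKNOWN\t05-03-2017 01:12:44\t05-03-2017 03:58:10\tadmin\tRemoteControl\t{s2}",
    "555666777\tOLD-VENDOR\t10-01-2017 14:00:00\t10-01-2017 14:20:00\tadmin\tRemoteControl\t{s3}",
    "truncated line without enough fields",
])

ALLOWED_PARTNERS = {"111222333"}   # constructed: IDs of your own support devices
TS_FORMAT = "%d-%m-%Y %H:%M:%S"    # assumed timestamp format


def parse_sessions(text):
    """Return one dict per well-formed row; malformed rows are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) < 6:
            continue
        try:
            start = datetime.strptime(fields[2], TS_FORMAT)
            end = datetime.strptime(fields[3], TS_FORMAT)
        except ValueError:
            continue
        sessions.append({"partner_id": fields[0], "partner_name": fields[1],
                         "start": start, "end": end,
                         "local_user": fields[4], "type": fields[5]})
    return sessions


def suspicious_sessions(text, allowed, window_start, window_end):
    """Sessions from partners outside the allowlist that overlap the incident window."""
    return [s for s in parse_sessions(text)
            if s["partner_id"] not in allowed
            and s["start"] <= window_end and s["end"] >= window_start]


if __name__ == "__main__":
    # Constructed incident window: the period in which the files were encrypted.
    for s in suspicious_sessions(SAMPLE_LOG, ALLOWED_PARTNERS,
                                 datetime(2017, 3, 4), datetime(2017, 3, 6)):
        print(s["partner_id"], s["partner_name"], s["start"], "->", s["end"], s["local_user"])
```

The same allowlist of partner IDs is what the "Allow access only for the following partners" setting described above would enforce going forward.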