one of my customers was hit by a trojan called lockbit (version 2.0).
The Windows PCs are all closed and will be completely setup from scratch. My question is: does anyone know, whether the Nethserver is also affected? Of course I closed the encrypted share… this will be separated and deleted. Backup works, so that’s not the problem.
The customer does not use AD functions like central authentication, it’s just a small server for emails and some SMB shares and one of these was affected.
Does anyone know whether the regular Linux system itself can be affected and should be setup again?
Generally, Linux will not be compromised with Windows Ransomeware.
Sure, files on a samba accessible from a Windows PC can and will be encrypted, but that does not mean the ransomeware runs on Linux.
I would assume your NethServer is NOT compromised!
As I have about 30 clients, I’ve had experience with ransomeware / cryptolockers.
At worst, it took us 1.5 - 2 hours to restore the data from backup, and reimage the PC from a master Image and everythings back up & running…
But I do keep backups (several, each several generations to cover even an extended Weekend), and backups are never accessible from a Windows box (No sharing, NAS not in AD with different Admin password, etc). And I also have offsite backups…