The attack didn't start with a phishing email or a tricky download. It started with a port left open on a firewall, a server that hadn't seen a security update since January 2020, and passwords that wouldn't pass muster at a high school login screen. When we got the call on April 14, 2023, the damage was already done.
How They Got In
The business was running a Windows Server 2008 R2 machine as the heart of their network. That server had RDP enabled and exposed directly to the internet. RDP, or Remote Desktop Protocol, is the built-in Windows tool that lets someone control a computer remotely. It's a legitimate and useful feature when it's set up properly. Exposed to the open internet on an old, unpatched server, it's an open invitation.
When we pulled the Windows event logs, we counted more than 230,000 failed login attempts. Attackers had been hammering the server for long enough that, eventually, they got lucky. With weak passwords in the mix, including accounts set to "password" and others with nothing but lowercase letters and two numbers, it wasn't hard.
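One way to get that count, and to see where the attempts came from, is to tally failed-logon events (ID 4625) from the Security log. This is an added example, not a script from the original post; it assumes logon auditing was on, the log was not cleared, and the `$Days` and `$Threshold` values are set to suit the case.

```powershell
# Added example (not from the original post): tally failed logon events (4625)
# from the Security log to confirm an RDP brute-force pattern like the one
# described above. Assumes logon auditing was enabled and the log was not cleared.
param(
    [int]$Days = 30,          # how far back to look (assumed value)
    [int]$Threshold = 100     # failures per source IP that count as automated guessing (assumed value)
)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the fields we care about out of each event's XML payload.
# Script-block Where-Object syntax keeps this working on the PowerShell 2.0 that ships with 2008 R2.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        SourceIp  = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        LogonType = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'   # 10 = RemoteInteractive (RDP)
    }
}

"Total failed logons in the last $Days days: $($rows.Count)"

# Top source addresses; anything over the threshold is almost certainly automated.
$rows | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        $flag = if ($_.Count -ge $Threshold) { 'BRUTE-FORCE' } else { '' }
        '{0,-18} {1,8} {2}' -f $_.Name, $_.Count, $flag
    }

# Accounts being guessed; a long tail of usernames that don't exist on the box is a dictionary run.
$rows | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 10 Name, Count

# Share of failures that came in as interactive remote (RDP) logons.
$rdp = ($rows | Where-Object { $_.LogonType -eq '10' }).Count
"Failures via RDP (logon type 10): $rdp of $($rows.Count)"
```

When Network Level Authentication is enabled, failed RDP attempts are usually recorded as logon type 3 rather than 10, so the per-IP counts are the more reliable signal than the logon-type split.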
Windows Server 2008 R2 officially reached end of life in January 2020. That means no more security patches from Microsoft, no more fixes for newly discovered vulnerabilities. The attackers knew exactly what they were looking for.
What the Ransomware Did
Once they were in, the malware went to work fast. It encrypted files across both the C and D partitions of the server. The D drive was where the company's actual business data lived. It also encrypted the internal backup drive that was connected to the server for Windows Server Backup. That's a common tactic because attackers know that if they take out the backup at the same time, recovery becomes much harder.
On top of the encryption, the attack left the server in a state where normal login wasn't possible. The User Profile Service, which handles loading a user's desktop and settings at login, had failed. Trying to log in normally just kicked back an error.
We booted the server into Safe Mode and used a temporary default profile to get access. From there, we identified which files on the D partition hadn't been encrypted yet and started a backup. The volume of data meant it was going to be a long process, so we set it running and kept monitoring it.
The Ripple Effect: No Internet for Anyone
This is the part that catches a lot of business owners off guard. Because this was a domain network, the server was also handling DNS for every device on the network. DNS is essentially the phone book of the internet. It translates the website names you type into the actual addresses computers use to connect. When the server went down, client computers and Wi-Fi couldn't reach the internet at all.
We reset the router and reconfigured it to bypass the server entirely, pointing DNS directly to public DNS servers instead. That restored internet access to the rest of the network while we continued working on the server.
It's a reminder that in a domain environment, the server isn't just a file cabinet. It's doing a lot of jobs at once, and when it fails, things you wouldn't expect stop working.
What Made This Worse
A few things turned a bad situation into a serious one. Any one of them alone would have been manageable. Together, they let a successful attack spiral into major data loss.
Unsupported operating systems. The server was running Windows Server 2008 R2, and several of the workstations were on Windows 7. Both had been out of support for years, meaning known security holes existed with no fix coming.
Weak passwords across the board. Some accounts used "password" as the password. Others used short, all-lowercase combinations with two digits. That's all it takes for an automated attack to guess its way in.
A consumer-grade firewall. The router protecting this network wasn't built for business use. It lacked the controls needed to properly restrict what traffic could reach the server from the outside.
The backup drive was local and attached. Because the backup drive was physically connected to the same server being attacked, the ransomware encrypted it right alongside everything else. An off-site or cloud backup would have survived.
Where Things Stand and What Comes Next
The immediate priority was recovering what data we could before the encryption spread further, and getting the rest of the network back online. Both of those happened. The longer job, restoring the full business data set, was underway.
For the long term, the path forward is a full rebuild. That means a new server running a supported operating system, workstations upgraded to solid-state drives and Windows 11 Professional, a business-grade firewall with proper access controls, and a network architecture designed to be both secure and recoverable if something goes wrong again.
If your business is running older equipment, or if you're not sure whether your server is exposed to the internet in ways it shouldn't be, that's worth a conversation sooner rather than later. We see this pattern often enough to know how it ends.
Call us at 808-468-4416 or reach out at https://www.smartcows.com/contact. We're local, we'll give you a straight answer about where your network stands, and we can help you put a plan together before a situation like this one lands at your door.