This is really worrying: my window sever box is updated to the minute. Id downloads and installs updates as soon as they are released, automatically, and it did reboot tonight around 3:00am, so right AFTER the boox.exe file had been placed on the HDD. Unfortunately, too late.
This machine is exposed to the internet via IIS (web and ftp servers) and RDP, via ports 80, 21, 22, 443, and 3389). All other ports are closed both on the server and on the edge router in my home.
MS has issued security updates/bulletins yesterday. I wonder if those are related to this.
What do you guys think? Any help in sorting this out is more than welcome.
It's sadly not uncommon for exploits to be in wide use ahead of patches making it out to secure machines. Up to the day patching still has an unknown vulnerability time prior to the patch being coded, tested and distributed.
There are also entire groups dedicated to tearing apart the patches themselves to discover the exploit. They quickly update exploit kits to take advantage of the time gap between a vendors release and when machines get updated. This is a factor in why Microsoft made changes in Windows 10 home editions to mandate and not defer patches, along with using torrent like distribution. To at least try to close this gap a little in the consumer market while also ensuring a DDOS against their patch server CDNs isn't as effective.
To discover how it got in, I'd recommend looking through the list of what Microsoft patched in that latest round of updates. If anything IIS shows up, check your logs for any out of the ordinary traffic. Same for RDP. It's also possible it didn't go directly through IIS, and instead a flaw in whatever you are hosting on that web instance.
Ransomware is getting to be more and more common. There's a lot more money in this sort of stuff then there used to be ages ago. Larger groups will intentionally horde exploits not known by the vendor to sell
to the rich, and smaller groups or individuals buy these exploits to turn around and hit machines like yours. There are literally point and click malware creator programs that wrap up processes like your build.exe that use those latest exploits.
For your machine, was it running any virus/malware protection?
This is crypto-ransomware of some kind. It is encrypting your files, then deleting the originals. At some point there would be an offer to sell you the decryption keys.
On Windows, the ransom notes tend to show up in My Documents somewhere. There's a chance there's something already there depending on what variant hit your machine.