# Issue Log

### 2025 — Crypto/Ransomware Attack

- **Severity:** Critical
- **Symptoms:** Ransomware encryption across network
- **Impact:** AD2 wiped and rebuilt. Many files lost including C:\DFWDS\, scheduled tasks, service configs. Test datasheet pipeline (DFWDS.exe, VB6) destroyed.
- **Resolution:** AD2 rebuilt. Pre-attack backup exists on HGHAUBNER D: drive. TestDataDB pipeline rebuilt 2026-03-27–29.
- **Lessons Learned:** No adequate backup existed. Flat network allowed lateral movement.

---

### 2026-03-27 — DF-JOEL2 Workstation Compromise

- **Reported By:** Mike Swanson
- **Severity:** Critical
- **Target:** Joel Lohr's workstation (DF-JOEL2, 192.168.0.174)
- **Vector:** Phishing email to personal Yahoo account
- **Attacker:** "Angel Raya" via ScreenConnect social engineering
- **C2 IPs:** 80.76.49.18, 45.88.91.99 (AS399486, Virtuo, Montreal QC)
- **C2 Cloud:** instance-wlb9ga-relay.screenconnect.com
- **M365 Impact:** jlohr account compromised from Turkey/UK/Germany
- **Resolution:**
  - C2 IPs blocked at UDM firewall (iptables rules — need permanent UniFi UI rules)
  - 3 rogue ScreenConnect clients uninstalled
  - jlohr AD password reset, M365 sessions revoked
  - 32 machines scanned clean, 28 unreachable (offline)
  - No lateral movement detected
  - IC3 Complaint: 1c32ade367084be9acd548f23705736f
  - ConnectWise Case: 03464184
  - C2 hosting SUSPENDED by provider
- **Follow-up:** Joel Lohr retired 2026-03-31. Auto-reply set to Dan Center.
- **Lessons Learned:** Personal email on work machines is a phishing vector. ScreenConnect brand used for social engineering.
---

## Known Issues & Risks (from 2026-04-02 audit)

### Critical

- All Windows Firewall profiles **DISABLED** on AD2
- Windows 7 machines still on network (LABELPC, LABELPC2, D2-RCVG-003)
- AD1 and AD2 are Windows Server 2016 (end of mainstream support)
- AD1 C: drive at **90% capacity** (C:\Engineering = 787 GB)

### High

- Joel Lohr account (jlohr) needs to be disabled post-retirement (March 31) — **OVERDUE**
- 28 machines not scanned during security incident (were offline)
- C2 IP blocks are iptables rules on UDM — need permanent UniFi UI rules
- No reverse DNS zone for 192.168.0.x
- MFA enforcement deadline April 4, 2026 — 19 users still need to register
- Website upload mechanism broken (old ASP.NET endpoints return 404)

### Medium

- D2TESTNAS uses root SSH with password authentication
- Multiple DESKTOP-* computer names suggest unmanaged/BYOD devices
- ~845K test records pending ForWeb export
- Some computer accounts have stale/conflicting IP addresses
- TestDataDB Server scheduled task still exists (disabled, replaced by service)

### Low

- DVD ISO still mounted on AD2 D: drive
- ClaudeTools-ReadOnly AD account — purpose unclear
- Multiple duplicate/old computer accounts in AD
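Several of the audit findings above can be re-verified from a domain-joined admin workstation so the list can be closed out item by item rather than by memory. The script below is an added example, not part of the original issue log. It assumes the RSAT ActiveDirectory module is installed, PowerShell remoting to AD1 and AD2 works, and that the leftover scheduled task is literally named `TestDataDB Server` and lives on AD2 (the log does not say which host; both are assumptions). Hostnames, the jlohr account and the DESKTOP-* pattern are taken from the findings.

```powershell
# Added re-check for the 2026-04-02 audit findings (example, not the original log's tooling).
# Assumptions: RSAT AD module present; WinRM to AD1/AD2; task name and host are guesses.

$Findings = @()

# Critical: all Windows Firewall profiles DISABLED on AD2
$profiles = Invoke-Command -ComputerName AD2 -ScriptBlock {
    Get-NetFirewallProfile | Select-Object Name, Enabled
}
foreach ($p in $profiles) {
    if (-not $p.Enabled) { $Findings += "AD2 firewall profile '$($p.Name)' is DISABLED" }
}

# Critical: AD1 C: drive at 90% capacity (flag anything at or above 85% used)
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName AD1 -Filter "DeviceID='C:'"
$pctUsed = [math]::Round(100 * ($disk.Size - $disk.FreeSpace) / $disk.Size, 1)
if ($pctUsed -ge 85) { $Findings += "AD1 C: is $pctUsed% used" }

# Critical: Windows 7 hosts still joined (OS string as recorded in AD, not a live scan)
Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' -Properties OperatingSystem |
    ForEach-Object { $Findings += "Windows 7 computer account: $($_.Name)" }

# High: jlohr must be disabled post-retirement
$u = Get-ADUser -Identity jlohr -Properties Enabled, LastLogonDate
if ($u.Enabled) { $Findings += "jlohr is still ENABLED (last logon: $($u.LastLogonDate))" }

# Medium: leftover scheduled task (name and host assumed, see lead-in)
$task = Invoke-Command -ComputerName AD2 -ScriptBlock {
    Get-ScheduledTask -TaskName 'TestDataDB Server' -ErrorAction SilentlyContinue
}
if ($task) { $Findings += "Scheduled task 'TestDataDB Server' still present on AD2 (state: $($task.State))" }

# Medium: DESKTOP-* computer accounts that suggest unmanaged/BYOD devices
Get-ADComputer -Filter 'Name -like "DESKTOP-*"' |
    ForEach-Object { $Findings += "Unmanaged-looking computer account: $($_.Name)" }

# Low: duplicate/stale computer accounts, surfaced by last logon older than 90 days
$stale = (Get-Date).AddDays(-90)
Get-ADComputer -Filter 'LastLogonTimeStamp -lt $stale' -Properties LastLogonTimeStamp |
    ForEach-Object { $Findings += "Stale computer account (no logon in 90 days): $($_.Name)" }

if ($Findings.Count -eq 0) { 'All re-checked findings are resolved.' } else { $Findings }
```

Run it after each remediation pass and paste the remaining lines back into this log; an empty result is the evidence that the Critical and High items can be closed. The Windows 7 and DESKTOP-* checks read Active Directory only, so a host that is offline or not domain-joined (the 28 unscanned machines, for instance) will not appear and still needs a live check.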