Solved

Ransom Ware

Posted on 2014-03-12
8
440 Views
Last Modified: 2014-03-14
Hi I have a real-estate company  that has just had a ransom ware attack
this file on shared folders on the server

"All files including videos, photos and documents on your computer are encrypted.

In order to decrypt the files, open site 4sfxctgp53imlvzk.onion"

I can access files using previous versions without issue (lucky) sbs2011
question there running AVG Business on the server & workstation
is this program likely running on a PC that's doing this (how to locate?)

I'm hoping not to have to reload the server , but may have reload all workstations
or could I get away with a system restore?
0
Comment
Question by:Logical_Step
  • 5
  • 3
8 Comments
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39922975
0
 
LVL 1

Author Comment

by:Logical_Step
ID: 39923096
Thanks
It look similar
will check all PC's tomorrow morning
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39923129
Beware that the later versions can disable your shadow copies
This will leave you no way but to restore from backup or pay the ransom ( not guarantee or recommended)

Depending on your file sizes it may be useful to "restore from previous versions" using you shadowcopies  all critical data now to an alternative location Then take it offline
this should give you a safety backup if all else fails

I dealt with a case of this on two occasions
The entry point was a user opening an innocent looking .zip file  in an email attachment
So the infection will probably be on a workstation not the server itself

Good luck
keep us posted
0
 
LVL 1

Author Comment

by:Logical_Step
ID: 39928578
After disconnecting all PC from the Network
managed to recover all files from a few days earlier with previous versions off the server
I couldn't find any with Cryptolocker files on any PC's
in apps local or registry run
I did a system restore on all in case due to time issues (unplugged didn't loose trust)
All running fine for last couple of days

PS Couldn't find any email attachments either in the time period
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39928609
I would now scan all the pc ' s and servers with malwarebytes as a check and prevent reinfection (you can get the free version from the bleeping computers site)

Is it possible a pc or perhaps a laptop user (not presently on the network) has been missed?
0
 
LVL 10

Accepted Solution

by:
cpmcomputers earned 500 total points
ID: 39928620
I was just looking at the encryption message
Check out
http://botcrawl.com/remove-cryptorbit-virus/with malwarebytes
 
Looks like you might be lucky and have this rather than cyryptolocker itself

Is it possible a pc or perhaps a laptop user (not presently on the network) has been missed?
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39928641
0
 
LVL 1

Author Comment

by:Logical_Step
ID: 39928738
That link didn't work but this does

http://www.bleepingcomputer.com/virus-removal/cryptorbit-ransomware-information
& yes this look like it , all PC's were scanned with Malware Bytes  All Clean

Will keep checking
Thanks for your help
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Data Backup 7 47
Bitlocker  on a domain 10 76
Password protecting flash drive 13 73
Host based encryption in VMware ESXi 5 371
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now