Avatar of Logical_Step
Logical_Step asked on

Ransom Ware

Hi I have a real-estate company  that has just had a ransom ware attack
this file on shared folders on the server

"All files including videos, photos and documents on your computer are encrypted.

In order to decrypt the files, open site 4sfxctgp53imlvzk.onion"

I can access files using previous versions without issue (lucky) sbs2011
question there running AVG Business on the server & workstation
is this program likely running on a PC that's doing this (how to locate?)

I'm hoping not to have to reload the server , but may have reload all workstations
or could I get away with a system restore?
Encryption

Avatar of undefined
Last Comment
Logical_Step

8/22/2022 - Mon
cpmcomputers

ASKER
Logical_Step

Thanks
It look similar
will check all PC's tomorrow morning
cpmcomputers

Beware that the later versions can disable your shadow copies
This will leave you no way but to restore from backup or pay the ransom ( not guarantee or recommended)

Depending on your file sizes it may be useful to "restore from previous versions" using you shadowcopies  all critical data now to an alternative location Then take it offline
this should give you a safety backup if all else fails

I dealt with a case of this on two occasions
The entry point was a user opening an innocent looking .zip file  in an email attachment
So the infection will probably be on a workstation not the server itself

Good luck
keep us posted
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
Logical_Step

After disconnecting all PC from the Network
managed to recover all files from a few days earlier with previous versions off the server
I couldn't find any with Cryptolocker files on any PC's
in apps local or registry run
I did a system restore on all in case due to time issues (unplugged didn't loose trust)
All running fine for last couple of days

PS Couldn't find any email attachments either in the time period
cpmcomputers

I would now scan all the pc ' s and servers with malwarebytes as a check and prevent reinfection (you can get the free version from the bleeping computers site)

Is it possible a pc or perhaps a laptop user (not presently on the network) has been missed?
ASKER CERTIFIED SOLUTION
cpmcomputers

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
cpmcomputers

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Logical_Step

That link didn't work but this does

http://www.bleepingcomputer.com/virus-removal/cryptorbit-ransomware-information
& yes this look like it , all PC's were scanned with Malware Bytes  All Clean

Will keep checking
Thanks for your help