CryptoLocker Problem

One of our users has had her workstation compromised with the CryptoLocker screen. The workstation had two mapped drives - one for personal files and one for shared files. Both of these mapped drives point to our storage server - Windows Server 2008 R2. Many of the .xls, .xlsx, .doc, .jpeg, and .pdf documents are now encrypted with no access. Could someone PLEASE provide some guidance as to how we should handle this devastating issue? We have two SonicWall CDP units for backup that are also partially infected. The infected workstation is presently offline but counting down to 02 May for payment and to possibly receive the required key. The administrative staff would also like a list of encrypted files to better assess this issue - how can we get this list for them? Thanks.
Dan Craciun

If you don't have backups and the data is valuable, pay up or redo the data. Those are the only 2 options.

This is really a good opportunity to evaluate your backup policies and retention time. A week-old backup would be golden in this situation.

HTH,
Dan
ASKER CERTIFIED SOLUTION
Alan Hardisty

And you don't have a Backup of these two mapped drives?
If not, paying is one way, but it's not 100% sure that you will get the key.
Never pay with credit cards!
ASKER
The workstation is infected - does this mean that the server is also infected with this or is the encryption of the files the only problem? Does anyone have a method to make a list of the encrypted files on the storage server?
Yes - if the workstation was mapped to the server, then assume ALL files with the file extensions listed in my blog are encrypted on the server.

Alan
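An added example, not code from this thread or from Alan's blog: a Windows PowerShell inventory script a defender could run against the shared drive to produce the list the administrative staff asked for. It flags files that still carry one of the extensions from the question but no longer begin with the header that format normally has, which is what in-place encryption leaves behind. The share path, look-back date and report path are placeholders to adjust for the incident.

```powershell
# Added example (not from the original thread). Inventory files on a share whose
# content no longer matches the header their extension implies. Runs on Windows
# PowerShell 2.0+ (as shipped with Server 2008 R2); -Encoding Byte is the 2.0-5.1 syntax.
param(
    [string]$SharePath = "\\STORAGE-SERVER\Shared",              # placeholder UNC path
    [datetime]$Since   = (Get-Date).AddDays(-7),                 # placeholder look-back window
    [string]$Report    = "$env:USERPROFILE\Desktop\suspect-encrypted-files.csv"
)

# Expected leading bytes for the extensions named in the question.
$Signatures = @{
    '.pdf'  = @(0x25,0x50,0x44,0x46)                            # "%PDF"
    '.xlsx' = @(0x50,0x4B,0x03,0x04)                            # OOXML is a ZIP container ("PK")
    '.docx' = @(0x50,0x4B,0x03,0x04)
    '.xls'  = @(0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)        # OLE2 compound document
    '.doc'  = @(0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)
    '.jpeg' = @(0xFF,0xD8,0xFF)                                 # JPEG start-of-image marker
    '.jpg'  = @(0xFF,0xD8,0xFF)
}

function Test-HeaderMatches([string]$Path, [byte[]]$Expected) {
    # Read only as many bytes as the signature needs; a short or empty file fails the check.
    $head = @(Get-Content -LiteralPath $Path -Encoding Byte -TotalCount $Expected.Length -ErrorAction Stop)
    if ($head.Count -lt $Expected.Length) { return $false }
    for ($i = 0; $i -lt $Expected.Length; $i++) {
        if ($head[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

$suspects = Get-ChildItem -LiteralPath $SharePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since -and
                   $Signatures.ContainsKey($_.Extension.ToLower()) } |
    ForEach-Object {
        $file = $_
        try {
            if (-not (Test-HeaderMatches $file.FullName $Signatures[$file.Extension.ToLower()])) {
                # Header mismatch: report the file for the recovery list.
                New-Object PSObject -Property @{
                    Path = $file.FullName; SizeBytes = $file.Length; LastWriteTime = $file.LastWriteTime
                }
            }
        } catch { Write-Warning "Could not read $($file.FullName): $_" }
    }

$suspects | Sort-Object LastWriteTime | Export-Csv -NoTypeInformation -Path $Report
"{0} suspect files written to {1}" -f @($suspects).Count, $Report
```

Run it read-only from a clean machine with an account that has only read access to the share; a file whose content was never the format its extension suggests (for example an RTF saved as .doc) will also be listed, so the CSV is a triage list to compare against the backup, not proof of encryption.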
Thanks for the information - much appreciated. The payment methods are Bitcoin or a pay packet. Could someone shed some light on these two options? I live in Canada and we don't have "Pay Packets" available, and I'm not sure where I'd get a "Bitcoin".
We decided not to pay the ransom and instead will recover the files from backup. The infected PC has been removed from the domain and will be formatted and the OS re-installed. Is it necessary to also format the server and reinstall its OS, or is it okay to just recover the files from backup - delete and copy/paste?
The server will be fine - it's just files that got messed up.

The PC doesn't need a reformat, but it won't hurt. The PCs I've cleaned are all running happily after the steps I took that I documented, and a few more virus scans show all is clean.

Alan
Thanks to everyone for your excellent feedback.