Generator (Canada) asked:

CryptoLocker Problem

One of our users has had her workstation compromised with the CryptoLocker screen. The workstation had two mapped drives, one for personal files and one for shared files. Both of these mapped drives point to our storage server, Windows Server 2008 R2. Many of the .xls, .xlsx, .doc, .jpeg, and .pdf documents are now encrypted with no access. Could someone PLEASE provide some guidance as to how we should handle this devastating issue? We have two SonicWall CDP units for backup that are also partially infected. The infected workstation is presently offline but counting down to 02 May for payment and, possibly, receipt of the required key. The administrative staff would also like a list of encrypted files to better assess this issue; how can we get this list for them? Thanks.

Tags: Microsoft Legacy OS, OS Security, SBS

Dan Craciun

If you don't have backups and the data is valuable, pay up or redo the data. Those are the only 2 options.

This is really a good opportunity to evaluate your backup policies and retention time. A week-old backup would be golden in this situation.

HTH,
Dan
ASKER CERTIFIED SOLUTION
Alan Hardisty

Hopeleonie

And you don't have a backup of these two mapped drives?
If not, paying is one way, but you're not 100% sure that you will get the key.
Never pay with credit cards!
Generator

ASKER
The workstation is infected - does this mean that the server is also infected with this or is the encryption of the files the only problem? Does anyone have a method to make a list of the encrypted files on the storage server?
Alan Hardisty

Yes - If the workstation was mapped to the server, then assume ALL files with the file extensions listed in my blog are encrypted on the server.

Alan
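One way to get the list the asker wants, as an added example that is not from this thread or from Alan's blog: walk the share from the server (not from the infected workstation) and report every file that carries one of the document extensions named in the question but no longer starts with that format's header bytes. The share path, output file, infection-window date and the header signatures are assumptions for illustration; the script also assumes that an encrypted file keeps its original name and extension but none of its original header, so a .pdf that does not begin with "%PDF" or a .docx that does not begin with "PK" is reported as probably encrypted.

```powershell
# Added example, not code from the thread. Lists files on a share whose extension is one
# of the document types named in the question but whose leading bytes no longer match
# that format. Run it on the storage server with an account that can read the shares.
param(
    [string]$Root    = '\\storage\shared',                  # assumed share path; change to yours
    [string]$OutFile = 'C:\temp\cryptolocker-suspects.csv', # assumed output location
    [datetime]$Since = (Get-Date).AddDays(-7)               # assumed start of the infection window
)

# Expected leading bytes ("magic numbers") per extension. Assumption: an encrypted file
# keeps its name and extension but none of its original header.
$signatures = @{
    '.doc'  = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)   # OLE2 compound document
    '.xls'  = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)
    '.docx' = [byte[]](0x50,0x4B,0x03,0x04)                       # ZIP container ("PK")
    '.xlsx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.pdf'  = [byte[]](0x25,0x50,0x44,0x46)                       # "%PDF"
    '.jpg'  = [byte[]](0xFF,0xD8,0xFF)                            # JPEG start-of-image marker
    '.jpeg' = [byte[]](0xFF,0xD8,0xFF)
}

function Test-FileHeader {
    # Returns $true when the first bytes of $Path equal $Signature, $false otherwise.
    param([string]$Path, [byte[]]$Signature)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Signature.Length
        $n = $fs.Read($buf, 0, $buf.Length)
        if ($n -lt $Signature.Length) { return $false }       # shorter than the header itself
        for ($i = 0; $i -lt $Signature.Length; $i++) {
            if ($buf[$i] -ne $Signature[$i]) { return $false }
        }
        return $true
    } finally {
        $fs.Close()
    }
}

$suspects = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $signatures.ContainsKey($_.Extension.ToLower()) } |
    ForEach-Object {
        $status = 'intact'
        if ($_.Length -eq 0) {
            $status = 'zero-length'
        } else {
            try {
                if (-not (Test-FileHeader -Path $_.FullName -Signature $signatures[$_.Extension.ToLower()])) {
                    $status = 'probably-encrypted'
                }
            } catch {
                $status = 'unreadable: ' + $_.Exception.Message   # here $_ is the error record
            }
        }
        if ($status -ne 'intact') {
            $owner = 'unknown'
            try { $owner = $_.GetAccessControl().Owner } catch { }
            New-Object PSObject -Property @{
                Status        = $status
                Path          = $_.FullName
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                WrittenSince  = ($_.LastWriteTime -ge $Since)   # hint only; timestamps are not proof
                Owner         = $owner                           # often the infected user's account
            }
        }
    }

$suspects | Select-Object Status, Path, SizeBytes, LastWriteTime, WrittenSince, Owner |
    Sort-Object Path | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} suspect files written to {1}" -f @($suspects).Count, $OutFile
```

The CSV gives the administrative staff the list they asked for and doubles as a restore checklist: recover the listed paths from the CDP backups, then re-run the script and expect it to report nothing. Treat the result as a heuristic, not a verdict. A file is flagged only if its extension is in $signatures, so extend the table with any further extensions from the list Alan refers to, and a flagged file may be damaged for some other reason rather than encrypted. The Owner and WrittenSince columns are there to corroborate the finding (most hits should belong to the infected user and fall inside the window), not to decide it.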
Generator

ASKER
Thanks for the information, much appreciated. The payment methods are Bitcoin or a "pay packet". Could someone shed some light on these two options? I live in Canada and we don't have "pay packets" available, and I'm not sure where I would get a bitcoin.
Generator

ASKER
We decided not to pay the ransom and instead will recover the files from backup. The infected PC has been removed from the domain and will be formatted and the OS reinstalled. Is it necessary to also format the server and reinstall its OS, or is it okay to just recover the files from backup (delete and copy/paste)?
Alan Hardisty

The server will be fine - it's just files that got messed up.

The PC doesn't need a reformat, but it won't hurt. The PCs I've cleaned are all running happily after the steps I took that I documented, and a few more virus scans show all is clean.

Alan
Generator

ASKER
Thanks to everyone for your excellent feedback.