Solved

Cryptowall Ransomware

Posted on 2014-09-30
Last Modified: 2016-02-25
Came in this morning and had issues with some database files. Got those fixed, and now as the day goes on there are a lot of files I am finding that are corrupted. They have similar modified dates of 9/29/14 at 4:20 p.m.

I have re-run scans for viruses and it comes up clean. We use AVG Anti Virus Business Edition 2012. How can I track back to see what is affected and why???

Just discovered files that are BAD!!!!
DECRYPT_INSTRUCTIONS.HTML
DECRYPT_INSTRUCTIONS.TXT
DECRYPT_INSTRUCTIONS

What should my first step be so it doesn't spread any further?????
Question by:bankwest
13 Comments
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40352634
You have contracted a Crypto virus. Run Malwarebytes Antimalware http://www.malwarebytes.org/ and scan. Look for all of the Decrypt_Instructions.* files because they will give you a clue as to what has been corrupted. Delete corrupted files and restore them from backup.
0
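The advice above (use the Decrypt_Instructions.* files to see what was hit) can be turned into a repeatable triage step. The following is an added example written for this thread, not code from the page or from any of the posters: it walks a share, finds every folder holding a DECRYPT_INSTRUCTIONS note (any extension or none, as listed in the question), and reports the files in those folders whose modification time falls within a window around the attack time (9/29/14 4:20 p.m. from the question). The sample share, its folder names and the two-hour window are constructed assumptions.

```python
"""Map the blast radius of a CryptoWall-style infection from its ransom notes.

Added example for this thread (not from the page): find every folder with a
DECRYPT_INSTRUCTIONS.* note and list the files there changed around the attack.
"""
import os
import shutil
import tempfile
from datetime import datetime, timedelta

NOTE_STEM = "DECRYPT_INSTRUCTIONS"  # names from the question: .HTML, .TXT and no extension


def is_ransom_note(filename):
    """True for DECRYPT_INSTRUCTIONS with any (or no) extension, case-insensitive."""
    return filename.upper().split(".")[0] == NOTE_STEM


def find_ransom_notes(root):
    """Return {folder: [note paths]} for every folder that holds a note."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        notes = sorted(os.path.join(dirpath, f) for f in files if is_ransom_note(f))
        if notes:
            hits[dirpath] = notes
    return hits


def files_modified_between(folder, start, end):
    """Non-note files directly in `folder` whose mtime lies inside [start, end]."""
    touched = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path) or is_ransom_note(name):
            continue
        mtime = datetime.fromtimestamp(os.path.getmtime(path))
        if start <= mtime <= end:
            touched.append((path, mtime))
    return touched


def triage(root, attack_time, window=timedelta(hours=2)):
    """Affected folders (by note) and the files changed within +/- window of attack_time.

    Caveat: folders the malware reached but left no note in are not found this way;
    use the mtime timeline of the touched files to widen the search by date instead.
    """
    start, end = attack_time - window, attack_time + window
    report = {}
    for folder, notes in find_ransom_notes(root).items():
        report[folder] = {"notes": notes, "touched": files_modified_between(folder, start, end)}
    return report


def _write(path, text, when):
    """Create a file and back-date its mtime (constructed sample data only)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def run_demo():
    """Build a constructed share in a temp dir, triage it, and return a summary."""
    attack = datetime(2014, 9, 29, 16, 20)  # time from the question
    root = tempfile.mkdtemp(prefix="share_")
    try:
        # Two folders hit (note present), one old file untouched, one folder untouched.
        _write(os.path.join(root, "Finance", "DECRYPT_INSTRUCTIONS.HTML"), "note", attack)
        _write(os.path.join(root, "Finance", "DECRYPT_INSTRUCTIONS.TXT"), "note", attack)
        _write(os.path.join(root, "Finance", "ledger.xlsx"), "garbage", attack)
        _write(os.path.join(root, "Finance", "budget.docx"), "garbage", attack + timedelta(minutes=3))
        _write(os.path.join(root, "HR", "DECRYPT_INSTRUCTIONS"), "note", attack + timedelta(minutes=5))
        _write(os.path.join(root, "HR", "staff.db"), "garbage", attack + timedelta(minutes=5))
        _write(os.path.join(root, "HR", "policy_2013.pdf"), "fine", datetime(2014, 9, 1, 9, 0))
        _write(os.path.join(root, "Public", "readme.txt"), "fine", datetime(2014, 9, 10, 9, 0))

        report = triage(root, attack)
        touched = [m for r in report.values() for _p, m in r["touched"]]
        return {
            "affected_folders": sorted(os.path.basename(f) for f in report),
            "touched_total": len(touched),
            "first_touched": min(touched).strftime("%Y-%m-%d %H:%M"),
            "last_touched": max(touched).strftime("%Y-%m-%d %H:%M"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against the real share root instead of the temp directory and the first/last touched times give you the window to search backups by, while the affected-folder list is what you restore first.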
 

Author Comment

by:bankwest
ID: 40352660
Will this scan all network drives or just local?
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40352665
Local
0

Author Comment

by:bankwest
ID: 40352678
I need to scan network drives as well. Is there a business version?
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40352689
They have a home premium and business premium, although I would install it on the server and have it check all folders instead of what you have access to.
0
 

Author Comment

by:bankwest
ID: 40352777
What do I need to do to REMOVE the infection? May be a dumb question, but when it's done its thing, is it DONE? If I start moving files from backup, will they get infected also?
0
 
LVL 13

Accepted Solution

by:
Gabriel Clifton earned 500 total points
ID: 40352850
Usually, once it has made its initial run, it is done and gone. But it is always best to run additional scans with other software to make sure.
0
 
LVL 45

Expert Comment

by:Kdo
ID: 40354536
Hi bankwest,

Do you have any idea how the malware wound up on your computer?  i.e.  software download, email attachment, or web site?

Knowing will help you to reduce the chances of another attack.


Kent
0
 

Author Comment

by:bankwest
ID: 40354605
We are now beginning to dig deeper in the investigation. Most of the day was spent restoring files.

We are starting to look at individual computers to see if we can find anything in %Temp%. We have read that is one place to start.
If you have any ideas to share on HOW to investigate this, I would appreciate any assistance.
I'm not even sure WHAT I am looking for except that it's an exe file???
0
 
LVL 45

Expert Comment

by:Kdo
ID: 40354639
Search for all executables (.exe, .com, .dll, .jar, etc.) and all folders that have changed since the date of the attack.  You might want to back up a day or two in the search.  If you find something that is suspect, you might have a lead on how the intrusion happened.

The file(s) can wind up just about anywhere, especially if the user has local admin rights or higher.  Best case is if this is a normal user so that the system files and folders aren't affected.

The most likely locations are %TEMP%, %APPDATA%, %HOMESHARE%, %LOCALAPPDATA%, %ProgramData%, and %PUBLIC%.  But the files could wind up anywhere that the user is authorized to create files.
0
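The search Kdo describes (executables changed since the attack date, minus a day or two, under the user-writable locations) is easy to script so it can be run the same way on every workstation. This is an added example for the thread, not code from the page or from any poster. It expands the %TEMP%, %APPDATA%, %HOMESHARE%, %LOCALAPPDATA%, %ProgramData% and %PUBLIC% roots named above, walks them, and reports each executable modified on or after the cutoff together with its SHA-256 so the file can be checked against AV or a hash lookup. The extension list extends Kdo's .exe/.com/.dll/.jar with other Windows executable types, and the sample profile tree and its file names are constructed.

```python
"""Hunt for executables dropped or changed around the attack date.

Added example for this thread (not from the page): walk user-writable roots,
report executables modified since the attack date minus a safety margin.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta

# Roots from Kdo's comment; %VAR% expansion is supported by os.path.expandvars on Windows.
DEFAULT_ROOTS = ["%TEMP%", "%APPDATA%", "%HOMESHARE%", "%LOCALAPPDATA%", "%ProgramData%", "%PUBLIC%"]

# Kdo's list (.exe, .com, .dll, .jar) plus other common Windows executable types (my addition).
EXEC_EXTENSIONS = {".exe", ".com", ".dll", ".jar", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def expand_roots(roots):
    """Expand %VAR% style roots; drop any that did not expand or do not exist."""
    out = []
    for r in roots:
        p = os.path.expandvars(r)
        if "%" not in p and os.path.isdir(p):
            out.append(p)
    return out


def sha256_of(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_executables(roots, attack_date, margin=timedelta(days=2)):
    """Executables under `roots` modified since attack_date - margin, newest first."""
    cutoff = attack_date - margin
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    mtime = datetime.fromtimestamp(os.path.getmtime(path))
                    if mtime >= cutoff:
                        hits.append({"path": path, "mtime": mtime, "sha256": sha256_of(path)})
                except OSError:
                    pass  # locked or vanished file: keep going, note it separately
    return sorted(hits, key=lambda h: h["mtime"], reverse=True)


def _write(path, data, when):
    """Create a file and back-date its mtime (constructed sample data only)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (when.timestamp(), when.timestamp()))


def run_demo():
    """Constructed profile tree standing in for %TEMP% and %APPDATA%; returns relative hit paths."""
    attack = datetime(2014, 9, 29, 16, 20)  # time from the question
    base = tempfile.mkdtemp(prefix="profile_")
    temp_dir = os.path.join(base, "Temp")
    appdata = os.path.join(base, "AppData", "Roaming")
    try:
        _write(os.path.join(temp_dir, "invoice_9384.exe"), b"MZ...", attack - timedelta(minutes=25))
        _write(os.path.join(temp_dir, "setup_old.exe"), b"MZ...", datetime(2014, 6, 1, 8, 0))
        _write(os.path.join(temp_dir, "notes.txt"), b"plain text", attack)
        _write(os.path.join(appdata, "Random", "helper.dll"), b"MZ...", attack - timedelta(days=1, hours=3))
        hits = hunt_executables(expand_roots([temp_dir, appdata]), attack)
        return [os.path.relpath(h["path"], base).replace(os.sep, "/") for h in hits]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # On a real workstation: hunt_executables(expand_roots(DEFAULT_ROOTS), datetime(2014, 9, 29))
    print(run_demo())
```

Only the two executables modified inside the cutoff are reported; the older installer and the text file are skipped. A hit is a lead, not a verdict: the hash is what you submit to the AV vendor or compare across machines to see whether the same dropper landed on more than one.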
 

Author Comment

by:bankwest
ID: 40354863
I was reading more on this and found:

This is used to determine whether an instance of the malware has already run on the system. If the event is not found, then the malware creates a new instance of explorer.exe and injects itself into it. Within the newly infected explorer.exe process, the malware further creates a new instance of svchost.exe and again injects itself into it. This new process is where the encryption takes place.


How do you know if the running process is legit or infected???
0
 
LVL 45

Expert Comment

by:Kdo
ID: 40355139
The anti-virus software should detect a real/fake explorer.exe or svchost.exe program.  Basically, the anti-virus program checks for known exploits on key system programs by checking the program length, checksum, hash, etc.

System files on Windows Server and Windows XP aren't protected very well from malicious code.  That's a big reason for people leaving XP in favor of Windows 7.  Windows 7 does a much better job of isolating user tasks from O/S programs and files, unless the user is running with administrative privileges.  If you've not already done so, migrate your users away from XP.  And avoid tasks like web browsing and checking email on your Windows servers, which can run hidden code.
0
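Kdo's answer covers what anti-virus does (compare the program's length, checksum or hash). An administrator looking at a process list without that can still apply two cheap checks to the explorer.exe and svchost.exe instances the quoted write-up describes: the image must be the copy Windows installs, and the parent must be the process Windows uses to launch it. The following added example (not code from the page or from any poster) applies those rules to a constructed process snapshot. The expected paths and parents are my assumptions for a Windows 7-era host, and the sample pids and file names are constructed.

```python
"""Sanity-check running explorer.exe / svchost.exe instances by image path and parent.

Added example for this thread (not from the page). Heuristics, not proof: a
process injected into a genuine explorer.exe passes the path check, which is
why the parent check and the AV hash check Kdo describes are both needed.
"""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    exe: str  # full image path as reported by the process list


# Assumed genuine locations and normal launching parents (Windows 7 era).
# explorer.exe is started by userinit.exe, which then exits, so a missing parent is normal.
EXPECTED = {
    "svchost.exe": {
        "paths": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
        "parents": {"services.exe"},
    },
    "explorer.exe": {
        "paths": {r"c:\windows\explorer.exe"},
        "parents": {"userinit.exe", "winlogon.exe", "explorer.exe", None},
    },
}

# Folders from Kdo's list that user code can write to; nothing Windows ships runs from them.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def check_processes(procs):
    """Return [(pid, name, reason)] for every process that breaks a rule."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name, exe = p.name.lower(), p.exe.lower()
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        rule = EXPECTED.get(name)
        if rule:
            if exe not in rule["paths"]:
                findings.append((p.pid, p.name, f"image path {p.exe} is not the Windows binary"))
            if parent_name not in rule["parents"]:
                findings.append((p.pid, p.name, f"unexpected parent {parent_name} (pid {p.ppid})"))
        elif any(marker in exe for marker in USER_WRITABLE_MARKERS):
            findings.append((p.pid, p.name, "executing from a user-writable folder"))
    return findings


def sample_process_list():
    """Constructed snapshot: a clean chain plus the chain the quoted write-up describes."""
    return [
        Proc(400, 0, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
        Proc(500, 400, "services.exe", r"C:\Windows\System32\services.exe"),
        Proc(800, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe"),  # genuine
        Proc(1200, 1100, "explorer.exe", r"C:\Windows\explorer.exe"),  # parent userinit exited: normal
        Proc(3000, 1200, "invoice_9384.exe", r"C:\Users\jdoe\AppData\Local\Temp\invoice_9384.exe"),
        Proc(3100, 3000, "explorer.exe", r"C:\Windows\explorer.exe"),  # genuine image, odd parent
        Proc(3200, 3100, "svchost.exe", r"C:\Windows\System32\svchost.exe"),  # launched by explorer
        Proc(3300, 500, "svchost.exe", r"C:\Users\jdoe\AppData\Roaming\svchost.exe"),  # wrong path
    ]


def run_demo():
    return check_processes(sample_process_list())


if __name__ == "__main__":
    for pid, name, reason in run_demo():
        print(f"pid {pid} {name}: {reason}")
```

The clean svchost.exe (parent services.exe, image in System32) and the user's normal explorer.exe (parent already exited) pass; the dropper running from Temp, the second explorer.exe it launched, the svchost.exe that explorer launched, and the svchost.exe living in Roaming are each flagged with the rule they broke.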
 
LVL 3

Expert Comment

by:prestoncooper
ID: 41480941
I created a program to detect missing or modified files in a Windows file share caused by ransomware.  This can help you to restore from backup sooner and know that a file share has been encrypted rather than not knowing at all.
http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/
0
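The detection idea in the last comment (notice that a share's files have gone missing or been rewritten) works by comparing snapshots. The following is an added example for this thread, not code from the page and not the tool linked above: a baseline snapshot records size and SHA-256 for every file on the share, a later snapshot is diffed against it, and an alert fires when a DECRYPT_INSTRUCTIONS note appears or when the fraction of files missing or rewritten crosses a threshold. The 10% threshold and the sample share are constructed assumptions; the threshold is tuned per share.

```python
"""Detect mass encryption or deletion on a file share by diffing snapshots.

Added example for this thread (not from the page or the linked tool):
baseline {path: (size, sha256)}, re-snapshot later, alert on ransom notes
or on an abnormal share of files changed.
"""
import hashlib
import os
import shutil
import tempfile

NOTE_STEM = "DECRYPT_INSTRUCTIONS"  # note names from the question
ALERT_RATIO = 0.10  # assumption: more than 10% of files rewritten or gone between runs is not normal


def snapshot(root):
    """{relative path: (size, sha256)} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[rel] = (os.path.getsize(path), digest)
    return snap


def compare(before, after, alert_ratio=ALERT_RATIO):
    """Diff two snapshots and decide whether the change looks like ransomware."""
    missing = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    # Same name, different size or hash: the content was rewritten in place.
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    notes = [p for p in added if os.path.basename(p).upper().split(".")[0] == NOTE_STEM]
    ratio = (len(missing) + len(modified)) / len(before) if before else 0.0
    return {
        "missing": missing,
        "added": added,
        "modified": modified,
        "ransom_notes": notes,
        "change_ratio": round(ratio, 3),
        "alert": bool(notes) or ratio >= alert_ratio,
    }


def run_demo():
    """Constructed share: baseline, then a simulated run that rewrites 6 of 10 files."""
    root = tempfile.mkdtemp(prefix="share_")
    try:
        names = [f"docs/report_{i}.docx" for i in range(10)]
        for n in names:
            p = os.path.join(root, n)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(f"quarterly report {n}".encode())
        baseline = snapshot(root)

        # Simulated attack: names unchanged, contents replaced; one file deleted; note dropped.
        for n in names[:6]:
            with open(os.path.join(root, n), "wb") as fh:
                fh.write(os.urandom(64))
        os.remove(os.path.join(root, names[9]))
        with open(os.path.join(root, "docs", "DECRYPT_INSTRUCTIONS.TXT"), "w") as fh:
            fh.write("constructed note")

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print("ALERT" if result["alert"] else "ok", result["change_ratio"], result["ransom_notes"])
```

Because the comparison is by content hash rather than by timestamp, files rewritten with their original names and dates still count as modified. Schedule the snapshot on the server at whatever interval you can afford (hashing a large share is the cost), keep the baseline somewhere the share's users cannot write, and treat the appearance of a note as an alert on its own regardless of the ratio.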
