Solved

Cryptowall Ransomware

Posted on 2014-09-30
Last Modified: 2016-02-25
Came in this morning and had issues with some database files. Got those fixed, and now, as the day goes on, there are a lot of files I am finding that are corrupted. They have similar date-modified times: 9/29/14 at 4:20 P.M.

I have re-run virus scans and it comes up clean. We use AVG Anti-Virus Business Edition 2012. How can I track back to see what is affected and why???

Just discovered files that are BAD!!!!
DECRYPT_INSTRUCTIONS.HTML
DECRYPT_INSTRUCTIONS.TXT
DECRYPT_INSTRUCTIONS

What should my first step be so it doesn't spread any further?????
Question by: bankwest
 
Expert Comment by: Gabriel Clifton (ID: 40352634)
You have contracted a Crypto virus. Run Malwarebytes Antimalware http://www.malwarebytes.org/ and scan. Look for all of the Decrypt_Instructions.* files because they will give you a clue as to what has been corrupted. Delete corrupted files and restore them from backup.
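One way to answer the question's "what is affected" from the clues the thread already has (the DECRYPT_INSTRUCTIONS.* notes and the shared modified time), as an added example that is not part of the original answer: the listing below is constructed, and the share name, folder names and the `snapshot()` helper are assumptions.

```python
import os
from collections import Counter
from datetime import datetime, timedelta

NOTE_STEM = "decrypt_instructions"  # DECRYPT_INSTRUCTIONS(.TXT/.HTML) as seen in the thread

def is_ransom_note(path):
    return os.path.splitext(os.path.basename(path))[0].lower() == NOTE_STEM

def snapshot(root):
    """(path, mtime) for every file under root; use this on a real share."""
    listing = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            listing.append((full, datetime.fromtimestamp(os.path.getmtime(full))))
    return listing

def triage(listing, window=timedelta(minutes=30)):
    """Return (folders holding a ransom note, attack time, files to restore).
    A note is dropped in every folder touched, so note mtimes cluster at the
    minute encryption ran; other files modified within `window` of it are the
    ones to pull back from backup."""
    notes = [(p, t) for p, t in listing if is_ransom_note(p)]
    if not notes:
        return set(), None, []
    hit_dirs = {os.path.dirname(p) for p, _ in notes}
    minutes = Counter(t.replace(second=0, microsecond=0) for _, t in notes)
    attack_time = minutes.most_common(1)[0][0]
    suspects = sorted(p for p, t in listing
                      if not is_ransom_note(p) and abs(t - attack_time) <= window)
    return hit_dirs, attack_time, suspects

# Constructed listing mirroring the thread: notes and damaged files around
# 9/29/14 4:20 PM plus untouched older files (forward slashes keep it portable).
T = datetime(2014, 9, 29, 16, 20)
SAMPLE = [
    ("//SRV01/Shared/Finance/DECRYPT_INSTRUCTIONS.HTML", T),
    ("//SRV01/Shared/Finance/DECRYPT_INSTRUCTIONS.TXT", T + timedelta(seconds=5)),
    ("//SRV01/Shared/Finance/ledger.accdb", T + timedelta(minutes=2)),
    ("//SRV01/Shared/Finance/budget.xlsx", T - timedelta(minutes=1)),
    ("//SRV01/Shared/Finance/archive/2012.pdf", datetime(2012, 3, 1, 9, 0)),
    ("//SRV01/Shared/HR/handbook.docx", datetime(2014, 9, 15, 11, 30)),
]

if __name__ == "__main__":
    dirs, when, files = triage(SAMPLE)
    print("attack time:", when)
    print("folders with notes:", sorted(dirs))
    print("files to restore:", files)
```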
 

Author Comment by: bankwest (ID: 40352660)
Will this scan all network drives or just local?
 
Expert Comment by: Gabriel Clifton (ID: 40352665)
Local
 

Author Comment by: bankwest (ID: 40352678)
I need to scan network drives as well. Is there a business version?
 
Expert Comment by: Gabriel Clifton (ID: 40352689)
They have a home premium and business premium, although I would install it on the server and have it check all folders instead of what you have access to.
 

Author Comment by: bankwest (ID: 40352777)
What do I need to do to REMOVE the infection? May be a dumb question, but when it's done its thing, is it DONE? If I start moving files from backup, will they get infected also?

 
Accepted Solution by: Gabriel Clifton (earned 500 total points; ID: 40352850)
Usually, once it has made its initial run, it is done and gone. But it is always best to run additional scans with other software to make sure.
 
Expert Comment by: Kdo (ID: 40354536)
Hi bankwest,

Do you have any idea how the malware wound up on your computer?  i.e.  software download, email attachment, or web site?

Knowing will help you to reduce the chances of another attack.


Kent
 

Author Comment by: bankwest (ID: 40354605)
We are now beginning to dig deeper in the investigation. Most of the day was spent restoring files.

We are starting to look at individual computers to see if we can find anything at %Temp%. That is what we have read is one place to start.
If you have any ideas to share on HOW to investigate this, I would appreciate any assistance.
I'm not even sure WHAT I am looking for, except that it's an exe file???
 
Expert Comment by: Kdo (ID: 40354639)
Search for all executables (.exe, .com, .dll, .jar, etc.) and all folders that have changed since the date of the attack.  You might want to back up a day or two in the search.  If you find something that is suspect, you might have a lead on how the intrusion happened.

The file(s) can wind up just about anywhere, especially if the user has local admin rights or higher.  Best case is if this is a normal user so that the system files and folders aren't affected.

The most likely locations are %TEMP%, %APPDATA%, %HOMESHARE%, %LOCALAPPDATA%, %ProgramData%, and %PUBLIC%.  But the files could wind up anywhere that the user is authorized to create files.
 

Author Comment by: bankwest (ID: 40354863)
I was reading more on this and found:

This is used to determine whether an instance of the malware has already run on the system. If the event is not found, then the malware creates a new instance of explorer.exe and injects itself into it. Within the newly infected explorer.exe process, the malware further creates a new instance of svchost.exe and again injects itself into it. This new process is where the encryption takes place.


How do you know if the running process is legit or infected???
 
Expert Comment by: Kdo (ID: 40355139)
The anti-virus software should detect a real/fake explorer.exe or svchost.exe program.  Basically, the anti-virus program checks for known exploits on key system programs by checking the program length, checksum, hash, etc.

System files on Windows Server and Windows XP aren't protected very well from malicious code.  That's a big reason for people leaving XP in favor of Windows 7.  Windows 7 does a much better job of isolating user tasks from O/S programs and files, unless the user is running with administrative privileges.  If you've not already done so, migrate your users away from XP.  And avoid tasks like web browsing and checking email on your Windows servers that can run hidden code.
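A parent-chain check for the "legit or infected" question, as an added example that is neither Kdo's nor the thread's code: injection as described in the quoted write-up leaves the on-disk explorer.exe and svchost.exe untouched, so path and hash checks alone look clean, but a svchost.exe started by explorer.exe, or an explorer.exe started by an unknown program, breaks the normal services.exe / userinit.exe chain. The process records, program names and pids below are constructed; the expected-parent sets are a heuristic, not an exhaustive rule.

```python
# Heuristic: where the real binary lives and who is allowed to launch it.
EXPECTED = {
    "svchost.exe": {
        "paths": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
        "parents": {"services.exe"},
    },
    "explorer.exe": {
        "paths": {r"c:\windows\explorer.exe"},
        # userinit.exe exits right after starting the shell, so an already-gone
        # parent (None) is normal; so is a user re-launching explorer itself.
        "parents": {"userinit.exe", "explorer.exe", None},
    },
}

def suspicious(processes):
    """Return {pid: [reasons]} for explorer/svchost records that break EXPECTED."""
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        rule = EXPECTED.get(p["name"].lower())
        if rule is None:
            continue
        reasons = []
        if p["path"].lower() not in rule["paths"]:
            reasons.append("image path %s is not the system copy" % p["path"])
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        if parent_name not in rule["parents"]:
            expected = sorted(x for x in rule["parents"] if x)
            reasons.append("started by %s, expected %s" % (parent_name or "<exited>", expected))
        if reasons:
            findings[p["pid"]] = reasons
    return findings

# Constructed process listing: a clean services.exe -> svchost.exe chain and the
# user's explorer.exe, plus the chain from the quoted write-up: dropper ->
# explorer.exe -> svchost.exe.  Names and pids are made up.
SAMPLE = [
    {"pid": 400, "ppid": 4, "name": "wininit.exe", "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 500, "ppid": 400, "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 700, "ppid": 500, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1200, "ppid": 999, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 3100, "ppid": 1200, "name": "a1b2c3.exe", "path": r"C:\Users\jdoe\AppData\Local\Temp\a1b2c3.exe"},
    {"pid": 3120, "ppid": 3100, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 3140, "ppid": 3120, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for pid, reasons in sorted(suspicious(SAMPLE).items()):
        print(pid, "; ".join(reasons))
```

A real run would fill the records from a process listing such as `tasklist /v` or a Sysinternals tool and then compare image hashes against a clean copy as Kdo describes; the parent check is what catches the injected instances that pass that comparison.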
 
Expert Comment by: prestoncooper (ID: 41480941)
I created a program to detect missing or modified files in a Windows file share caused by ransomware.  This can help you to restore from backup sooner and know that a file share has been encrypted rather than not knowing at all.
http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/
