
Solved
Cryptowall Ransomware

Posted on 2014-09-30
Last Modified: 2016-02-25
Came in this morning and had issues with some database files. Got those fixed, and now as the day goes on there are a lot of files I am finding that are corrupted. They have similar modified dates of 9/29/14 at 4:20 P.M.

I have re-run scans for viruses and they come up clean. We use AVG Anti-Virus Business Edition 2012. How can I track back to see what is affected and why?

Just discovered files that are BAD!
DECRYPT_INSTRUCTIONS.HTML
DECRYPT_INSTRUCTIONS.TXT
DECRYPT_INSTRUCTIONS

What should my first step be so it doesn't spread any further?
Question by:bankwest
13 Comments
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40352634
You have contracted a Crypto virus. Run Malwarebytes Antimalware http://www.malwarebytes.org/ and scan. Look for all of the Decrypt_Instructions.* files because they will give you a clue as to what has been corrupted. Delete corrupted files and restore them from backup.
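An added example, not code from the thread or from any of the posters, of how to turn the DECRYPT_INSTRUCTIONS.* files into a restore list the way this comment suggests. Every ransom note marks a folder the encryptor visited, so the script collects those folders, lists the files in them whose modified time falls inside the attack window, and writes that list to a CSV. The share path, the window and the report path are assumptions (the window is built around the 9/29/14 4:20 PM timestamp from the question); adjust them to your environment. Run it on the file server with an account that can read the whole share.

```powershell
# Added example: scope a Cryptowall hit on a share from its ransom notes.
# Assumed values: the UNC root, the attack window and the report path.
param(
    [string]$Root          = '\\FILESERVER\Shares',           # assumption: share root
    [datetime]$WindowStart = '2014-09-29 15:30',              # assumption: before the first bad stamp
    [datetime]$WindowEnd   = '2014-09-30 09:00',              # assumption: when the share came offline
    [string]$Report        = 'C:\IR\cryptowall-affected.csv'  # assumption: where to write the list
)

# 1. Every folder holding a ransom note was visited by the encryptor.
$notes = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer -and $_.Name -like 'DECRYPT_INSTRUCTIONS*' })
$hitFolders = @($notes | Select-Object -ExpandProperty DirectoryName -Unique)
Write-Host ("{0} ransom notes in {1} folders" -f $notes.Count, $hitFolders.Count)

# 2. In those folders, anything written inside the window is suspect. The victim
#    file is rewritten in place under its own name, so LastWriteTime is the signal.
#    The notes themselves are left out of the restore list.
$affected = foreach ($dir in $hitFolders) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.Name -notlike 'DECRYPT_INSTRUCTIONS*' -and
            $_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd
        } |
        Select-Object FullName, Length, LastWriteTime
}

# 3. Sorted by time, the earliest entries sit where the encryptor started.
$affected | Sort-Object LastWriteTime | Export-Csv -Path $Report -NoTypeInformation
$affected | Sort-Object LastWriteTime | Select-Object -First 10 | Format-Table -AutoSize

# 4. The notes were created by the malware running as the infected user, so the
#    NTFS owner of a note names the account, and therefore the workstation, to isolate.
$notes | Select-Object -First 5 |
    Select-Object FullName, @{ n = 'Owner'; e = { (Get-Acl -Path $_.FullName).Owner } }
```

Step 4 is the quickest answer to "what should my first step be": the owner on the ransom notes tells you which user's machine is doing the encrypting, and that machine should be pulled off the network before anything is restored, otherwise the restored files get encrypted again.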

Author Comment

by:bankwest
ID: 40352660
Will this scan all network drives or just local?

Expert Comment

by:Gabriel Clifton
ID: 40352665
Local

Author Comment

by:bankwest
ID: 40352678
I need to scan network drives as well. Is there a business version?

Expert Comment

by:Gabriel Clifton
ID: 40352689
They have a Home Premium and a Business Premium, although I would install it on the server and have it check all folders instead of only what you have access to.
Author Comment

by:bankwest
ID: 40352777
What do I need to do to REMOVE the infection? May be a dumb question, but when it's done its thing, is it DONE? If I start moving files from backup, will they get infected also?

Accepted Solution

by:Gabriel Clifton (earned 2000 total points)
ID: 40352850
Usually, once it has made its initial run, it is done and gone. But it is always best to run additional scans with other software to make sure.

Expert Comment

by:Kent Olsen
ID: 40354536
Hi bankwest,

Do you have any idea how the malware wound up on your computer, i.e., a software download, an email attachment, or a web site?

Knowing will help you to reduce the chances of another attack.


Kent
Author Comment

by:bankwest
ID: 40354605
We are now beginning to dig deeper in the investigation. Most of the day was spent restoring files.

We are starting to look at individual computers to see if we can find anything in %Temp%. That is what we have read is one place to start.
If you have any ideas to share on HOW to investigate this, I would appreciate any assistance.
I'm not even sure WHAT I am looking for, except that it's an exe file?

Expert Comment

by:Kent Olsen
ID: 40354639
Search for all executables (.exe, .com, .dll, .jar, etc.) and all folders that have changed since the date of the attack.  You might want to back up a day or two in the search.  If you find something that is suspect, you might have a lead on how the intrusion happened.

The file(s) can wind up just about anywhere, especially if the user has local admin rights or higher.  Best case is if this is a normal user so that the system files and folders aren't affected.

The most likely locations are %TEMP%, %APPDATA%, %HOMESHARE%, %LOCALAPPDATA%, %ProgramData%, and %PUBLIC%.  But the files could wind up anywhere that the user is authorized to create files.
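An added example, not Kent's or anyone else's code from the thread, of the search he describes: list executable files created or modified after the attack started under the user-writable locations he names, with their Authenticode status, and then check the Run keys for anything pointing into those same locations. The cutoff date and the extension list are assumptions; so is the choice to walk every profile under C:\Users rather than only the current user's variables. Run it elevated on the suspect workstation; nothing beyond built-in cmdlets is used.

```powershell
# Added example: hunt for a dropped executable on a workstation.
# Assumptions: cutoff date, extension list, PowerShell 2.0 or later, run as admin.
$Cutoff = Get-Date '2014-09-28'      # assumption: a day before the first bad timestamp
$Exts   = '.exe','.dll','.com','.scr','.pif','.jar','.bat','.cmd','.vbs','.js','.ps1'

# The usual drop locations. %HOMESHARE% is only set for users with a home drive,
# so empty or missing variables are skipped.
$Roots = @(
    @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
      $env:PUBLIC, $env:HOMESHARE, $env:USERPROFILE) |
    Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique
)

# The user logged on now may not be the one who opened the attachment,
# so every profile on the box is searched as well.
$Roots += @(Get-ChildItem 'C:\Users' -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })

$hits = foreach ($r in $Roots) {
    Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object {
          -not $_.PSIsContainer -and
          $Exts -contains $_.Extension.ToLower() -and
          ($_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff)
      } |
      ForEach-Object {
          $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
          $signer = ''
          if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
          New-Object PSObject -Property @{
              Path      = $_.FullName
              Created   = $_.CreationTime
              Modified  = $_.LastWriteTime
              SizeKB    = [int]($_.Length / 1KB)
              Signature = $sig.Status       # Valid, NotSigned, HashMismatch, ...
              Signer    = $signer
          }
      }
}

# Unsigned binaries that landed in a temp or profile folder shortly before the
# encryption timestamps are the ones to copy off for analysis (copy, don't run).
$hits | Sort-Object Created |
    Select-Object Created, Signature, SizeKB, Path |
    Format-Table -AutoSize

# Persistence: a Run entry pointing into a profile or temp folder is worth a
# look. This is general malware triage, not something specific to this sample.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and
                           "$($_.Value)" -match 'Temp|AppData|ProgramData|Users\\Public' } |
            ForEach-Object { "{0}  {1} = {2}" -f $k, $_.Name, $_.Value }
    }
}
```

A signed file with a Valid status is not automatically clean and an unsigned one is not automatically malware, but on a workstation that was encrypting a share the night before, an unsigned .exe created that afternoon in %TEMP% or %APPDATA% is the lead to follow, and its creation time lines up with the mail or download that brought it in.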
Author Comment

by:bankwest
ID: 40354863
I was reading more on this and found:

This is used to determine whether an instance of the malware has already run on the system. If the event is not found, then the malware creates a new instance of explorer.exe and injects itself into it. Within the newly infected explorer.exe process, the malware further creates a new instance of svchost.exe and again injects itself into it. This new process is where the encryption takes place.


How do you know if the running process is legit or infected?

Expert Comment

by:Kent Olsen
ID: 40355139
The anti-virus software should detect a real/fake explorer.exe or svchost.exe program. Basically, the anti-virus program checks for known exploits on key system programs by checking the program length, checksum, hash, etc.

System files on Windows Server and Windows XP aren't protected very well from malicious code. That's a big reason for people leaving XP in favor of Windows 7. Windows 7 does a much better job of isolating user tasks from OS programs and files, unless the user is running with administrative privileges. If you've not already done so, migrate your users away from XP. And avoid tasks like web browsing and checking email on your Windows servers that can run hidden code.
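An added example, not Kent's or the thread's code, that checks the explorer.exe and svchost.exe instances on a machine against three things the anti-virus also looks at: where the image file lives, which process started it, and whether the on-disk file carries a valid Microsoft signature. The parent check is what catches the chain quoted in the question: a genuine svchost.exe is started by services.exe from System32, so one whose parent is explorer.exe is out of place. It assumes PowerShell 3.0 or later for Get-CimInstance (on 2.0, Get-WmiObject Win32_Process returns the same fields) and an elevated prompt so the image paths of other users' processes are readable.

```powershell
# Added example: sanity-check explorer.exe / svchost.exe instances.
# Assumptions: PowerShell 3.0+, run as administrator on the suspect machine.
$procs = Get-CimInstance Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

function Get-ParentName([int]$ppid) {
    if ($byId.ContainsKey($ppid)) { $byId[$ppid].Name } else { '<exited>' }
}

$sys32    = Join-Path $env:SystemRoot 'System32'
$realShell = Join-Path $env:SystemRoot 'explorer.exe'

$report = foreach ($p in $procs | Where-Object { $_.Name -in 'explorer.exe','svchost.exe' }) {
    $reasons = @()
    $path    = $p.ExecutablePath
    if (-not $path) { $path = ''; $reasons += 'no image path (access denied or hidden)' }
    $parent  = Get-ParentName $p.ParentProcessId

    switch ($p.Name) {
        'svchost.exe' {
            # Real svchost.exe: image in System32, parent services.exe.
            if ($path -and $path -notlike "$sys32\*") { $reasons += "image outside System32: $path" }
            if ($parent -ne 'services.exe')           { $reasons += "parent is $parent, not services.exe" }
        }
        'explorer.exe' {
            # Real shell: %SystemRoot%\explorer.exe, started by userinit.exe (which exits,
            # so '<exited>' is normal). One explorer.exe spawning another is only normal
            # when "Launch folder windows in a separate process" is turned on.
            if ($path -and $path -ne $realShell) { $reasons += "image outside %SystemRoot%: $path" }
            if ($parent -eq 'explorer.exe')      { $reasons += 'spawned by another explorer.exe' }
        }
    }

    # On-disk signature. A hollowed process still has a clean file on disk, so a
    # valid signature does not clear the process; an invalid one does condemn it.
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signature $($sig.Status)"
        }
    }

    New-Object PSObject -Property @{
        PID = $p.ProcessId; Name = $p.Name; Parent = $parent; Path = $path
        Suspicious = ($reasons.Count -gt 0); Why = ($reasons -join '; ')
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table PID, Name, Parent, Suspicious, Why -AutoSize
```

Because the injected process is a real copy of explorer.exe or svchost.exe loaded from the real path, the file-level checks (length, hash, signature) that Kent describes come back clean for it; the lineage is what gives it away. Anything flagged here should be treated as a lead for the memory-level tools the anti-virus vendor provides, not as proof on its own, and the machine should stay off the network until it is rebuilt.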

Expert Comment

by:Preston Cooper
ID: 41480941
I created a program to detect missing or modified files in a Windows file share caused by ransomware. This can help you to restore from backup sooner and know that a file share has been encrypted rather than not knowing at all.
http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/
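An added example of the same idea, written here for the thread and not taken from Preston's tool or from anyone else's code: a baseline-and-compare check for one share. The first run records a manifest of path, size and SHA-256 for every file; each later run reports files that vanished, files whose content changed, and any new file with a ransom-note name, and raises a warning when the count in one interval is larger than normal day-to-day editing. The share path, manifest location and alert threshold are assumptions; the hashing uses the .NET SHA-256 class so it works on PowerShell 2.0 as well as later versions.

```powershell
# Added example: baseline a share, then report missing / modified files and new
# ransom notes on each later run. Assumptions: share, manifest path, threshold.
param(
    [string]$Share    = '\\FILESERVER\Shares\Finance',   # assumption: share to watch
    [string]$Manifest = 'C:\IR\finance-baseline.csv',    # assumption: baseline location
    [int]$AlertAfter  = 20                               # assumption: changes per run that mean "encryptor", not "users"
)

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Dispose() }
}

function Get-Snapshot([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path = $_.FullName; Length = $_.Length; Hash = (Get-Sha256 $_.FullName)
            }
        }
}

$now = @(Get-Snapshot $Share)
if (-not (Test-Path $Manifest)) {
    $now | Export-Csv -Path $Manifest -NoTypeInformation
    "Baseline written: {0} files" -f $now.Count
    return
}

$base    = @(Import-Csv $Manifest)
$baseMap = @{}; foreach ($b in $base) { $baseMap[$b.Path] = $b }
$nowMap  = @{}; foreach ($n in $now)  { $nowMap[$n.Path]  = $n }

$missing  = @($base | Where-Object { -not $nowMap.ContainsKey($_.Path) })
$modified = @($now  | Where-Object { $baseMap.ContainsKey($_.Path) -and $baseMap[$_.Path].Hash -ne $_.Hash })
$notes    = @($now  | Where-Object { -not $baseMap.ContainsKey($_.Path) -and
                                     (Split-Path $_.Path -Leaf) -like 'DECRYPT_INSTRUCTIONS*' })

"missing={0} modified={1} ransom-notes={2}" -f $missing.Count, $modified.Count, $notes.Count

if ($notes.Count -gt 0 -or ($modified.Count + $missing.Count) -ge $AlertAfter) {
    # A burst of rewritten files, or any ransom note at all, is the moment to take
    # the share offline or snapshot it, while the encryptor is still part-way through.
    Write-Warning "Possible ransomware activity on $Share"
    $modified | Select-Object -First 10 | Format-Table Path, Length -AutoSize
}
```

Hashing a whole share every run is expensive; on a large share, compare size and LastWriteTime first and hash only the files that differ, or plant a handful of decoy documents in the top-level folders and hash just those, since an encryptor walking the tree rewrites them along with everything else. Whatever the variant, the value is in running it on a schedule short enough that the warning arrives while there is still something left to save.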