Cryptowall Ransomware

Came in this morning and had issues with some database files. Got those fixed and now as the day goes on, there are a lot of files I am finding that are corrupted. They have similarities of date modified of 9/29/14 at 4:20 p.m.

I have re-run scans for viruses and it comes up clean. We use AVG Anti Virus Business Edition 2012. How can I track back to see what is affected and why???

Just discovered files that are BAD!!!!

What should my first step be so it doesn't spread any further?????

Gabriel Clifton, Net Admin, commented:
You have contracted a Crypto virus. Run Malwarebytes Antimalware and scan. Look for all of the Decrypt_Instructions.* files because they will give you a clue as to what has been corrupted. Delete corrupted files and restore them from backup.
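Added example (not part of the original thread): a read-only PowerShell inventory that uses the Decrypt_Instructions.* notes and the modified time from the question to list affected folders and the account that wrote each note. The share path and the two-hour window are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example. Read-only: nothing is deleted or changed.
$roots      = @('\\FILESERVER\Share')        # placeholder UNC path (assumption)
$attackTime = [datetime]'2014-09-29 16:20'   # modified time reported in the question
$from       = $attackTime.AddHours(-2)       # window size is an assumption
$to         = $attackTime.AddHours(2)

# Ransom notes mark every directory the malware walked.
$noteSearch = @{
    Path        = $roots
    Filter      = 'Decrypt_Instructions.*'
    Recurse     = $true
    File        = $true
    Force       = $true
    ErrorAction = 'SilentlyContinue'
}
$notes = @(Get-ChildItem @noteSearch)

$report = foreach ($group in ($notes | Group-Object DirectoryName)) {
    # Other files in that directory whose LastWriteTime falls inside the window.
    $touched = @(Get-ChildItem -LiteralPath $group.Name -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notlike 'Decrypt_Instructions.*' -and
                       $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to })

    # The note is created by the infected user's session, so its NTFS owner
    # usually names the account (and therefore the PC) to investigate.
    # If that user is a local administrator, the owner may show as a group.
    $owner = (Get-Acl -LiteralPath $group.Group[0].FullName).Owner

    [pscustomobject]@{
        Directory     = $group.Name
        NoteOwner     = $owner
        FilesInWindow = $touched.Count
    }
}

$report | Sort-Object NoteOwner, Directory | Format-Table -AutoSize
$report | Export-Csv -Path .\affected-directories.csv -NoTypeInformation
```

Run it from the file server against the local paths of the shares, or from an admin workstation against the UNC paths, so it covers more than one user's mapped drives.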
bankwest, CTO/Cashier (Author), commented:
Will this scan all network drives or just local?
Gabriel Clifton, Net Admin, commented:
bankwest, CTO/Cashier (Author), commented:
I need to scan network drives as well. Is there a business version?
Gabriel Clifton, Net Admin, commented:
They have a home premium and business premium, although I would install it on the server and have it check all folders instead of what you have access to.
bankwest, CTO/Cashier (Author), commented:
What do I need to do to REMOVE the infection? May be a dumb question, but when it's done its thing is it DONE? If I start moving files from backup, will they get infected also?
Gabriel Clifton, Net Admin, commented:
Usually, once it has made its initial run, it is done and gone. But it is always best to run additional scans with other software to make sure.

Kent Olsen, DBA, commented:
Hi bankwest,

Do you have any idea how the malware wound up on your computer?  i.e.  software download, email attachment, or web site?

Knowing will help you to reduce the chances of another attack.

bankwest, CTO/Cashier (Author), commented:
We are now beginning to dig deeper in the investigation. Most of the day was spent restoring files.

We are starting to look at individual computers to see if we can find anything at %Temp%. That is what we have read is one place to start.
If you have any ideas to share on HOW to investigate this, I would appreciate any assistance.
I'm not even sure WHAT I am looking for except that it's an exe file???
Kent Olsen, DBA, commented:
Search for all executables (.exe, .com, .dll, .jar, etc.) and all folders that have changed since the date of the attack.  You might want to back up a day or two in the search.  If you find something that is suspect, you might have a lead on how the intrusion happened.

The file(s) can wind up just about anywhere, especially if the user has local admin rights or higher.  Best case is if this is a normal user so that the system files and folders aren't affected.

The most likely locations are %TEMP%, %APPDATA%, %HOMESHARE%, %LOCALAPPDATA%, %ProgramData%, and %PUBLIC%.  But the files could wind up anywhere that the user is authorized to create files.
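Added example (not part of the original thread): a PowerShell sweep of the locations listed above for executables created or modified since two days before the attack time given in the question, with signature status and SHA-256 for each hit. It assumes the Windows Vista-or-later profile layout and PowerShell 4.0 or later; the extension list is the one named above.

```powershell
# Added example. Run elevated on the workstation under investigation.
$attackTime = [datetime]'2014-09-29 16:20'    # modified time reported in the question
$since      = $attackTime.AddDays(-2)         # "back up a day or two"
$extensions = '.exe', '.com', '.dll', '.jar'  # types named above; extend as needed

# %TEMP%, %APPDATA% and %LOCALAPPDATA% expand only for the current user, so
# build the equivalent paths for every profile on the machine.
$usersDir = Split-Path -Path $env:PUBLIC -Parent
$roots = @($env:ProgramData, $env:PUBLIC)
$roots += Get-ChildItem -LiteralPath $usersDir -Directory -Force | ForEach-Object {
    Join-Path $_.FullName 'AppData\Local'     # holds %LOCALAPPDATA% and %TEMP%
    Join-Path $_.FullName 'AppData\Roaming'   # %APPDATA%
}
if ($env:HOMESHARE) { $roots += $env:HOMESHARE }   # current user's home share only
$roots = $roots | Where-Object { Test-Path -LiteralPath $_ }

$hits = Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $extensions -contains $_.Extension.ToLower() -and
        ($_.CreationTime -ge $since -or $_.LastWriteTime -ge $since)
    } |
    ForEach-Object {
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256    = $hash.Hash
            Path      = $_.FullName
        }
    }

# Unsigned files first, oldest first: the earliest unsigned drop is the best lead.
$hits | Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Created |
    Format-Table -AutoSize -Wrap
```

File timestamps can be altered by malware, so treat a clean result as "nothing obvious" and not as proof that the machine was not the source.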
bankwest, CTO/Cashier (Author), commented:
I was reading more on this and found:

This is used to determine whether an instance of the malware has already run on the system. If the event is not found, then the malware creates a new instance of explorer.exe and injects itself into it. Within the newly infected explorer.exe process, the malware further creates a new instance of svchost.exe and again injects itself into it. This new process is where the encryption takes place.

How do you know if the running process is legit or infected???
Kent Olsen, DBA, commented:
The anti-virus software should detect a real/fake explorer.exe or svchost.exe program.  Basically, the anti-virus program checks for known exploits on key system programs by checking the program length, checksum, hash, etc.

System files on Windows Server and Windows/XP aren't protected very well from malicious code.  That's a big reason for people leaving XP in favor of Windows 7.  Windows 7 does a much better job of isolating user tasks from O/S programs and files, unless the user is running with administrative privileges.  If you've not already done so, migrate your users away from XP.  And avoid tasks like web browsing and checking email on your Windows servers that can run hidden code.
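Added example (not part of the original thread): the write-up quoted in the question describes an injected explorer.exe starting its own svchost.exe, and a legitimate svchost.exe is started by services.exe, so process lineage is something to check on a live machine alongside the file itself. This PowerShell sketch (3.0 or later, run elevated) lists svchost.exe instances whose parent is anything else; the output field names are my own.

```powershell
# Added example. Read-only process inspection.
$procs = @(Get-CimInstance -ClassName Win32_Process)
$byId  = @{}
foreach ($p in $procs) { $byId[$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    if ($p.Name -ne 'svchost.exe') { continue }

    $parent = $byId[$p.ParentProcessId]
    # A recycled PID can make an unrelated, newer process look like the parent.
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'services.exe') {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId  = $p.ProcessId
            Started    = $p.CreationDate
            ParentName = $parentName
            ParentId   = $p.ParentProcessId
            User       = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            Path       = $p.ExecutablePath
        }
    }
}

if ($findings) {
    $findings | Sort-Object Started | Format-Table -AutoSize -Wrap
} else {
    'Every running svchost.exe was started by services.exe.'
}

# More than one explorer.exe in a session is worth a look as well, although
# Explorer's "launch folder windows in a separate process" option causes it too.
$procs | Where-Object { $_.Name -eq 'explorer.exe' } |
    Group-Object SessionId | Where-Object { $_.Count -gt 1 } |
    Select-Object @{ Name = 'SessionId'; Expression = { $_.Name } }, Count
```

An injected process still points at the genuine, signed file on disk, which is why this looks at who started the process and not only at its path.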
Preston Cooper, Database Administrator, commented:
I created a program to detect missing or modified files in a Windows file share caused by ransomware. This can help you to restore from backup sooner and know that a file share has been encrypted rather than not knowing at all.
Windows Server 2008

From novice to tech pro — start learning today.