Solved

Cryptowall Ransomware

Posted on 2014-09-30
Last Modified: 2016-02-25
Came in this morning and had issues with some database files. Got those fixed and now as the day goes on, there are a lot of files I am finding that are corrupted. They have similarities of date modified of 9/29/14 at 4:20 P.M.

I have re-run scans for viruses and it comes up clean. We use AVG Anti Virus Business Edition 2012. How can I track back to see what is affected and why???

Just discovered files that are BAD!!!!
DECRYPT_INSTRUCTIONS.HTML
DECRYPT_INSTRUCTIONS.TXT
DECRYPT_INSTRUCTIONS

What should my first step be so it doesn't spread any further?????
Question by:bankwest
13 Comments
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40352634
You have contracted a Crypto virus. Run Malwarebytes Antimalware http://www.malwarebytes.org/ and scan. Look for all of the Decrypt_Instructions.* files because they will give you a clue as to what has been corrupted. Delete corrupted files and restore them from backup.
 

Author Comment

by:bankwest
ID: 40352660
Will this scan all network drives or just local
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40352665
Local

Author Comment

by:bankwest
ID: 40352678
I need to scan network drives as well. Is there a business version?
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40352689
They have a home premium and business premium, although I would install it on the server and have it check all folders instead of what you have access to.
 

Author Comment

by:bankwest
ID: 40352777
What do I need to do to REMOVE the infection? May be a dumb question, but when it's done its thing is it DONE? If I start moving files from backup, will they get infected also?
 
LVL 13

Accepted Solution

by:Gabriel Clifton (earned 500 total points)
ID: 40352850
Usually, once it has made its initial run, it is done and gone. But it is always best to run additional scans with other software to make sure.
 
LVL 45

Expert Comment

by:Kent Olsen
ID: 40354536
Hi bankwest,

Do you have any idea how the malware wound up on your computer?  i.e.  software download, email attachment, or web site?

Knowing will help you to reduce the chances of another attack.


Kent
 

Author Comment

by:bankwest
ID: 40354605
We are now beginning to dig deeper in the investigation. Most of the day was spent restoring files.

We are starting to look at individual computers to see if we can find anything at %Temp%. That is what we have read is one place to start.
If you have any ideas to share on HOW to investigate this, I would appreciate any assistance.
I'm not even sure WHAT I am looking for except that it's an exe file???
 
LVL 45

Expert Comment

by:Kent Olsen
ID: 40354639
Search for all executables (.exe, .com, .dll, .jar, etc.) and all folders that have changed since the date of the attack.  You might want to back up a day or two in the search.  If you find something that is suspect, you might have a lead on how the intrusion happened.

The file(s) can wind up just about anywhere, especially if the user has local admin rights or higher.  Best case is if this is a normal user so that the system files and folders aren't affected.

The most likely locations are %TEMP%, %APPDATA%, %HOMESHARE%, %LOCALAPPDATA%, %ProgramData%, and %PUBLIC%.  But the files could wind up anywhere that the user is authorized to create files.
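An added Python example, not code from this thread or from any tool mentioned in it, that combines the two triage steps given above: Gabriel Clifton's advice to locate the Decrypt_Instructions.* files, and Kent Olsen's advice to list executables and other files changed since the attack date. It walks a directory tree such as a user profile or a share; the sample tree, its file names and timestamps are constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime

# Ransom-note names seen in this thread; a directory holding one was visited by the encryptor.
NOTE_NAMES = {"DECRYPT_INSTRUCTIONS", "DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTIONS.HTML"}
EXEC_EXTS = {".exe", ".com", ".dll", ".jar"}  # the executable types Kent lists


def triage(root, since):
    """Walk root; return (note_dirs, changed_exes, changed_files) for files modified at or after since."""
    note_dirs, changed_exes, changed_files = set(), [], []
    since_ts = since.timestamp()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() in NOTE_NAMES:
                note_dirs.add(dirpath)
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable or vanished; skip it rather than abort the sweep
            if mtime >= since_ts:
                changed_files.append(path)
                if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                    changed_exes.append(path)
    return sorted(note_dirs), sorted(changed_exes), sorted(changed_files)


def build_sample_tree():
    """Constructed profile: an old document, a fresh exe under Temp, and a ransom note."""
    root = tempfile.mkdtemp(prefix="triage_")
    old = datetime(2014, 9, 1, 9, 0).timestamp()
    attack = datetime(2014, 9, 29, 16, 20).timestamp()  # 9/29/14 4:20 PM from the question
    layout = {
        os.path.join("Documents", "budget.xlsx"): old,
        os.path.join("Documents", "DECRYPT_INSTRUCTIONS.TXT"): attack,
        os.path.join("AppData", "Local", "Temp", "update.exe"): attack - 600,
        os.path.join("AppData", "Roaming", "notes.txt"): old,
    }
    for rel, ts in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (ts, ts))
    return root


def run_sample():
    """Scan the constructed tree starting a day before the attack, as Kent suggests."""
    return triage(build_sample_tree(), datetime(2014, 9, 28))
```

Point `triage` at a real profile or share root and a date a day or two before the first bad timestamp; the note directories show what was encrypted, and the recent executables are the leads worth hashing and submitting to the AV vendor.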
 

Author Comment

by:bankwest
ID: 40354863
I was reading more on this and found:

This is used to determine whether an instance of the malware has already run on the system. If the event is not found, then the malware creates a new instance of explorer.exe and injects itself into it. Within the newly infected explorer.exe process, the malware further creates a new instance of svchost.exe and again injects itself into it. This new process is where the encryption takes place.


How do you know if the running process is legit or infected???
 
LVL 45

Expert Comment

by:Kent Olsen
ID: 40355139
The anti-virus software should detect a real/fake explorer.exe or svchost.exe program.  Basically, the anti-virus program checks for known exploits on key system programs by checking the program length, checksum, hash, etc.

System files on Windows Server and Windows/XP aren't protected very well from malicious code.  That's a big reason for people leaving XP in favor of Windows 7.  Windows 7 does a much better job of isolating user tasks from O/S programs and files, unless the user is running with administrative privileges.  If you've not already done so, migrate your users away from XP.  And avoid tasks like web browsing and checking email on your Windows servers that can run hidden code.
 
LVL 3

Expert Comment

by:prestoncooper
ID: 41480941
I created a program to detect missing or modified files in a Windows file share caused by ransomware. This can help you to restore from backup sooner and know that a file share has been encrypted rather than not knowing at all.
http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/
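An added Python illustration of the baseline-and-compare idea behind the comment above; it is not that program's code. A trusted snapshot of the share is hashed, and a later snapshot is diffed against it to report files that went missing, changed, or appeared. The share contents and the simulated aftermath are constructed.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            baseline[os.path.relpath(path, root)] = h.hexdigest()
    return baseline


def compare(baseline, current):
    """Return (missing, modified, added) relative paths between two snapshots."""
    missing = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    return missing, modified, added


def run_sample():
    """Constructed share: take a baseline, simulate an encryptor's effect, then compare."""
    root = tempfile.mkdtemp(prefix="share_")
    for name, body in (("a.docx", b"quarterly"), ("b.xlsx", b"ledger"), ("c.txt", b"memo")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    # Keep the baseline off the share in practice; anything on it can be encrypted too.
    baseline = snapshot(root)
    # Simulated aftermath (constructed): one file overwritten, one removed, a note dropped.
    with open(os.path.join(root, "a.docx"), "wb") as fh:
        fh.write(b"\x00garbled")
    os.remove(os.path.join(root, "b.xlsx"))
    with open(os.path.join(root, "DECRYPT_INSTRUCTIONS.TXT"), "wb") as fh:
        fh.write(b"...")
    return compare(baseline, snapshot(root))
```

A comparison is only as current as the last baseline, so on a live share the snapshot should be scheduled and the result alerted on, not run by hand after the fact.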
