cryptowall infection

Hey guys,

One of our PC's got infected with the cryptowall virus. It also affected a file share on our NAS. Does this virus spread through the network?

How can it be contained?
LVL 4
Cobra25Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Wesley JohnsonIT AssistantCommented:
I'm at a public library and this happened to us on the staff-side recently. It jumped from the PC to NAS, but, as best as we can tell, it went no further than that.

Here's a Symantec guide for removal: http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99&tabid=3. Unfortunately, if there suggestions don't work, it looks like re-installing Windows is the only way to remove it from the machine. The latest version of Symantec's A/V does offer crytpolocker protection. From what I understand, the professional version of Malwarebytes Anti-Malware does, too.

I've yet to find a way to unlock the files damaged by this infection nor has my boss. That appears to be hopeless. This issue struck us at a time when our backups weren't working properly, so the one that was restored was about a month old. Luckily I found another that was just a couple of weeks old.

Good luck!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
James HIT DirectorCommented:
Cryptowall scans all drives on an infected machine, including mapped drives. Once it has completed its scan, it will send the payload to the encryption server and lock those files. There is nothing you can do at this point, even if you pay they may not get the decryption key before the timer runs out. You will have to restore from backup.
0
Wesley JohnsonIT AssistantCommented:
Also, according to a site I found: "CryptoLocker is not a virus (self-replicating malware), so it doesn't spread across your network by itself."
0
INTRODUCING: WatchGuard's New MFA Solution

WatchGuard is proud to announce the launch of AuthPoint, a powerful, yet simple, Cloud-based MFA service designed to eliminate the vulnerabilities that put your data, systems, and users at risk.

Thomas Zucker-ScharffSolution GuideCommented:
Cryptolocker/Cryptowall is not really a virus - Wesley is correct.  The problem is it does so much damage, especially on network shares.  The only reasonable defense is good backups (ones that have been tested).  There is another option, we have recovered files from cryptolocker by using a cloud file backup that does versioning, like crashplan.
0
Cobra25Author Commented:
So ive heard it does spread and it doesnt spread, which one is it?

Thanks for the responses so far!
0
James HIT DirectorCommented:
It doesn't affect other PC's, it only searches for documents on the local HDD and mapped drives.
0
Wesley JohnsonIT AssistantCommented:
My boss tells me that Cryptolocker infects drives on a machine, so, if NAS is mapped, then it will find its way to it. You actually have to download an attachment to bring Crypto to your machine.
0
Thomas Zucker-ScharffSolution GuideCommented:
Yes it will affect any mapped drives.  This is why anyone who maps a drive to their computer should have limited rights.  Even so, files for that person will be encrypted at the very least.  A good backup policy that includes frequent testing of restores is the only defense.  Periodic imaging and reimaging of computers can't hurt.
0
Cobra25Author Commented:
Thomas, when you say limited rights, do you mean obviously not a local admin on their PC?
0
Thomas Zucker-ScharffSolution GuideCommented:
That would be best.  I also mean that if they need write permissions on the share, well they need it - but only to their own directory.  Many will need write perms to shared directories, almost the definition of a share, just be careful when granting these perms.
0
McKnifeCommented:
Cryoptolocker teaches us three lessons:

-have current backups at any time
-don't rely on anti virus software but try to implement some application whitelisting instead
-only grant write access to shares when really needed.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.