
Ransomware

David Elebute asked:
We found a system where all Word documents have been encrypted and there is a file claiming where to go to get the decryption key.
Our Trend, Malwarebytes and Spybot apps running on the box spot it even after the files are found.
Has anyone found a cleaner without paying the ransom or completely reformatting?
I believe they got into the system via email and/or an end user with admin rights going to all the wrong places on the internet.
All help is greatly appreciated!
d.elebute

10023, Web site maintenance and design

Commented:
Have you checked for shadow copies of the file? Right-click on the directory and look for Previous Versions.
Did you have a backup?
Do you have System Restore points? Click on the Start menu, type in "system restore", go there and check for restore points.
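The three recovery sources 10023 lists (shadow copies, backups, restore points) can be checked from one elevated Windows PowerShell 5.1 prompt before deciding between a restore and a rebuild. The script below is an added example, not code from the thread or from any of the products named in it; the junction path `C:\ShadowView` and the `Users` folder searched inside the snapshot are assumptions, and the comparison against the ransom note's creation time assumes you have already located that file.

```powershell
# Added example (not from the thread): enumerate recovery sources on a Windows host.
# Run from an elevated Windows PowerShell 5.1 prompt.

# 1. Volume Shadow Copies. Explorer's "Previous Versions" tab is built from these,
#    so if this list is empty the Previous Versions route is closed too (many
#    ransomware families delete shadow copies as their first step).
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $shadows) {
    Write-Warning 'No shadow copies found on this host.'
}
$shadows | Select-Object InstallDate, VolumeName, DeviceObject

# 2. Only a snapshot taken BEFORE encryption started is useful. $noteCreated is an
#    assumption: set it to the CreationTime of the ransom note you found.
$noteCreated = (Get-Item 'D:\Shares\decrypt_instructions.txt').CreationTime   # assumed path
$clean = $shadows | Where-Object { $_.InstallDate -lt $noteCreated } | Select-Object -Last 1

# 3. Expose that snapshot as a directory link so documents can be copied out without
#    touching the encrypted originals. Trailing backslash on the device path is required.
if ($clean) {
    $target = $clean.DeviceObject + '\'
    cmd /c mklink /d C:\ShadowView $target | Out-Null        # C:\ShadowView is an assumption
    # Look for intact Word documents in the snapshot (Users folder is an assumption)
    Get-ChildItem -Path 'C:\ShadowView\Users' -Recurse -Include *.doc, *.docx -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime, Length -First 20
    # When finished: cmd /c rmdir C:\ShadowView   (removes the link only, not the snapshot)
} else {
    Write-Warning 'No shadow copy predates the ransom note; fall back to backups.'
}

# 4. System Restore points. Note these roll back system state, not user documents,
#    so they help with removing the infection but not with getting the files back.
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description, RestorePointType
```

Check the `InstallDate` of the snapshot against the ransom note's creation time before copying anything out: a snapshot taken after encryption began simply contains more encrypted files.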
David Elebute, Systems Consultant

Author

Commented:
10023, I do not know you so I will not take offense to your reply.
Of course we do backups; that is what I am working on now!
I am looking for a way to beat this if possible; none of our tools are able to defeat it before it happens!
I have found the actual date and time and the poor browsing habits of our "administrative" users
that mark the date and time of infection.
Like I stated when I began, I do not want to come across the wrong way, so I will not take offense to the obvious.
All help is greatly appreciated.
d.elebute
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
If it's the original CryptoLocker, I believe the keys are available. If it's a new variant, then no, you cannot (yet) get around it. At some point the malware authors may be caught and the keys may be obtained. Use a good antivirus that can identify what you have been infected with and call them to see if they can recover the files. (Odds are VERY good your backups will be MUCH faster than any kind of decrypting.)
David Elebute, Systems Consultant

Author

Commented:
Yes, thank you Lee W, MVP.
If it's the original: Malwarebytes and Trend Worry-Free (even sent them copies of the files left behind, decrypt_html, txt etc. files) are unable to detect or clean it; installed Kaspersky and same thing.
Backups are much faster, thanks.
Need to pinpoint how it is getting into the network.
I believe I know that it is one of the admin users that browses all the wrong places.
d.elebute
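The author says he has pinned down the date and time of infection and now wants to pinpoint the entry point. The script below is an added example, not from the thread, of how that triage can be done from the artifacts the malware leaves on a file server: the share root `D:\Shares`, the ransom-note name patterns (based on the "decrypt_html, txt" files mentioned above) and the assumption that the note's NTFS owner is the account whose session did the encrypting are all assumptions; step 5 additionally assumes logon auditing is enabled on the server.

```powershell
# Added example (not from the thread): build an infection timeline from ransom notes
# and correlate it with network logons to find the originating account and workstation.
# Run elevated on the file server. Paths and note names are assumptions.

$ShareRoot   = 'D:\Shares'                                        # assumed share root
$NotePattern = 'decrypt*.html', 'decrypt*.txt', 'decrypt*.url'    # assumed note names

# 1. Ransom notes: the earliest one marks approximately when encryption started.
$notes = Get-ChildItem -Path $ShareRoot -Recurse -Force -Include $NotePattern -ErrorAction SilentlyContinue
if (-not $notes) { Write-Warning "No ransom notes matched under $ShareRoot"; return }
$first = $notes | Sort-Object CreationTime | Select-Object -First 1
$last  = $notes | Sort-Object CreationTime | Select-Object -Last 1
'Encryption window: {0:u} to {1:u} ({2} notes)' -f $first.CreationTime, $last.CreationTime, @($notes).Count

# 2. Who created the notes? The NTFS owner of a note is the account whose session
#    wrote it (assumption: the malware runs in the logged-on user's context).
$notes | ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name

# 3. Order in which folders were hit: first note per directory, chronologically.
#    A strict alphabetical walk from one share root is typical of a single
#    workstation working through a mapped drive.
$notes | Group-Object DirectoryName |
    ForEach-Object { $_.Group | Sort-Object CreationTime | Select-Object -First 1 } |
    Sort-Object CreationTime |
    Select-Object @{ n = 'When'; e = { $_.CreationTime.ToString('u') } }, DirectoryName -First 25

# 4. Scope: files rewritten inside the window (encrypted documents are rewritten,
#    so their LastWriteTime falls between first and last note).
$touched = Get-ChildItem -Path $ShareRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $first.CreationTime -and
                   $_.LastWriteTime -le $last.CreationTime.AddMinutes(5) }
'{0} files written during the window' -f @($touched).Count

# 5. Network logons (event 4624, logon type 3) to this server in the window, grouped by
#    account and source IP. The top entry is the workstation to pull off the network.
$filter = @{ LogName = 'Security'; Id = 4624
             StartTime = $first.CreationTime.AddHours(-1); EndTime = $last.CreationTime }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
        Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
    }
} | Where-Object LogonType -eq '3' |
    Group-Object User, Source | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

The note owner (step 2) and the logon source (step 5) should name the same account and machine; if they do not, the server itself rather than a client session may be the host running the malware, and the timeline needs to be rebuilt from that box's own Security log.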
I believe BitDefender claims to block this type of malware.
David Elebute, Systems Consultant

Author

Commented:
Yeah, that is a choice, but I am also looking to clean it up after the fact.
Will see about BitDefender; all the others have similar claims, if not outright falsehoods.
Thanks akb.
d.elebute
10023, Web site maintenance and design

Commented:
I did not mean to offend you. You mentioned:
"I have found the actual date and time and the poor browsing habits of our 'administrative' users"
Excuse me, I thought that question was answered... I was just checking out and playing around with what you were left with...