We were recently hit with the CryptoWall 3.0 virus and, unfortunately, were forced to pay the ransom as our server shares were compromised. We were able to get our files decrypted. However, we have not yet been able to locate the computer that introduced the virus into the network. We checked all computers on the network for encrypted files, but could not find it.
I have been advised that the virus removes itself from the infected computer once it completes the encryption process, but am still concerned. It has been three days since the decryption process.
Can anyone confirm that the virus delivers a "one time payload"? If not, is there a way to identify the offending workstation? We have searched for the decrypt messages that show up on encrypted directories and have run AV scans. Is there an antivirus product that is especially good at identifying this virus?
Thanks in advance.