CryptoWall Reinfection

We were recently hit with the CryptoWall 3.0 virus and, unfortunately, were forced to pay the ransom as our server shares were compromised.  We were able to get our files decrypted.  However, we have not yet been able to locate the computer that introduced the virus into the network.  We checked all computers on the network for encrypted files, but could not find it.  

I have been advised that the virus removes itself from the infected computer once it completes the encryption process, but am still concerned.  It has been three days since the decryption process.  

Can anyone confirm that the virus delivers a "one time payload"?  If not, is there a way to identify the offending workstation?  We have searched for the decrypt messages that show up on encrypted directories and have run AV scans.  Is there an antivirus product that is especially good at identifying this virus?

Thanks in advance.

jorge diaz (SE) commented:
Hi jzpaziano,

The virus does not deliver a "one time payload"; as a matter of fact, you are fertile ground because you already paid. Not to become an alarmist now, but make sure you are not relying only on endpoint protection for desktop security: add an IPS, and scan at the gateway too. The virus does a really good job of obfuscating, so it may go unidentified by some AVs.

Hard to tell where it came from without logs.

Read these articles; one of them shows some code that could be used for signatures.

Good luck!

It is likely that the virus encrypted local files on the machine it hit. Have you checked the Documents folder on all computers to see if files are encrypted? The one that has encrypted files is likely to be the culprit.
andreas (System Admin) commented:
It also could be a device an employee brought into the company network, or one that was connected via VPN and had access to the server shares that way.
You really need to inspect ALL devices that could have had access to the server; if you cannot ensure this, you will never be sure you found all sources.

Even if you found ONE, it doesn't mean you found ALL; there might be another one. Especially if PCs are in a domain and the attacker also got hold of domain admin credentials, then it could spread easily across the network by accessing the C$ share and installing itself on all PCs in that domain.

Sometimes the crypto attacks are 2nd-stage attacks, and the attackers got in via other trojans that may even have had keyloggers.

You NEED to perform an in-depth security audit of all systems that were able to access the server shares. This includes offline scans with at least 2 different antivirus solutions and a search for encrypted local files.
If this scan turns up any other threats, especially keyloggers, it's a must to change all passwords, even user passwords that were potentially used on the affected machines.

Otherwise you should at least change all passwords for accounts with higher privileges (domain admins, DB admins, operators, backup operators, antivirus operators, etc.).

And don't rely on antivirus solutions only for security. Nowadays polymorphic viruses are on the rise that cannot be detected by classic signature-based scans anymore, as each copy of them looks different.

Also very important is a rigid backup regime, so if files get infected, encrypted, whatever, you just restore from backups. Backups need to be checked regularly for integrity, e.g. that they contain readable files that are not corrupted and are restorable.
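The answers above boil down to two checks per workstation: look for the ransom notes dropped into encrypted directories, and look for local files that have been encrypted in place. The script below is an added example (not from this thread, and not part of any product mentioned here) that automates both checks in Python so it can be pointed at each machine's Documents folder or at a mapped share. It flags a file as "likely encrypted" when its extension promises a known format (Office, PDF, image, zip) but its leading bytes do not carry that format's magic number and its content is high-entropy, which is what an in-place encrypted document looks like. The note-name pattern, the magic-number table, the entropy threshold and the constructed sample files are all assumptions of this example; the pattern in particular should be replaced with the note names actually observed on the affected shares.

```python
"""Triage scan for ransomware-encrypted files and ransom notes (added example)."""
import math
import os
import re
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the thread only says "decrypt messages" appear in encrypted
# directories, so ransom notes are matched on a substring of the filename.
# Replace with the exact note names seen in your environment.
NOTE_NAME_PATTERN = re.compile(r"decrypt", re.IGNORECASE)

# Leading bytes ("magic numbers") a well-formed file of each type starts with.
MAGIC = {
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Bits per byte; ciphertext sits close to 8.0, documents and text sit far lower.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 4096):
    """Return 'ransom_note', 'likely_encrypted' or None for one file."""
    if NOTE_NAME_PATTERN.search(path.name):
        return "ransom_note"
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return None  # unknown type: nothing to compare the header against
    try:
        with open(path, "rb") as fh:
            head = fh.read(sample_size)
    except OSError:
        return None  # unreadable (locked, permissions): skip rather than guess
    if not head or any(head.startswith(m) for m in expected):
        return None  # empty, or the header matches the extension
    # Header mismatch alone is not proof (a renamed text file also mismatches),
    # so require ciphertext-like entropy as well.
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return None


def scan(roots):
    """Walk each root and collect paths by verdict."""
    findings = {"ransom_note": [], "likely_encrypted": []}
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                verdict = classify_file(Path(dirpath) / name)
                if verdict:
                    findings[verdict].append(str(Path(dirpath) / name))
    return findings


def build_sample_tree(base: Path) -> None:
    """Write a constructed sample tree so the scan can be exercised offline."""
    base.mkdir(parents=True, exist_ok=True)
    (base / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"text " * 200)       # intact
    (base / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 300)         # intact
    (base / "notes.pdf").write_bytes(b"plain text, wrong extension\n" * 50)  # mismatch, low entropy
    (base / "contract.docx").write_bytes(bytes(range(256)) * 16)            # stands in for ciphertext
    (base / "HELP_TO_DECRYPT_FILES.txt").write_text("constructed ransom note")  # note


def demo() -> dict:
    """Build the sample tree in a temp dir and return the scan findings."""
    tmp = Path(tempfile.mkdtemp(prefix="cw_triage_"))
    build_sample_tree(tmp / "Documents")
    return scan([tmp])


if __name__ == "__main__":
    # Usage: python triage.py <dir> [<dir> ...]; defaults to the user's Documents folder.
    roots = sys.argv[1:] or [str(Path.home() / "Documents")]
    for kind, paths in scan(roots).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run it per workstation (or against each share) and compare the counts: a machine whose local Documents folder is full of "likely_encrypted" hits alongside ransom notes is the one the thread is telling you to look for, whereas a share that only shows notes may have been encrypted remotely by a different host. The header-plus-entropy rule deliberately avoids flagging renamed or merely corrupted files, so a zero result still has to be read together with the offline AV scans and log review recommended above.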
Eirman (Chief Operations Manager) commented:
If you have suffered an infection in the past, you probably know about the Cryptolocker Prevention Kit.
Here's a link, just in case ....