Crypto Locker Virus - how to find patient ZERO that started this?


I have a network that got CRYPTO LOCKER on all folders, and we're trying to find out WHODUNNIT.  

Most of the time, we go to the changed files or the "CRYPTO HELP.HTML" file that describes who to pay to get it done and look at the file owner.  However, this time, the file owner shows "DOMAIN-NAME\ADMINISTRATORS" (the built-in administrators group) as the owner, and NOT a specific user.

Why would the owner be this GROUP and not a specific user?

That does seem odd.  You can identify the computer that initiated the problem by looking at local documents and seeing if they are encrypted or searching for the Crypto Help.html file on local drives.

Because of these sorts of viruses, I've been encouraging clients to be more restrictive in their shares.  That is, don't let all users have access to all shared files if you can avoid it.  In addition to limiting the damage, it can help narrow down the origin.
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) Commented:
These viruses come in by spam, start there. I've had this come through our spam wall in an "auspost" Australia Post format, a pretty well written mail with a link inside, no attachment.

If your spam company can't keep this out, route it through Mimecast! I bet they can. Spam and proxy prevention have gone to a 10/10 importance IMO with these viruses.

Your AV is useless, it won't detect these files. The EXE itself is often encrypted, just so you know why perfectly good AV is getting blitzed by these things.
jkeegan123 (Author) Commented:
Right, we do the same, but this one seems to have been initiated in a way that included full admin rights (because the ADMINISTRATORS group shows as owner).  

On all files that you mentioned, it shows owner as "DOMAIN-NAME\Administrators" as owner.  Not a specific user.
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) Commented:
Who is part of the built-in Administrators group?
andreas (System Admin) Commented:
Shut down all systems, even the servers, then do a forensic investigation on ALL affected HDDs, server and clients.
Find the disk on which things started first; this might give clues about where it started.

It might also be that the attackers came in via a different trojan/keylogger, stole admin credentials on an infected system and put the cryptolocker directly onto some systems with admin credentials, maybe even on the servers.

You should perform an offline AV-scan on all HDDs on the affected domain.
jkeegan123 (Author) Commented:
We found patient zero, it was 2 users that came in earlier than the rest; we checked against LOGIN TIME and FILE CREATION TIME of the "how to decrypt.htm" files.  Strangely, neither of these users was in any admin group of any kind.  

HOWEVER .... full permissions were granted at the SHARE and NTFS level, which would have let the user (or the attacking program) change file attributes.  This is a big reason to give read / change rights but NOT full control, IMHO.
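
The login-time versus note-creation-time comparison described in the post above can be scripted. This is an added example, not code from the thread; the share path `\\FILESERVER\DeptFiles` is a hypothetical placeholder, and the logon query assumes it is run elevated on the file server with logon auditing already enabled.

```powershell
# Added example (not from the thread). $ShareRoot is a hypothetical path;
# $NoteName is the ransom-note name mentioned in the post above.
$ShareRoot = '\\FILESERVER\DeptFiles'
$NoteName  = 'how to decrypt.htm'

# 1. Every ransom note on the share, with creation time and NTFS owner.
$notes = Get-ChildItem -Path $ShareRoot -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created = $_.CreationTime
            Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            Path    = $_.FullName
        }
    } | Sort-Object Created
if (-not $notes) { throw "No '$NoteName' files found under $ShareRoot" }

# 2. The oldest notes mark where and when encryption began.
$notes | Select-Object -First 10 | Format-Table -AutoSize
$firstNote = @($notes)[0].Created

# 3. Network logons (event 4624, logon type 3) in the two hours before the
#    first note: the accounts and source addresses with a session open then.
$logons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624
        StartTime = $firstNote.AddHours(-2); EndTime = $firstNote
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # Skip computer accounts (names ending in $).
        if ($d['LogonType'] -eq '3' -and $d['TargetUserName'] -notlike '*$') {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                User   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                Source = $d['IpAddress']
            }
        }
    }

# 4. One row per account/source pair, earliest session first.
$logons | Group-Object User, Source | ForEach-Object {
    [pscustomobject]@{ User = $_.Group[0].User; Source = $_.Group[0].Source
                       FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                       Sessions = $_.Count }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

The `Owner` column is kept in the output because, as this thread shows, it may read `Administrators` rather than a user; the time correlation still narrows the candidates when it does.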
andreas (System Admin) Commented:
About the NTFS level, I'm not sure. As far as I'm aware, a user without admin rights CANNOT assign admin ownership to files, even if he has full control rights.

Full control means only modify rights plus the user could change access permissions on the files and CLAIM ownership for HIMSELF, not admin.

If the files of the cryptor are admin owned, it means that the virus is running with domain admin credentials. It means your whole AD needs to be set up again from scratch.
btan (Exec Consultant) Commented:
The thing about the ransomware is that it will attempt to gain local admin privilege, provided that the victim has admin rights, and with that is able to dump out and encrypt as required on the infected machine. The account that changes those files is not significant in leading the investigation to who is the origin that started the infection. The means to gain admin can be stealing the admin credentials (spear phishing, social media etc.) or through a machine already logged in with a user who has admin rights, or infected external storage etc. That is the prep work by the attacker; it may not necessarily point to an insider job etc., but commonly this is an understandable worry.

There are other channels of infiltration via poisoned email, spam, or documents with embedded exploits that download and dump out the ransomware. Those are the leads we should be focusing on, as well as the callbacks to specific IPs of the C&C servers. It is searching for a needle in a haystack, but we need to make sure we are at the right haystack first - that is the suggestion we can consider. The forensics of the workstation has to be done to piece together the trail of activities; looking at the ransomware files is not going to do us good in finding the "source"...

Just a few cents..
jkeegan123 (Author) Commented:
It turns out that the file permissions must have been adjusted by the ransomware as I had suggested.  We have since removed the CHANGE OWNER permission in shares where users need full control; they have full permissions without this ability, and hopefully this will prevent the owner from being changed in the future so that we can quickly identify patient ZERO in future infections.  So far, in subsequent infections, we were able to look at the file owner to identify where this came in without error.
btan (Exec Consultant) Commented:
Thanks for sharing. To add, even before they can tamper with the file metadata, the ransomware will (and should have) already gotten its own user privileges to execute the permission change. However, for other non-user files, it minimally needs the system privileges, as I shared previously. Regardless, the target machine was already compromised beforehand via an exploit kit that downloads the ransomware - this is the common attack delivery lifecycle.

Indeed, the locking of the permission will be good, and for audit trails established for investigation. Minimally the identity currently logged on can be assumed, but do note that if there is impersonation, the trails can still be misleading, but to do that system rights are still required.

Overall, I am thinking that the crux is on auditing being enabled in the first place, as even such changes will be logged and this will tell us more already, or even through forensics of the malware to understand its activities in a sandbox environment.
To enable auditing on a folder, open the folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. Be careful which permissions you enable for auditing because you can easily fill up your log with access events. In your case, you want to monitor only for successful uses of the permission that lets a user change an object's ACL—the Change permissions permission. Figure 1 shows that I've enabled auditing of successful Change permissions events on the DeptFiles folder. I've also specified Everyone as the name of the audit entry because I want to audit everyone.
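
The same audit entry can be set from PowerShell instead of the properties dialog. This is an added example, not part of the original answer; the local path `D:\Shares\DeptFiles` is a hypothetical location for the DeptFiles folder, and the commands assume an elevated session on the file server.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# $Folder is a hypothetical local path for the DeptFiles folder.
$Folder = 'D:\Shares\DeptFiles'

# Audit entry: Everyone, successful use of "Change permissions" only,
# inherited by all subfolders and files.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $Folder -Audit     # -Audit also reads the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# The SACL produces no events until object-access auditing is switched on.
auditpol /set /subcategory:"File System" /success:enable

# Later: who changed permissions, on which object, with which process
# (Security event 4670, "Permissions on an object were changed").
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['ObjectName'] -like "$Folder*") {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

The account in the `User` column is the one that made the change, which is the attribution the file owner failed to give in this incident.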
