NytroZ asked:

Cryptowall infection!

We recently had a server on the network become infected with the Cryptowall virus. Luckily we have a pretty solid backup plan in place and were able to painlessly restore the server to a previous state without any issues. But how can we identify where the virus came from in the first place? We use a SonicWall firewall with the security suite that includes intrusion prevention, gateway anti-virus, and anti-spam. On top of that, all client workstations have AVG installed. I guess it's still possible that an infected email got past the firewall, but if it did, then how do I go about finding that email?
skij:

Have you heard of ClamAV?
If you haven't tried it then you should.
It is free, and free is good!

ClamAV is free, open-source security software that can scan files, including email and email attachments, for these types of infections.
Preston Cooper:

(This solution is only available to Experts Exchange members.)
rindi:

It is highly unlikely the server got infected. People don't work on servers, but rather on their PCs (unless of course the server was a remote desktop server).

So it is far more likely one or more of the connected PCs got infected, and since files on the LAN also get encrypted, the data on the server was encrypted too.

The most common way of getting infected by ransomware is through email attachments. Only allow your users to open attachments from trusted senders, and from whom they are expecting an attachment. Also only give the user rights to access folders they absolutely need. That way an infection can be better contained.
Member_2_406981:

Recently a lot of crypto-malware was pushed through vulnerable Flash plugins via web browsers, sometimes over HTTPS, so no intrusion detection could see the traffic as bad. If the installed version is quite new, the client AVs also will not detect it.

You should check that all client browsers and all used browser plugins are up to date.
If you use HTML-aware mail clients, you should check the mail software too, whether any plugins and the software itself are up to date.

I'm also thinking the encrypted files on the server were encrypted by a client PC that has write access to the share that was affected.

If not just data shares were affected, it might be possible that some infected client PC had a domain admin login before; the password was logged and then used to access the server, either directly or via the C$ share.

In such a case you need to reset all passwords in the affected domain.
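Both rindi and Member_2_406981 make the same point: the ransom notes and encrypted files on the server were written by an infected client through a share, so the NTFS owner of those files is the account that was infected, and the earliest note timestamp marks when encryption on that share began. The script below is an added example, not code from this thread, that walks a share for CryptoWall ransom notes and groups them by owner and first-seen time. It assumes the pywin32 package for owner lookup on Windows (POSIX uses the stat uid), and the embedded SAMPLE records are constructed so it runs offline.

```python
# Added example (not from the thread): attribute a CryptoWall infection on a file share
# to the account that wrote the ransom notes. Each HELP_DECRYPT.* file is created by the
# infected client's process over SMB, so its owner is the infected account and the
# earliest note gives the start of encryption on this share.
import os
import sys
from collections import defaultdict
from datetime import datetime, timezone

# Ransom note names: CryptoWall 3.0 drops HELP_DECRYPT.*; CryptoWall 1.x/2.0 dropped
# DECRYPT_INSTRUCTION.* instead. Compared case-insensitively.
NOTE_NAMES = {
    "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL",
    "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.URL",
}


def owner_of(path):
    """Owning account of a file: DOMAIN\\user on Windows (needs pywin32), POSIX user elsewhere."""
    if sys.platform == "win32":
        import win32security  # pywin32, assumed installed on the file server
        sd = win32security.GetFileSecurity(path, win32security.OWNER_SECURITY_INFORMATION)
        name, domain, _ = win32security.LookupAccountSid(None, sd.GetSecurityDescriptorOwner())
        return f"{domain}\\{name}"
    import pwd
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


def collect_notes(root):
    """Walk a share and yield (path, owner, mtime_epoch) for every ransom note found."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.upper() in NOTE_NAMES:
                path = os.path.join(dirpath, name)
                yield path, owner_of(path), os.stat(path).st_mtime


def attribute(records):
    """Group notes by owner; the owner of the earliest note is the likely patient zero here."""
    by_owner = defaultdict(list)
    for path, owner, mtime in records:
        by_owner[owner].append((mtime, path))
    if not by_owner:
        return None
    summary = {o: {"count": len(v), "first_seen": min(v)[0]} for o, v in by_owner.items()}
    suspect = min(summary, key=lambda o: summary[o]["first_seen"])
    return {"suspect": suspect, "first_seen": summary[suspect]["first_seen"], "by_owner": summary}


def fmt(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


# Constructed sample of what collect_notes() returns on a share hit from two workstations;
# jdoe's notes appear an hour before asmith's.
SAMPLE = [
    (r"\\FS01\Finance\HELP_DECRYPT.TXT",         "CORP\\jdoe",   1426000000.0),
    (r"\\FS01\Finance\2015\HELP_DECRYPT.HTML",   "CORP\\jdoe",   1426000120.0),
    (r"\\FS01\Finance\2015\Q1\HELP_DECRYPT.PNG", "CORP\\jdoe",   1426000130.0),
    (r"\\FS01\HR\HELP_DECRYPT.TXT",              "CORP\\asmith", 1426003600.0),
]


def demo():
    """Run the attribution over the constructed sample."""
    return attribute(SAMPLE)


if __name__ == "__main__":
    records = list(collect_notes(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    result = attribute(records)
    if result is None:
        print("no ransom notes found")
    else:
        for owner, info in sorted(result["by_owner"].items(), key=lambda kv: kv[1]["first_seen"]):
            print(f'{fmt(info["first_seen"])}  {info["count"]:4d} notes  {owner}')
        print(f'likely patient zero on this share: {result["suspect"]} (first note {fmt(result["first_seen"])})')
```

Run it as `python notes.py \\FS01\Finance` on the file server (or a mounted copy of the restored share before it is cleaned). Two caveats: the owner is an account, not a machine, so map it to a workstation with the domain controller's 4624 logon events or the file server's 5145 share-access events if object access auditing was on; and if the notes are owned by a domain admin, the credential itself was used from the infected client, which is exactly the case above where every password in the domain should be reset.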

SonicWall GAV has the signature, at least for CWv2. Likewise, there are measures for its IPS and Botnet filter/CFS. If it went through the SonicWall, and assuming it is not of a variant type, chances are there may be logging, especially if the client machine got it from a compromised site (the exploit kit had ransomware as part of its toolkit), or a phished email (with attachment), etc. But note there can be TOR traffic, which may give us some leads but is not able to attribute the source per se.
In general, I would say check the removable media, file share server, email and web traffic proxy (or whichever is supposed to be the sole perimeter entry/exit for all traffic; dongle-type devices, skip them unless they VPN).

Of course there are already many variants, including CWv3. Regardless, SonicWall has some "compromised site" entries (via drive-by download advertising campaigns), and those may be IoCs to check the web proxy or HTTP-aware FW log against.
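The post above says the firewall log is where the lead is likely to be, if the source machine and rough time are known. The script below is an added example, not code from this thread and not a SonicWall tool: it parses key=value syslog lines in the style SonicWall emits, keeps only the suspect workstation's outbound connections in the window before the first ransom note was written, and flags entries where the firewall's GAV/IPS/botnet/CFS features fired or where the destination is a default Tor relay port (9001/9030). The log lines are constructed, and the exact field names and message strings on a real unit may differ, so the parser is deliberately generic.

```python
# Added example (not from the thread): reduce a firewall log export to what one suspect
# workstation did in the minutes before the first HELP_DECRYPT note appeared.
import re
from datetime import datetime, timedelta

# key=value pairs, quoted values allowed (SonicWall-style syslog; assumed layout)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# substrings of msg= suggesting the firewall's own security features fired
ALERT_WORDS = ("anti-virus", "ips detection", "botnet", "cfs", "blocked", "prevented")
# default Tor ORPort/DirPort; a heuristic only, many relays listen on 443
TOR_PORTS = {"9001", "9030"}


def parse_line(line):
    """One key=value line to a dict; adds src_ip/src_port/dst_ip/dst_port and a parsed ts."""
    d = {k: v.strip('"') for k, v in KV.findall(line)}
    for key in ("src", "dst"):
        if key in d:
            parts = d[key].split(":")  # ip:port:interface
            d[key + "_ip"] = parts[0]
            d[key + "_port"] = parts[1] if len(parts) > 1 else ""
    if "time" in d:
        d["ts"] = datetime.strptime(d["time"][:19], "%Y-%m-%d %H:%M:%S")
    return d


def triage(lines, suspect_ip, first_note, window_minutes=30):
    """Suspect's outbound entries in [first_note - window, first_note], oldest first."""
    start = first_note - timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        d = parse_line(line)
        if d.get("src_ip") != suspect_ip or "ts" not in d:
            continue
        if not (start <= d["ts"] <= first_note):
            continue
        msg = d.get("msg", "")
        hits.append({
            "ts": d["ts"],
            "dst": d.get("dst_ip", ""),
            "port": d.get("dst_port", ""),
            "proto": d.get("proto", ""),
            "msg": msg,
            "alert": any(w in msg.lower() for w in ALERT_WORDS),
            "possible_tor": d.get("dst_port") in TOR_PORTS,
        })
    return sorted(hits, key=lambda h: h["ts"])


# Constructed sample log: field layout modelled on SonicWall syslog, all values made up.
SAMPLE_LOG = [
    'id=firewall time="2015-03-10 13:20:11 UTC" fw=203.0.113.2 pri=6 msg="Connection Opened" src=192.168.1.50:49100:X0 dst=198.51.100.10:80:X1 proto=tcp/http',
    'id=firewall time="2015-03-10 14:05:42 UTC" fw=203.0.113.2 pri=6 msg="Connection Opened" src=192.168.1.50:49182:X0 dst=198.51.100.23:443:X1 proto=tcp/https',
    'id=firewall time="2015-03-10 14:06:03 UTC" fw=203.0.113.2 pri=1 msg="Gateway Anti-Virus Alert: suspicious download blocked" src=192.168.1.50:49183:X0 dst=198.51.100.23:443:X1 proto=tcp/https',
    'id=firewall time="2015-03-10 14:08:17 UTC" fw=203.0.113.2 pri=6 msg="Connection Opened" src=192.168.1.50:49190:X0 dst=203.0.113.77:9001:X1 proto=tcp/9001',
    'id=firewall time="2015-03-10 14:09:00 UTC" fw=203.0.113.2 pri=6 msg="Connection Opened" src=192.168.1.77:50000:X0 dst=198.51.100.23:443:X1 proto=tcp/https',
    'id=firewall time="2015-03-10 14:45:00 UTC" fw=203.0.113.2 pri=6 msg="Connection Opened" src=192.168.1.50:49300:X0 dst=198.51.100.40:443:X1 proto=tcp/https',
]
SUSPECT_IP = "192.168.1.50"                        # from the share-owner lookup / DHCP lease
FIRST_NOTE = datetime(2015, 3, 10, 14, 30, 0)      # mtime of the earliest HELP_DECRYPT file


def demo():
    return triage(SAMPLE_LOG, SUSPECT_IP, FIRST_NOTE)


if __name__ == "__main__":
    for h in demo():
        tag = "ALERT" if h["alert"] else ("TOR?" if h["possible_tor"] else "")
        print(f'{h["ts"]:%H:%M:%S} {h["dst"]}:{h["port"]:<5} {h["proto"]:<10} {tag:5} {h["msg"]}')
```

Feed it the syslog export instead of SAMPLE_LOG (one line per entry), widen the window if the client sat idle after the drive-by, and treat the first destinations before the alert as the candidate landing page and exploit-kit hosts to check against the "compromised site" IoCs mentioned above. The Tor flag is only a hint; a GAV or IPS hit in the same window is the stronger evidence of how the payload arrived.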

Finding the HELP_DECRYPT files will show that an infection (worse: encryption) has occurred. In the case of a file opened and then infected, sure, whodunnit is nice if you need someone to blame, but thinking the question was where did it come from, this topic has really hit a little too close to home. The rate of infection of CWv3 is incredible, and numbers show clients (and their mapped/shared drives) were most likely victimized via the net (flash/darknet.ip2?) as opposed to the good old fashioned "your check is in the zip file". Without PCAP (Wireshark file) info (FIFO wiped the pertinent data) I have been struggling to find even a hint of a whodunnit. Traffic going out, but not the critter carrying the CWv3 payload.