Cryptowall infection!

We recently had a server on the network become infected with the Cryptowall virus. Luckily we have a pretty solid backup plan in place and were able to painlessly restore the server to a previous state without any issues. But how can we identify where the virus came from in the first place? We use a SonicWall firewall with the security suite that includes intrusion prevention, gateway anti-virus, and anti-spam. On top of that, all client workstations have AVG installed. I guess it's still possible that an infected email got past the firewall, but if it did, then how do I go about finding that email?

Have you heard of ClamAV?
If you haven't tried it then you should.  
It is free and free is good!

ClamAV is free open-source security software that can scan files, including email and email attachments, for these types of infections.
Preston Cooper, Database Administrator, commented:
Find the text file created by the virus (usually HELP_DECRYPT.txt) and click on properties.  Make note of the owner of the file and the time the file was modified.    This gives you which user caught the virus and when.
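
The owner-and-timestamp check described in the comment above, run across a whole share instead of one file at a time. This is an added example, not part of the original thread; `D:\Shares` is a placeholder path, and the `HELP_DECRYPT*` pattern assumes the note name mentioned above.

```powershell
# Added example: list ransom notes under a share and summarise who wrote them and when.
# $ShareRoot is a placeholder; point it at the affected data folder on the server.
param(
    [string]$ShareRoot   = 'D:\Shares',
    [string]$NotePattern = 'HELP_DECRYPT*'   # note name from the thread; other variants use other names
)

# Collect owner and timestamps for every matching note file.
$notes = @(Get-ChildItem -LiteralPath $ShareRoot -Recurse -File -Filter $NotePattern -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Reading the ACL can fail on locked-down folders; record that instead of stopping.
        $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { '<unreadable>' }
        [pscustomobject]@{
            Owner    = $owner
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            Path     = $_.FullName
        }
    })

if ($notes.Count -eq 0) {
    Write-Output "No files matching $NotePattern under $ShareRoot"
    return
}

# One row per account: the earliest note marks roughly when encryption started
# and which folder was hit first.
$notes | Group-Object Owner | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Modified)
    [pscustomobject]@{
        Owner     = $_.Name
        Notes     = $_.Count
        FirstNote = $sorted[0].Modified
        LastNote  = $sorted[-1].Modified
        FirstPath = $sorted[0].Path
    }
} | Sort-Object FirstNote | Format-Table -AutoSize
```

If the owner column shows `BUILTIN\Administrators` rather than a user name, the writing account may have held administrator rights on the server, and the timestamp is then the more useful lead for matching against firewall, proxy and mail logs.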

It is highly unlikely the server got infected. People don't work on servers, but rather on their PCs (unless of course the server was a remote desktop server).

So it is far more likely one or more of the connected PCs got infected, and as files on the LAN also get encrypted, the data on the server was encrypted too.

The most common way of getting infected by ransomware is through email attachments. Only allow your users to open attachments from trusted senders, and from whom they are expecting an attachment. Also only give the user rights to access folders they absolutely need. That way an infection can be better contained.

andreas, System Admin, commented:
Recently a lot of crypto-malware was pushed through vulnerable Flash plugins through web browsers, sometimes via HTTPS, so any intrusion detection couldn't see the traffic as bad. If the installed version is quite new, the client AVs also will not detect it.

You should check if all clients' browsers and all used browser plugins are up to date.
If you use HTML-aware mail clients you should check the mail software too, to see if any plugins and the software itself are up to date.

I'm also thinking the encrypted files on the server were encrypted by a client PC that has write access to the share that was affected.

If not just data shares were affected, it might be possible some infected client PC had a domain admin login before the password was logged and then used to access the server, either directly or via the c$ share.

In such a case you need to reset all passwords in the affected domain.
btan, Exec Consultant, commented:
SonicWall GAV has the signature, at least for CWv2. Likewise there are measures for its IPS and Botnet filter/CFS. If it went through the SonicWall, and assuming it is not of a variant type, chances are there may be logging, especially if the client machine got it from a compromised site (exploit kit had ransomware as part of its toolkit), or phished email (with attachment) etc. But note there can be TOR traffic, which may give us some leads but not be able to attribute the source per se.
In general, I will say check the removable media, file share server, email and web traffic proxy (or whichever is supposed to be the sole perimeter entry/exit for all traffic; for dongle types, skip them unless they VPN).

Of course there are already many variants including CWv3. Regardless, SonicWall has some "compromised site" (via drive-by download advertising campaign) entries, and those may be IoCs to check against the web proxy or HTTP-aware FW log.
Richard Wyatt commented:
Finding the Help_Decrypt files will show that an infection (worse: encryption) has occurred. In the case of a file opened and then infected, sure, who-dunnit is nice if you need someone to blame, but thinking the question was where did it come from, this topic has really hit a little too close to home. The rate of infection of CWv3 is incredible and numbers show clients (and their mapped/shared drives) were most likely victimized via the net (flash/darknet.ip2?) as opposed to the good old-fashioned "your check is in the zip file". Without PCAP (Wireshark file) info (FIFO wiped the pertinent data) I have been struggling to find even a hint of a whodunnit. Traffic going out, but not the critter carrying the CWv3 payload.