Cryptowall infection!

NytroZ asked:
We recently had a server on the network become infected with the Cryptowall virus. Luckily we have a pretty solid backup plan in place and were able to painlessly restore the server to a previous state without any issues. But how can we identify where the virus came from in the first place? We use a SonicWall firewall with the security suite that includes intrusion prevention, gateway antivirus, and anti-spam. On top of that, all client workstations have AVG installed. I guess it's still possible that an infected email got past the firewall, but if it did then how do I go about finding that email?

Have you heard of ClamAV?
If you haven't tried it then you should.
It is free, and free is good!

ClamAV is free open-source security software that can scan files, including email and email attachments, for these types of infections.
Database Administrator
Find the text file created by the virus (usually HELP_DECRYPT.txt) and open its Properties. Make note of the owner of the file and the time the file was modified. This gives you which user caught the virus and when.
Most Valuable Expert 2015

It is highly unlikely the server got infected. People don't work on servers, but rather on their PCs (unless of course the server was a remote desktop server).

So it is far more likely one or more of the connected PCs got infected, and as files on the LAN also get encrypted, the data on the server was encrypted too.

The most common way of getting infected by ransomware is through email attachments. Only allow your users to open attachments from trusted senders, and from whom they are expecting an attachment. Also only give the user rights to access folders they absolutely need. That way an infection can be better contained.

Top Expert 2014

Recently a lot of crypto-malware was pushed through vulnerable Flash plugins in web browsers, sometimes via HTTPS, so any intrusion detection couldn't see the traffic as bad. If the installed version is quite new, the client AVs also will not detect it.

You should check if all clients' browsers and all used browser plugins are up to date.
If you use HTML-aware mail clients you should check the mail software too, whether any plugins and the software itself are up to date.

I'm also thinking the encrypted files on the server were encrypted by a client PC that has write access to the share that was affected.

If not just data shares were affected, it is possible some infected client PC has had a domain admin login before, the password was logged and then used to access the server, either directly or via the C$ share.

In such a case you need to reset all passwords in the affected domain.
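The two answers above both turn on the same artefact: the HELP_DECRYPT note files carry an NTFS owner and a creation time, and the owner is the account on the client PC that wrote to the share. The following PowerShell script is an added example, not code from the original thread or from any of its posters; it sweeps a share for ransom notes and reports, per owning account, how many notes it left and the earliest one. The share path and the list of note filenames are assumptions to adjust for your environment.

```powershell
# Added example (not from the original thread): sweep a file share for
# CryptoWall ransom notes and report which account wrote them and when.
# The share path and note filenames are assumptions; HELP_DECRYPT.txt is
# the note name mentioned in the thread, the other two are assumed variants.
param(
    [string]$SharePath = '\\fileserver\data',   # assumed path, change to yours
    [string[]]$NoteNames = @('HELP_DECRYPT.txt', 'HELP_DECRYPT.html', 'HELP_DECRYPT.png')
)

# Collect every ransom note under the share together with its NTFS owner
# and UTC timestamps. Access errors on folders we cannot read are skipped.
$notes = Get-ChildItem -Path $SharePath -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $NoteNames -contains $_.Name } |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Owner    = $acl.Owner            # DOMAIN\user whose session created the note
            Created  = $_.CreationTimeUtc
            Modified = $_.LastWriteTimeUtc
        }
    }

if (-not $notes) {
    Write-Host "No ransom notes found under $SharePath"
    return
}

# One line per owning account: note count, and the earliest note it dropped.
# The account with the earliest note is the first place to look for the client.
$notes |
    Group-Object Owner |
    ForEach-Object {
        $first = $_.Group | Sort-Object Created | Select-Object -First 1
        [pscustomobject]@{
            Owner        = $_.Name
            NoteCount    = $_.Count
            FirstNoteUtc = $first.Created
            FirstPath    = $first.Path
        }
    } |
    Sort-Object FirstNoteUtc |
    Format-Table -AutoSize
```

One caveat when reading the output: if the owner column shows the local Administrators group rather than a user, the writing account was a local administrator on the client, which lines up with the domain-admin scenario described in the post above and is a reason to reset passwords rather than just reimage one workstation.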
btan, Exec Consultant
Distinguished Expert 2018

SonicWall GAV has the signature, at least for CWv2. Likewise there are measures for its IPS and Botnet filter/CFS. If it went through the SonicWall, and assuming it is not a variant type, chances are there may be logging, especially if the client machine got it from a compromised site (exploit kits had ransomware as part of their toolkit), or a phished email (with attachment), etc. But note there can be TOR traffic, which may give us some leads but is not able to attribute the source per se.
In general, I will say check the removable media, file share server, email and web traffic proxy (or whichever is supposed to be the sole perimeter entry/exit for all traffic; dongle types, skip them unless they VPN).

Of course there are already many variants including CWv3 ... regardless, SonicWall has some "compromised site" signatures (via drive-by download advertising campaigns) and those may be IoCs to check in the web proxy or HTTP-aware FW log.
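To act on the answer above you need to line the firewall's GAV/IPS/Botnet events up against the time the ransom notes first appeared. The PowerShell below is an added example, not code from the original thread or from SonicWall; it parses exported syslog lines in the key=value layout SonicWall uses, keeps only security-suite hits in the window leading up to the first note, and reports which internal host each hit points at. The sample log lines are constructed, the interface suffix `:X0` standing for the LAN side is an assumption about this firewall's interface naming, and `Find-InfectionLeads` and `Get-LogTime` are helper names chosen here.

```powershell
# Added example, not from the original thread: correlate the time the ransom
# notes first appeared with SonicWall GAV / IPS / Botnet-filter syslog events
# and report the internal host each hit points at. The log lines below are
# constructed sample data, and the ":X0" LAN-interface suffix is an assumption.
$sampleLog = @'
id=firewall sn=0017C5EXAMPLE time="2015-06-01 09:41:12 UTC" fw=203.0.113.5 pri=6 c=262144 m=97 msg="Web site access allowed" src=10.0.0.23:51402:X0 dst=198.51.100.7:443:X1
id=firewall sn=0017C5EXAMPLE time="2015-06-01 09:42:05 UTC" fw=203.0.113.5 pri=1 c=16 m=1103 msg="Gateway Anti-Virus Alert: Cryptowall.A (Trojan) blocked" src=198.51.100.7:80:X1 dst=10.0.0.23:51410:X0
id=firewall sn=0017C5EXAMPLE time="2015-06-01 09:43:30 UTC" fw=203.0.113.5 pri=1 c=32 m=608 msg="IPS Detection Alert: Exploit Kit landing page" src=198.51.100.9:80:X1 dst=10.0.0.23:51420:X0
id=firewall sn=0017C5EXAMPLE time="2015-06-01 09:50:00 UTC" fw=203.0.113.5 pri=6 c=262144 m=97 msg="Web site access allowed" src=10.0.0.41:49100:X0 dst=192.0.2.10:443:X1
'@

function ConvertFrom-SonicWallLine {
    param([string]$Line)
    # Each field is key=value; values may be double-quoted and contain spaces.
    $fields = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)=("([^"]*)"|\S+)')) {
        $fields[$m.Groups[1].Value] = if ($m.Groups[3].Success) { $m.Groups[3].Value } else { $m.Groups[2].Value }
    }
    return $fields
}

function Get-LogTime {
    param([string]$Stamp)
    # Stamps look like "2015-06-01 09:42:05 UTC": drop the zone suffix and parse.
    [datetime]::ParseExact(($Stamp -replace '\s+UTC$', ''), 'yyyy-MM-dd HH:mm:ss',
        [cultureinfo]::InvariantCulture)
}

function Find-InfectionLeads {
    param(
        [string[]]$Lines,
        [datetime]$FirstNoteTime,                    # CreationTime of the earliest HELP_DECRYPT file
        [timespan]$LookBack = (New-TimeSpan -Hours 2)
    )
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $f = ConvertFrom-SonicWallLine $line
        if (-not $f.ContainsKey('time')) { continue }
        $t = Get-LogTime $f.time
        # Keep only security-suite hits in the window leading up to the encryption.
        if ($t -lt ($FirstNoteTime - $LookBack) -or $t -gt $FirstNoteTime) { continue }
        if ($f.msg -notmatch 'Anti-Virus|IPS|Botnet') { continue }
        # The LAN side is whichever endpoint sits on interface X0 (assumption).
        $endpoints = @($f.src, $f.dst)
        $inside  = $endpoints | Where-Object { $_ -match ':X0$' }    | Select-Object -First 1
        $outside = $endpoints | Where-Object { $_ -notmatch ':X0$' } | Select-Object -First 1
        [pscustomobject]@{
            Time         = $t
            InternalHost = ($inside -split ':')[0]
            Remote       = ($outside -split ':')[0]
            Message      = $f.msg
        }
    }
}

# Constructed: in practice take this from the CreationTime of the first note.
$firstNote = Get-LogTime '2015-06-01 09:55:00 UTC'
Find-InfectionLeads -Lines ($sampleLog -split "`r?`n") -FirstNoteTime $firstNote |
    Sort-Object Time | Format-Table -AutoSize
```

With the sample data this yields two rows, both pointing at 10.0.0.23 shortly before the first note. Map that address back through the DHCP lease or AD computer record for the same time and compare it with the account that owns the ransom notes; if the two agree you have the client, and the remote addresses in those rows are the IoCs to search the proxy log for.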
Finding the Help_Decrypt files will show that an infection (worse: encryption) has occurred. In the case of a file opened and then infected, sure, whodunnit is nice if you need someone to blame, but thinking the question was where did it come from, this topic has really hit a little too close to home. The rate of infection of CWv3 is incredible and numbers show clients (and their mapped/shared drives) were most likely victimized via the net (flash/darknet.ip2?) as opposed to the good old fashioned "your check is in the zip file". Without PCAP (Wireshark file) info (FIFO wiped the pertinent data) I have been struggling to find even a hint of a whodunnit. Traffic going out, but not the critter carrying the CWv3 payload.
