Cryptowall attack today. How to determine source

Our domain was attacked by the CryptoWall ransomware today. It encrypted all .pdf and .doc files on the shared network drive. Fortunately, we have backups, so we can recover all that. After examining all workstations I found one with the HELP_DECRYPT* files all over. The others were clean. I'm in the process of cleaning up that workstation.

The big question is how this got into our system. Web posts say the malware comes from opening a zip attachment with a fake .pdf inside that is really an .exe (e.g. http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#CryptoWall). Our domain mail server is Linux running Sendmail with spamassassin and clamav milters. I also have a bcc-milter that keeps a copy of every email coming in or going out. After examining the past month's worth of email I find no such attachments.

Where else can I look?

My question is much the same as http://www.experts-exchange.com/questions/28696126/Cryptowall-infection.html, whose author experienced the same problem very recently -- probably the same broad attack. andreas wrote in that question:
Recently a lot of crypto-malware was pushed through vulnerable Flash plugins through web browsers, sometimes via HTTPS, so any intrusion detection couldn't see the traffic as bad. If the installed version is quite new, the client AVs also will not detect it.

You should check if all clients' browsers and all used browser plugins are up to date.
If you use HTML-aware mail clients, you should check the mail software too, whether any plugins and the software itself are up to date.

I'm also thinking the encrypted files on the server were encrypted by a client PC that has write access to the share that was affected.

If not just data shares were affected, it is possible some infected client PC has had a domain admin login before, the password was logged and then used to access the server, either directly or via the C$ share.

In such a case you need to reset all passwords in the affected domain.

Am I correctly understanding from this that older Adobe Flash programs could be the culprit? Other possibilities?
jmarkfoley asked:
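One way to check the bcc-milter archive for the pattern the question describes (a zip attachment whose "PDF" is really an .exe), as an added example that is not the poster's own tooling: it unpacks each zip attachment in memory and flags members whose real extension is executable. The mbox path, addresses and messages in run_demo are constructed for the demo; a real run would point scan_mbox at the milter's mbox file.

```python
import io, mailbox, os, tempfile, zipfile, email.message, email.policy
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd")  # the real type behind "invoice.pdf.exe"

def suspicious_members(zip_bytes):
    """Names inside a zip attachment that end in an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []

def scan_message(msg):
    """Return (attachment name, inner file) pairs worth a closer look."""
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if fname.endswith(EXEC_EXT):
            findings.append((fname, None))  # bare executable attachment
        elif fname.endswith(".zip") or data[:2] == b"PK":  # zip by name or by magic bytes
            findings += [(fname, m) for m in suspicious_members(data)]
    return findings

def scan_mbox(path):
    """Walk an mbox archive; return [(subject, findings)] for flagged messages only."""
    box, flagged = mailbox.mbox(path), []
    for key in box.keys():
        with box.get_file(key) as f:  # parse with the modern policy so iter_attachments() exists
            msg = email.message_from_binary_file(f, policy=email.policy.default)
        hits = scan_message(msg)
        if hits:
            flagged.append((str(msg["Subject"]), hits))
    box.close()
    return flagged

def run_demo():
    """Write a constructed two-message mbox (benign zip, fake-PDF name) to a temp dir, then scan it."""
    path = os.path.join(tempfile.mkdtemp(), "bcc.mbox")
    box = mailbox.mbox(path)
    for subject, inner in (("Q2 report", "report.pdf"), ("Invoice 4471", "invoice.pdf.exe")):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner, "constructed sample text, not a real payload")
        msg = email.message.EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", subject
        msg.set_content("Please see attached.")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=inner.split(".")[0] + ".zip")
        box.add(msg)
    box.close()
    return scan_mbox(path)
```

Bare executables and zips are only the pattern named in the thread; a clean archive does not rule out the browser route the answers go on to discuss.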
btan (Exec Consultant) commented:
Looks like a CryptoWall indicator of compromise then. As of its v3, it is more or less getting smarter and more defensive. Cisco's blog (and likewise other researchers') stated the exploit kit actually carries CWv3 (or ransomware) as the payload after the exploit breaks the unpatched machine and apps, like the recent case of the HT leaks on Adobe and MS CVEs published in the open. Patching is slow and those kits leverage this window of exposure to penetrate into the system and inner infrastructure if the targeted victims come in.

Common exploit is really the web browser or via phished email (with link etc.). The mapped shares are possible when they started lateral penetration, but I do think another is removable media too, which is why I advised that all removable media connected to the infected machine be scanned and, best, reformatted, with content retrieved from backup instead.

I have an EE article on phished email symptoms and target schemes if you have the interest:
http://www.experts-exchange.com/articles/17548/Stop-Think-Decide-THEN-Click.html
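Added example, not from the thread: the share-side counterpart to checking each workstation. The HELP_DECRYPT* notes on the network drive were written by the infected client's account, so grouping the notes by file owner and time points at the source machine and bounds when encryption started (useful for narrowing the mail and browser history search). This assumes the share is served from a Linux/Samba host, where st_uid is the SMB user that created the file; SAMPLE_ENTRIES are constructed.

```python
import os, time
from collections import defaultdict
try:
    import pwd  # Unix only: maps the stat() uid back to the Samba/Unix account name
except ImportError:
    pwd = None

def collect_notes(share_root):
    """Walk the share and return (path, uid, mtime) for every ransom note.
    Assumes a Linux/Samba share, where st_uid is the account that wrote the file."""
    found = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            if name.upper().startswith("HELP_DECRYPT"):  # HELP_DECRYPT.TXT/.PNG/.HTML/.URL
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                found.append((full, st.st_uid, st.st_mtime))
    return found

def attribute(entries):
    """Group notes by writing uid: how many, where, and the time window they span."""
    by_uid = defaultdict(list)
    for path, uid, mtime in entries:
        by_uid[uid].append((mtime, path))
    summary = {}
    for uid, items in by_uid.items():
        items.sort()
        summary[uid] = {"count": len(items),
                        "first": items[0][0], "last": items[-1][0],
                        "dirs": sorted({os.path.dirname(p) for _, p in items})}
    return summary

def uid_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name if pwd else str(uid)
    except KeyError:
        return str(uid)

def report(share_root):
    """Print a per-account summary; the earliest 'first' time bounds when encryption began."""
    for uid, s in sorted(attribute(collect_notes(share_root)).items(), key=lambda kv: kv[1]["first"]):
        print(f"{uid_name(uid)}: {s['count']} notes in {len(s['dirs'])} dirs, "
              f"{time.ctime(s['first'])} .. {time.ctime(s['last'])}")

SAMPLE_ENTRIES = [  # constructed: one account (uid 1001) wrote every note within about 20 minutes
    ("/srv/share/finance/HELP_DECRYPT.TXT", 1001, 1438005000.0),
    ("/srv/share/finance/HELP_DECRYPT.PNG", 1001, 1438005001.0),
    ("/srv/share/hr/HELP_DECRYPT.HTML", 1001, 1438005900.0),
    ("/srv/share/hr/HELP_DECRYPT.URL", 1001, 1438006100.0)]
```

If more than one uid appears, or the first note predates the suspect workstation's session, there is a second writer to find.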
jmarkfoley (Author) commented:
Thanks for the info. Fortunately, we had daily backups plus an every-20-minute backup on the network drive so we recovered all 2.5TB except for a few files modified after the last 20-minute backup. We use Acronis True Image on the workstations, so I was able to restore the culprit workstation to the previous day's close-of-business state. This all took time and checking each person's workstation one-by-one to make sure they weren't affected took time, so the office lost 1/2 day of productivity.

After examining the targeted workstation I determined that the user had spent the morning surfing all over the Internet, mainly shopping sites, but also Twitter, Facebook and so on. 900+ URLs in the history in 4 hours. Obviously with all that activity they happened upon a bad site, probably via a Flash file. Somebody is going to get a lecture on what not to do on company time. Flash has been removed from all office workstations.
btan (Exec Consultant) commented:
Thanks for sharing. In fact, the US-CERT top 30 commonly exploited vulnerabilities include Adobe Flash. Recent hacks on security companies also revealed "zero-day" (no AV signature before the "leak") vulnerabilities, inclusive of (again) Adobe Flash. Malvertising is one bad scheme embedded into those compromised sites. Google Chrome has recently also announced its Safe Browsing will show a warning when you come across such a site. Others have similar schemes. Regardless, user awareness is lacking; some good info is in "Handling Destructive Malware". Besides these, there is a list of tips that can be handy as part of user preaching, e.g. Avoiding the Pitfalls of Online Trading and Staying Safe on Social Networking Sites.

Moving forward, we cannot stop them surfing totally unless via a total lockdown via web proxy etc.; application lockdown using AppLocker (or even the CryptoPrevent tool) can help as much to reduce the attack surface. Users still need to be cyber-wellness savvy and surf safely, always!
jmarkfoley (Author) commented:
Thanks for comments. Good links!
btan (Exec Consultant) commented:
Thanks for the appreciation again; hope my other EE link is useful too :)