Our domain was attacked by the CryptoWall ransomware today. It encrypted all .pdf and .doc files on the shared network drive. Fortunately, we have backups, so we can recover all that. After examining all workstations I found one with the HELP_DECRYPT* files all over. The others were clean. I'm in the process of cleaning up that workstation.
The big question is how this got into our system. Web posts say the malware comes from opening a zip attachment with a fake .pdf inside that is really an .exe (e.g. http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#CryptoWall). Our domain mail server is Linux running Sendmail with spamassassin and clamav milters. I also have a bcc-milter that keeps a copy of every email coming in or going out. After examining the past month's worth of email I find no such attachments.
Where else can I look?
My question is much the same as http://www.experts-exchange.com/questions/28696126/Cryptowall-infection.html, whose author experienced the same problem very recently -- probably the same broad attack. andreas wrote in that question,
Recently a lot of crypto-malware was pushed through vulnerable Flash plugins through web browsers, sometimes via HTTPS so any intrusion detection couldn't see the traffic as bad. If the installed version is quite new the client AVs also will not detect it.
You should check if all clients' browsers and all used browser plugins are up to date.
If you use HTML-aware mail clients you should check the mail software too, if any plugins and the software itself are up to date.
I'm also thinking the encrypted files on the server were encrypted by a client PC that has write access to the share that was affected.
If not just data shares were affected, it might be possible some infected client PC had a domain admin login, and the password was logged and then used to access the server, either directly or via the c$ share.
In such a case you need to reset all passwords in the affected domain.
Am I correctly understanding from this that older Adobe Flash plugins could be the culprit? Other possibilities?
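Since the question is whether the lure described above (a zip carrying an .exe dressed up as a .pdf) ever passed through the mail server, here is an added example, not part of the original question or of any of the tools it names, of how to check a mail archive for it mechanically rather than by eye. It assumes the bcc-milter copies are kept in mbox format (the question does not say), looks inside every attachment by content rather than by declared MIME type or filename, and flags zip members with an executable extension (with a document extension before it as the strongest signal) as well as bare PE executables attached directly. The sample message it builds is constructed for the demonstration; the addresses and filenames in it are made up.

```python
"""Scan an mbox of archived mail for zip attachments that hide an executable
behind a document name (e.g. invoice.pdf.exe), the lure used by CryptoWall.

Added example; assumes an mbox archive and uses only the standard library.
"""
import io
import mailbox
import os
import tempfile
import zipfile
from email.message import EmailMessage

# Extensions Windows will run when double-clicked (assumed list, extend as needed).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Document extensions used as the "disguise" in double-extension names.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def suspicious_member(name):
    """Return a reason if a zip member name looks like a disguised executable, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXEC_EXT:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXT:
        return "double extension %s" % base
    return "executable %s" % base


def scan_zip(data):
    """Return reasons for suspicious members in zip bytes; [] if clean or not a zip."""
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["unreadable zip"]
    return [r for r in (suspicious_member(n) for n in names) if r]


def scan_message(msg):
    """Yield (attachment filename, reason) for each suspicious part of a message."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        fname = part.get_filename() or "(unnamed)"
        # Decide on bytes, not on the declared Content-Type: lures arrive as
        # application/octet-stream or with a misleading type.
        if payload.startswith(PE_MAGIC):
            yield fname, "PE executable attached directly"
        for reason in scan_zip(payload):
            yield fname, reason


def scan_mbox(path):
    """Return (Message-ID, From, attachment filename, reason) for every hit in an mbox."""
    findings = []
    mb = mailbox.mbox(path)
    try:
        for msg in mb:
            for fname, reason in scan_message(msg):
                findings.append((msg.get("Message-ID"), msg.get("From"), fname, reason))
    finally:
        mb.close()
    return findings


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed lure: a 'scanned invoice' zip whose member is invoice.pdf.exe, plus a clean zip."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # made-up addresses
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Invoice 20150720"
    msg["Message-ID"] = "<sample-1@example.invalid>"
    msg.set_content("Please see the attached invoice.")
    lure = make_zip({"invoice.pdf.exe": PE_MAGIC + b"\0" * 64})
    msg.add_attachment(lure, maintype="application", subtype="octet-stream", filename="invoice.zip")
    clean = make_zip({"report.pdf": b"%PDF-1.4 constructed sample"})
    msg.add_attachment(clean, maintype="application", subtype="zip", filename="report.zip")
    return msg


def demo():
    """Write the constructed sample into a temporary mbox and scan it as an archive would be."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.mbox")
        with open(path, "wb") as f:
            f.write(b"From billing@example.invalid Mon Jul 20 09:00:00 2015\n")
            f.write(build_sample_message().as_bytes())
            f.write(b"\n")
        return scan_mbox(path)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against the real archive with `scan_mbox("/path/to/bcc-copies.mbox")`; a hit list that is empty over the relevant period supports the conclusion that the lure did not arrive by mail, while the browser-plugin route andreas describes leaves no trace here at all and has to be checked on the workstations themselves.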