Cryptowall Unusual Dissapearance

Strange case
We received a phone call about a client getting infected with some variant of Cryptowall 3.0
We have seen them before and have good backup. We are able to tell by HTML file it creates who downloaded the virus and what time.
We can tell by web monitoring product in GFI what website did that. We know what PC user was using. Local AV did not see anything. However virus got to some files on server and then disappeared within an hour (infection activity stopped)
Biggest headache is we can't find the actual virus on the desktop. Malewarebytes found c400.tmp file in c:\users%usernmae%\appdata\local\temp\low\ (virus came via IE)
But that's it. No EXE, nothing. User says that he did not see any ransom Pop Up. Infections have stopped. We checked for random exe on that PC
We checked every other PC in that office, this user did not logon to any of them. So this is the PC.
Question is what killed the virus? I have seen Crypto before and it always used random .exe
Is the virus killed? Can it be dormant? Can the virus be executed via website without exe being installed on the PC?
LVL 1
mavrukinAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NinjaStyle82Systems AdministratorCommented:
I would definitely reimage the computer regardless for good measure. You checked the log on AV and found nothing about it being cleaned or quarantined? What about on a file server that might be hosting the user's data/home drive/ profile?
mavrukinAuthor Commented:
checked log file on AV, nothing. This is Viper with GFI, not sure how good their log file is and not even sure if viper catches anything. We need to verify that virus came from this PC.
NinjaStyle82Systems AdministratorCommented:
Any roaming profile or folder redirection on this user?
SD-WAN: Making It Work for You

As bandwidth requirements and Internet costs grow, businesses naturally want to manage budgets by reducing reliance on their most expensive connection types. Learn more about how to make SD-WAN work for your business in our on-demand webinar!

btanExec ConsultantCommented:
The .tmp is likely a dropper and will call to get the actual payload if required. The key is that .tmp is just a carrier and you can try to even upload it to VirusTotal to scan it for malicious activities, if surfaced any from the VT services. The compromised site is just another waterholed site to exploit your browser so do rebuild your machine since it cannot be trusted. Any files encrypted will not be recoverable, has to get from backup. But do note malware can simply run in memory after first loading to stay "fileless" and tamper registry to stay persistent...where poss...or dumped to file mapped share from the machine - so do check those as well

Would it be in quarantine folder (hidden) as well due to suspicious finding from the AV. Regardless, the malware as of now has self defences too such that it checks the environment before it starts to conduct the full loading activities. Like in recent findings stated anti-VM check to prevent running in virtual environment, or even detect specific AV presence too... and specific to CW3, it is shared also possibly can
cycle between all running processes trying to find out if its own process name is “perl.exe” or “python.exe”. If the check indicates that the parent process name is “perl.exe” or “python.exe”, then the program runs the following endless loop and never runs the Cryptowall 3.0 code
http://blogs.cisco.com/security/talos/cryptowall-3-0

Likewise, you can try listwall (even though it is variant) which will search for the registry key that contains the encrypted files and then export them to the ListCwall.txt file on your desktop.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#discover
rindiCommented:
Modern versions of ransomware automatically remove themselves from the PC that was infected after all files are encrypted and the ransom note has appeared.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
In fact, the latest CW variant or similar "copycat" is known as TeslaCrypt 2.0 - it also used the same CW v3 txt and HTML
Kaspersky Lab has detected curious behavior in a new threat from the TeslaCrypt ransomware encryptor family. In version 2.0 of the Trojan notorious for infecting computer gamers, it displays an HTML page in the web browser which is an exact copy of CryptoWall 3.0, another ransomware program.

Programs from TeslaCrypt malware family were observed to propagate via the Angler, Sweet Orange and Nuclear exploit kits. Under this malware propagation mechanism, the victim visits an infected web site and the exploit’s malicious code uses browser vulnerabilities, most typically in plugins, to install the dedicated malware on the target computer.

Early samples of TeslaCrypt were detected in February 2015 and the new ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types of target files, it tries to infect typical gaming files: game saves, user profiles, recoded replays etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB
Regardless, as sum up,
- In most cases, once the files are encrypted, and CW launches its document (those DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML for example), it will remove the infection files from your computer as they are no longer necessary.
- Importantly, this also delete the private key used to encrypt your original version of plain (unencrypted) files.
- Not forgetting to make it harder for recovery, CW also remove, after encryption your plain files to make it sometimes impossible to use data recovery tools to restore the original plain files from shadow copies. It simply attempts to delete all of the Shadow Volume Copies that are on the infected computer. This applies likely also for newer variants of CW when you first start any executable on your computer after becoming infected. But, the infection is not 100% always sure to be able to remove the shadow copies, so you should continue to try restoring your files using this method.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.