CryptoWall 3.0 - best practices? We got hit 2x in 2 days

I've heard of CryptoWall for a while now, but never dealt with it till yesterday.

A user said they opened a resume they got in email.  'I know I shouldn't, but I did anyway... sorry'.

So his machine was loaded with loads of help_decrypt files.  As were the folders he had mapped on the server.

I knew of CryptoPrevent, which blocked things from running in (what's that folder?) c:\users\username\appdata.

I thought that wasn't a really good fix - that the next version of that stuff would run from another location.

On this laptop, there was a random named file in a random named folder.

I thought I cleaned the machine - hitmanpro, superantispyware and malwarebytes all said it was clean.  I checked scheduled tasks and autoruns.

Gave the user the PC back at noon.  Looking on the server / his machine tonight...  there are loads of help_decrypt files on his machine and the server with this afternoon's time stamps :(

So at this point, I'll wipe his machine rather than try to clean it?

I realized we didn't have OpenDNS set as the SBS server's forwarders.  Think that would help?
I'm amazed how quick the files get encrypted.  Is the infected machine loading the files from the server across the LAN to encrypt them?  That'd be a lot of traffic.

It's taking me hours to restore the files from a USB 2 backup drive.  Gotta get a USB 3 card for the server!

Oh, the PC has Vipre antivirus... didn't say anything about being infected, let alone keeping the malware from running.

On VirusTotal as of this AM, only about 1/2 of the engines say it's malware :(   Seems there's got to be a better way.

Is there something I should be doing / some way to monitor for loads of files being accessed by 1 PC in a short period of time and clamp down on it?

Seems too easy for this ransomware to do its work.
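The asker's last question (spotting one PC touching a large number of files on the share in a short window, plus the tell-tale help_decrypt files) can be answered with a small detector run over file-server access logs. The following is an added example, not code from the thread or from any product the thread mentions; the log format it parses (ISO timestamp, client host, action, UNC path) is a constructed, simplified one, and the sample lines are generated inline, so adapt the parse step to your own server's audit output before using it.

```python
"""Flag a single client modifying an unusual number of files on a share in a short window.

Added example for this thread, not the asker's or any vendor's code. The log layout
is constructed: "<ISO timestamp> <client> <ACTION> <path>" per line. Real file-server
audit records differ, so parse_log() is the part to replace for production use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    client: str
    action: str
    path: str


# Constructed log line format; actions other than these are ignored.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(WRITE|RENAME|DELETE|READ)\s+(.+)$")

# Ransom-note file name mentioned in the thread; a write of one is an alert on its own.
RANSOM_NOTE_RE = re.compile(r"help_decrypt", re.IGNORECASE)

Alert = Tuple[str, str, datetime, str]  # (kind, client, when, detail)


def parse_log(text: str) -> List[Event]:
    """Turn raw log text into Event records, skipping blank or malformed lines."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a monitor should tolerate junk lines rather than stop
        ts, client, action, path = m.groups()
        events.append(Event(datetime.fromisoformat(ts), client, action, path))
    return events


def detect(events: List[Event], window: timedelta = timedelta(seconds=60),
           threshold: int = 20) -> List[Alert]:
    """Sliding-window count of modifying actions per client, plus ransom-note writes.

    A client is reported once when it reaches `threshold` WRITE/RENAME/DELETE
    events within `window`; normal interactive saving stays far below that.
    """
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if RANSOM_NOTE_RE.search(ev.path):
            alerts.append(("ransom_note", ev.client, ev.ts, ev.path))
        if ev.action not in ("WRITE", "RENAME", "DELETE"):
            continue
        q = recent[ev.client]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev.client not in flagged:
            flagged.add(ev.client)
            alerts.append(("burst", ev.client, ev.ts,
                           f"{len(q)} modifications in {window.seconds}s"))
    return alerts


def build_sample_log() -> str:
    """Constructed sample: one normal workstation and one behaving like the infected laptop."""
    base = datetime(2015, 6, 10, 13, 0, 0)
    lines = []
    # Normal: a user saves three documents over several minutes.
    for i, name in enumerate(["memo.docx", "budget.xlsx", "notes.txt"]):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} WS-FRONT01 WRITE "
                     f"\\\\SBS\\Shared\\Office\\{name}")
    # Suspicious: another workstation rewrites 25 files in 25 seconds, then drops a note.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} WS-ACCT01 WRITE "
                     f"\\\\SBS\\Shared\\Finance\\file{i:02d}.xlsx")
    lines.append(f"{(base + timedelta(seconds=26)).isoformat()} WS-ACCT01 WRITE "
                 f"\\\\SBS\\Shared\\Finance\\HELP_DECRYPT.TXT")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, client, when, detail in detect(parse_log(build_sample_log())):
        print(f"{when.isoformat()} {kind:12s} {client}: {detail}")
```

The burst alert fires at the 20th modification, well before the encryption run finishes, which is the point at which a response (disabling the user's share access or the workstation's network port) limits the damage; the threshold and window are starting values to tune against a day of your own server's normal traffic.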
SOLUTION
Russ Suter
This solution is only available to members.
BeGentleWithMe-INeedHelp (ASKER)

Would you bother trying to clean this computer? The fact that the ransomware came back, I'm not sure if I missed something, or he ran the attachment again, or there was a scheduled task I missed. Of course nuking it is the best bet; it's just so much more labor-intensive.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.