CryptoWall 3.0 - best practices? We got hit 2x in 2 days

I've heard of CryptoWall for a while now, but never dealt with it till yesterday.

A user said they opened a resume they got in email.  'I know I shouldn't, but I did anyway... sorry'.

So his machine was loaded with loads of help_decrypt files.  As were the folders he had mapped on the server.

I knew of cryptoprevent which blocked things from running in what's that folder - c:\users\username\appdata?

I thought that wasn't a really good fix - that the next version of that stuff would run from another location.

On this laptop, there was a random named file in a random named folder.

I thought I cleaned the machine - hitmanpro, superantispyware and malwarebytes all said it was clean.  I checked scheduled tasks and autoruns.

Gave the user the PC back at noon.  Looking on the server / his machine tonight...  there's loads of help_decrypt files on his machine and server with this afternoon time stamps : (

So at this point, I'll wipe his machine rather than try to clean it?

I realized we didn't have opendns set as the sbs server's forwarders.  Think that woudl help?
I'm amazed how quick the files get encrypted.  Is the infected machine loading the files from the server across the LAN to encrypt them?  That'd be a lot of traffic.

It's taking me hours to restore the files from a USB 2 backup drive.  Gotta get a USB 3 card for the server!

Oh, the PC has Vipre antivirus... didn't say anything about being infected, let alone keeping the malware from running.

Virustotal as of this AM, only about 1/2 of the engines say it's malware : (   seems there's got to be a better way.

Is there something I shoudl be doing / some way to monitor for loads of files being accessed by 1 PC in a short period of time and clamp down on it?

Seems too easy for this ransomware to do its work.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Russ SuterSenior Software DeveloperCommented:
Set up your mail server to block any emails with executable attachments. That takes care of most of it right there.

You can prevent the server's files from getting encrypted by not using mapped network drives. Use a shortcut instead. Ransomware can traverse mapped network drives but not shortcuts.

Other than that, user education is the best bet. Sorry your user was such an idiot.
BeGentleWithMe-INeedHelpAuthor Commented:
Would you bother trying to clean this computer the fact that the ransomware came back I'm not sure if I missed something or he ran the attachment again or there was a scheduled task I missed. of course nuking it is the best bet It's just so much more labor-intensive
Thomas Zucker-ScharffSolution GuideCommented:
The newer versions of the crypto trojans  don't need to have the network shares mapped.  They will encrypt any share whether mapped or not.

See this article:

http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
NVITEnd-user supportCommented:
As Thomas' article mentions, consider setting up your GPOs. Or installing CryptoPrevent. They have a free version. Still, the paid one is very reasonable
McKnifeCommented:
In short: cleaning with Antivirus is not decrypting any files, so it does not solve the problem.
CryptoPrevent uses built-in mechanisms, you shouldnt have to pay for unless you don't understand how to use them. Best would be to use a whitelist with all applications listed that users should be allowed to run, so that new crypto trojans will not run, no matter what path they use.
So get familiar with the concept of application whitelisting - it means a lot of administrative work, but is the best counter measure against whatever malware there is.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.