Ransom Virus

Hi All,

We have a ransom virus, which encrypts network shares and then deletes itself.

We have McAfee ePolicy Orchestrator and antivirus deployed on every machine; unfortunately this does not detect it, and it has the latest DAT file.

Please can someone help me! What can I do?

Thank you in advance,
Kelly Garcia (Senior Systems Administrator) asked:

William Fulks (Systems Analyst & Webmaster) commented:
Take each infected PC offline and then run another antivirus scan. Maybe try a different program or use something like Malwarebytes. Also check your servers.

Do you have any more info like what the virus name is, what AV you use, etc?

Unfortunately, ransomware usually comes through someone's personal email.
It will then reside in the temp directory and attack all shares the user has access to.
You might be able to determine who it is by looking to see whose personal directory/home folder is encrypted.
Pull that computer off and start restoring directories.
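The triage step above (find whose files on the share were rewritten, so you know which workstation to pull) can be scripted. This is an added example, not code from the thread; the share path and the time window are assumptions to adjust for your environment, and everything else is standard PowerShell run from an admin workstation with read access to the share.

```powershell
# Added triage example: rank the NTFS owners of files written on a share
# within a recent window. The account that rewrote the most files is the
# likely infected user, and the matching home folder confirms it.
param(
    [string]$SharePath = '\\FILESERVER\Data',   # assumed share path, change to yours
    [int]$HoursBack    = 6                       # assumed window: files written in the last N hours
)

$cutoff = (Get-Date).AddHours(-$HoursBack)

# Every file on the share written after the cutoff (access errors are skipped).
$recent = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff }

# Resolve the owner of each recently written file. A file replaced by the
# ransomware process is normally owned by the account that process ran under.
$byOwner = $recent | ForEach-Object {
    $owner = 'UNKNOWN'
    try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
    [pscustomobject]@{
        Owner     = $owner
        Extension = $_.Extension.ToLower()
        Path      = $_.FullName
        Written   = $_.LastWriteTime
    }
}

Write-Host "Files written since $cutoff, by owner:"
$byOwner | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# A new extension that suddenly appears in large numbers is another sign of
# encrypted/renamed files; show the most common extensions in the window.
Write-Host "Most common extensions in the window:"
$byOwner | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Keep the full list for the incident record and for scoping the restore.
$byOwner | Sort-Object Written |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'share-triage.csv')
```

Run it against each affected share; the owner ranking tells you which user's machine to isolate first, and the CSV gives the list of paths to restore from backup.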
Ugo Mena commented:
Totally depends on the type of Ransomware you are infected with, but this site is worth a try:

Milpitas, Calif. based FireEye and Fox-IT in the Netherlands — launched decryptcryptolocker.com, a site that victims can use to recover their files. Victims need to provide an email address and upload just one of the encrypted files from their computer, and the service will email a link that victims can use to download a recovery program to decrypt all of their scrambled files.

Best of luck.

@ultalites, unfortunately decryptcryptolocker.com was decommissioned a while back, as CryptoLocker has evolved into many different variants. They give these as other resources:
Ugo Mena commented:
Uhhggg! I just saw that too.

It appears Dr.Web is the tool of choice... checking a little further now.
Ugo Mena commented:
It appears that Dr.Web is only decrypting files for current customers.
In any case, here is the link to submit your files for analysis:

First of all, try to train your users better so they don't get infected in the first place: only open mails they know come from a trusted sender, and don't open attachments unless they expect them. Or only visit websites that are trustworthy. Make sure no one uses accounts that have admin rights, unless to do a particular task, and then log out again once finished. This might not completely keep out everything, but it should help reduce the risks a lot.

Once the users know how to properly use their PCs, just delete the encrypted files and restore them from your backups.
Zino Zino commented:
Get a Windows Live CD, boot from that, install Malwarebytes and HitmanPro, and do a manual scan.