A workstation in my workgroup has been hit with Cryptowall.

A workstation in my workgroup has been hit with Cryptowall, Files are encrypted and demanding ransom. I know that it is a lost cause. Format and reinstall scheduled, but  the workstation has several mapped drives as do all of the workstations. How can I tell if the Crypto has spread to any other workstations or server and might be encrypting in the background or does it work that way?
arkmatAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DeepinInfrastructure Engineer Commented:
look for help_decrypt.html ,help_decrypt.txt and help_decrypt.png on the drives
Joe Winograd, Fellow&MVEDeveloperCommented:
I suggest reading Tom's excellent EE article on the subject:
Ransomware: Prevention is the only solution

In your case, note especially section B. NETWORK SHARES. Good luck! Regards, Joe
rindiCommented:
The virus doesn't spread to other PC's, but files on your server could have been encrypted. Just look for unusual extensions, and if there are any such files, delete them and restore the originals from your backups.

Additionally take measures so that future infections get less likely. Educate your users on safe email and web use. Make sure no one ever logs on to PC's with an account that has administrative rights.
bas2754Commented:
Cryptowall keeps a list of files it affects in the registry.  There is a utility called ListCwall found at the following URL: http://www.bleepingcomputer.com/download/listcwall/

The link is towards the bottom of the page to download.  Basically boot the system with network disconnected.  Log in with the User(s) id that was affected and fun the utility.  This will hive you an exact list of what files and folderz were affecfed and you can then determine if any files on the mapped deivers were hit.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bas2754Commented:
Correction on my last comment.  The link is actually to the download page for the utility.  The artice about it that has the link is here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Encryption

From novice to tech pro — start learning today.