CryptoLocker Removal

I have a network that has just been hit with CryptoLocker or a variant of Crypto. It seems to have infected a single workstation but there are encrypted files on some of the server shares as well. As a precaution we have shut down the server and the infected workstation and most of the rest of the network as well.

Questions :

1 - What is the best software that can remove the CryptoLocker software please?
2 - Do the encrypted files pose any threat to the system - can the infection spread from encrypted files on other machines that host shares that appear on the infected machine?
3 - Can the removal software be run on the infected machine or is it best to put the disc in a good machine and run the removal from there?
4 - Is there really any way to restore encrypted files? I fear I know the answer to this one already...

Thank you
broadsoft Asked:

rindi Commented:
No need to shut the server down, just the workstation. The encrypted files don't pose any threat. Just delete those and restore them from your backups. There is no way to decrypt them without the key, and of course it is needless to say that you mustn't pay up the ransom to maybe get that key.

Get in touch with your law enforcement authorities first, maybe they want to look at the infected PC. That might help them to get tags on the crooks, or help for future instructions to avoid getting the virus.

Once the authorities tell you it is OK, just re-image the PC. That is the fastest and safest way to get rid of the bugs.

As precautions for the future, make sure the users never log on to any PC using an account with admin rights. Only ever use standard accounts. Educate the users on how to use the internet and email. Only visit sites you trust, open attachments from people you trust and from whom you are expecting attachments. Make sure the PCs are fully patched and the AV tool updated. Basically all the common sense stuff.

Also make sure your backups are OK, and that you rotate your backup media and have several versions.
broadsoft (Author) Commented:
Thanks for that advice - can you advise please how do I know for sure which computer is the infected one? The desktop I refer to is the only one with encrypted files on it but I really need to be sure that the crypto exe has not propagated to the server and other work stations. Is there a good malware detection / removal tool that can be trusted to detect and remove this?
rindi Commented:
Ransomware currently doesn't spread to other PCs. It just encrypts the local files and whatever it finds on the network to which the user account has access. So those PCs that have encrypted files are infected, unless of course it also shares its folders and others can connect to it. But that should be the case, as you have a central server and only that is supposed to share folders.
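
Added example, not part of any reply in this thread: one way to build the list of files on a share that need deleting and restoring from backup, assuming the variant encrypts files in place and keeps their original extensions. The extension table, the 7.5 bits/byte threshold and all function names are assumptions for illustration.

```python
import math
import os
from collections import Counter

# Well-known leading bytes for common document types (table is illustrative).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}
SAMPLE = 65536        # bytes read from the start of each file
ENTROPY_LIMIT = 7.5   # bits/byte; assumed threshold, tune on known-good files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for encrypted or random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """Flag a file whose header no longer matches its extension AND whose
    content is near-random. Unknown extensions are skipped, not guessed."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    return not head.startswith(magic) and shannon_entropy(head) > ENTROPY_LIMIT


def scan_share(root: str) -> list:
    """Return relative paths under root that look encrypted, sorted."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                if looks_encrypted(full):
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
    return sorted(hits)
```

Run `scan_share` against a read-only mount of the share from a clean machine; a damaged but low-entropy file is deliberately not flagged, so review those separately.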


btan, Exec Consultant, Commented:
In case you are interested in ransomware preventive measures, I do suggest more holistic measures such as application whitelisting, so do check out some EE articles:
http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
http://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html
http://www.experts-exchange.com/articles/21199/Ransomware-Beware.html
Dave Howe, Software and Hardware Engineer, Commented:
broadsoft (Author) Commented:
Thank you Dave for that - indeed I am very interested! Very much appreciated.