Josh Garrett asked:
Encrypted files, but no way to pay ransom?

So we have a client with a virus that encrypted his Word and Excel files, but, here's the kicker, no instructions to pay the ransom. Has anyone seen something like this? I'm stumped as to where to start, especially since he has no backups.
Josh Garrett (asker):
I've run into one of those hackers before: they encrypted the files with the extension .lol, but left a message to email an account for instructions to decrypt.

Shadow copies were running, but the virus deleted them as do most ransomware viruses.
I'm assuming the scumbag, let's be frank here, searched the system for email or used the same email that infected the machine (if it was an email attachment). The ransom email may have been quarantined on the victim's mail server or even blocked/deleted. You may check with the admin or the spam service you use. Or if it's a biggun like Google, you may want to check the spam folder and the deleted folder.
I'm just lost as to how someone would get into his system, there are no NAT'd ports on the firewall and wireless can't talk across to the wired computers.
God knows.  If you want to truly protect a user, block all forms of executable files from email attachments, http proxy and https proxy.  Anything else is infectable...
btan:
Actually, all the documents in My Documents are likely to be encrypted, and the file extension and filename may help to drill down which breed of ransomware (DNA) family you are facing. There are many variants and more coming up, but most would have symptoms of, and have evolved from, a past family breed. Identifying such an "indicator of compromise" can isolate what that malware is and its unique behaviour of not showing the "ransom demand".

Can consider trying HitmanPro and RogueKiller on top of the AV with updated signatures. Ransomware may not run fully and may stay stealthy if a certain event is detected, to safeguard itself, e.g. the AV is running, or it detects it is in a VM environment, or it even attempts to disable the AV but fails, etc.
The vector for the virus was almost certainly an email or a link on a malicious or compromised website. To that extent, firewalls aren't relevant.

I do want to make mention, in response to this comment, that I've NEVER had a malware infection inside my network, ever (16 years). I was hired onto the company because of a giant NIMDA infection. WatchGuard firewalls with the HTTPS/HTTP proxy and the SMTP proxy block the following:

  .EXE  (machine language)
  .COM  (machine language)
  .VB   (Visual Basic script)
  .VBS  (Visual Basic script)
  .VBE  (Visual Basic script-encoded)
  .CMD  (batch file - Windows)
  .BAT  (batch file - DOS/Windows)
  .WS   (Windows script)
  .WSF  (Windows script)
  .SCR  (screen saver)
  .SHS  (OLE object package)
  .PIF  (shortcut to DOS file plus code)
  .HTA  (hypertext application)
  .JS   (JavaScript script)
  .JSE  (JScript script)
  .LNK  (shortcut to an executable)

This doesn't alleviate any non-protected or zero-day exploited services that you make publicly available (i.e. SSL, SIP tunnels, TS gateway, etc.), but that can't be blamed on you unless you weren't following a documented update regimen.

EDIT: left .ZIP out of the list.
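The extension policy above, written out as a standalone attachment-name check. This is an added example, not code from the thread or from any WatchGuard product; it uses the poster's list plus .ZIP from the edit, and the sample attachment names are constructed.

```python
"""Attachment-name policy check modelled on the block list above.

Added example, not from the thread or any WatchGuard product. It applies
the poster's extension list (plus .ZIP from the edit) to attachment names
and catches the usual evasions: mixed case, a decoy inner extension
(invoice.pdf.exe) and trailing dots or spaces that Windows silently strips.
"""

# Extensions named in the thread, normalised to lower case without the dot.
BLOCKED_EXTENSIONS = {
    "exe", "com", "vb", "vbs", "vbe", "cmd", "bat", "ws", "wsf",
    "scr", "shs", "pif", "hta", "js", "jse", "lnk",
    "zip",  # added in the poster's edit
}


def normalise_name(filename: str) -> str:
    """Windows ignores trailing dots and spaces when opening a file, so the
    filter must strip them too or 'payload.exe. ' would slip through."""
    return filename.strip().rstrip(". ").lower()


def extensions_of(filename: str) -> list:
    """Every extension segment, e.g. 'a.pdf.exe' -> ['pdf', 'exe']. Only the
    last one decides how Windows opens the file, but the decoy is kept so an
    operator can see it in the verdict."""
    return [p for p in normalise_name(filename).split(".")[1:] if p]


def is_blocked(filename: str) -> bool:
    """True when the effective (last) extension is on the block list."""
    exts = extensions_of(filename)
    return bool(exts) and exts[-1] in BLOCKED_EXTENSIONS


def triage(filenames: list) -> dict:
    """Split a batch of attachment names into blocked and allowed lists."""
    verdict = {"blocked": [], "allowed": []}
    for name in filenames:
        verdict["blocked" if is_blocked(name) else "allowed"].append(name)
    return verdict


if __name__ == "__main__":
    # Constructed sample names, not taken from any real message.
    print(triage(["quarterly.xlsx", "Invoice.PDF.exe", "setup.SCR.", "notes.txt"]))
```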
@choward16980:

I was thinking purely in terms of emails containing links rather than attachments, and didn't make this distinction apparent.

You are, of course, entirely correct in what you say.
Correct, this is a client that came to me after the infection. I was able to determine that he had Crashplan on his computer by using data recovery software. He pulled up his email and found where he purchased and installed it. Needless to say, we were able to get his files from the two days prior. It seems as though he still is not concerned about proceeding further by paying for additional service from us since he knew what email caused it. We will probably hear from him again in a few weeks.

Thanks everyone, still stumped as to what the virus was. Nothing in AV/Spyware showing in history and he deleted the email completely.
Look at the encrypted file extension; that may hint at the ransomware type, as shared earlier. Probably the client has already removed the infection if the AV is already updated to the latest. The client may have more info.

Regardless, the virus would have made callbacks, and if their internet proxy logged those callbacks during the period of infection (e.g. on the click on the phished link) that will be useful for tracing. May need to check his mapped drives, as the ransomware can also encrypt the files on a mapped drive.
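btan's point about using the extension and filename to narrow down the family, as an added example that is not from the thread: it tallies appended extensions (the `.docx.lol` pattern mentioned above) over a directory, and goes one step further than the thread by flagging Office files that kept their name but were overwritten with ciphertext, using byte entropy. The sample tree is constructed in a temporary directory so it runs offline.

```python
import collections
import math
import os
import tempfile
from pathlib import Path

OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}  # file types named in the question
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext is close to 8.0, documents far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty or single-valued buffer."""
    if not data:
        return 0.0
    counts = collections.Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_tree(root: Path) -> dict:
    """Tally appended extensions and list files that look encrypted.

    report.docx.lol is counted under the appended '.lol' with the original
    type still visible; report.docx whose body is near-random is reported as
    encrypted in place (same name, ciphertext contents)."""
    appended = collections.Counter()
    suspicious = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if len(suffixes) >= 2 and suffixes[-2] in OFFICE_EXTENSIONS:
            appended[suffixes[-1]] += 1
            suspicious.append(path.name)
        elif suffixes and suffixes[-1] in OFFICE_EXTENSIONS:
            if shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD:
                suspicious.append(path.name)
    return {"appended_extensions": dict(appended), "suspicious": sorted(suspicious)}


def build_sample_tree() -> Path:
    """Constructed sample data (not a real incident): one intact document,
    one renamed with an appended extension, one encrypted in place."""
    root = Path(tempfile.mkdtemp())
    (root / "budget.xlsx").write_bytes(b"plain spreadsheet text " * 40)
    (root / "report.docx.lol").write_bytes(os.urandom(2048))
    (root / "memo.docx").write_bytes(os.urandom(2048))
    return root
```

Run `triage_tree(build_sample_tree())` to see the two flagged files; on a real machine point `triage_tree` at the user's document folders and any mapped drives.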
I've requested that this question be closed as follows:

Accepted answer: 0 points for QuasComputers's comment #a41436496

for the following reason:

Ended up finding a solution on my own. Sorry guys for not handing out points, but nothing really resolved the original problem. We still don't know what infected the files and left no trace to fix the issue.
What is the solution that worked?
Finding that he had an online backup at Crashplan. The virus deleted the program on the actual computer. I was able to find that the directory had been deleted using data recovery tools.
While I pointed to the use of data recovery tools, and backups were referenced by others.


Glad that data loss was minimized. Be careful though, the restore might include the hidden .....
I didn't leave points because no one was able to answer the question. I was hoping to shed some light on a virus I had never seen before. But if it's that big of a deal, I'll split the points between everyone.
Note, I've not objected to the close decision you are making which will close as requested.
I hear ya, but since y'all did try and help me out I should have given credit anyway.