FosterThomas (United States of America) asked:

Files in One SubFolder of 100's won't open and say corrupt

I have Server 2012 R2 set up as an app server and my remote RWW is set up on that server. It is also our file server. We have 100s of folders set up with 1,000s of files on it.

One subfolder which has been working in the past, suddenly every file type in it (.doc, .docx, .xls, .xlsx, .pdf etc.) won't open, or when it opens, it opens with Wingdings characters and the program says it can't find the file type or the file is corrupt. See attached.

Every other subfolder and folder and all of their files work perfectly. I restored this particular subfolder's files to two weeks ago, and overwrote the files so I knew it was a new file from the backup, and I get the same error.

Any ideas? I'm lost. Thanks

[Attachment: Capture.JPG]
Dustin Saunders (United States of America):

Sounds like you might have gotten CryptoLocker.

Are there any rogue files present that say anything about locky or HELP_DECRYPT (or similar)?
FosterThomas:
Sounds like you might have gotten crypto locker.

Are there any rogue files present that say anything about locky or HELP_DECRYPT (or similar)?

No, no random file names. All the files in this folder are from 2015 and older by the date they were saved, and there are no files with a current date added.

I've had individual computers hit with CryptoLocker before but never the server, and normally when you tried to open one of the files on the computer it popped up a webpage with a phone number they wanted you to call. These files just seem to be corrupt, but there are no odd files in the folder and they are all older files that are never edited, just opened to use for reference and then closed.

Dustin Saunders:

Have these files been used since you were hit with CryptoLocker? How were files recovered? And were the users who were affected able to access these files through a mapped drive? (If the files were not restored and continued to be backed up, your backups will also be corrupt.)
FosterThomas:

All the files are kept on the server and users access them through a mapped drive or a shortcut on their desktop. So when the few computers I've had were hit with CryptoLocker, none of the server files were corrupted; only local files on the users' computers were affected. It's been at least a year since the last CryptoLocker-infected computer, and these files in this particular subfolder have been accessed many times and worked fine since then.

Dustin Saunders:

What type of backup did you restore from? Are there any available shadow copies on the server side?
FosterThomas:

The backup software we use is called Evault and it backs up to an off-site facility. I restored it from 14 days ago, and I know as of Monday these files were accessed, so 14 days ago the files would have been fine if they worked on Monday.

I am running every scan I can think of right now. Trend, Malwarebytes, Norton Power Eraser, and they find absolutely nothing.

Dustin Saunders:

If it were an encrypting virus, they tend to disappear so the key can't be reversed from it. Have you compared the checksum of the files in the backup v. the files on the server? If they match, your backups are also corrupted. Is 14 days the farthest back you can go? Did you see if you had shadow copy versions from Monday when they were working?

The fact that they are all in one folder, and all different types of files really indicates something purposefully acted on that folder.
FosterThomas:

The backup folder matches exactly from what I can see. However the files worked Monday just fine, and the backup I restored was from 14 days ago, so we know that backup happened before the encryption (if that's what the issue is) happened.

I don't know how to look for a shadow copy.
Dustin Saunders:

On the file server, right-click the folder and go to the Previous Versions tab. Available shadow copies will be listed there (I assume shadow copies are enabled on your file shares on the server; if they aren't, you won't see any available copies.)

[Attachment: ee_prevver.png]
FosterThomas:

There are a ton of shadow copies dating back to early June. Should I restore to a random one?

Dustin Saunders:

Yeah, grab one, but to test I'd click 'Copy...' and put it somewhere else. If the file looks good, you could restore the folder from that date.
FosterThomas:

I chose one from 6/24, because I have an email from an employee on that date saying they found the file they needed in that folder, so I know it was working then.

Copied to desktop and same issue.

Dustin Saunders:

And the user confirmed that they were able to open the file and work on it?

This cmd tool https://www.microsoft.com/en-us/download/details.aspx?id=11533 allows you to generate a checksum on files. Can you compare the checksums to see if they are the same? (The original, the offsite backup, and the shadow copy.)

FosterThomas:

Yes, the employee was able to open and work on the file.

I will run the tool now.
Dustin Saunders:

Did you have a copy of the file prior to 6/24 in shadow copies or in your backup?

How was the error in the file discovered? Was it by the same person who emailed on 6/24?

FosterThomas:

That tool doesn't work with Windows 10 or Server 2012, which are the only computers I can get on from where I am right now.

The error was discovered yesterday when the same employee tried to open a different copy on the shared drive under that same subfolder. She then emailed me to see what was wrong with that file, at which point I was stumped, and I ended up trying the other files in that folder and found the same issue. I then went through every other subfolder and verified that all other subfolders are functioning correctly.

Dustin Saunders:

Did you have a copy of the file prior to 6/24 in shadow copies or in your backup?

The tool will work on 2012 (it's a cmd utility, so you need to use it in an admin command prompt.) Browse to the extracted location and run fciv.exe -add <pathtofile>

Has the user had any problems with documents on their individual computer?
[Attachment: checksum.png]

FosterThomas:

No, the user is having no problems with files on their computer or any other files at all. I also ran a scan on their computer, even though many users access this particular subfolder.

The shadow copies go back to 6/19. I copied that, being the oldest one, and still same issue. I copied Monday's shadow copy because I know it worked on Monday fine, and same issue.

There are no differences between the original, the shadow copy from 6/19 or the nightly off-site backup from 6/19.

Dustin Saunders:

If the checksum is the same for all three, then the file was corrupt when it was being backed up all the way back prior. The same applies to your offsite; the backup you have there is also the corrupted version. Being offsite, nothing can go change that file.

The checksum indicates that it is an exact copy. For example, if you have a normal file and it becomes corrupted, the checksum WILL be different. The same is true if it were encrypted: the checksum would be different.

Since folders in Windows are more metaphorical than physical, this folder was probably encrypted or had some utility run against it by a user that broke the files.

But if your backups, local and remote, have the same checksum, they're all the same corrupt file that's been backed up for so long.

FosterThomas:

I understand everything you are saying and it all makes sense and I agree with you. However, these files were accessed on Monday by multiple people, one being myself, and I know I accessed the file from the server directly.
ASKER CERTIFIED SOLUTION by Dustin Saunders (solution text not included in this copy)

FosterThomas:

Not sure if this adds anything, but I just noticed that all picture files in the folder work fine; it's only PDFs and Office files that aren't functioning correctly.
Dustin Saunders:

Sometimes you can get those issues from trusted locations, but the end is the same. If you go to Evault, download the offsite copy to another PC and it has the same problem, it's not an issue with location on the server, sector on the file store, permission on the server, etc. It's the file.

Being that it only seems to have hit Office and PDF files, it sounds like a variant of crypto we've encountered before where it only encrypts those files in folders as users access them.
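The thread turns on two checks: comparing checksums of the live file, the shadow copy and the Evault restore (the fciv step above), and noticing that only PDF and Office files are affected while pictures open fine. The following PowerShell script is an added example, not something posted in the thread; it combines both checks on Server 2012 R2 (Get-FileHash ships with PowerShell 4.0 there) by hashing every file in the live folder, comparing it with the same file in a restored copy, and flagging files whose leading bytes do not match what their extension should start with. The two folder paths are placeholders.

```powershell
# Added example (not from the thread). Adjust the two paths before running in
# an elevated PowerShell on the file server. $Restore is assumed to hold the
# shadow copy or Evault restore of the same subfolder, copied somewhere else.
$Live    = 'D:\Shares\Data\ProblemSubfolder'   # assumed live folder
$Restore = 'C:\Temp\RestoredSubfolder'        # assumed restored copy

# Leading bytes a healthy file of each type starts with: PDF is "%PDF",
# .docx/.xlsx are zip containers ("PK.."), legacy .doc/.xls are OLE2 files.
$Magic = @{
    '.pdf'  = @(0x25, 0x50, 0x44, 0x46)
    '.docx' = @(0x50, 0x4B, 0x03, 0x04)
    '.xlsx' = @(0x50, 0x4B, 0x03, 0x04)
    '.doc'  = @(0xD0, 0xCF, 0x11, 0xE0)
    '.xls'  = @(0xD0, 0xCF, 0x11, 0xE0)
}

function Test-FileHeader {
    param([string]$Path)
    $ext = [IO.Path]::GetExtension($Path).ToLower()
    if (-not $Magic.ContainsKey($ext)) { return 'unknown-type' }
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $n = $fs.Read($buf, 0, 4)
    } finally { $fs.Close() }
    if ($n -lt 4) { return 'too-short' }
    for ($i = 0; $i -lt 4; $i++) {
        # Garbage at the very start is what an encrypted or overwritten file shows
        if ($buf[$i] -ne $Magic[$ext][$i]) { return 'header-mismatch' }
    }
    return 'ok'
}

Get-ChildItem -Path $Live -File -Recurse | ForEach-Object {
    $rel  = $_.FullName.Substring($Live.Length).TrimStart('\')
    $twin = Join-Path $Restore $rel
    $liveHash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    # Identical hashes mean the restore holds the same (possibly damaged) bytes
    $same = if (Test-Path $twin) {
        $liveHash -eq (Get-FileHash -Algorithm SHA256 -Path $twin).Hash
    } else { 'no-copy' }
    [pscustomobject]@{
        File         = $rel
        Header       = Test-FileHeader $_.FullName
        SameAsBackup = $same
        SHA256       = $liveHash
    }
} | Format-Table -AutoSize
```

A row showing Header = header-mismatch together with SameAsBackup = True is the situation Dustin describes: the damaged bytes were already present when the copy was taken, so restoring from that copy cannot help.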
FosterThomas:

I just found our original backup to Evault from August of 2014. I restored that same folder from there; again, these files haven't changed, they are there strictly for reference, they are never resaved or updated, so they are the same exact files. I restored them from that and have the same exact issue.

For two years these files have been used. This has to be something other than CryptoLocker or some other virus. This has to be a permission issue that has changed or something.

Dustin Saunders:

And the same thing if you restore the file to a folder on your local PC, not the server, correct?