Solved

Virus Attacked Cryptolocker

Posted on 2016-08-04
11
34 Views
Last Modified: 2016-08-29
Our company was attacked by a virus called Cryptolocker.
Can anyone let us know how to solve this step by step?
0
Comment
Question by:ukerandi
11 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 125 total points (awarded by participants)
ID: 41742373
Step 1. Educate users not to open email and attachments from unknown sources.
Step 2. Isolate all machines from your server, scan for viruses and make certain the machines are virus-free.
Step 3. Recover your server documents from backup.

You cannot ever hope to recover an encrypted file. You must restore from backup.
0
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 125 total points (awarded by participants)
ID: 41742395
One of our users infected herself just by visiting a webpage (zero-day exploit). She had no admin rights, fully updated Windows 8.1 and an updated AV program.

If you are running Windows 7, 8 or 10, Windows by default keeps previous versions on drive C.

http://www.howtogeek.com/209080/how-to-restore-previous-versions-of-a-file-on-any-operating-system/

If you have no previous versions and no backup, you can pay for a decrypt program and hope that works.
0
 
LVL 10

Author Comment

by:ukerandi
ID: 41742396
How do I find affected machines? What is the antivirus software for this?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41742399
There is no particular AV for Cryptolocker. All paid good products protect.

To find an infected machine, isolate it and look through local documents. They are likely encrypted.
0
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 125 total points (awarded by participants)
ID: 41742411
You have to identify what kind of Cryptolocker you are dealing with.

https://id-ransomware.malwarehunterteam.com/

Then Google for removal methods.

Some versions of Cryptolocker encrypt network shares too.

What extensions do the encrypted files have?
0
 
LVL 29

Accepted Solution

by:ScottCha
ScottCha earned 125 total points (awarded by participants)
ID: 41742419
Many times you will find a .txt or image document in each encrypted folder with instructions on how to "recover" your data.

As stated, restoring from backup is the best way.

If not, and the data is mission critical, and I mean LIVES CAN BE AT STAKE, such as a hospital, etc., then you can try to pay the ransom. This is not suggested as, again, you cannot be sure you will be able to recover the files, and paying the people who did this only encourages them to continue.

But that is a decision YOU will have to make.

A local hospital was hit with ransomware; they paid the 17K and were able to get their data back, but there is no guarantee... you are dealing with criminals after all.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points (awarded by participants)
ID: 41742579
Suggest you check out the BleepingComputer article, which brings you through the steps:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

To do when infected by Cryptolocker:
-Confirm it is Cryptolocker (check out https://id-ransomware.malwarehunterteam.com/)
-Disconnect the infected machine from your wireless or wired network (prevents it from further encrypting any files).
-Recommend that you do not pay the ransom. If you decide not to pay the ransom, you can simply delete the Registry values and files and the program will not load anymore (details under the "Known file paths and registry keys used by CryptoLocker" section).
-Restore your data via other methods (see below listed and found in the article).

In case you want to find all encrypted files: they are actually listed by the ransomware and stored in the registry, and you can use the ListCrilock program to export a human-readable list of these encrypted files from the registry into a text file. See the "How to find files that have been encrypted by CryptoLocker" section for more methods.

The article also suggests that on a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

Also, to determine encrypted files over the network, it is suggested you can also examine your network switches and look for the ports that have "heavy" or very "busy" lights that are continuously blinking, as this indicates very heavy traffic. Likely the ransomware is encrypting those files that are accessible in the infected machine's network mapped folder. From there you can trace down the source IP to those computers that may be infected.

For restoration approaches (not 100%, as CL can remove them too), see sections:
-How to restore files encrypted by CryptoLocker using Shadow Volume Copies
-How to restore files that have been encrypted on DropBox folders

Moving ahead, I suggest a clean build, though you may have done scanning with an alternate AV. See sections below. Consider the use of WinAntiRansom or Malwarebytes Anti-Ransomware.
-How to prevent your computer from becoming infected by CryptoLocker
-How to allow specific applications to run when using Software Restriction Policies
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41742985
The only acceptable way to recover from a Cryptolocker attack is restore from a backup. Most Cryptolocker variants will purge Shadow Copies before running, so don't rely on VSS to save you from these attacks. Protect *all* user accessible shared folders with a full backup suite that stores backups securely.

Don't even think about paying ransom, as doing so both encourages continued development of this kind of attack and puts you at risk of spending money and not getting anything from the attackers. They're already criminals, so they will certainly not care about actually delivering on their promises if you pay them.

It's actually pretty easy to determine which user was attacked by a Cryptolocker if your shared folders get hit. Right click the encrypted file, go to properties, select security tab, select Advanced. Whichever user is shown as the file's "Owner" is the one who got hit. Once that is identified, it's pretty easy to figure out which computers they've used (Ask them) and take them off the network.
0
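A way to automate the ownership check that btan and Adam Brown describe across a whole share, as an added example that is not part of any answer in this thread. It assumes a readable share path and a ransom extension list, both of which are placeholders to replace with what you observe (or what ID Ransomware reports); the owner of each encrypted file points at the compromised account, and the write-time range bounds when the encryption ran.

```powershell
# Added example (not from the thread): list files carrying a ransomware extension on a
# share, group them by NTFS owner, and report which accounts to chase down and isolate.
# Assumptions: the script runs with read access to the share and its ACLs; the share
# path and extension list below are constructed placeholders, not values from the thread.
param(
    [string]$SharePath = '\\FILESERVER\Shared',                 # placeholder share path
    [string[]]$RansomExtensions = @('.encrypted', '.locked')    # placeholder extensions
)

function Find-RansomedFilesByOwner {
    param([string]$Path, [string[]]$Extensions)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # The ransomware rewrites each file under the infected user's token, so the
            # NTFS owner (what Adam Brown reads from the Security tab) names that account.
            $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'unknown' }
            [pscustomobject]@{
                Owner    = $owner
                File     = $_.FullName
                Modified = $_.LastWriteTime
            }
        }
}

$hits = Find-RansomedFilesByOwner -Path $SharePath -Extensions $RansomExtensions

# One row per owner: file count plus the earliest and latest write time, which tells you
# when the encryption ran and therefore which backup point predates it.
$hits | Group-Object Owner | ForEach-Object {
    $sorted = $_.Group | Sort-Object Modified
    [pscustomobject]@{
        Owner     = $_.Name
        FileCount = $_.Count
        FirstSeen = $sorted[0].Modified
        LastSeen  = $sorted[-1].Modified
    }
} | Sort-Object FileCount -Descending | Format-Table -AutoSize

# Also surface the ransom notes ScottCha mentions (a .txt or similar dropped per folder);
# the name pattern is a constructed guess, adjust it to the note names you actually see.
Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '(?i)decrypt|recover|how_to|readme' -and
                   @('.txt', '.html') -contains $_.Extension.ToLower() } |
    Select-Object FullName -First 20
```

Run it from an admin workstation rather than the file server, and take the reported accounts' workstations off the network before restoring from backup.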
 
LVL 10

Author Comment

by:ukerandi
ID: 41751310
Thank you very much for all advice.

I found one of our servers had the same virus, but it's NOT a public shared folder. It's shared only with the
Domain Controller and Administrator. So how did this happen?
0
 
LVL 61

Expert Comment

by:btan
ID: 41751333
Ransomware can encrypt files in unmapped drives so long as the logon account has the privilege to access and map the network shares. Some are even spread and carried by an infected USB which may be plugged into that file server system.
0
