
Virus Attacked Cryptolocker

Posted on 2016-08-04
Last Modified: 2016-08-29
Our company was attacked by a virus called Cryptolocker.
Can anyone let us know how to solve this step by step?
Question by:ukerandi
11 Comments
 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 125 total points (awarded by participants)
ID: 41742373
Step 1. Educate users not to open email and attachments from unknown sources.
Step 2. Isolate all machines from your server, scan for viruses and make certain the machines are virus-free.
Step 3. Recover your server documents from backup.

You cannot ever hope to recover an encrypted file. You must restore from backup.
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 125 total points (awarded by participants)
ID: 41742395
One of our users infected herself just by visiting a webpage (zero-day exploit). She had no admin rights, a fully updated Windows 8.1 and an updated AV program.

If you are running Windows 7, 8 or 10, Windows by default keeps previous versions on drive C.

http://www.howtogeek.com/209080/how-to-restore-previous-versions-of-a-file-on-any-operating-system/

If you have no previous versions and no backup, you can pay for the decrypt program and hope that it works.
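The "previous versions" route above relies on Volume Shadow Copies. The following is an added example, not code from the original post: it lists the shadow copies on a host, exposes the newest one as a folder, and copies a document tree out of it. It assumes an elevated PowerShell 3+ session on the affected Windows machine (or on the file server, for shared folders); the user name and destination path are placeholders.

```powershell
# Added example (not from the original post): enumerate Volume Shadow Copies
# and expose one as a folder so clean copies of encrypted files can be pulled
# back out of it. Run elevated. Caveat: many ransomware families delete shadow
# copies before encrypting, so an empty list here means previous versions are
# gone and restoring from backup is the only remaining route.

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning 'No shadow copies found on this host. Restore from backup instead.'
    return
}

# Show what is available, newest first, with the device path mklink needs.
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# Pick the newest snapshot taken BEFORE the infection started (index 0 is the
# newest overall; adjust after reading the InstallDate column).
$snap = $shadows[0]

# Expose the snapshot as a directory symbolic link. The trailing backslash on
# the target is required or Windows will not resolve the GLOBALROOT device path.
$mount = 'C:\shadow_restore'
cmd /c "mklink /d $mount $($snap.DeviceObject)\" | Out-Null

# Copy a known-good tree out of the snapshot. Paths are illustrative placeholders:
# /E keeps subfolders, /XJ skips junctions, /R and /W keep robocopy from stalling.
robocopy "$mount\Users\alice\Documents" 'D:\recovered\alice\Documents' /E /XJ /R:1 /W:1

# Remove the link when done. This removes only the link, never the snapshot.
cmd /c "rmdir $mount"
```

Check the `InstallDate` column against the time the ransom notes appeared before choosing a snapshot; a shadow copy taken after encryption began only contains encrypted files. Mounting the snapshot is preferable to the Explorer "Previous Versions" tab when thousands of files are affected, because one `robocopy` restores a whole tree.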
 
LVL 10

Author Comment

by:ukerandi
ID: 41742396
How do we find affected machines? What is the anti-virus software for this?
 
LVL 92

Expert Comment

by:John Hurst
ID: 41742399
There is no particular AV for Cryptolocker. All good paid products protect.

To find an infected machine, isolate it and look through local documents. They are likely encrypted.
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 125 total points (awarded by participants)
ID: 41742411
You have to identify what kind of Cryptolocker you are dealing with.

https://id-ransomware.malwarehunterteam.com/

Then google for removal methods.

Some versions of Cryptolocker encrypt network shares too.

What extensions do the encrypted files have?
 
LVL 29

Accepted Solution

by:
ScottCha earned 125 total points (awarded by participants)
ID: 41742419
Many times you will find a .txt or image document in each encrypted folder with instructions on how to "recover" your data.

As stated, restoring from backup is the best way.

If not, and the data is mission critical, and I mean LIVES CAN BE AT STAKE, such as a hospital, etc., then you can try to pay the ransom. This is not suggested as, again, you cannot be sure you will be able to recover the files, and paying the people who did this only encourages them to continue.

But that is a decision YOU will have to make.

A local hospital was hit with ransomware; they paid the 17K and were able to get their data back, but there is no guarantee... you are dealing with criminals after all.
 
LVL 62

Assisted Solution

by:btan
btan earned 125 total points (awarded by participants)
ID: 41742579
Suggest you check out the BleepingComputer article, which walks through the steps:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

What to do when infected by Cryptolocker:
- Confirm it is Cryptolocker (check out https://id-ransomware.malwarehunterteam.com/).
- Disconnect the infected machine from your wireless or wired network (prevents it from encrypting any further files).
- Recommend that you do not pay the ransom. If you decide not to pay the ransom, you can simply delete the registry values and files and the program will not load anymore (details under the "Known file paths and registry keys used by CryptoLocker" section).
- Restore your data via other methods (see the sections listed below and in the article).

In case you want to find all encrypted files: they are actually listed by the ransomware and stored in the registry, and you can use the ListCrilock program to export a human-readable list of these encrypted files from the registry into a text file. See the "How to find files that have been encrypted by CryptoLocker" section for more methods.

The article also notes that on a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

Also, to determine encrypted files over the network, it is suggested you can examine your network switches and look for the ports that have "heavy" or very "busy" lights that are continuously blinking, as this indicates very heavy traffic. Likely the ransomware is encrypting those files that are accessible in the infected machine's network-mapped folder. From there you can trace down the source IP to the computers that may be infected.

For restoration approaches (not 100%, as CL can remove them too), see the sections:
- How to restore files encrypted by CryptoLocker using Shadow Volume Copies
- How to restore files that have been encrypted on DropBox folders

Moving ahead, I suggest a clean build, though you may have done scanning with an alternate AV. See the sections below. Consider use of WinAntiRansom or Malwarebytes Anti-Ransomware.
- How to prevent your computer from becoming infected by CryptoLocker
- How to allow specific applications to run when using Software Restriction Policies
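The prevention sections referenced above come down to one control: refuse to run executables from the locations a mail-borne dropper writes to (the user profile's AppData and Temp). The block below is an added example, not code from the post or the linked article, and it uses AppLocker (the successor to Software Restriction Policies, available on Windows 7 Enterprise / Server 2008 R2 and later) rather than SRP itself, because AppLocker has built-in cmdlets to dry-run and import a policy. It assumes an elevated session; the rule GUIDs are arbitrary and the sample file names are placeholders.

```powershell
# Added example, not from the original post or the linked article: an AppLocker
# policy that denies executables launched from any user's AppData tree while
# allowing Program Files and Windows. Run elevated. Rule Ids are arbitrary GUIDs.
# AppLocker evaluates Deny before Allow, so the AppData deny also applies to
# members of the local Administrators group despite their blanket allow rule.

$policyPath = "$env:TEMP\anti-dropper.xml"

# Start in AuditOnly: nothing is blocked yet, but every executable that WOULD be
# blocked is logged to "Microsoft-Windows-AppLocker/EXE and DLL" as event 8003.
# Change to EnforcementMode="Enabled" only after that log shows no legitimate apps.
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="1f4d2c6e-8b2a-4a7e-9c1d-0a1b2c3d4e01" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="1f4d2c6e-8b2a-4a7e-9c1d-0a1b2c3d4e02" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="1f4d2c6e-8b2a-4a7e-9c1d-0a1b2c3d4e03" Name="Allow local Administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="1f4d2c6e-8b2a-4a7e-9c1d-0a1b2c3d4e04" Name="Deny executables under user AppData"
                  Description="Covers Roaming, Local and Local\Temp, where mail-borne droppers unpack"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $policyPath -Encoding UTF8

# Dry-run the policy against real files before touching the machine. %TEMP% lives
# under the user's AppData\Local, so a dummy .exe there should come back Denied,
# and notepad.exe under %WINDIR% should come back Allowed.
$dummy = Join-Path $env:TEMP 'invoice.pdf.exe'   # placeholder name, empty file
New-Item -ItemType File -Path $dummy -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path @($dummy, "$env:windir\System32\notepad.exe") -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $dummy

# Apply to the local machine (use -Ldap "LDAP://..." to write into a GPO instead)
# and make sure the Application Identity service, which enforces AppLocker, runs.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Two caveats a practitioner will hit: per-user installers (some browsers, chat and sync clients install under AppData) will show up as 8003 events and need explicit Allow rules, preferably publisher rules, before enforcing; and the `%WINDIR%\*` allow covers user-writable subfolders such as `C:\Windows\Temp` and `C:\Windows\Tasks`, so add Deny rules for those or the AppData rule is trivially bypassed by a dropper that knows about them.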
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41742985
The only acceptable way to recover from a Cryptolocker attack is to restore from a backup. Most Cryptolocker variants will purge Shadow Copies before running, so don't rely on VSS to save you from these attacks. Protect *all* user-accessible shared folders with a full backup suite that stores backups securely.

Don't even think about paying the ransom, as doing so both encourages continued development of this kind of attack and puts you at risk of spending money and not getting anything from the attackers. They're already criminals, so they will certainly not care about actually delivering on their promises if you pay them.

It's actually pretty easy to determine which user was attacked by a Cryptolocker if your shared folders get hit. Right-click the encrypted file, go to Properties, select the Security tab, select Advanced. Whichever user is shown as the file's "Owner" is the one who got hit. Once that is identified, it's pretty easy to figure out which computers they've used (ask them) and take them off the network.
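Both btan's note about ownership changing to the account CryptoLocker runs under and the Properties > Security > Advanced check above scale badly once thousands of files on a share are hit. The following is an added example, not code from either post: it walks a share, flags files that look like ransomware artifacts, reads each one's owner, and reports which account owns most of them and when that account first wrote one. The share path, the suspect extensions and the ransom-note name patterns are placeholders to be replaced with what ID Ransomware reports for the actual sample.

```powershell
# Added example (not from the original posts): find ransomware artifacts on a
# share and attribute them to the account that wrote them. Over SMB, a newly
# created file (ransom note, or a renamed/rewritten encrypted copy) is owned by
# the logon that created it, i.e. the infected user. Run from an admin
# workstation that can read the whole share. Patterns below are placeholders.

param(
    [Parameter(Mandatory)] [string]$ShareRoot,                              # e.g. \\fileserver\data
    [string[]]$SuspectExtensions = @('.encrypted', '.locked', '.crypt'),   # replace with the real one
    [string[]]$NotePatterns = @('*DECRYPT*', '*HOW_TO*', '*RECOVER*', '*README*')
)

function Test-RansomArtifact {
    # True when the file carries a suspect extension or looks like a ransom note.
    param([System.IO.FileInfo]$File, [string[]]$Extensions, [string[]]$Patterns)
    if ($Extensions -contains $File.Extension.ToLower()) { return $true }
    foreach ($p in $Patterns) { if ($File.Name -like $p) { return $true } }
    return $false
}

$hits = foreach ($f in Get-ChildItem -LiteralPath $ShareRoot -Recurse -File -Force -ErrorAction SilentlyContinue) {
    if (Test-RansomArtifact -File $f -Extensions $SuspectExtensions -Patterns $NotePatterns) {
        $owner = try { (Get-Acl -LiteralPath $f.FullName).Owner } catch { 'unknown' }
        [pscustomobject]@{ Owner = $owner; Path = $f.FullName; Written = $f.LastWriteTime }
    }
}

if (-not $hits) { Write-Host "No artifacts matching the given patterns under $ShareRoot"; return }

# One row per account. The account with the bulk of the hits is the compromised
# logon; its earliest write approximates when encryption of this share started,
# which is the cut-off to use when choosing a backup or shadow copy to restore.
$hits | Group-Object Owner | ForEach-Object {
    $sorted = $_.Group | Sort-Object Written
    [pscustomobject]@{
        Owner     = $_.Name
        Files     = $_.Count
        FirstSeen = $sorted[0].Written
        LastSeen  = $sorted[-1].Written
    }
} | Sort-Object Files -Descending | Format-Table -AutoSize

# Keep the full file list for the incident record and for the restore job.
$hits | Export-Csv -NoTypeInformation -Path "$env:TEMP\ransomware-artifacts.csv"
```

The owner attribution only works for files the malware created; a variant that encrypts in place without renaming leaves the original owner intact, in which case the ransom notes (always newly created) are the reliable signal, and the `LastWriteTime` clustering still tells you when it ran. Where object-access auditing is enabled on the file server, the same account will appear in event 5145 on the server with the client's source IP, which answers the "which computer" question without having to ask the user.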
 
LVL 10

Author Comment

by:ukerandi
ID: 41751310
Thank you very much for all advice.

I found one of our servers had the same virus, but it's NOT a public shared folder. It's shared only with the
Domain Controller and Administrator. So how did this happen?
 
LVL 62

Expert Comment

by:btan
ID: 41751333
Ransomware can encrypt files on unmapped drives so long as the logon account has the privilege to access and map the network shares. Some are even spread and carried by an infected USB drive which may be plugged into that file server.
