• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 186
  • Last Modified:

Ransom.CRYPTXXX Activity 2

Trying to run Symantec SSR backup but Norton Security catches Ransom.CryptXXX Activity 2 ransomware attack and blocks suspected data port but does not clear the infection. So backup attempt fails. This attack is repeatable if same backup is executed again. How can we resolve this problem
0
Teddygtri
Asked:
Teddygtri
  • 2
  • 2
  • 2
  • +3
3 Solutions
 
John HurstBusiness Consultant (Owner)Commented:
Go to the Symantec Site and download (and run) Symantec's online scanner. There are others.

Follow this with a scan use Malwarebytes.

You do face the possibility of formatting and reinstalling Windows
0
 
Scott CSenior Systems EnginerCommented:
Be sure to pull the machine off of your network if you haven't done so already.
1
 
MacleanSystem EngineerCommented:
On the server which holds the encrypted share data, see which username shows under file manager. Might even have active connections.
If will help you locate the source which you then as per ScottCha's comment, take of the network and just wipe. Don't remove virus and put it back on. Format & rebuild. Don't take risks.
Once the system is gone which has the infection, it should stop triggering Symantec, and allow you to complete the backup.
Unless you are trying to backup the infected machine. My recommendation is to cut your losses and just format it unfortunately. If it is a server try file restore to an external USB once you removed the virus using whichever AV (Contact Vendor for help is the best solution) and then wipe server.

When all done make sure you patch 3rd party products, Microsoft Patches & Virus definitions to the latest version, especially Java & Adobe Reader. Cryptoware exploits vulnerabilities in unpatched Java & Adobe apps.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
btanExec ConsultantCommented:
Should never do a backup or recovery if the  Ransomware has yet to be clean. Wasting effort as reinfection may recur and will not be successful. Take it Offline remove admin right to the user in the machine, do a clean build instead. Inspect all the external portable drive and mapped network drive to assess the root source as well as contain the damage.

Also reference bleedingcomputer, CryptXXX has had three versions released as of 5/24/16. Of these released versions, Version 1 and Version 2 have been able to be decrypted for free using Kaspersky's RannohDecryptor. If you are infected with Version 3.0, then RannohDecryptor does not currently work on it.
http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information#decrypt
0
 
serialbandCommented:
If you still have data you wish to keep that hasn't been backed up.  You're going to have to pull the disks offline, install it on another system as a secondary disk, scan it, then copy the files to something that isn't your primary backup.  You don't know what already got encrypted, so you should avoid wiping your backup.
0
 
TeddygtriAuthor Commented:
No contributors discuss the beta from Malwarebytes on Ransomware.

Malwarebytes claims their solution prevents many ransomware attacks.

Running the beta now. Will report results in few days.
0
 
btanExec ConsultantCommented:
The anti ransomware is more of the after effect cases to be preventive and alert when Ransomware starts to conduct their act. Not sure how effective is it in discovering Ransomware instead. Worth the try but note that it does not decrypt your files.

There are other AntiRansomware tools such as from Bitdefender AntiRansomware Winpatrol WinAntiRansom and SecureAPlus.
0
 
TeddygtriAuthor Commented:
Thanks
0
 
MacleanSystem EngineerCommented:
Glad to see I was able to assist. You could have a look at CryptoPrevent for prevention, I can't say how well it works or not, but I do recall them being one of the 1st to counter getting these type of infections. Perhaps MalWare Bytes does better.

Viruses however can learn and adapt against detection patterns, hence first line of defense is user training. If users know not to open up unexpected random bills/documents then that saves one in most cases already. Some pointers can be found online such as here
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

  • 2
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now