Ransom.CRYPTXXX Activity 2

Trying to run Symantec SSR backup, but Norton Security catches a Ransom.CryptXXX Activity 2 ransomware attack and blocks the suspected data port, but does not clear the infection. So the backup attempt fails. This attack is repeatable if the same backup is executed again. How can we resolve this problem?
Teddygtri asked:
John, Business Consultant (Owner), commented:
Go to the Symantec site and download (and run) Symantec's online scanner. There are others.

Follow this with a scan using Malwarebytes.

You do face the possibility of formatting and reinstalling Windows.
0
Scott C, Senior Engineer, commented:
Be sure to pull the machine off of your network if you haven't done so already.
1
Maclean, System Engineer, commented:
On the server which holds the encrypted share data, see which username shows under file manager. It might even have active connections.
It will help you locate the source, which you then, as per ScottCha's comment, take off the network and just wipe. Don't remove the virus and put it back on. Format & rebuild. Don't take risks.
Once the system which has the infection is gone, it should stop triggering Symantec and allow you to complete the backup.
Unless you are trying to back up the infected machine. My recommendation is to cut your losses and just format it, unfortunately. If it is a server, try a file restore to an external USB once you have removed the virus using whichever AV (contacting the vendor for help is the best solution) and then wipe the server.

When all done, make sure you patch 3rd-party products, Microsoft patches & virus definitions to the latest version, especially Java & Adobe Reader. Cryptoware exploits vulnerabilities in unpatched Java & Adobe apps.
0
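The first step in Maclean's answer (find out which client and user are holding the encrypted files open on the file server) can be scripted. The following is an added example, not code from the thread; it assumes a Windows Server 2012 or later file server with the SmbShare module, run from an elevated PowerShell prompt, and the `$RansomExtensions` value is a placeholder you replace with whatever extension the encrypted files on your share actually carry.

```powershell
# Added example: locate the SMB client that is writing encrypted files.
# Run on the file server that hosts the affected share, as an administrator.
param(
    # Placeholder: set this to the extension you see on the encrypted files.
    [string[]]$RansomExtensions = @('.EXT-PLACEHOLDER')
)

# Every file currently held open through an SMB share on this server.
$openFiles = Get-SmbOpenFile

# Handles per client/user: the encrypting host normally has far more open
# files than any legitimate user, so sort by count, most active first.
Write-Host "Open file handles per client (most active first):"
$openFiles |
    Group-Object ClientComputerName, ClientUserName |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name }

# Narrow it to clients holding files that already carry the ransom extension.
$suspect = $openFiles |
    Where-Object {
        $ext = [System.IO.Path]::GetExtension($_.Path)
        $RansomExtensions -contains $ext
    } |
    Select-Object ClientComputerName, ClientUserName, Path -Unique

if ($suspect) {
    Write-Host "`nClients with handles on files carrying a ransom extension:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host "`nNo open handles on files with the listed extensions right now."
}

# The writer may close each file quickly; the session list still shows
# which client is connected and how many opens it has had.
Write-Host "`nActive SMB sessions:"
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Sort-Object SecondsIdle |
    Format-Table -AutoSize
```

Once the client is identified, Maclean's advice applies to that host: disconnect it from the network rather than cleaning it in place.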


btan, Exec Consultant, commented:
Should never do a backup or recovery if the ransomware has yet to be cleaned. Wasting effort, as reinfection may recur and it will not be successful. Take it offline, remove admin rights from the user on the machine, and do a clean build instead. Inspect all the external portable drives and mapped network drives to assess the root source as well as contain the damage.

Also, per bleepingcomputer, CryptXXX has had three versions released as of 5/24/16. Of these released versions, Version 1 and Version 2 have been able to be decrypted for free using Kaspersky's RannohDecryptor. If you are infected with Version 3.0, then RannohDecryptor does not currently work on it.
http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information#decrypt
0
serialband commented:
If you still have data you wish to keep that hasn't been backed up, you're going to have to pull the disks offline, install them on another system as secondary disks, scan them, then copy the files to something that isn't your primary backup. You don't know what already got encrypted, so you should avoid wiping your backup.
0
Teddygtri (Author) commented:
No contributors discuss the beta from Malwarebytes on Ransomware.

Malwarebytes claims their solution prevents many ransomware attacks.

Running the beta now. Will report results in a few days.
0
btan, Exec Consultant, commented:
The anti-ransomware tool is more for the after-effect case: it is meant to be preventive and to alert when ransomware starts to conduct its act. Not sure how effective it is in discovering ransomware instead. Worth the try, but note that it does not decrypt your files.

There are other anti-ransomware tools, such as Bitdefender AntiRansomware, WinPatrol WinAntiRansom and SecureAPlus.
0
Teddygtri (Author) commented:
Thanks
0
Maclean, System Engineer, commented:
Glad to see I was able to assist. You could have a look at CryptoPrevent for prevention. I can't say how well it works or not, but I do recall them being one of the first to counter getting these types of infections. Perhaps Malwarebytes does better.

Viruses, however, can learn and adapt against detection patterns, hence the first line of defense is user training. If users know not to open up unexpected random bills/documents, then that saves one in most cases already. Some pointers can be found online, such as here.
0