Solved

Ransom.CRYPTXXX Activity 2

Posted on 2016-08-30
107 Views
Last Modified: 2016-09-07
Trying to run a Symantec SSR backup, but Norton Security catches a Ransom.CryptXXX Activity 2 ransomware attack and blocks the suspected data port; it does not clear the infection, so the backup attempt fails. The attack is repeatable if the same backup is executed again. How can we resolve this problem?

Question by:Teddygtri

9 Comments
 
LVL 93

Expert Comment

by:John Hurst
ID: 41777050
Go to the Symantec site and download (and run) Symantec's online scanner. There are others.

Follow this with a scan using Malwarebytes.

You do face the possibility of formatting and reinstalling Windows.
 
LVL 29

Expert Comment

by:ScottCha
ID: 41777070
Be sure to pull the machine off of your network if you haven't done so already.
 
LVL 10

Accepted Solution

by:Maclean
Maclean earned 250 total points
ID: 41777196
On the server which holds the encrypted share data, see which username shows under File Manager. It might even have active connections.
That will help you locate the source, which you then, as per ScottCha's comment, take off the network and just wipe. Don't remove the virus and put it back on. Format and rebuild. Don't take risks.
Once the system which has the infection is gone, it should stop triggering Symantec and allow you to complete the backup.
Unless you are trying to back up the infected machine. My recommendation is to cut your losses and just format it, unfortunately. If it is a server, try a file restore to an external USB drive once you have removed the virus using whichever AV (contacting the vendor for help is the best solution) and then wipe the server.

When all done, make sure you patch third-party products, Microsoft patches and virus definitions to the latest version, especially Java and Adobe Reader. Cryptoware exploits vulnerabilities in unpatched Java and Adobe apps.
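A worked version of the check Maclean describes, added here as an example rather than code from the thread: on the Windows file server that hosts the encrypted share, list which client and account currently have files open under the share, find who owns the freshly written encrypted files (the owner of a new file is the account the malware is running as), and then drop that client's SMB sessions from the server side before pulling the host off the network. It assumes Windows Server 2012 or later (the SmbShare module), a share rooted at D:\Shares\Data, a six-hour look-back window, the file extension .crypt and the identity CORP\jdoe; all of these are placeholders to replace with what you actually see.

```powershell
# Added example (not from the original thread). Run elevated on the file server holding the share.
# Assumptions (placeholders): share root, look-back window, encrypted-file extension and suspect identity.
$SharePath    = 'D:\Shares\Data'            # assumption: root of the affected share on this server
$Since        = (Get-Date).AddHours(-6)     # assumption: encryption started within the last 6 hours
$EncryptedExt = '.crypt'                    # assumption: adjust to the extension you see on the share

# 1. Which client computer / user has files open under the share right now?
#    Get-SmbOpenFile reports the server-side path, so filter on the share root.
Get-SmbOpenFile |
    Where-Object { $_.Path -like "$SharePath*" } |
    Group-Object ClientUserName, ClientComputerName |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Who owns the recently written encrypted files?
#    A file created over SMB is owned by the connecting account, which is the account
#    the ransomware runs as on the infected workstation.
Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since -and $_.Extension -ieq $EncryptedExt } |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Once the suspect is identified, close its SMB sessions from the server side so the
#    encryption stops touching the share while you physically isolate the workstation.
$SuspectUser = 'CORP\jdoe'                  # assumption: replace with the identity found above
Get-SmbSession |
    Where-Object { $_.ClientUserName -ieq $SuspectUser } |
    ForEach-Object { Close-SmbSession -SessionId $_.SessionId -Force }
```

Step 3 only buys time: the infected host reconnects as soon as the user's credentials are used again, so it is a stopgap until the machine is unplugged and, as the thread recommends, rebuilt.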
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 41777359
You should never do a backup or recovery if the ransomware has yet to be cleaned. It is wasted effort, as reinfection may recur and the backup will not be successful. Take it offline, remove admin rights from the user on the machine, and do a clean build instead. Inspect all external portable drives and mapped network drives to assess the root source as well as to contain the damage.

Also, as a reference from BleepingComputer, CryptXXX has had three versions released as of 5/24/16. Of these released versions, Version 1 and Version 2 have been able to be decrypted for free using Kaspersky's RannohDecryptor. If you are infected with Version 3.0, then RannohDecryptor does not currently work on it.
http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information#decrypt
 
LVL 28

Expert Comment

by:serialband
ID: 41777399
If you still have data you wish to keep that hasn't been backed up, you're going to have to pull the disks offline, install them in another system as a secondary disk, scan them, then copy the files to something that isn't your primary backup. You don't know what already got encrypted, so you should avoid wiping your backup.
 

Assisted Solution

by:Teddygtri
Teddygtri earned 0 total points
ID: 41784243
No contributors discuss the beta from Malwarebytes on ransomware.

Malwarebytes claims their solution prevents many ransomware attacks.

Running the beta now. Will report results in a few days.
 
LVL 62

Expert Comment

by:btan
ID: 41784503
The anti-ransomware tool is more for the after-effect cases: it aims to be preventive and to alert when ransomware starts to conduct its act. I am not sure how effective it is at discovering ransomware instead. Worth a try, but note that it does not decrypt your files.

There are other anti-ransomware tools such as Bitdefender AntiRansomware, WinPatrol WinAntiRansom and SecureAPlus.
 

Author Comment

by:Teddygtri
ID: 41784889
Thanks
 
LVL 10

Expert Comment

by:Maclean
ID: 41788602
Glad to see I was able to assist. You could have a look at CryptoPrevent for prevention. I can't say how well it works or not, but I do recall them being one of the first to counter getting these types of infections. Perhaps Malwarebytes does better.

Viruses, however, can learn and adapt against detection patterns, hence the first line of defense is user training. If users know not to open unexpected random bills/documents, then that saves one in most cases already. Some pointers can be found online, such as here.
