Ransom.CRYPTXXX Activity 2

Teddygtri
Teddygtri used Ask the Experts™
on
Trying to run Symantec SSR backup but Norton Security catches Ransom.CryptXXX Activity 2 ransomware attack and blocks suspected data port but does not clear the infection. So backup attempt fails. This attack is repeatable if same backup is executed again. How can we resolve this problem
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Go to the Symantec Site and download (and run) Symantec's online scanner. There are others.

Follow this with a scan use Malwarebytes.

You do face the possibility of formatting and reinstalling Windows
Scott CSenior Engineer

Commented:
Be sure to pull the machine off of your network if you haven't done so already.
System Engineer
Commented:
On the server which holds the encrypted share data, see which username shows under file manager. Might even have active connections.
If will help you locate the source which you then as per ScottCha's comment, take of the network and just wipe. Don't remove virus and put it back on. Format & rebuild. Don't take risks.
Once the system is gone which has the infection, it should stop triggering Symantec, and allow you to complete the backup.
Unless you are trying to backup the infected machine. My recommendation is to cut your losses and just format it unfortunately. If it is a server try file restore to an external USB once you removed the virus using whichever AV (Contact Vendor for help is the best solution) and then wipe server.

When all done make sure you patch 3rd party products, Microsoft Patches & Virus definitions to the latest version, especially Java & Adobe Reader. Cryptoware exploits vulnerabilities in unpatched Java & Adobe apps.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

btanExec Consultant
Distinguished Expert 2018
Commented:
Should never do a backup or recovery if the  Ransomware has yet to be clean. Wasting effort as reinfection may recur and will not be successful. Take it Offline remove admin right to the user in the machine, do a clean build instead. Inspect all the external portable drive and mapped network drive to assess the root source as well as contain the damage.

Also reference bleedingcomputer, CryptXXX has had three versions released as of 5/24/16. Of these released versions, Version 1 and Version 2 have been able to be decrypted for free using Kaspersky's RannohDecryptor. If you are infected with Version 3.0, then RannohDecryptor does not currently work on it.
http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information#decrypt
If you still have data you wish to keep that hasn't been backed up.  You're going to have to pull the disks offline, install it on another system as a secondary disk, scan it, then copy the files to something that isn't your primary backup.  You don't know what already got encrypted, so you should avoid wiping your backup.
No contributors discuss the beta from Malwarebytes on Ransomware.

Malwarebytes claims their solution prevents many ransomware attacks.

Running the beta now. Will report results in few days.
btanExec Consultant
Distinguished Expert 2018

Commented:
The anti ransomware is more of the after effect cases to be preventive and alert when Ransomware starts to conduct their act. Not sure how effective is it in discovering Ransomware instead. Worth the try but note that it does not decrypt your files.

There are other AntiRansomware tools such as from Bitdefender AntiRansomware Winpatrol WinAntiRansom and SecureAPlus.

Author

Commented:
Thanks
MacleanSystem Engineer

Commented:
Glad to see I was able to assist. You could have a look at CryptoPrevent for prevention, I can't say how well it works or not, but I do recall them being one of the 1st to counter getting these type of infections. Perhaps MalWare Bytes does better.

Viruses however can learn and adapt against detection patterns, hence first line of defense is user training. If users know not to open up unexpected random bills/documents then that saves one in most cases already. Some pointers can be found online such as here

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial