Solved

Ransom.CRYPTXXX Activity 2

Posted on 2016-08-30
9
137 Views
Last Modified: 2016-09-07
Trying to run Symantec SSR backup, but Norton Security catches a Ransom.CryptXXX Activity 2 ransomware attack and blocks the suspected data port but does not clear the infection, so the backup attempt fails. This attack is repeatable if the same backup is executed again. How can we resolve this problem?
0
Question by:Teddygtri
9 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 41777050
Go to the Symantec Site and download (and run) Symantec's online scanner. There are others.

Follow this with a scan using Malwarebytes.

You do face the possibility of formatting and reinstalling Windows.
0
 
LVL 31

Expert Comment

by:Scott C
ID: 41777070
Be sure to pull the machine off of your network if you haven't done so already.
1
 
LVL 11

Accepted Solution

by:Maclean
Maclean earned 250 total points
ID: 41777196
On the server which holds the encrypted share data, see which username shows under file manager. It might even have active connections.
It will help you locate the source, which you then, as per ScottCha's comment, take off the network and just wipe. Don't remove the virus and put it back on. Format & rebuild. Don't take risks.
Once the system which has the infection is gone, it should stop triggering Symantec and allow you to complete the backup.
Unless you are trying to back up the infected machine. My recommendation is to cut your losses and just format it, unfortunately. If it is a server, try a file restore to an external USB once you have removed the virus using whichever AV (contacting the vendor for help is the best solution) and then wipe the server.

When all done make sure you patch 3rd party products, Microsoft Patches & Virus definitions to the latest version, especially Java & Adobe Reader. Cryptoware exploits vulnerabilities in unpatched Java & Adobe apps.
0
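The first step above (finding which account and client are writing to the affected share) can be done from the file server's own SMB session data. This is an added example, not code from the thread or from any vendor; it assumes a Windows Server 2012 or later file server with the SmbShare module, an administrative PowerShell session, and the constructed values of $SharePath and $LookbackMinutes.

```powershell
# Added example (not from the thread). Run on the file server that hosts the
# share containing the encrypted files. Assumed values: adjust for your share.
$SharePath       = 'D:\Shares\Data'   # assumed local path of the affected share
$LookbackMinutes = 30                 # assumed window for "recently written"

# 1. Which user/client pairs currently hold SMB handles under the share?
#    A single account with many open files across the share is the usual
#    signature of an infected workstation encrypting over the network.
$openHandles = Get-SmbOpenFile | Where-Object { $_.Path -like "$SharePath*" }
$openHandles |
    Group-Object ClientUserName, ClientComputerName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Active SMB sessions: maps the account to the client machine so the
#    source can be located and taken off the network.
Get-SmbSession |
    Select-Object ClientUserName, ClientComputerName, NumOpens, SecondsIdle |
    Format-Table -AutoSize

# 3. Files written inside the lookback window, grouped by NTFS owner.
#    Newly created files take the writer's identity as owner, so the owner
#    with the most recent writes points at the account doing the encrypting
#    even after its session has closed.
$since = (Get-Date).AddMinutes(-$LookbackMinutes)
Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object {
        [pscustomobject]@{
            Owner   = (Get-Acl -Path $_.FullName).Owner
            Written = $_.LastWriteTime
            File    = $_.FullName
        }
    } |
    Group-Object Owner |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Once the account and client computer are identified, disable the account and isolate that machine before touching the backup, as the replies above recommend.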
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 41777359
Should never do a backup or recovery if the ransomware has yet to be cleaned. It is wasted effort, as reinfection may recur and it will not be successful. Take it offline, remove admin rights from the user on the machine, and do a clean build instead. Inspect all the external portable drives and mapped network drives to assess the root source as well as contain the damage.

Also, per bleepingcomputer, CryptXXX has had three versions released as of 5/24/16. Of these released versions, Version 1 and Version 2 have been able to be decrypted for free using Kaspersky's RannohDecryptor. If you are infected with Version 3.0, then RannohDecryptor does not currently work on it.
http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information#decrypt
0
 
LVL 29

Expert Comment

by:serialband
ID: 41777399
If you still have data you wish to keep that hasn't been backed up, you're going to have to pull the disks offline, install them on another system as a secondary disk, scan them, then copy the files to something that isn't your primary backup. You don't know what already got encrypted, so you should avoid wiping your backup.
0
 

Assisted Solution

by:Teddygtri
Teddygtri earned 0 total points
ID: 41784243
No contributors discuss the beta from Malwarebytes on Ransomware.

Malwarebytes claims their solution prevents many ransomware attacks.

Running the beta now. Will report results in a few days.
0
 
LVL 64

Expert Comment

by:btan
ID: 41784503
The anti-ransomware tool is more for the after-effect cases, to be preventive and alert when ransomware starts to conduct its act. Not sure how effective it is in discovering ransomware instead. Worth the try, but note that it does not decrypt your files.

There are other anti-ransomware tools, such as those from Bitdefender (AntiRansomware), WinPatrol (WinAntiRansom) and SecureAPlus.
0
 

Author Comment

by:Teddygtri
ID: 41784889
Thanks
0
 
LVL 11

Expert Comment

by:Maclean
ID: 41788602
Glad to see I was able to assist. You could have a look at CryptoPrevent for prevention. I can't say how well it works or not, but I do recall them being one of the first to counter getting these types of infections. Perhaps Malwarebytes does better.

Viruses, however, can learn and adapt against detection patterns, hence the first line of defense is user training. If users know not to open up unexpected random bills/documents, then that saves one in most cases already. Some pointers can be found online, such as here.
0