Solved

I think we have a virus

Posted on 2016-10-07
5
58 Views
Last Modified: 2016-10-07
Hi Experts,

many files on shares are changed to .odin
can you help me out ?
What is the best way to restore or clean all machines ?
0
Comment
Question by:Eprs_Admin
5 Comments
 
LVL 19

Accepted Solution

by:
helpfinder earned 251 total points
ID: 41833167
could be ransomware
the best was would be to unplug all affected machines  from network as soon as possible, reinstall all affected machines and restore all necessary documents from offline backup.
But this works only if you have backups :)

if you want to remove ransomware manually (not 100% sure you will get a rid of it) check this guide
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 83 total points
ID: 41833168
First of all, stop the Server service on file servers. If you cannot detect at a glance which department or area of PCs could be responsilble, shut them off all. Then you need to detect which PCs are infected, but that can get difficult. I'm certain other Experts can give you good advice on that.
1
 
LVL 18

Assisted Solution

by:hopeleonie
hopeleonie earned 83 total points
ID: 41833170
Hi

You are infected with the Locky Ransomware. Disconnect all infected Clients that are locally encrypted and reinstall or reimage them as already recommended. Do you have a valid backup to restore?
1
 
LVL 11

Assisted Solution

by:andreas
andreas earned 83 total points
ID: 41833235
Its a version of the locky ransomware.
Shut down all systems with access to the affected server shares, as any of them could be the source which is running the exncryption malware.

then offline scan all PCs with an anti virus rescue cd/dvd or USB-Pen for the ransomware. Do not scan online on the systems, the malware will continue to encrypt files on network if still accessible and locally on your harddrive.

Also scan the server offline itself too to ensure the malware is not running on the server itself.

To narrow down which client has the malware you can check owner information on encrypted files on the server shares. So you can see under which user account the malware was/is running. Check different files in different directories, maybe several users are involved.

Then track down from which clients the users are working recently.
0
 

Author Comment

by:Eprs_Admin
ID: 41833460
ok thanks so far.
We found the infected machine.
many shares are encrypted but I could use my storage snapshot to recreate all files.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now