Solved

I think we have a virus

Posted on 2016-10-07
5
92 Views
Last Modified: 2016-10-07
Hi Experts,

many files on shares are changed to .odin
can you help me out ?
What is the best way to restore or clean all machines ?
0
Question by:Eprs_Admin
5 Comments
 
LVL 19

Accepted Solution

by:helpfinder
helpfinder earned 251 total points
ID: 41833167
Could be ransomware.
The best way would be to unplug all affected machines from the network as soon as possible, reinstall all affected machines and restore all necessary documents from offline backup.
But this works only if you have backups :)

If you want to remove the ransomware manually (not 100% sure you will get rid of it), check this guide
0
 
LVL 69

Assisted Solution

by:Qlemo
Qlemo earned 83 total points
ID: 41833168
First of all, stop the Server service on file servers. If you cannot detect at a glance which department or area of PCs could be responsible, shut them all off. Then you need to detect which PCs are infected, but that can get difficult. I'm certain other Experts can give you good advice on that.
1
 
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 83 total points
ID: 41833170
Hi

You are infected with the Locky Ransomware. Disconnect all infected Clients that are locally encrypted and reinstall or reimage them as already recommended. Do you have a valid backup to restore?
1
 
LVL 11

Assisted Solution

by:andreas
andreas earned 83 total points
ID: 41833235
It's a version of the Locky ransomware.
Shut down all systems with access to the affected server shares, as any of them could be the source that is running the encryption malware.

Then offline scan all PCs with an antivirus rescue CD/DVD or USB pen for the ransomware. Do not scan online on the systems; the malware will continue to encrypt files on the network if still accessible, and locally on your hard drive.

Also scan the server itself offline to ensure the malware is not running on the server.

To narrow down which client has the malware you can check the owner information on encrypted files on the server shares. That way you can see under which user account the malware was/is running. Check different files in different directories, as several users may be involved.

Then track down from which clients those users have been working recently.
0
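One way to do the owner check andreas describes, as an added PowerShell example that is not from the thread: it lists the renamed .odin files on a share, groups them by NTFS owner, and then matches those accounts against currently open SMB sessions to see which client machines they come from. The share path is a placeholder, and Get-SmbOpenFile requires Windows Server 2012 or later, run on the file server itself.

```powershell
# Added example (not from the thread): summarise who owns the renamed .odin
# files on a share so the account the encryption ran under stands out.
# Assumptions: the share path is a placeholder; run from an elevated
# PowerShell session on the file server. Everything here is read-only.
param(
    [string]$SharePath = '\\FILESERVER\Share',   # placeholder, adjust
    [string]$Extension = '.odin'                 # extension seen in the thread
)

# Enumerate the renamed files; errors (access denied, long paths) are skipped.
$encrypted = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $Extension }

if (-not $encrypted) {
    Write-Host "No $Extension files found under $SharePath"
    return
}

# Resolve the NTFS owner of each file; Get-Acl reads the security descriptor only.
$withOwner = foreach ($f in $encrypted) {
    $acl   = Get-Acl -LiteralPath $f.FullName -ErrorAction SilentlyContinue
    $owner = if ($acl) { $acl.Owner } else { 'UNKNOWN' }
    [pscustomobject]@{
        Owner         = $owner
        Path          = $f.FullName
        LastWriteTime = $f.LastWriteTime
        Directory     = $f.DirectoryName
    }
}

# One row per owner: file count, directories touched, first and last write time.
$summary = $withOwner | Group-Object Owner | ForEach-Object {
    $times = @($_.Group.LastWriteTime | Sort-Object)
    [pscustomobject]@{
        Owner       = $_.Name
        Files       = $_.Count
        Directories = @($_.Group.Directory | Sort-Object -Unique).Count
        FirstWrite  = $times[0]
        LastWrite   = $times[-1]
    }
} | Sort-Object Files -Descending

$summary | Format-Table -AutoSize

# Open SMB sessions show which client computer each suspect account connects from.
# Owner and ClientUserName are both DOMAIN\user on a domain-joined server.
$owners = @($summary.Owner)
Get-SmbOpenFile -ErrorAction SilentlyContinue |
    Where-Object { $owners -contains $_.ClientUserName } |
    Select-Object ClientComputerName, ClientUserName, Path |
    Sort-Object ClientComputerName -Unique |
    Format-Table -AutoSize
```

Owners of files written most recently, and any client still holding files open on the share, are the machines to isolate and scan first.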
 

Author Comment

by:Eprs_Admin
ID: 41833460
OK, thanks so far.
We found the infected machine.
Many shares are encrypted, but I could use my storage snapshot to recreate all files.
0
