This is the nth time ransomware has gotten through our security. This was reported just a few minutes ago, and it has already managed to infect our shared drives. Working on this with our senior engineers. Wish us luck.
That sucks! I hope you find out how it got on the machine and can lock it down. Ransomware is terrifying.
We’re looking into the possibility that this came in via a suspicious email with an infected attachment. Or probably a phishing website. Still working on it at this time.
Keep us updated, really surprised how much you have gotten infected.
Will do. This specific computer uses McAfee VirusScan Enterprise. ESET is now being deployed to the said computer, as its latest definitions file update already recognizes this specific ransomware strain.
Cryptowall is my current living nightmare. My users need local admin rights due to a business critical software design. (I kid you not. If they’re on the Local Admin Group list, the software crashes. It’s awful.) So they can easily unleash a wall. I’m working on tying up any loose ACLs and tuning our email appliance to filter out exe’s. Good luck mate! Hope your boss buys you some coffee!
Ugh. Sorry to hear about that.
In the future you might want to look at our company’s instant recovery software called RollBack Rx. It takes snapshots on a schedule you set that are stored and encrypted at the sector level of the hard drive, so if something gets through (like this ransomware) you could load into an older snapshot in a few seconds and be done with it. Just a thought.
Good luck. I hope everything gets back online well and done soon.
Get everything attached to it off of the network before it spreads more. Nuke the system and all infected files. Rebuild the system and restore the files from backups. Try and limit the damage. Recheck your AV to make sure it can detect this, or use something like Malwarebytes to help prevent it again.
Thanks man. I’m definitely going to need that. Haha!
Thanks for the suggestion Sam. Yeah I use RollBack RX on a friend’s internet café computers. Keeps those pesky browser add-ons and unwanted installations off the computer. One reboot is all I need. Haha!
Anyway, looks like our shared drive got hit too. Good thing we have backups ready. We just need to clean out this mess and restore everything from backup. Although, sad to say, this will not be the case for the local files saved on our users’ computers, since we only have the backups set up on the server.
Done. SMB ports to the site have been blocked. We’ve isolated the issue to one site only (since we support multiple sites). ESET has already detected the ransomware strain. Using it in combination with SysInternals to perform a full cleanup.
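The posts above describe the two moves that limited the damage: pulling the infected host off the share before it touched more files, and cutting SMB to the site. An added example, not code from the thread or any product mentioned in it: a small Python detector that reads file-server audit lines (a constructed, simplified format, not a real product's log) and flags any host that writes or renames an unusually large number of files on a share within a short window, which is the signal a defender wants before blocking that host.

```python
"""Flag hosts mass-modifying files on a share (added example; constructed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit line format: "<ISO timestamp> <host> <op> <path>"
# (hypothetical; real file-server audit logs differ and must be parsed accordingly).
def parse_line(line):
    ts, host, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, op, path

def flag_hosts(lines, window=timedelta(seconds=60), threshold=20):
    """Return {host: peak number of modifying ops within any `window`} for hosts
    whose peak reaches `threshold`. Ordinary users save a handful of files a
    minute; a ransomware process rewrites hundreds."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, op, _path = parse_line(line)
        if op in ("WRITE", "RENAME", "DELETE"):
            events[host].append(ts)
    flagged = {}
    for host, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged

def constructed_log():
    """Constructed sample: one normal user and one host rewriting an HR folder."""
    base = datetime(2015, 3, 10, 9, 0, 0)
    lines = []
    for i in range(5):                          # normal: 5 saves over 10 minutes
        t = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{t} WS-12 WRITE \\\\fs01\\shared\\finance\\report{i}.xlsx")
    for i in range(25):                         # suspect: 50 ops in 25 seconds
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} WS-07 RENAME \\\\fs01\\shared\\hr\\doc{i}.docx")
        lines.append(f"{t} WS-07 WRITE \\\\fs01\\shared\\hr\\doc{i}.docx")
    return lines

if __name__ == "__main__":
    for host, peak in flag_hosts(constructed_log()).items():
        print(f"isolate {host}: {peak} modifying ops within 60s")
```

Tune `window` and `threshold` against a baseline of your own share's normal activity; the output host name is what you would feed to a switch-port shutdown or firewall block, as the poster did for SMB.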
You could try a memory scraper, but depending on the Crypto version, it never mounted the key so it won’t be in RAM. Plus scrapers are pricey. It sucks the user lost their data, but now maybe they won’t click random emails from Persia! lol
Bud-G
(Bud G.)
Take a look through the Security forums here and you’ll see plenty of things to lock yourself down further to prevent this from happening. You might even talk to management about some training for the users, since they are usually the ones causing the problems. There’s a guy here, @stu-knowbe4, who knows something about training.
scarey1s
(RSIRandy)
Wow… that’s the closest looking one to CryptoLocker that I’ve seen.
I hate these…they’re a nightmare and just a plain PITA. I feel for ya.
legoman
(LegoMan)
“ransomware has gotten through our security”
…so no Internet filter then?
…no deny any any outbound firewall rules?
Gil. Did some digging for you and anyone else who is interested.
http://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated
^ GPOs created by the community that help lock down how these buggers fire off.
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
^ Intel on how the slimy bags run around.
@Lego. I’m assuming you mean at the host level?
Yeah. Sometimes people need to learn the hard way to make sure they don’t do it again.