Thread: Anyone ran into this before?

    #1 rush2049

    Anyone ran into this before?

    Ok, so I got a call early this morning about one of our clients thinking they have a virus.

    So I open my computer before taking my shower and take a quick look.....

    and I find that they are infected with CryptoWall 3.0. Just great.

    Now I am at their place of business and I have to clean up their PC and investigate everyone else for being infected as well.

    The worst part: they had mapped network drives, and a couple of terabytes of files are gone on the file servers.....




    What a horrible day.

    #2 Phyrelight

    Re: Anyone ran into this before?

    Yup, it's encrypting ransomware. Down the shared server immediately. Clean/remove the malware from the machine, preferably via a reimage, to make sure it's gone. Restore the missing data from backups or shadow copies. The data isn't missing, it's been encrypted, and unless you pay the ransomware demand it won't decrypt. It's a nasty one.
    Last edited by Phyrelight; 10-23-15 at 11:20 AM.

    #3 Phyrelight

    Re: Anyone ran into this before?

    Oh, DO NOT pay the ransom....that should be obvious. The only way to be completely sure you are free of its hold is a complete reimage of every machine infected and a complete restore of the file share to a preinfected state.

    I don't trust 3rd party "cleaning tools" even if they claim they can decrypt CryptoWall 3.0 infections.

    Sucks to be you today......
    Last edited by Phyrelight; 10-23-15 at 11:23 AM.

    #4 DJ Ms. White

    Re: Anyone ran into this before?

    Man, that's bad luck.

    #5 rush2049

    Re: Anyone ran into this before?

    Oh I know exactly how this thing works......


    Well, for the local machine I basically told the user, too bad, you lost all your files stored locally. (about 18,000 some files).

    For the network file shares we have backups (thank the heavens) but they lose two days of work for every employee in the company...... and they can't work till the restore is completed, which is going to take a day or more.


    Luckily Trend Micro and Malwarebytes got rid of the infection. Now I just have to clean up all the encrypted files and get rid of the ransom files all over.

    I also found the email that got the user infected. It had an attached Word document. And when opened, if you enabled macros, you were screwed.
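    The infection vector described in the post above (a macro-bearing Word attachment that only fires once the user enables macros) is the kind of thing a mail gateway or helpdesk triage script can flag before it reaches a desktop. The following is an added example, not code from anyone in this thread: it inspects an attachment's bytes, recognises the OOXML container (.docm and friends are ZIP archives with a `word/vbaProject.bin` part) and the legacy OLE container, and applies a hold/allow policy. The sample archive it builds, the `_VBA_PROJECT` stream-name heuristic for legacy files, and the policy thresholds are this example's own assumptions.

```python
import io
import zipfile

# Container magic numbers (public file-format facts, not sample-specific IoCs).
OOXML_MAGIC = b"PK\x03\x04"                        # ZIP: .docx/.docm/.xlsm/...
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # OLE2: legacy .doc/.xls
# Legacy VBA projects carry an "_VBA_PROJECT" stream; OLE directory entry
# names are stored as UTF-16LE, so this byte scan is a cheap (heuristic) tell.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def build_sample_docm(with_macros: bool) -> bytes:
    """Constructed stand-in for a Word attachment; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Presence of this part is what makes a file macro-enabled.
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by container and macro presence.

    Returns one of: 'ooxml-macro', 'ooxml-clean', 'ole-macro',
    'ole-legacy' (binary Office file, no macro marker found) or 'other'.
    """
    if data.startswith(OOXML_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "other"
        # Match on the part name, not the extension the sender chose.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    if data.startswith(OLE_MAGIC):
        return "ole-macro" if OLE_VBA_MARKER in data else "ole-legacy"
    return "other"


def should_hold(filename: str, data: bytes) -> bool:
    """Quarantine policy (assumed for this example): hold anything carrying a
    VBA project, and hold legacy binary Office files outright because their
    macro content cannot be verified with a cheap check."""
    verdict = classify_attachment(data)
    if verdict in ("ooxml-macro", "ole-macro", "ole-legacy"):
        return True
    # A macro-free OOXML file sent under a macro-enabled extension is still
    # odd enough to hold for a human look.
    if verdict == "ooxml-clean" and filename.lower().endswith((".docm", ".xlsm", ".pptm")):
        return True
    return False


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample_docm(True)),
                       ("invoice.docx", build_sample_docm(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 32 + OLE_VBA_MARKER)]:
        print(name, classify_attachment(blob), "HOLD" if should_hold(name, blob) else "allow")
```

    The check deliberately keys on the container contents rather than the filename, since the extension is under the sender's control; a real gateway would add a proper OLE parser for the legacy path instead of the byte scan used here.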

    #6 Phyrelight

    Re: Anyone ran into this before?

    Quote Originally Posted by DJ Mr. White:
    Man, that's job security.

    #7 Phyrelight

    Re: Anyone ran into this before?

    Quote Originally Posted by rush2049:
    Oh I know exactly how this thing works......

    Well, for the local machine I basically told the user, too bad, you lost all your files stored locally. (about 18,000 some files).

    For the network file shares we have backups (thank the heavens) but they lose two days of work for every employee in the company...... and they can't work till the restore is completed, which is going to take a day or more.

    Luckily Trend Micro and Malwarebytes got rid of the infection. Now I just have to clean up all the encrypted files and get rid of the ransom files all over.

    I also found the email that got the user infected. It had an attached Word document. And when opened, if you enabled macros, you were screwed.

    Sounds about right. Luckily, when we had to deal with it, our users didn't have documents stored locally. We remap everything but desktop to the server. We were only down for as long as we were because we scanned the entire network before bringing the network shares back online, just to make sure it hadn't moved horizontally to another system.

    We have imaging technology in place (thick image MDT 2013 sticks that I made) so all desk-side machines were re-imaged and back online in less than 4 hours.

    As a side note, since then we have 100% encryption of all devices. It's mandated from on high. Great side effect of being encrypted...these SOBs can't encrypt what's already encrypted. At least, not yet.
    Last edited by Phyrelight; 10-23-15 at 01:31 PM.

    #8 DJ Ms. White

    Re: Anyone ran into this before?

    Quote Originally Posted by rush2049:
    Oh I know exactly how this thing works......

    Well, for the local machine I basically told the user, too bad, you lost all your files stored locally. (about 18,000 some files).

    For the network file shares we have backups (thank the heavens) but they lose two days of work for every employee in the company...... and they can't work till the restore is completed, which is going to take a day or more.

    Luckily Trend Micro and Malwarebytes got rid of the infection. Now I just have to clean up all the encrypted files and get rid of the ransom files all over.

    I also found the email that got the user infected. It had an attached Word document. And when opened, if you enabled macros, you were screwed.

    I'm chuckling a bit more than usual since I've been replaying Vampire: The Masquerade -- Bloodlines, and last night I had my first meeting with Mitnick.

    #9 DancingCorpse

    Re: Anyone ran into this before?

    According to the FBI, you should have just paid the ransom.

    The FBI Thinks Ransomware Victims Should 'Just Pay Up'


    #10 Phyrelight

    Re: Anyone ran into this before?

    Quote Originally Posted by DancingCorpse:
    According to the FBI, you should have just paid the ransom.

    The FBI Thinks Ransomware Victims Should 'Just Pay Up'

    That's ironic considering the special agent from the FBI who just did a security review at my University for IT staff last month strictly said don't pay.

    That article is more of a "yes, let us know, but please be aware that the FBI can't get your files back"....... So if you contact them, just know that if you don't have backups you will end up having to pay the ransom if you need the files.
    Last edited by Phyrelight; 10-27-15 at 09:54 AM.
