Files renamed to .vault

paristotle

I have something strange going on with a Windows 7 Pro machine.
THE COMPUTER: The computer is configured as a local file share. It also has a modified owncloud implementation that replicates the share for some offsite users.
THE PROBLEM: Today I got a call that progressively more and more .docx files are being renamed to .vault. Strange. When I change the file name back to .doc or .docx, the file seems to be corrupt and unreadable. It's not happening to .pdf or .msg files, only to MS Word file types.
IDEAS: Today I added another owncloud user and configured the main user to share the files with them. I assumed it was locking the files one by one to change attributes and then restoring them, but it looks like the files are remaining as .vault. I also suspect owncloud because only the files in the owncloud shared directory are affected, but I could be wrong.
There is no evidence of a virus, and I do have a backup I can go to, but I would like to find the problem. I just looked in and it's still marking all the files as .vault.
 
Turn the machine OFF NOW!!!

You are likely infected with the Cryptowall/Cryptolocker virus, and if it completes the encryption and subsequent sending of the encryption key, your client's data is GONE.. unless you want to pay the ransom, in which case you have a 50/50 chance of it actually working.
 
I actually do have a backup that's not currently connected to the system, so I can restore from there, but I don't see signs of infection. How can I confirm? I'm running Malwarebytes now, but there must be another way.
 
As far as I can tell, the only legitimate program that makes and uses .vault files is McAfee File Lock (Link). If not that, then the type of behavior that you describe would be exactly that of the ZEUS trojan and the branded Cryptowall/Cryptolocker virus. It traditionally affects all kinds of personal data such as documents of different types, images, video, QuickBooks, etc. It is a worm, so it can traverse network shares and will also encrypt external USB drives... pretty much anything that is mounted to the system.

Can't tell you how to remove it besides to say, run the gamut of different virus tools, check Autoruns for any AppData weirdness and perhaps even run Process Explorer and see what program is using the disk time to do the .vault renaming.

I can't see another way to explain this situation :eek: You may be victim of a 0-Day or new variant.
 
Yep, no worries. Let us know if you find anything.. interested to know if there is something new in the wild!
 
They got a zip attachment today which contained a JavaScript file. I'm quite sure that was it. The problem is not just cleaning and restoring the server: if it's a worm, then all the workstations have to be cleaned. It's a big day of them doing nothing tomorrow.
 
Worm may be the incorrect term. In the past the virus was "aware" of network resources and would proceed to encrypt them. I'm not sure it actually exploits shellcode or executes itself on the other machines like a worm would do... pretty wormy nonetheless! ;)
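The lure described above (a zip attachment carrying a .js file) works because double-clicking a script on Windows hands it to the Windows Script Host. The block below is an added example, not something posted in the thread: it remaps the script ProgIDs on a workstation so that a double-clicked .js/.jse/.vbs/.vbe/.wsf/.wsh file opens in Notepad, keeps a backup of the old handlers, and turns off extension hiding so "invoice.pdf.js" is shown with its real extension. It assumes it is run elevated and that the backup path under ProgData is acceptable; both are my choices, not the forum's.

```powershell
# Added example (not from the thread): on each workstation, make a script
# attachment open in Notepad instead of the Windows Script Host, so the
# "zip with a .js inside" lure shows source code rather than running it.
# Assumptions: run elevated; the backup file path is arbitrary.
# Handlers are keyed by the ProgID each extension maps to (HKCR\.js -> JSFile).

$ScriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
$Backup = @{}

foreach ($progId in $ScriptProgIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (-not (Test-Path $key)) { continue }
    $old = (Get-ItemProperty -Path $key).'(default)'
    $Backup[$progId] = $old
    Set-ItemProperty -Path $key -Name '(default)' -Value 'notepad.exe "%1"'
    "{0,-8} was: {1}" -f $progId, $old
}

# Keep the old commands so the change can be undone on a machine that really
# needs WSH for double-clicked scripts (logon scripts run by path are unaffected).
$Backup | Export-Clixml -Path "$env:ProgramData\wsh-handlers-backup.xml"

# Show real extensions in Explorer, so "invoice.pdf.js" is not displayed as "invoice.pdf".
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name HideFileExt -Value 0

# Verify: the command each ProgID now resolves to.
foreach ($progId in $ScriptProgIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (Test-Path $key) {
        "{0,-8} now: {1}" -f $progId, (Get-ItemProperty -Path $key).'(default)'
    }
}
```

This only changes what a double-click does; `cscript.exe foo.js` and `wscript.exe foo.js` still run scripts, which is what scheduled tasks and logon scripts use, so it blocks the user-clicked dropper without breaking administration. Writing through `HKEY_CLASSES_ROOT` lands in `HKLM\Software\Classes`; a per-user override in `HKCU\Software\Classes` would take precedence if one exists, so check there too on a machine that still launches scripts.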
 
Aaron's spot on. That is a typical behavior when a machine is hit with a Crypto malware. Did you try running an updated Kaspersky Rescue Disk scan? At any rate I'd not bother with trying to clean unless they have irreplaceable apps.
 
They have been using this as a file share, and they were also using it to run a shared Windows app for Mac users, so it's a pretty important machine right now. I think I will restore the usable data to another computer and share from there for the moment. But if the virus was triggered from one of the client computers, the same process will repeat. I need to figure out what the attack vector was and whether the original virus is still looking to infect open shares.
 
I've been using the standalone SpySweeper from MS on their ERD disk for the last couple of years. It's usually pretty good at catching the autoruns and gives other tools the chance to remove the actual malware. Typically it detects a virus quite quickly, but this time it's been going for a couple of hours without finding a thing.
 
Unplug each and every device from network.
read again......Unplug each and every device from network.

Don't forget the wireless ones.
Disconnect all external drives or NAS
Make a clone of each device.
Recover what data you have left.
N&P everything, restore CLEAN backups if you have them.
Might want to check the router/modem while you're at it.
Check and see if you have any Volume Shadow Copies of the encrypted files.
Sell them an offsite backup solution with versioning.

Probably won't help, but have a look.
https://www.technibble.com/panda-ransomware-decrypt-tool-restore-encrypted-files/

Man, I hope not, but you could be in for a "doozy".

Keep us posted.
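The "check for Volume Shadow Copies" step above is worth doing before anything else is written to the volume, because the snapshot is the only pre-encryption copy of a file that may still be on the machine. The following is an added example, not code from the thread: it lists the snapshots `vssadmin` still knows about for the share volume, mounts the newest one read-only through a directory junction, checks that the snapshot copy of one document still starts with the ZIP signature a .docx must have, and copies it to a separate recovery folder. The share volume `D:\`, the file path and the mount point are placeholders I chose; run it elevated on the isolated server.

```powershell
# Added example (not from the thread): look for Volume Shadow Copies of the
# share volume and pull a pre-encryption copy of one file out of a snapshot.
# Assumptions (placeholders): the share lives on D:\, the damaged file is
# D:\Share\Contracts\example.docx.vault and its original name was example.docx.

$ShareVolume  = 'D:\'
$RelativePath = 'Share\Contracts\example.docx'   # original name, without .vault

# 1. Snapshots that still exist. Many crypto families run
#    "vssadmin delete shadows /all" first, so an empty list is itself a finding.
$raw = vssadmin list shadows /for=$ShareVolume
$snapshots = @()
$current = $null
foreach ($line in $raw) {
    if ($line -match 'creation time:\s*(.+)$') { $current = @{ Created = $Matches[1].Trim() } }
    if ($line -match 'Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)') {
        $current.Device = $Matches[1]
        $snapshots += New-Object PSObject -Property $current
    }
}
if (-not $snapshots) {
    Write-Warning "No shadow copies on $ShareVolume - restore from the offline backup."
    return
}
$snapshots | Sort-Object { [datetime]$_.Created } | Format-Table -AutoSize

# 2. Expose the newest snapshot as a directory. The trailing backslash on the
#    device path is required by mklink.
$newest = $snapshots | Sort-Object { [datetime]$_.Created } | Select-Object -Last 1
$mount  = 'C:\shadow_ro'
cmd /c mklink /d $mount "$($newest.Device)\" | Out-Null

# 3. Confirm the snapshot copy is still a real .docx (a ZIP container, so it
#    starts with "PK" = 0x50 0x4B) and copy it out. Never copy back onto the
#    share while the encrypting workstation could still reach it.
$snapFile = Join-Path $mount $RelativePath
if (Test-Path $snapFile) {
    $head = [System.IO.File]::ReadAllBytes($snapFile)[0..1]
    $isDocx = ($head[0] -eq 0x50 -and $head[1] -eq 0x4B)
    "Snapshot from $($newest.Created): looks like a valid docx = $isDocx"
    New-Item -ItemType Directory -Force -Path 'C:\recovered' | Out-Null
    Copy-Item $snapFile 'C:\recovered\'
} else {
    Write-Warning "File not present in the snapshot taken $($newest.Created)"
}

# 4. Remove the junction when done; the snapshot itself is untouched.
cmd /c rmdir $mount | Out-Null
```

If the list is empty or every snapshot postdates the first .vault file, the machine holds nothing useful and the offline backup is the only source. The "PK" check is a cheap sanity test that the snapshot predates the encryption for that file; a snapshot taken mid-run will contain a mix of intact and encrypted files, which is why the creation time is printed next to the result.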
 
It's a newish variant (not that I have personally seen many). I found the computer that got infected. One local drive had been encrypted, with a nice little note for me to get the Tor Browser and visit their .onion site. Now I am just trying to figure out whether the virus was encrypting the server files via a network drive. Standalone SpySweeper finds nothing on the actual server.
 

Not sure you will find anything on the server. Some of those Cryptos just keep the encryption process running on the original machine and encrypt anything they can see via SMB shares. In my book any M$ anti-malware product is at the bottom of the list in terms of performance. I'd start with KRD and go from there.
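Both this reply and the earlier one suggesting Autoruns and Process Explorer point at the same question: what is actually doing the renaming? When the encryption runs on a workstation and reaches the server over SMB, Process Explorer on the server only shows the kernel SMB server (System) writing files, and no autorun entry exists there, so the evidence is in who the files were written as. The block below is an added example, not code from the thread: run on the server (isolated, or immediately after isolating it), it lists the .vault files by owner, shows the SMB sessions and open files so the owning account can be tied to a workstation name, and checks whether a .vault file is genuinely encrypted rather than just renamed. The share root `D:\Share` and the 7.5 bits/byte entropy threshold are my assumptions; `net session` and `openfiles` are used because `Get-SmbSession` does not exist on Windows 7.

```powershell
# Added example (not from the thread): on the file server, work out which
# account and workstation is writing the .vault files, and confirm the files
# are really encrypted rather than merely renamed.
# Assumptions (placeholders): share root is D:\Share; run elevated.

$ShareRoot = 'D:\Share'

# 1. Newest .vault files with their owner. When malware encrypts over SMB the
#    new file on the server is created as the remote user, so the owner is
#    usually the compromised account, even though nothing malicious runs here.
$vault = @(Get-ChildItem -Path $ShareRoot -Recurse -Filter '*.vault' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending)
if ($vault.Count -eq 0) { Write-Warning "No .vault files under $ShareRoot"; return }
$first = ($vault | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
"{0} .vault files; first written {1}, latest {2}" -f $vault.Count, $first, $vault[0].LastWriteTime
$vault | Group-Object { (Get-Acl $_.FullName).Owner } |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 2. Which workstation holds that account's SMB session, and which files it
#    has open right now. Both commands exist on Windows 7.
net session
openfiles /query /fo csv | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
    Where-Object { $_.'Open File (Path\executable)' -match '\.(vault|docx?)$' } |
    Select-Object 'Accessed By', 'Open File (Path\executable)' | Format-Table -AutoSize

# 3. Encrypted, or only renamed? A .docx is a ZIP and starts with "PK";
#    ciphertext has no such header and its byte distribution is near-uniform.
function Test-LooksEncrypted {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        return $false      # still a ZIP container: renamed, not encrypted
    }
    # Shannon entropy of the first 64 KiB. Near 8 bits/byte means ciphertext
    # or already-compressed data, so treat it as a strong hint, not proof.
    $sample  = $bytes[0..([Math]::Min($bytes.Length, 65536) - 1)]
    $hist    = New-Object int[] 256
    foreach ($b in $sample) { $hist[$b]++ }
    $entropy = 0.0
    foreach ($c in $hist) {
        if ($c -gt 0) { $p = $c / $sample.Length; $entropy -= $p * [Math]::Log($p, 2) }
    }
    Write-Host ("{0}: {1:N2} bits/byte" -f $Path, $entropy)
    return ($entropy -gt 7.5)   # threshold is an assumption, tune to taste
}
$vault | Select-Object -First 3 | ForEach-Object { Test-LooksEncrypted $_.FullName }
```

The owner grouping is the fastest way to name the account, and `net session` then names the machine that account is connected from; that is the workstation to pull off the network and image. If the owner column shows the Administrators group rather than a user, the writing account was a local admin, which is worth knowing for the cleanup. The entropy test is there because a renamed-but-intact document would still open after renaming it back, which the original post already tried; a high-entropy file with no "PK" header confirms the content itself was replaced.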
 
I used to be a Kaspersky reseller at one point, but I let it lapse. Maybe I'll look at it again. I found the workstation that had been encrypting the files. It has been wiped and reset. So far so good. Thanks to everyone for their helpful comments. By the way, can anybody suggest a good Amazon S3 client that they like? I would like to do some offsite backup for this client.
 
I like Jungle Disk. Use it for quite a few small businesses. A reseller account is pretty easy to get going and you get 10GB free with each licence per month.
Plus I can specify an EU server for S3 which means it is ok for compliance with the Data Protection laws.
Encryption is optional with JD but I always enable it.
 
shared Windows app for Mac users

Why not host on a Mac?

When Minis were good, we put them everywhere. No viruses, no tomfoolery, just simple AFP and SMB sharing.

That's all gone to pot with Yosemite, but still, our mac mini networks are running strong.
 
I don't know that Mac OS would help you here though, if another computer on the network is doing the encrypting?
 