I cannot believe this happened .. Cryptolocker ... please help.

thecomputerguy

I got a call from a business client whose setup I am in the process of fixing. They had a home-built server that completely crashed; I replaced it with an excellent Dell server. Their internet was 5 down/1 up, and I got them signed up for 35 down/5 up at no price increase. The next step was to replace their junk $300 AMD home workstations, which had little or no AV on them, and all of their pirated Office installs with O365. Their previous tech was the definition of pizza.

I got a call today from them: they were having an issue opening files. I log in to the workstation and see HELP_DECRYPT HELP_DECRYPT HELP_DECRYPT HELP_DECRYPT on the mapped drives.

In almost all of the folders on the server.

This is an office with 15 workstations, I don't know which computer caused it. None of the computers are showing a DECRYPT pop-up on start-up. Thankfully I do have multiple backups running on the server keeping different versions of files, but if I can't pinpoint where it's coming from then I'm still screwed.

Restoring all of their files from a previous version is going to be an absolute nightmare, especially if I can't find the culprit and it just goes and re-encrypts everything again.

What the hell do I do?
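The OP's problem is finding which of 15 workstations is writing HELP_DECRYPT notes onto the server shares. One defender-side check (added example, not code from anyone in this thread) is to list the ransom-note files on the share, read their NTFS owner and creation time, and cross-reference the earliest-writing account against current SMB sessions. Files written over SMB are owned by the account that wrote them, so the owner of the notes normally points at the infected user and, through the session list, at their workstation. The share path, the note-name pattern (HELP_DECRYPT* is the name the OP saw) and a Windows Server 2012 or later file server (for Get-SmbSession) are assumptions.

```powershell
# Added example: identify the source of ransom notes dropped on a file server.
# Assumptions: $SharePaths are placeholder share roots; $NotePattern matches the
# note name the OP reported; Get-SmbSession needs Server 2012+ and must run while
# the suspect workstation is still connected (run this before pulling the plug).
param(
    [string[]]$SharePaths = @('D:\Shares\Data'),   # assumed share roots; adjust
    [string]$NotePattern  = 'HELP_DECRYPT*',       # note filename seen on the shares
    [string]$ReportPath   = "$env:TEMP\ransom-notes.csv"
)

# Collect every note file with its NTFS owner and creation time.
$notes = foreach ($root in $SharePaths) {
    Get-ChildItem -Path $root -Filter $NotePattern -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                Created = $_.CreationTime
            }
        }
}

# Keep the raw evidence before anything is cleaned or restored.
$notes | Export-Csv -NoTypeInformation -Path $ReportPath

# One line per owning account: how many notes, first and last write time.
# The account with the earliest FirstNote is the most likely origin.
$summary = $notes | Group-Object Owner | ForEach-Object {
    $sorted = $_.Group | Sort-Object Created
    [pscustomobject]@{
        Owner     = $_.Name
        NoteCount = $_.Count
        FirstNote = $sorted[0].Created
        LastNote  = $sorted[-1].Created
    }
} | Sort-Object FirstNote

"Ransom-note summary by owning account (raw list in $ReportPath):"
$summary | Format-Table -AutoSize

# Map the suspect account to a workstation via its open SMB session.
"Current SMB sessions (match ClientUserName against the owners above):"
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens |
    Format-Table -AutoSize
```

Run it on the server itself with an account that can read the share ACLs. Because note files keep being written while the infected workstation stays connected, the LastNote column rising on re-runs is a second confirmation that the culprit is still live; once the owner and client computer are known, that machine is the one to unplug first.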
 
Have them power off the network switch, power off all workstations, and the server...until you get there.
Power up server...(without anything else on the network connecting to it except the router/internet)....clean it....clean it again....clean it again...line up your backups, copies of data, etc.
Talk to every user; someone likely opened a phish e-mail from "fedex" or "ups", or their "bank"....that's where most of it is coming from. Go back in time with them...it can lie dormant for days...probably some variants lie dormant for weeks....just because it hit this morning doesn't mean someone caught it this morning or last night. Could have been many days ago.

Keep workstations powered off and unplugged...and begin cleaning them 1 x 1....but not connecting ANYthing to the server until they are confirmed CLEAN.

If workstations are simple (Windows, Office, basic stuff)...might be better off ensuring local data is backed up (cleanly)...nuking and paving fresh.

Now's your opportunity to sell a good managed backup and security.
 
No popup most likely means that the process has not completed. Either way, as YeOldeStonecat said, everything needs to be shut down immediately. Keeping anything running just allows the process to continue as well as spread. This is serious stuff. And you can clean the machines simultaneously if you are using boot media such as KRD. Just make sure no network cables are plugged in. And you need to test your backups immediately as well.

As he mentioned if it's a simple setup and you have all the software images it might be quicker and cheaper to just do a nuke and pave on everything. This has the advantage of starting with a tabula rasa.
 
The only Latin I know is "In vino veritas, in aqua sanitas" which I learned on "Car Talk" years ago.
;)

As far as Cryptolocker goes....I am absolutely dreading any calls regarding this. I have mentioned it to a few business clients as well as residential, and for the most part it falls on deaf ears. :(

Now that I think of it, here's a bit of Latin that is germane to this subject...

"Qui procul ab oculis, procul a limite cordis" :D
 
As far as Cryptolocker goes....I am absolutely dreading any calls regarding this. I have mentioned it to a few business clients as well as residential, and for the most part it falls on deaf ears. :(
The more that this spreads, the more opportunities to sell better backups. When one of my clients got hit, two of his friends called to find out how to protect themselves.
 
All I hear is, "HODOR HODOR HODOR"

After 8 hours of unplugging all network cables, running full scans of MBAM, SAS, Combo, and Roguekiller, restoring the data, then plugging everything back in, so far I am in the clear. Clean data, and no signs of re-encryption; we'll see how the next few hours/morning go.
 
I have a few related questions. It was mentioned that this is an opportunity to sell better virus protection. Can anyone tell me one piece of software that can prevent Crypto 100%? Because as far as I know there is no such thing. So if I sold a client better protection and they got hit, it would be on me.
The only thing I sell that offers 100% protection is my backup solutions, which are staggered, off-site and encrypted.

My second question is this.... Is there a specific program that you can bank on to clean this out of an infected computer that you consider 100%? Again, other than nuke and pave I do not trust anything.
 
AV is like cars. Volvo makes the safest cars in the world. Volvo drivers still crash and kill themselves. It's the driver/user error that causes the problem. I have clients who insist on using whatever AV I have. I've got Security Essentials + MBAM.
They get malware/virus crap all the time; I don't. They just click on everything they see, like playing minesweeper -> user error.
As YOCS says, someone clicked on something phishy :facepalm:
 
I have a few related questions. It was mentioned that this is an opportunity to sell better virus protection. .

The OP stated "replace their workstations with little or no AV on them and all of their pirated office installs".
We all know no A/V is 100% effective; the top bunch are around 95-96% on average. But we also know just having an AV isn't all you need: there's patch management, 3rd-party web player updates, UTMs, safe DNS services, and good e-mail filtering, which can all be layered together to make a sum product which is as darned close to safe as you can be.
 
I have a few related questions. It was mentioned that this is an opportunity to sell better virus protection. Can anyone tell me one piece of software that can prevent Crypto 100%? Because as far as I know there is no such thing. So if I sold a client better protection and they got hit, it would be on me.
The only thing I sell that offers 100% protection is my backup solutions, which are staggered, off-site and encrypted.

My second question is this.... Is there a specific program that you can bank on to clean this out of an infected computer that you consider 100%? Again, other than nuke and pave I do not trust anything.

As stated, no AV can block all viruses and no AV can block user stupidity. That being said, a good AV program is ONE LAYER in a good defense. Other layers are good spam filters, a good UTM firewall, and filtered DNS. Plus, as part of a good MSP solution, you can collect web browsing logs and show the Powers that Be what websites the users are going to and point out dangers. And, as you mentioned, a good off-site backup program that will safely store data off the site in case something manages to penetrate your defenses. That way you can rebuild him stronger, better, and faster. *cue Six Million Dollar Man theme music*
 