Good backups.
Getting data restored.
Looking for needle.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Jonathan Raper
Sent: Thursday, May 28, 2015 11:49 AM
To: [email protected]
Subject: RE: [NTSysADM] Cryptlocker

And beware - I've seen it encrypt file shares on a server from an infected 
workstation that had the server share mapped..... 4,800 files encrypted within 
minutes. Fortunately I had a good backup.

Jonathan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Susan Bradley
Sent: Thursday, May 28, 2015 11:45 AM
To: [email protected]
Subject: Re: [NTSysADM] Cryptlocker

First off be aware that the only way to really make sure something is gone from 
an impacted machine is to rebuild it.

Cryptolocker (and its variants) want to encrypt data, so how are your backups, as 
you'll need to restore that data and shadow copies may be gone.

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

*_What should you do when you discover your computer is infected with
CryptoWall_*

If you discover that your computer is infected with CryptoWall you should 
immediately scan your computer with an anti-virus or anti-malware program. 
Unfortunately, most people do not realize CryptoWall is on their computer until 
it displays the ransom note and your files have already been encrypted. The 
scans, though, will at least detect and remove any other malware that may have 
been installed along with CryptoWall.

Some of the files where associated malware have been found are:

    %Temp%
    C:\<random>\<random>.exe
    %AppData%
    %LocalAppData%
    %ProgramData%

If Trend is coming back with nothing, use Malwarebytes or even a
boot under the OS a/v tool to scan that system.



MS wants feedback on patching: http://tinyurl.com/patchingsurvey

On 5/28/2015 8:30 AM, David McSpadden wrote:
>
> I am pretty sure I have a PC with this on it in my network.
>
> I have run scans on workstations.
>
> I still do not see it but I have the telltale signs.
>
> The HELP_DECRYPT files in network folders.
>
> The Word and Excel files not being able to be opened etc.
>
> How do I remove something that Trend is not seeing?
>
> Nor Windows Endpoint protection?
>
> *David McSpadden*
>
> Systems Administrator
>
> Indiana Members Credit Union
>
> P: 317.554.8190 |F: 317.554.8106
>
> This e-mail and any files transmitted with it are property of Indiana 
> Members Credit Union, are confidential, and are intended solely for 
> the use of the individual or entity to whom this e-mail is addressed.
> If you are not one of the named recipient(s) or otherwise have reason 
> to believe that you have received this message in error, please notify 
> the sender and delete this message immediately from your computer. Any 
> other use, retention, dissemination, forwarding, printing, or copying 
> of this email is strictly prohibited.
>
>
> Please consider the environment before printing this email.
>
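Added example, not part of the original thread: one way to narrow down which account wrote the HELP_DECRYPT notes on a share is to list them with their NTFS owner and creation time. The function names and the share path `\\FILESRV01\Shared` are placeholders, and it assumes the note's owner is the account whose session created it.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# Assumption: the NTFS owner of a ransom note is the account that wrote it.

function Get-RansomNoteOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,     # share or folder to search
        [string] $NotePattern = 'HELP_DECRYPT*'    # note name reported in this thread
    )
    # -Force includes hidden files; unreadable folders are skipped, not fatal.
    Get-ChildItem -Path $Root -Filter $NotePattern -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = try {
                (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
            } catch {
                '<ACL unreadable>'
            }
            [pscustomobject]@{
                Owner   = $owner
                Created = $_.CreationTime
                Path    = $_.FullName
            }
        }
}

function Get-RansomNoteSummary {
    param([Parameter(Mandatory)] [object[]] $Notes)
    # One row per owner: how many notes, and when and where the first one appeared.
    $Notes | Group-Object Owner | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Created)
        [pscustomobject]@{
            Owner     = $_.Name
            Notes     = $_.Count
            FirstSeen = $sorted[0].Created
            LastSeen  = $sorted[-1].Created
            FirstPath = $sorted[0].Path
        }
    } | Sort-Object FirstSeen
}

# Placeholder path: replace with the affected share.
$notes = @(Get-RansomNoteOwner -Root '\\FILESRV01\Shared')
if ($notes.Count -gt 0) {
    Get-RansomNoteSummary -Notes $notes | Format-Table -AutoSize
} else {
    Write-Output 'No ransom notes matched under the given root.'
}
```

The account with the earliest FirstSeen is the first lead for which workstation to isolate and rebuild. If the owner shows as a group such as BUILTIN\Administrators rather than a user, the creation times are the more useful column.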




