
It seems that somehow our domain computers have been infected by ransomware, turning files into encrypted files ending with .crypted. Lots of files have been changed and we do have backups.

At the same time, scanning for actual malware/viruses/trojans has so far not turned up anything. I haven't scanned all the computers, but I did notice that the files that have been changed were only on shared folders.

I've tried a couple of tools because I have copies of the original files (at least some) but I cannot seem to be able to decrypt them. At least not yet.

I think - but I could be wrong - that maybe only one computer with access to all these shared folders is actually infected, and it's changed those file names. Is this possible? No encrypted local files have been found yet on the computers I've checked.

How do I check? Any ideas? The files have changed to "filename.exe.NUMBER{payfornature@india.com}". I tried communicating with the address, and some guy, who knows where behind proxies, is demanding $5000.

Any ideas would be appreciated.

Jason Staples
  • Wipe the shares and restore from a known good backup. This question will probably be closed as a duplicate soon. If the answers from the duplicates don't fully address your question please edit it to include why and flag this for re-opening. Thanks! – Frederik Jul 18 '16 at 08:56

2 Answers


I think - but I could be wrong - that maybe only one computer with access to all these shared folders is actually infected, and it's changed those file names. Is this possible? No encrypted local files have been found yet on the computers I've checked.

Yes, that's quite possible. One computer is all it takes with shared folders.

However: If you are not 100% sure (and I mean 100%!) that a computer is not infected, you REALLY should reinstall it from scratch and restore from the last known good backup. This might even include your DCs and file servers.

I've tried a couple of tools because I have copies of the original files (at least some) but I cannot seem to be able to decrypt them. At least not yet.

I really don't understand what you mean by that. With the exception of a few variants that hand out the decryption key for free for whatever reason, you have zero chance to decrypt them yourself without paying the ransom (and if you pay, you would have to hope that a known criminal honors his "word" to give you the key after payment).

How do I check?

You need to scan every computer connected to the network from a known-good boot medium and run a virus check from there. Don't scan in the running system, that's not effective.

Sven

Any single computer that has been infected can encrypt any files it has write access to. So, shared folders can be encrypted by a single computer.

Decrypting any of those files is very likely impossible. You need to restore them from backups.

However, before you restore them from backups, you need to make sure that the ransomware cannot access those files again. There are two things you can do:

  1. Remove sharing from the system that hosts these files, and then restore backups. Meanwhile, find the computer that hosts the ransomware.

You can use this method for finding the computer that has the ransomware:

Allow access to the files for one computer at a time. As soon as you find encrypted files, you know that the latest computer most likely has the ransomware. Then you can restore that computer from a clean backup.

  2. You can go through every computer on your network, and find which one hosts the ransomware. Once you find it, restore from backup. After that you can restore files on your server from clean backup.

If you don't have backups, then you are in bad shape. Even if you pay the money the criminal is asking for, it is likely that he won't help you decrypt the files.

Tero Kilkanen
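Both answers come down to finding which account (and so which computer) is writing the encrypted files to the shares. As an added example that is not from the question or either answer, this PowerShell inventory walks a share, matches the two naming schemes quoted in the question (".crypted" and "...{payfornature@india.com}") and groups the hits by NTFS owner and write time; the share path and report path are placeholders to adjust.

```powershell
# Added example (not from the question or either answer): inventory encrypted
# files on a share and group them by NTFS owner so the account, and therefore
# the computer it is logged on to, that wrote them can be located.
# Assumptions: $SharePath is a placeholder; the name patterns come from the
# question (".crypted" and "...{payfornature@india.com}").
param(
    [string]$SharePath = '\\FILESERVER\Shared',          # placeholder, adjust
    [string]$ReportCsv = "$env:TEMP\crypted-inventory.csv"
)

# Match both renaming schemes from the question; braces and dots are escaped so
# the regex is literal.
$Pattern = '(\.crypted$)|(\{payfornature@india\.com\}$)'

$hits = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern } |
    ForEach-Object {
        # Owner is set when a file is created. If the malware wrote a new file
        # and deleted the original, Owner is the infected user's account; if it
        # only renamed in place, Owner is whoever created the original. Treat it
        # as a hint and confirm with LastWriteTime clustering and server audit logs.
        $owner = 'unknown'
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        [pscustomobject]@{
            Path          = $_.FullName
            Owner         = $owner
            LastWriteTime = $_.LastWriteTime
        }
    }

# Summarise per owner: how many files, and the first/last write time, which
# brackets when that account was encrypting.
$summary = $hits | Group-Object Owner | ForEach-Object {
    $times = @($_.Group.LastWriteTime | Sort-Object)
    [pscustomobject]@{
        Owner      = $_.Name
        Files      = $_.Count
        FirstWrite = $times[0]
        LastWrite  = $times[-1]
    }
} | Sort-Object Files -Descending

$summary | Format-Table -AutoSize
$hits | Export-Csv -Path $ReportCsv -NoTypeInformation
Write-Host "Full inventory written to $ReportCsv"
```

Run it from the file server (or a clean admin workstation) with read access to the share, after the share has been taken offline as the answers advise; the owner with the most hits and the narrowest write-time window is the account to trace back to a workstation.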