I need some help on what to do. We found Cryptowall 3.0 .txt and .png and .html messages with instructions on how to pay the ransom on a department's directory on the company's NAS.
All department PCs have a free AV version due to lack of money.
Files that have been encrypted are mostly .doc and .xls.
Most of the department's files are unreadable. We still haven't found any evidence of the virus on the 3 PCs of the department. We tried Farbar Recovery Scan Tool on them, which found nothing, and that's a little strange since we are trying to find the PC that originated the virus.
Before we understood what it was all about, we had had a problem with a specific PC (the most suspicious one) which couldn't open .doc or .xls files. We used Revo Uninstaller to uninstall Office 2007 from it, which found some 50,000 leftovers which sadly we cleaned.
We could have used that info to find which files are encrypted using a tool from bleepingcomputer.com.
Question is how to isolate the infection. Here I want your opinion:
We don't want to turn off the NAS; that would be a big problem for the business. Since we have a serious suspect PC, we are almost sure that this is (was) the infected one. Also, it is the only one on which the user found browser links on how to pay the ransom. I know there could be other PCs infected from now on...
Does anybody know of a program that finds it for sure? We tried Malwarebytes Anti-Malware with a regular scan (no search for rootkits or of the whole disk), which found nothing. Tomorrow we will try SpyHunter...
Sorry if I'm asking too much, you see our IT department is very small relative to the company, which employs 100-150 people, and tomorrow there will be only 2 of us on duty :((
Thanks in advance