Solved Cryptowall 3.0 ransomware on company's NAS. Some help...

Intel / D945gnt
June 24, 2015 at 07:30:12
Specs: Win7, P4 2,58 GHZ /2GB
Hello everybody,
I need some help on what to do. We found Cryptowall 3.0 .txt and .png and .html messages with instructions on how to pay the ransom on a department's directory on the company's NAS.
All department PCs have a free AV version due to lack of money.
Files that have been encrypted are mostly .doc and .xls.
Most of the department's files are unreadable. We still haven't found any evidence of the virus on the 3 PCs of the department. We tried Farbar Recovery Scan Tool on them, which found nothing, and that's a little strange since we are trying to find the PC that originated the virus.
Before we understood what it was all about, we had a problem with a specific PC (the most suspicious one) which couldn't open .doc or .xls files. We used Revo Uninstaller to uninstall Office 2007 from it, which found some 50,000 leftovers which sadly we cleaned.
We could have used that info to find which files are encrypted using a tool from bleepingcomputer.com

http://www.bleepingcomputer.com/dow...

Question is how to isolate the infection. Here I want your opinion:
We don't want to turn off the NAS, that would be a big problem for the business. Since we have a serious suspect PC we are almost sure that this is (was) the infected one. Also it is the only one on which the user found browser links on how to pay the ransom. I know there could be other PCs infected from now on...
Does anybody know of a program that finds it for sure? We tried Malwarebytes Anti-Malware with a regular scan (no search for rootkits or all the disk) which found nothing. Tomorrow we will try SpyHunter...
Sorry if I'm asking too much, you see our IT department is very small relative to the company, which employs 100-150 people, and tomorrow there will be only 2 of us on duty :((

Thanks in advance


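One way to narrow down the originating PC asked about above, as an added example that is not part of the original post: files written to a share are normally owned by the account that created them, so grouping the ransom notes by owner and creation time points at the user (and so the PC) to isolate first. The share path and note file names are placeholders, and it assumes the NAS reports per-user file ownership over SMB (a NAS that maps every user to one shared or guest account will show a single owner).

```powershell
# Added example, not from the thread. Run from an admin workstation with read access to the share.
param(
    [string]$ShareRoot   = '\\NAS-PLACEHOLDER\Department',   # placeholder UNC path
    [string[]]$NoteNames = @('RANSOM_NOTE_PLACEHOLDER.*')    # placeholder: the note file names found on the share
)

# Collect every ransom-note file with its owner and creation time.
$notes = Get-ChildItem -Path $ShareRoot -Recurse -Include $NoteNames -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        # Owner lookup can fail on files with damaged or restricted ACLs.
        $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { 'UNKNOWN' }
        New-Object PSObject -Property @{
            Owner   = $owner
            Created = $_.CreationTime
            Path    = $_.FullName
        }
    }

if (-not $notes) {
    Write-Warning "No files matching $($NoteNames -join ', ') under $ShareRoot"
    return
}

# One row per account: how many notes it wrote and when the first and last appeared.
@($notes) | Group-Object Owner | ForEach-Object {
    $times = @($_.Group | Sort-Object Created)
    New-Object PSObject -Property @{
        Owner     = $_.Name
        NoteCount = $_.Count
        FirstNote = $times[0].Created
        LastNote  = $times[-1].Created
    }
} | Sort-Object FirstNote | Format-Table Owner, NoteCount, FirstNote, LastNote -AutoSize

# Folders that contain a note: the directories to review and restore from backup.
@($notes) | ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique
```

The FirstNote and LastNote times also give a window to compare against logon records for the suspect PC, and a LastNote time that keeps moving means the encrypting machine is still connected.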


#1
June 24, 2015 at 07:39:26
Just to say keep an eye on this thread too - there might be some useful tips:
http://www.computing.net/answers/se...

Always pop back and let us know the outcome - thanks



#2
June 24, 2015 at 14:48:23
✔ Best Answer


#3
June 24, 2015 at 15:29:43
This is worth a try.

How to remove CryptoWall 3.0 virus (New version CryptoWall removal guide)
https://www.youtube.com/watch?v=gPe...



#4
June 24, 2015 at 16:15:46
If you have off site or off system back ups of your NAS or other important files, you should make a copy of these files on other equipment to help ensure you can recover as much as possible after the system is deemed clean. Back ups are your best protection.

You have to be a little bit crazy to keep you from going insane.



#5
July 1, 2015 at 21:43:04
Here is a Group Policy edit that may suit.
Start > Run, Copy & Paste > gpedit.msc & press OK.
Computer configuration/policies/administrative templates/system/filesystem/NTFS/ Do not allow encryption on all NTFS volumes.
Right click on > Do not allow encryption on all NTFS volumes & select Edit. Click on Enable > Apply > OK.


#6
July 2, 2015 at 13:31:00
Just to add to #5 that gpedit is not available in Windows 7 Starter, Home Basic or Home Premium. So if it doesn't work that's the reason.

Always pop back and let us know the outcome - thanks



#7
July 2, 2015 at 16:26:15
Thanks Derek.

How to Enable “Group Policy Editor” (gpedit.msc) in Windows 7 Home Premium, Home Basic and Starter Editions?
http://www.askvg.com/how-to-enable-...

