School network struck by a piece of encrypting malware. It infected a school administrator's computer who had access to a lot of data. A combination of a poorly planned backup rotation cycle, actively mounted backup volumes, and the amount of time it took to detect the problem means that we don't have good recent backups. Any help is very much appreciated.
The infection began in the middle of last week and, due to a long weekend, wasn't detected until early this week. That gave it quite a bit of time to chew up terabytes of network data.
I have 4 files found in the user's folder named:
I can provide the files if useful. I also have samples of encrypted and unencrypted (before and after) files as well.
Once we realized what was going on, we shut off the file server to protect the remaining data until we isolated the affected computer (which is now off the network). We've made a copy of the file shares that were hit and also cloned the drive from the originally infected machine.
I have not received any popups or ransomware requests (maybe because we interrupted it?). I don't care about the workstation (it's easy to re-image). It's the encrypted data on the network shares that is the tragedy. Any advice much appreciated.
Can anyone help identify the malware and is there any hope of reversing the encryption?
Edited by scotru, 03 October 2013 - 12:55 AM.