We've been hit by Cryptowall. It happened two days ago when we saw the DECRYPT_INSTRUCTION files show up on our network drives. They were all owned by a particular user, so we isolated that user's laptop and have been running scans on it. As far as we are aware, that is the only machine from which this user has logged in.
However, we cannot find any traces of the virus on this user's machine, and none of the files on their laptop's hard drive have been encrypted.
The virus appears to have just hit the network drives mapped on the laptop at the time and nothing else.
We have tried Malwarebytes, the Bleeping Computer listcwall program, Trend OfficeScan (which was running on the laptop at the time), and have gone through the registry and user files looking for anything remotely suspicious and have found nothing...
Searching across the rest of the network for DECRYPT_INSTRUCTION files hasn't shown up anything on anyone else's machines, and neither have Trend virus scans picked up anything.
So what are we missing?? We're restoring files from backup now, but would really like to make sure the affected machine is gone... so it'd be nice to find something to say that this was it.
Edited by hamluis, 25 September 2014 - 10:56 AM.
Moved from Am I Infected to Gen Security - Hamluis.