Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Identify machine infected with Cryptowall

  • This topic is locked This topic is locked
1 reply to this topic

#1 ableinc


  • Members
  • 1 posts
  • Local time:12:26 PM

Posted 03 October 2014 - 09:55 AM

     I have a small network with about 15 workstations connecting to a server.  They have mapped drives to shared directories on the server.  Something infected with Cryptowall is encrypting files in the shared directories.  We are having trouble identifying which machine is infected and doing the encrypting.  I am looking for ideas on how to identify the infected machine.  I have tried using Process Monitor from sysinternals and looking through the logs to see who is touching the affected files but I did not have much luck.  I looked at Openfilesview from NirSoft but it does not show the user who has the file open.  The manage open files console in Windows does show the user but does not give a real time view or save a log.  Is there something specific in the network traffic I could look for in Wireshark?  Open to any ideas.



BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,762 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:26 PM

Posted 03 October 2014 - 11:33 AM

A repository of all current knowledge regarding CryptoWall is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoDefense does and provide information for how to deal with it and possibly decrypt/recover your files. At this time there is no fix tool for CryptoWall.

There is an ongoing discussions in this topic where you can ask questions and seek further assistance.Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users