
How to find CryptoWall


7 replies to this topic

#1 becomethesignal

Posted 13 November 2014 - 09:21 PM

Hello all,

Security Essentials notified me that on our Server 2008 R2 system there were malicious files. These kept coming up quickly, so we disconnected the internal and external networks.

Cryptowall didn't finish running itself to encrypt all the files - it only encrypted some of them (which I can restore from a backup).

So the problem is locating the machine that is infected. We've been running regedit searches for "cryptlist" and have been running Malwarebytes on each machine and have turned up nothing.

 

How do we locate where Cryptowall is? I can't seem to find which specific machine has it.

Any thoughts?


Edited by becomethesignal, 13 November 2014 - 09:31 PM.



#2 Wand3r3r


Posted 13 November 2014 - 09:41 PM

Odds are it was only the server that was infected. The question you need to ask is how. Someone invited this in. It didn't come by itself.



#3 becomethesignal


Posted 13 November 2014 - 09:50 PM

Odds are it was only the server that was infected. The question you need to ask is how. Someone invited this in. It didn't come by itself.

 

I'm pretty much the only one who logs onto the server and was not browsing the web or opening emails or anything. I've run a few anti-virus and anti-spyware programs and haven't found anything significant yet.

I'm not sure why the encryption would have stopped and the virus process didn't finish itself.

Any ideas on how to locate it?



#4 Wand3r3r

  • Local time:02:02 AM

Posted 13 November 2014 - 10:29 PM

Email, a web site, or even an ad on a web site can download it to your server.

I wouldn't look for it. I would do a system restore point to at least a week before you were hit.



#5 _JamesTM


Posted 13 November 2014 - 11:02 PM

Check out the link below:

 

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

 

It has all the information you're searching for.



#6 becomethesignal

  • Local time:04:02 AM

Posted 13 November 2014 - 11:28 PM

Thanks, guys, but I've already read that.

The problem is that the malware didn't finish running itself on whatever machine it originated on, so there's no way to tell which machine it is.

I can't do System Restore on the server (Server OSes don't have that option) and I need to look for it to determine which machine among our 50 machines has it.



#7 JohnnyJammer


Posted 14 November 2014 - 12:01 AM

Don't suppose you can get the details from a file that's been crypted, hey? Right click Properties/Details? Should show the last user.
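
The owner check suggested above, applied to a whole share instead of one file at a time: an added PowerShell example (not from this thread) that lists files written inside the incident window and groups them by NTFS owner, so the account, and from there the workstation, behind the writes stands out. The share path, time window and report path are assumed values.

```powershell
# Added example, not from the thread. Written for PowerShell 2.0 (Server 2008 R2),
# hence Where-Object on PSIsContainer instead of the later -File switch.
param(
    [string]$SharePath = 'D:\Shares\Data',        # assumed path of the affected share
    [int]$WindowHours  = 24,                      # assumed incident window
    [string]$Report    = 'C:\Temp\owner-report.csv'  # assumed report location
)

$since = (Get-Date).AddHours(-$WindowHours)

# Collect every file written inside the window together with its NTFS owner.
$hits = Get-ChildItem -Path $SharePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $owner = 'ACCESS DENIED'
        try { $owner = (Get-Acl -Path $_.FullName).Owner } catch { }
        New-Object PSObject -Property @{
            Path          = $_.FullName
            Owner         = $owner
            LastWriteTime = $_.LastWriteTime
        }
    }

# The account with the most writes, and the tight first/last timestamps, is the one to trace
# back to a workstation.
$hits | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n='First'; e={ ($_.Group | Sort-Object LastWriteTime)[0].LastWriteTime }},
        @{n='Last';  e={ ($_.Group | Sort-Object LastWriteTime)[-1].LastWriteTime }} |
    Format-Table -AutoSize

$hits | Export-Csv -Path $Report -NoTypeInformation

# Caveats: a file rewritten in place keeps its original owner, so cross-check the timestamp
# cluster against the server's Security log (event 4663 names the account when object-access
# auditing is on; that account's 4624 network logon carries the client address). Files created
# by a member of the server's Administrators group show BUILTIN\Administrators as owner.
```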



#8 becomethesignal

  • Local time:04:02 AM

Posted 14 November 2014 - 01:29 AM

Don't suppose you can get the details from a file that's been crypted, hey? Right click Properties/Details? Should show the last user.

That's a good thought.

Ultimately, the very last machine we ran scans on happened to be the one that was infected. It was a pain, but we scanned all the other machines and made sure they were malware-free, so it ended up being the best thing that could have happened. Now, I'm fairly confident that the problem is resolved.
I took that machine off the network and will reinstall Windows on it. Our backups are intact and once I'm sure nothing else is wrong, I'll restore the data from the backup.

Thanks for your suggestions.
