
All Shared Folders' Files On Network Encrypted by Ransomware Virus


3 replies to this topic

#1 mozzergr


Posted 01 July 2015 - 08:58 AM

Hello.

 

Here's my company's unfortunate situation:

- 1 Windows 2003 Server with many shared (to a group of 31 users) folders, all shared folders' files untouched (Symantec AV).

- 30 Windows XP SP3 machines, "protected" only by MS Security Essentials, all their shared folders' files encrypted and renamed to "originalfilename-123somenumber789-recovery@inbox.com".

All "My Documents" folders' contents are OK on the PCs; just a "common" shared folder that each PC has, with RW rights for the Group of 31 users, is infected.

- 1 Windows XP machine with ALL files encrypted (thus I suspect this is the guilty PC that started the infection on the network).

 

The only thing I've been able to do so far was logging in as admin to all 100 PCs and un-sharing the 'common' folder (there are actually 100 PCs, 31 is the number of the infected ones).

 

The virus remains.

The need for sharing files remains.

I'm really stuck and do not know how to begin the repairing process and get them to a working state again.

 

-What is the exact name of the virus?

-Where does the virus hide?

-What antivirus should I use to clean the PCs?

-Does the .com suffix mean that when clicked the file will re-spread the virus, or is it just an email address that the ransomware team uses?

-Does removing the infected files or deleting the whole "common" folder solve the problem for the 30 PCs? Or is the virus "hidden" somewhere in the OS, making it possible for it to re-trigger itself again in the future?

-Will I have to format all 31 PCs?

 

I realize it's impossible to retrieve the infected files without paying (not an option).

 

Any help cleaning this mess will be really appreciated.

 

M.

 

PS: Sorry for my bad English, obviously it's not my native language.

 

 

 




 


#2 quietman7


Posted 01 July 2015 - 05:25 PM


I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here with a link to this topic: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.


If you need individual assistance with malware infection, you should follow the instructions provided in the Malware Removal and Log Section Preparation Guide starting at Step 6.

However, if possible I suggest you wait for a reply before attempting disinfection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 mozzergr


Posted 02 July 2015 - 12:53 AM

Hello.

Thank you for the response.

I submitted the sample as advised.

Thanks again!



#4 quietman7


Posted 02 July 2015 - 04:50 AM

You're welcome.



