My network recently got infected with a new variant of the TeslaCrypt ransomware trojan. I posted here because all topics concerning this matter are archived, and with the recent surge in reported infections across the internet I figured this was the best thing to do.
The infection arrived via email attachment and a user opened the file. The file made it right past Symantec Endpoint Protection. Currently I have not identified the exact email in which it arrived.
Since the infection, large portions of the network (any network share the user had access to) have been encrypted. It did not encrypt everything, however, mainly XLSX, JPEG, TXT and many others, and it planted the ransom note everywhere across the computer and network shares. All files have the same original file name but with .vvv added to the end, “file.txt.vvv”. The classic but modified key file has been created, recover_file_xxxxxxxxx.txt. Within the file are a few things: a Bitcoin address, a 64-bit key, a 128-bit key, a 16-bit key and finally a 2-digit number. Each file which was encrypted has some of the key information in the header of the file.
All recovery tools which I have tried have failed for one reason or another.
The actual Cisco tool found here
and the Kaspersky link here
I am more than happy to provide any files or other information via private medium so they can be analyzed by respected members here and not posted directly to the web. Also if I have missed anything please notify me of further action to take which might lead to a swift resolution.
Infection is localized to one computer.
Encryption has spread to many network shares.
Shadow volumes have been removed.
No backups exist.
Thank you very much in advance,
Edited by Chris Cosgrove, 04 December 2015 - 04:54 AM.
Moved from AII to 'General security'
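A read-only scope-triage script, added here as an example and not part of the original post. It uses only the two indicators the post gives (the ".vvv" suffix appended to the original file name, and ransom notes named recover_file_*.txt) to walk a share and report how many files were hit, which original extensions they had, and which directories contain encrypted files; this is the kind of inventory a responder wants before deciding what can be restored. The function names and the sample directory layout are constructed for the demonstration.

```python
"""Scope triage for a TeslaCrypt-style incident: find renamed encrypted files and
ransom notes under a directory tree and summarise what was hit.

Added example, not from the original post. The indicators (the ".vvv" suffix
appended to the original file name, ransom notes named recover_file_*.txt) are
taken from the post; function names and the sample tree are assumed/constructed.
"""
import fnmatch
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".vvv"                  # from the post: "file.txt.vvv"
RANSOM_NOTE_GLOB = "recover_file_*.txt"    # from the post: recover_file_xxxxxxxxx.txt


def triage(root):
    """Walk `root` and return a summary dict:
    - encrypted: sorted paths ending in .vvv
    - by_original_ext: Counter of the extension that preceded .vvv (e.g. ".xlsx")
    - notes: sorted ransom-note paths
    - dirs_hit: sorted directories containing at least one encrypted file
    The scan never opens or modifies any file; it only looks at names."""
    encrypted, notes, dirs_hit = [], [], set()
    by_original_ext = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                dirs_hit.add(dirpath)
                # Strip the appended suffix to recover the original extension.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                by_original_ext[ext] += 1
            elif fnmatch.fnmatch(lower, RANSOM_NOTE_GLOB):
                notes.append(path)
    return {
        "encrypted": sorted(encrypted),
        "by_original_ext": by_original_ext,
        "notes": sorted(notes),
        "dirs_hit": sorted(dirs_hit),
    }


def build_sample_tree():
    """Create a constructed sample share layout (not real data) and return its root."""
    root = tempfile.mkdtemp(prefix="vvv_triage_")
    layout = {
        "finance/budget.xlsx.vvv": b"",
        "finance/recover_file_abc123xyz.txt": b"constructed note",
        "photos/holiday.jpeg.vvv": b"",
        "photos/notes.txt.vvv": b"",
        "photos/recover_file_abc123xyz.txt": b"constructed note",
        "software/setup.exe": b"",   # untouched: not a hit type in the sample
        "README": b"",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def report(summary):
    """Render the triage summary as plain text for the incident log."""
    lines = [
        f"{len(summary['encrypted'])} encrypted files in "
        f"{len(summary['dirs_hit'])} directories",
        f"{len(summary['notes'])} ransom notes",
    ]
    for ext, count in summary["by_original_ext"].most_common():
        lines.append(f"  {ext}: {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Point triage() at a real share root (e.g. a mounted UNC path) in practice.
    sample_root = build_sample_tree()
    print(report(triage(sample_root)))
```

Run it against the root of each affected share; the per-extension tally tells you which data types were targeted, and the directory list gives the restore team a concrete worklist. Because the scan is name-based only, it is safe to run on a share that is still being investigated.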