First off, I have followed these forums for a long time; you know it's bad news when I am returning.
Anyway, why I am here: I work for a company and we have been infected twice in the last week, first by TeslaCrypt 2.0 and secondly by CryptoWall 4.0. This looks like two isolated incidents on two different computers, and neither of the guys has admin rights on the PC. Both machines have AVG Pro 2015.
Infection 1 - A user opened some internet windows and files, in his own words. AVG went nuts, picked it up and did nothing; it encrypted our whole file server and his machine. I restored our file server from backup and everything went fine the following day. I have sourced the infection here and am happy this came in through a Flash file that was opened in the AppData folder. FYI, TeslaCrypt also encrypted the open-permission network shares.
Infection 2 - This is a more tricky one; we do not know how this got in. We have identified the machine, and the virus looks like a completely different one. I can confirm it is CryptoWall 4.0: different type of encryption and encryption strength. Also, this did not set off the AVG antivirus; it backdoored AVG and encrypted the file server again about 24 hours after the first incident, quite unbelievable really.
Obviously I realize we need to up our game here in regards to security. The main questions I have are:
1. How can I find out how the virus got onto the second machine? Malwarebytes did pick it up, but I would like a way to be sure so I can report back.
- I have checked all the email the user received; I cannot find anything remotely suspicious.
- I have gone through her PC with MBAM, ComboFix, Stinger, HouseCall and AVG.
- I would like to add that it is unclear what Malwarebytes found here specifically.
2. I have pasted a list of the actions we have taken to prevent this below. Is there anything I am missing, or that can be added?
Actions we have taken:
- Enabled IPS on our firewall (CryptoWall 4 apparently bypasses this)
- Enabled a proxy system for the users blocking .EXE and .SWF files, amongst some others (CryptoWall 4 apparently bypasses this)
- Looking at getting FireEye or AV on our firewall (CryptoWall 4 apparently bypasses this)
- Full scan with Malwarebytes Free on all of our machines - this turned up pretty much nothing, tbh. Not surprised, as we are generally on top of things here. (CryptoWall 4 apparently bypasses this)
- %appdata% folder in Windows: we are adding some GPOs to block files running from here for non-whitelisted applications. I reckon this will cut all viruses out. (CryptoWall 4 apparently bypasses this)
- GPOs to disable running of .EXE in general
- Changed NTFS share permissions to Modify
Edited by billo1007, 23 December 2015 - 10:43 AM.
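As an added triage example (not from the original post or any product mentioned in it), the following PowerShell script addresses question 1 and the %appdata% action above: it lists recently created or modified executables and Flash files in the per-user writable folders that the two infections used, reports each file's Authenticode signature status and SHA-256 so timestamps can be correlated with mail and proxy logs, and then shows whether a Software Restriction Policy is actually applied on the machine. It assumes PowerShell 4 or later, profiles under C:\Users, and an elevated prompt; the lookback window and extension list are constructed defaults.

```powershell
# Added triage script (not part of the original post). Assumes PowerShell 4+ and admin rights.
param(
    [int]$DaysBack = 3,                                   # constructed default: incident window
    [string[]]$Extensions = @('*.exe', '*.dll', '*.scr', '*.swf')  # constructed default list
)

$cutoff   = (Get-Date).AddDays(-$DaysBack)
$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue

# Sub-folders of a profile that a standard (non-admin) user can write to and run from.
$subPaths = @('AppData\Roaming', 'AppData\Local', 'AppData\Local\Temp', 'Downloads')

$findings = foreach ($p in $profiles) {
    foreach ($sub in $subPaths) {
        $dir = Join-Path $p.FullName $sub
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    User      = $p.Name
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Unsigned binaries created inside the window are the first thing to examine; the creation
# time gives the pivot for mail, proxy and firewall logs when working out how it arrived.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize

# Confirm a Software Restriction Policy is present, since the %APPDATA% blocking GPO relies
# on it. No output means no SRP is applied; DefaultLevel 0 = Disallowed, 0x40000 = Unrestricted.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' `
    -ErrorAction SilentlyContinue |
    Select-Object DefaultLevel, PolicyScope, TransparentEnabled
```

Run it on the second machine before the profile is cleaned, since the file timestamps and hashes are what allow the entry point to be matched against the proxy and mail records.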