Late last week we discovered about 14k files at one of our sites that were encrypted and the file names were also encrypted. At first glance we figured it was Cryptowall 4.0 due to the encrypted file names, but a couple of things are not adding up:
- There are no ransom note files anywhere. Not at the affected site, and not at any other sites.
- There are common file types left untouched sitting right next to encrypted files: pdf, txt, doc, pst, jpg, etc.
The files were all changed between 1/26/16 and 1/28/16. It took them a month to notice it! We are recovering the files from backup, but are left wondering what encrypted the files. The file ownership was changed to a person at a remote site, but that person's PC has come up clean. We reviewed our SEP logs for that time period and there was nothing of interest happening.
Is it possible to analyze the encrypted files to determine if a known crypto malware strain is the culprit? I have several examples available.
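As an added example for the question above (not the poster's own code or tooling), the script below shows the kind of first-pass triage a responder can run over the recovered samples before sending anything to a malware analyst: it reads the first few KB of each file, checks for a known file-type signature, measures byte entropy, and buckets files into intact / likely-encrypted / plaintext, restricted to the modification-time window in question. It also records which extensions were hit and which were left alone (the "pdf next to encrypted file" observation) and flags any file whose name looks like a ransom note. The magic-byte table, the ransom-note keyword list, the entropy threshold and the sample files it builds in a temporary directory are all assumptions constructed for the demo; real samples should be pointed at with `triage(path, start, end)`.

```python
import math
import os
import tempfile
from collections import Counter
from datetime import datetime

# Assumed signature table: header bytes -> label. Extend for the formats in your estate.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office-xml",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"\xd0\xcf\x11\xe0": "ole/office-97",
    b"!BDN": "pst",
}
# Assumed list of filename fragments commonly used by ransom notes.
NOTE_KEYWORDS = ("decrypt", "help_your_files", "readme", "recover", "ransom", "how_to")
ENTROPY_THRESHOLD = 7.2   # bits per byte; ciphertext and random data sit close to 8.0
SAMPLE_BYTES = 4096       # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> dict:
    """Decide whether a file looks intact (known header), encrypted (high entropy) or plain."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    kind = next((label for sig, label in MAGIC.items() if head.startswith(sig)), None)
    ent = shannon_entropy(head)
    if kind is not None:
        verdict = "intact"          # caveat: a family that keeps the header intact would slip past this
    elif ent >= ENTROPY_THRESHOLD:
        verdict = "likely_encrypted"  # caveat: compressed data without a known header also lands here
    else:
        verdict = "plaintext_or_other"
    st = os.stat(path)
    return {
        "path": path,
        "magic": kind,
        "entropy": round(ent, 3),
        "verdict": verdict,
        "mtime": datetime.fromtimestamp(st.st_mtime),
        "uid": st.st_uid,           # owner change is itself an indicator worth keeping
    }


def is_ransom_note_name(name: str) -> bool:
    lower = name.lower()
    return any(k in lower for k in NOTE_KEYWORDS)


def triage(root: str, start: datetime, end: datetime) -> dict:
    """Walk root, classify every file modified in [start, end], tally hit/untouched extensions."""
    results = {
        "likely_encrypted": [], "intact": [], "plaintext_or_other": [],
        "ransom_note_candidates": [], "ext_encrypted": Counter(), "ext_intact": Counter(),
    }
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_ransom_note_name(name):          # notes are checked regardless of mtime
                results["ransom_note_candidates"].append(path)
            info = classify_file(path)
            if not (start <= info["mtime"] <= end):
                continue
            results[info["verdict"]].append(info)
            ext = os.path.splitext(name)[1].lower() or "<none>"
            if info["verdict"] == "likely_encrypted":
                results["ext_encrypted"][ext] += 1
            elif info["verdict"] == "intact":
                results["ext_intact"][ext] += 1
    return results


def build_sample_tree(root: str) -> str:
    """Constructed sample data: two 'encrypted' files with scrambled names next to an
    untouched PDF and text file, all stamped inside the incident window."""
    samples = {
        "q7x2k9.1z8m": os.urandom(SAMPLE_BYTES),   # random bytes stand in for ciphertext
        "a3b4c5.77qq": os.urandom(SAMPLE_BYTES),
        "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj\n" * 200,
        "notes.txt": b"quarterly numbers look fine\n" * 100,
    }
    stamp = datetime(2016, 1, 27, 12, 0).timestamp()
    for name, data in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (stamp, stamp))
    return root


def demo() -> dict:
    """Build the constructed tree in a temp dir and triage it over the 1/26/16-1/28/16 window."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="triage-"))
    return triage(root, datetime(2016, 1, 26), datetime(2016, 1, 29))


if __name__ == "__main__":
    r = demo()
    print("likely encrypted:", len(r["likely_encrypted"]), dict(r["ext_encrypted"]))
    print("intact:", len(r["intact"]), dict(r["ext_intact"]))
    print("ransom note candidates:", r["ransom_note_candidates"])
```

The useful output for the analyst is the pair of extension tallies and the per-file owner and mtime fields: a family-specific pattern in the renamed extensions, the set of extensions skipped, and a consistent owner across the hit files narrow the candidate list far more than the ciphertext itself, which is indistinguishable from random data. Absence of note files in the walk is itself a data point to hand over.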