Company got hit with ransomware this morning and it spread to several systems. Haven't been able to track down the origin computer yet, just that it was wreaking so much havoc that it took down the network temporarily, and that seemed to stop the spread. Never seen a ransom so high before. I have included the details below:
Ransom note (txt file named README_IMPORTANT):

```
YOUR FILES ARE FULLY ENCRYPTED
MAKE THE PAYMENT OF 100 BITCOINS TO THE BTC ADDRESS BELOW
AFTER WE RECEIVE THE PAYMENT THE DECRYPTION PROGRAM AND KEY WILL BE SENT TO YOUR EMAIL
THE DECRYPTION PROGRAM WILL RESTORE YOUR FILES BACK TO NORMAL.
TO ASSURE YOU WE CAN RESTORE YOUR FILES, WE WILL DECRYPT A SINGLE FILE YOU SEND US.
## YOU HAVE 48 HOURS TO SAVE YOUR FILES ##
CONTACT US ONLY AFTER MAKING THE PAYMENT,
ALL PRICE NEGOTIATIONS WILL BE IGNORED
THE ABOVE EMAIL ADDRESS WILL EXPIRE AFTERWARDS AND NO COMMUNICATIONS WILL BE AVAILABLE
```
* In %localappdata% I'm seeing a 0-byte file called 9030138 that was created around the time we started seeing the virus.
* It seems to have propagated to several machines, including our Exchange server. We had Symantec on all of our machines and it was reported as SONAR.Cryrptolocker!g44.
* All files have a .eclr extension appended.
* I have a sample file I could upload for checking if needed as well.
Offsite backups are encrypted as well, because the backups were replicated offsite, so recovery doesn't seem to be a very viable option for most of our stuff.
Any ideas or suggestions about the variant would also be appreciated, to help determine what tools or options we may have.
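A small triage script, added here as an example and not part of the original post or any vendor tool, that walks a per-host file export (or a mounted share) for the indicators listed above (.eclr extension, the README_IMPORTANT note, the 0-byte 9030138 marker) and orders hosts by earliest encryption timestamp to narrow down the origin machine. The host names WS01 and EXCH01, the directory layout and the timestamps are constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the post; the 0-byte marker sits in %localappdata% on a real host.
RANSOM_EXT, NOTE_PREFIX, MARKER_NAME = ".eclr", "README_IMPORTANT", "9030138"

def triage_tree(root):
    """Walk one host's file export (or mounted share) and count the indicators.
    The earliest .eclr mtime is only a hint for when encryption started: attackers
    can stomp timestamps and clocks drift between machines."""
    mtimes, notes, marker = [], 0, False
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix == RANSOM_EXT:
            mtimes.append(path.stat().st_mtime)
        elif path.name.upper().startswith(NOTE_PREFIX):
            notes += 1
        elif path.name == MARKER_NAME and path.stat().st_size == 0:
            marker = True
    return {"encrypted_files": len(mtimes), "ransom_notes": notes,
            "marker_present": marker,
            "first_encrypted": min(mtimes) if mtimes else None}

def rank_hosts(results):
    """Order affected hosts by earliest encryption time; the first is the
    strongest origin candidate and the one to isolate and image first."""
    hit = {h: r for h, r in results.items() if r["first_encrypted"] is not None}
    return sorted(hit, key=lambda h: hit[h]["first_encrypted"])

def build_sample():
    """Constructed sample data with hypothetical host names WS01 and EXCH01."""
    base = Path(tempfile.mkdtemp())
    ws, ex = base / "WS01", base / "EXCH01"
    (ws / "docs").mkdir(parents=True)
    (ex / "mail").mkdir(parents=True)
    (ws / "docs" / "q1.xlsx.eclr").write_bytes(b"x")
    (ws / "README_IMPORTANT.txt").write_text("YOUR FILES ARE FULLY ENCRYPTED")
    (ws / MARKER_NAME).write_bytes(b"")  # the 0-byte marker file
    (ex / "mail" / "db.edb.eclr").write_bytes(b"y")
    os.utime(ws / "docs" / "q1.xlsx.eclr", (1_700_000_000, 1_700_000_000))
    os.utime(ex / "mail" / "db.edb.eclr", (1_700_003_600, 1_700_003_600))  # 1h later
    return base

def run_demo():
    """Triage every host directory under the sample root and rank them."""
    base = build_sample()
    results = {h.name: triage_tree(h) for h in base.iterdir() if h.is_dir()}
    return results, rank_hosts(results)
```

Against real hosts, point `triage_tree` at each machine's exported profile or share and cross-check the ranking with Symantec's first SONAR detection time per host, since file mtimes alone can be misleading.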