Problem: I got a call from a client stating that all of their files were inaccessible on the network drives. At first I thought it was a problem with the server being down or connectivity issues. After further investigation, the network was fine and we could access the files, but we couldn’t read them, and in every directory on our network shares/drives we had three files: Decrypt_Instruction.html, Decrypt_Instruction.txt and Install_Tor.html. After reading one of the files that were left, it turned out our files were encrypted and being held for ransom, to the tune of $500, increasing to $1000 if not paid within a certain amount of time. If we paid, we would get the key to decrypt the files, and if we didn’t, we would lose them all. We had about 30GB worth of data, so just a bit more than a My Documents folder. The culprit was the CryptoWall virus.
Solution: Thankfully we had shadow copy enabled on our Windows 2008 servers, so I was able to recover our files from our last snapshot, which was about 4 hours prior. That was the easy fix, but finding the source of the encryption was a bit more of an issue. How could we know this wouldn’t happen again and again?
What I did:
- I did a search for Decrypt_Instruction.html on the server. It was on all the shares but not on the staff home directories… except one. I had one staff home directory that was encrypted. With that I was able to determine the workstation of origin and immediately had it disconnected from the network.
- Ran a virus scan on the whole computer but didn’t find anything. After further research, this isn’t uncommon with the CryptoWall virus because, from what I gather, the creators took great pains to make it look like a legitimate program to the OS and AV programs.
- After a little bit of research, I found out that CryptoWall likes to be installed in the %APPDATA% directory. *Note: The files on the workstation weren’t encrypted like I thought they would be, but once I got into the %APPDATA% directory, I found the Decrypt_Instruction files in some subdirectories. I was getting closer.
- After failing to find any offending file by browsing, I did an inventory of all files within the %APPDATA% directory by searching for *.*. All of the decrypt_instruction files had a time stamp of about 3:00pm so I organized my search by time and looked within that time frame.
- I found it… The filename was obupdate.exe and, after a few searches, I learned it needed to be deleted right away. The exact location of the file was the %APPDATA%\local\temp directory. I deleted the file and all of the decryption_instruction files on the workstation and we were clean. No recurrences, and now I have happy clients.
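The two searches above (ransom notes across the shares to find the originating home directory, then a time-window inventory of %APPDATA% on the suspect workstation) can be scripted. This is an added example written for this post, not the author’s own commands; the UNC share paths and the 30-minute window are assumptions, the note filenames are the ones named above, and step 2 is meant to run on the already-isolated workstation.

```powershell
# Added example (not from the original post). Assumed values: the share paths below
# and the +/-30 minute window; the note filenames come from the post.
$NoteNames  = 'Decrypt_Instruction.html', 'Decrypt_Instruction.txt', 'Install_Tor.html'
$SharePaths = '\\FILESERVER\Shares', '\\FILESERVER\Home'   # assumed UNC paths

# Step 1: find every ransom note on the shares and record which top-level folder
# it sits in. Notes inside exactly one user's home directory point at the
# workstation of origin; the earliest LastWriteTime is roughly when encryption began.
function Find-RansomNotes {
    param([string[]]$Paths, [string[]]$Names)
    Get-ChildItem -Path $Paths -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parts = $_.FullName -split '\\'          # '', '', server, share, top folder, ...
            [pscustomobject]@{
                Share     = $parts[0..3] -join '\'      # \\server\share
                TopFolder = $parts[4]                   # e.g. the home directory owner
                Note      = $_.Name
                Written   = $_.LastWriteTime
            }
        } | Sort-Object Written
}

# Step 2: on the isolated workstation, list files written under %APPDATA% and
# %LOCALAPPDATA% (which holds the Local\Temp folder) near the note timestamp,
# executables first. -Force includes hidden files that a casual browse misses.
function Get-AppDataActivity {
    param([datetime]$Around, [int]$WindowMinutes = 30)
    $from = $Around.AddMinutes(-$WindowMinutes)
    $to   = $Around.AddMinutes($WindowMinutes)
    Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
        Select-Object FullName, LastWriteTime, Length,
            @{ n = 'Executable'; e = { $_.Extension -in '.exe', '.dll', '.scr', '.bat', '.js' } } |
        Sort-Object @{ e = 'Executable'; Descending = $true }, LastWriteTime
}

# Usage (step 1 on the server, step 2 on the suspect PC):
$notes = Find-RansomNotes -Paths $SharePaths -Names $NoteNames
$notes | Group-Object TopFolder | Select-Object Name, Count | Format-Table -AutoSize
Get-AppDataActivity -Around $notes[0].Written | Format-Table -AutoSize
```

Run step 1 with an account that can read the shares but has no write access, and copy any executable it flags out for hashing and AV submission rather than opening it.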
The lesson is to make sure that you have a good backup, because shadow copy may not work on your workstation: CryptoWall is programmed to delete all Previous Versions while it’s encrypting your hard drive, so you can’t completely rely on it. As Leo Laporte recommends, you should have 3 backups of your data (online, shadow copy and an external HD, for example).
How to prevent this from happening? Don’t click on links in emails from senders you don’t know. That is how this virus is propagated the most, usually by a fake banking “wire transfer” document or a fax, etc… My user claims not to have received any such emails, so the next possible place of origin is a compromised website that had a link or ad that initiated the download of the file. Bleeping Computer also has some great suggestions using Active Directory or 3rd party programs to block the execution of these ransomware programs. Link below:
Have you had an experience with CryptoWall or similar ransomware programs? What did you have to do to fix it?