My office was hit by the CryptoWall 3.0 Trojan yesterday. I was able to find the workstation that the infection came through after some of the files on our ReadyNAS server were encrypted. My colleagues scanned their computers with MBAM and no additional instances of the CW executable (listed as aaaaaaaa.exe and attached) or its associated registry keys were detected. I quarantined and removed the executables and registry keys from the host computer and plan to re-format and re-image it entirely, since there are still startup scripts running that launch the ransomware messages. This brings me to the case of the ReadyNAS. Our IT consultant and I pulled it from our server tower and hooked it into an old computer that's been my playground for Windows 10 previewing of late. We're scanning it with MBAM, but the process is going exceedingly slowly (and there's about 3 TB of data on the ReadyNAS). The server takes nightly snapshots, so I'm hoping to be able to restore from one of them (fingers crossed) before this nightmare happened. I've been scanning each drive of the ReadyNAS for the aaaaaaaa.exe file, and for any other EXE files that look suspicious or have a date stamp within the last few days, and have found nothing of the sort. There are plenty of the HELP_DECRYPT files scattered all over the place, so I know affected files are there. Does the CW Trojan make also copies of the executable file to the network directories it is targeting in order to continue its commands, or are all commands issued from the executable file that were on my colleague's computer's user folder? By removing that executable file and the registry keys, did I stop the virus from spreading/sending commands to any further network locations? (Please note, I also unplugged my colleague's ethernet cable upon discovering his computer.)
