
CryptoWall 3.0 Behavior



My office was hit by the CryptoWall 3.0 Trojan yesterday.  I was able to find the workstation that the infection came through after some of the files on our ReadyNAS server were encrypted.  My colleagues scanned their computers with MBAM and no additional instances of the CW executable (listed as aaaaaaaa.exe and attached) or its associated registry keys were detected.  I quarantined and removed the executables and registry keys from the host computer and plan to re-format and re-image it entirely, since there are still startup scripts running that launch the ransomware messages.

 

This brings me to the case of the ReadyNAS.  Our IT consultant and I pulled it from our server tower and hooked it into an old computer that's been my playground for Windows 10 previewing of late.  We're scanning it with MBAM, but the process is going exceedingly slowly (and there's about 3 TB of data on the ReadyNAS).  The server takes nightly snapshots, so I'm hoping to be able to restore from one of them (fingers crossed) before this nightmare happened.  I've been scanning each drive of the ReadyNAS for the aaaaaaaa.exe file, and for any other EXE files that look suspicious or have a date stamp within the last few days, and have found nothing of the sort.  There are plenty of the HELP_DECRYPT files scattered all over the place, so I know affected files are there.

 

Does the CW Trojan also make copies of the executable file to the network directories it is targeting in order to continue its commands, or are all commands issued from the executable file that was in my colleague's user folder on his computer?  By removing that executable file and the registry keys, did I stop the virus from spreading/sending commands to any further network locations?  (Please note, I also unplugged my colleague's ethernet cable upon discovering his computer.)

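A defender-side triage script for the situation described in the post, added here as an example and not code from the thread or from Malwarebytes: it walks a share, lists every directory holding a HELP_DECRYPT ransom note (the note sits next to the encrypted files, so these are the directories to restore from a pre-infection snapshot), flags any copy of the aaaaaaaa.exe name seen on the infected host, and lists .exe files modified in the last few days. The three-day window and the constructed sample tree are assumptions.

```python
import os
import tempfile
import time

NOTE_PREFIX = "HELP_DECRYPT"   # ransom note name reported in the post
SUSPECT_EXE = "aaaaaaaa.exe"   # executable name reported in the post

def triage(root, recent_days=3, now=None):
    """Walk root; return sorted (dirs_with_notes, recent_exes, suspect_copies)."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400          # assumed "last few days" window
    dirs_with_notes, recent_exes, suspect_copies = set(), [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.upper().startswith(NOTE_PREFIX):
                dirs_with_notes.add(dirpath)    # encrypted files live alongside the note
            if name.lower() == SUSPECT_EXE:
                suspect_copies.append(path)
            if name.lower().endswith(".exe"):
                try:
                    if os.path.getmtime(path) >= cutoff:
                        recent_exes.append(path)
                except OSError:
                    pass                        # unreadable entry; skip it
    return sorted(dirs_with_notes), sorted(recent_exes), sorted(suspect_copies)

def build_sample_tree(base, now=None):
    """Constructed sample share: one ransom note, one old tool, one fresh dropper copy."""
    now = time.time() if now is None else now
    for sub in ("projects", "scratch", "archive"):
        os.makedirs(os.path.join(base, sub))
    for rel in ("projects/HELP_DECRYPT.TXT", "projects/old_tool.exe",
                "scratch/aaaaaaaa.exe", "archive/notes.txt"):
        with open(os.path.join(base, *rel.split("/")), "w") as fh:
            fh.write("constructed sample\n")
    old = now - 30 * 86400                      # make the legitimate tool look old
    os.utime(os.path.join(base, "projects", "old_tool.exe"), (old, old))

def dry_run():
    """Triage the constructed tree in a temp dir; return paths relative to it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        rel = lambda paths: [os.path.relpath(p, base).replace(os.sep, "/") for p in paths]
        return tuple(rel(group) for group in triage(base))

if __name__ == "__main__":
    for label, hits in zip(("ransom-note dirs", "recent .exe", "suspect copies"), dry_run()):
        print(f"{label}: {hits}")
```

Point `triage()` at the mounted share root to scope the real NAS; compare the note directories against the snapshot dates to confirm a snapshot predates the first note.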

  • 2 months later...
  • Root Admin

We're sorry. It looks like your topic was somehow overlooked. Due to the length of time we'll go ahead and close this topic now but if you still actually need help please send a private message to one of the Moderators and we'll assist you.

Thank you and sorry we missed your topic.
