Question about Cryptowall 3.0

[Tex_Cin]

Two of my workstations were hit with Cryptowall 3.0 this week. I've taken down the network and we're running all workstations independent of the network while trying to figure out how it got in. The two workstations affected were both running an Outlook (2013) add-in called Save as PDF. We believe the malware may have been delivered with an email containing a resume attachment that neither user opened. Both users had unopened copies of that email in their delected folders. Is it possible the add-in activated the malware when it converted the email and the attachment to pdf? Here is a copy of the Sperry description of the add-in.

The add-in first converts the email to PDF, then takes each attachment and inserts that into the PDF as well. It works on Microsoft® Word® files (.doc and .docx), Microsoft Excel® files (.xls and .xlsx), Microsoft Powerpoint® files (.ppt and .pptx), plain text files (.txt), HTML files (.htm and .html), PDF files, image files (.tif, .jpg, .gif, .png, plus other image file formats) and even unpacks compressed zip files!

Fortunately even though this malware made it to the network through mapped drives, our backup system (I call it 3-2-1 and a spare) saved us from shutting down the business.

Any thoughts on this would be appreciated. I want to take whatever steps are necessary to prevent this from happening again.

[AdvancedSetup]

Not always easy to determine the "how" but protection from it can certainly be increased. Please review the links below for some of the best public information about the subject.

 

http://www.bleepingcomputer.com/forums/t/533715/cryptowall-a-new-ransomware-from-the-creators-of-cryptodefense/

 

 

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

 

Thanks

[AdvancedSetup]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.