
I've recently started working in a small subsidiary of a larger international organisation. My work is on the help desk, and there are 3 developers on the team, and our boss is the manager and acting sysadmin. There's been a high turnover of staff, in which 3 sysadmins have come and gone in the last 18 months, so the system isn't in the best condition.

We have 64 users who have 8 - 12 mapped drives - they mount at startup with a batch file set by Active Directory, depending on what part of the organisation they're in. Yesterday I got a call from one user who said she couldn't open a Word document she had been working in the evening before. When I went to investigate I saw that the file was showing a .crypt extension. I then realised that every Word document on this network share was also encrypted, but .jpg files were fine. (After further investigation I found .doc, .xls, .pdf, .zip and .txt files were encrypted.) I did a quick check of all other network shares that are used by employees but found no trace of ransomware anywhere else. The affected network share had a text file in every subfolder with instructions on how to pay the ransom.

The one network share affected resides on a Netgear NAS box that is linked with Active Directory.

My understanding of this virus, from hearing about other companies, is that it needs to be initiated on a PC, whether through an email link or something downloaded from the web, and that ALL local and network drives, including any possible USB drives, should be encrypted. However, we can find no traces of this virus on any of our PCs, and we also find it strange that none of the other network shares have been infected.

We've been going to all the PCs and checking local directories for .txt files etc. and once we see that they open we assume that the machine is clean and isn't the one that initiated the virus. We also search for .crypt files.

- Is there something else we can do to find the PC that caused this?
- Are we wrong to assume that a user caused this by opening an attachment, or clicking a link on the web?
- Are we wrong to assume there'd be a trace on any of the PCs?
- How have none of the other drives been affected? As I mentioned, users always have several drives mapped at any given time.
- Is there anything else we should look out for?
- How would you go about trying to identify the machine/employee that caused this?

Apologies for the long post, I've tried to give as much detail as possible. I'd be grateful for any advice. Thank you.

  • It came from somewhere. What antivirus/antimalware do you use? Is it centrally managed? Have you run a full scan of all systems? – joeqwerty May 13 '16 at 18:45
  • Don't bother trying to figure out who caused it. Waste of time. These campaigns are increasingly using malvertising as an infection vector, so it's entirely possible that there's no user to blame for this. Just clean it up and move on. Consider mitigating this threat by blocking application execution from %APPDATA% by default. Provided you have backups and good permissions settings on your shared drives, that's the best you'll be able to do about this threat type. – HopelessN00b May 13 '16 at 19:41

1 Answer


Edit the properties of the file, Security tab, Advanced. Check the Owner. That should provide the user.

Greg Askew
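Doing the owner check from the answer across the whole share rather than one file at a time makes the responsible account stand out. This is an added example, not code from the answer; the share path is a placeholder, and it assumes the encrypted files carry the .crypt extension described in the question.

```powershell
# Added example: tally the owner of every encrypted file on the affected share.
# The account that wrote the .crypt files is the one whose session did the
# encrypting; the first/last write times bound the incident window.
$Share = '\\NAS-PLACEHOLDER\share'   # placeholder, replace with the affected share

$encrypted = Get-ChildItem -Path $Share -Recurse -File -Filter '*.crypt' `
    -ErrorAction SilentlyContinue

$report = foreach ($f in $encrypted) {
    try {
        $owner = (Get-Acl -LiteralPath $f.FullName).Owner
    } catch {
        $owner = '<acl not readable>'
    }
    [pscustomobject]@{
        Owner         = $owner
        Path          = $f.FullName
        LastWriteTime = $f.LastWriteTime
    }
}

if (-not $report) {
    Write-Warning "No .crypt files found under $Share"
    return
}

# Files per owner: the encrypting account normally owns nearly all of them
$report | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Time window of the encryption run, to correlate with logon/SMB session logs
$sorted = $report | Sort-Object LastWriteTime
"First write: $($sorted[0].LastWriteTime)   Last write: $($sorted[-1].LastWriteTime)"

# Keep the full listing for the incident record
$report | Export-Csv -Path "$env:USERPROFILE\crypt-owners.csv" -NoTypeInformation
```

The owner names the AD account, not the workstation; match it against the NAS's SMB session list or domain controller logon events in the reported time window to find the PC.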