Endpoint Protection


I have virus Cryptowall


  • 1.  I have virus Cryptowall

    Posted May 14, 2014 11:53 AM

    My computer is infected with the Cryptowall virus and I cannot open any document. Can someone help me neutralize the virus?



  • 2.  RE: I have virus Cryptowall

    Posted May 14, 2014 11:54 AM

    Disconnect from the network. The problem is it will encrypt all your files. What components of SEP do you have running? Did SEP catch anything?

    Run the symhelp tool on it

    Troubleshooting computer issues with the Symantec Help support tool

    http://www.symantec.com/docs/HOWTO80839



  • 3.  RE: I have virus Cryptowall

    Posted May 14, 2014 12:09 PM
     
    I have SEP version 12 and all my documents are infected. How do I disinfect my computer?

    How do I identify the source of this virus? Where did the infection come from?


  • 4.  RE: I have virus Cryptowall

    Posted May 14, 2014 12:13 PM

    The virus can be removed but unless you have a clean backup, all your files are likely not recoverable.

    Are you running network threat protection as well (IPS and firewall)?



  • 5.  RE: I have virus Cryptowall

    Posted May 14, 2014 12:55 PM

    Yes, I have a copy of the file information. What I need to know is how to remove the virus, since SEP did not detect it with my agent, and how I can find out where the virus entered.



  • 6.  RE: I have virus Cryptowall

    Posted May 14, 2014 01:07 PM

    Do you have IPS and firewall enabled as well? AV definitions up to date?



  • 7.  RE: I have virus Cryptowall

    Posted May 14, 2014 01:12 PM

    I have IPS enabled but not the firewall, and yes, it has the updates.



  • 8.  RE: I have virus Cryptowall

    Posted May 14, 2014 09:05 PM

    How do I stop the spread of the virus on my network?



  • 9.  RE: I have virus Cryptowall

    Posted May 15, 2014 04:54 AM

    Hi JuanJuarezM,

    Thanks for the post.  As long as the computer which was affected is isolated from the others on your network, this threat should not spread.  These generally attack the drives on the local computer and then any mapped network drives.

    Definitely open a case with Tech Support for this infection, if you have not already done so.  Please run the SymHelp diagnostic on that computer with Threat Analysis Scan. Here's an excellent illustrated guide:
     

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)
    http://www.symantec.com/docs/TECH215519 
     

    Once that is done, please submit to Security Response any files that the tool has found to be suspicious! (Please also save the .sdbz file and send that to Technical Support.  There might be additional malicious files that are not automatically detected, but that Tech Support can spot.)  Here's some advice about submitting:

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    Give your Tracking Numbers to Tech Support and ask them to expedite their analysis, please.

    Restoring the damaged files from backup is the best course of action.  Paying the ransom just gives R & D funding to the malware authors so they can come back and hit you again.

    Recovering Ransomlocked Files Using Built-In Windows Tools
    https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

    Hope this helps!  Please do keep this thread up-to-date with your progress.

    Mick

     



  • 10.  RE: I have virus Cryptowall

    Posted May 15, 2014 08:22 AM

    Is it just your machine? If so, remove it from the network and run a full scan on it.



  • 11.  RE: I have virus Cryptowall

    Posted May 16, 2014 08:22 AM

    Hi again,

    Symantec has broken out a new detection for this variant.  The following definitions cover cryptowall and BitCrypt.

    Trojan.Ransomcrypt.I

    http://www.symantec.com/security_response/writeup.jsp?docid=2014-051514-5659-99



  • 12.  RE: I have virus Cryptowall

    Posted May 30, 2014 05:20 AM

    Hi JuanJuarezM,

    Just curious as to the outcome.  This thread is still marked "needs solution" - if time allows, can you update it?

    Thanks

    Mick



  • 13.  RE: I have virus Cryptowall

    Posted May 30, 2014 03:58 PM

    We were infected May 29th by embedded link on an mail from Secure_Message@Natwest.com

    We are running Symantec Endpoint Antivirus and AntiSpyware Protection, Proactive Threat Management and Network Threat Protection. 

    Should this have been caught by Symantec?  I've had embedded viruses caught in the past.



  • 14.  RE: I have virus Cryptowall

    Posted Jun 15, 2014 02:15 AM

    I also have this Cryptowall.  A virus FULL scan cannot detect it.  I downloaded Norton Power Eraser and it did not detect anything... Does Symantec have anything that can detect and remove this? Or should I try a different provider?



  • 15.  RE: I have virus Cryptowall

    Posted Jun 15, 2014 08:46 AM

    Run the threat analysis scan from the symhelp tool



  • 16.  RE: I have virus Cryptowall

    Posted Jun 15, 2014 08:37 PM

    OK. So that worked.  Does symantec have a program to delete all the encrypted files?



  • 17.  RE: I have virus Cryptowall

    Posted Jun 15, 2014 08:57 PM

    None that I'm aware of


  • 18.  RE: I have virus Cryptowall

    Posted Jun 23, 2014 09:02 AM

    Just posting an update: there have been additional refinements and improvements to defenses against this particular variant. Additional information is available in:

    Trojan.Cryptowall
    http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99

     



  • 19.  RE: I have virus Cryptowall

    Posted Jun 24, 2014 04:12 PM

    Just an FYI. We also got the Cryptowall virus on 6-18. Ran all night through all our server shares. Endpoint 12.4 was worthless, as was tech support. Called them and got Bob in India. No help and not a clue. All of my servers and workstations are up to date with Microsoft and Symancrap. User had no idea she had gotten a virus? Can't wait to be done with Symantec.



  • 20.  RE: I have virus Cryptowall

    Posted Jun 30, 2014 01:09 PM

    I have been wondering about this, having just been infected on our company network with this nasty piece of work.

    I had what I thought was an isolated infection on a PC on Friday and after having immediately isolated the PC by removing from the network and then performing a full scan of the network shares that this PC had access to, I felt that we were good, nothing was showing on the network in terms of infected files.

    However, this morning we got another infection that came from a separate PC (the original PC is still off the network); the files that were created and encrypted by the virus all get the modification timestamp on the files from the original infection.

    So my question is, does anyone know if the virus can be spread by attempting to open an already encrypted document? Or is it only spread by a PC / server contracting the infection from a web site / internet drive-by, or running an infected executable?



  • 21.  RE: I have virus Cryptowall

    Posted Jul 01, 2014 03:52 AM

    Hi Mike_winsp,

    I believe I can help.

    So my question is, does anyone know if the virus can be spread by attempting to open an already encrypted document? Or is it only spread by a PC / server contracting the infection from a web site / internet drive-by, or running an infected executable?

    The encrypted files themselves are harmless: the threat cannot spread by attempting to open them.

    You are correct that the threat can only infect a machine via drive-by download or if a user is tricked into running an executable (something that arrived by email, for example a .pdf pretending to be an invoice but which actually had a .exe).

    With Cryptowall, I believe that drive-by downloads are the most common means of infection.  Definitely be sure that all browsers and third-party plugins to browsers (Flash, Java, etc.) are patched up-to-date.  Also be sure that IPS and Download Insight components are in place on the endpoints. AV alone is no longer enough for comprehensive protection!

    The other big recommendation is to close open network shares: that would limit any damage to just that one computer. If that computer has mapped network drives that it can access without prompting the user for a password, then the threat running on the victim computer will go there and sabotage all the material it can on that remote drive, too.

    Hope this helps!!

    Mick



  • 22.  RE: I have virus Cryptowall

    Posted Jul 02, 2014 11:12 AM

    Here is a new Blog post from Security Response:

    Rig Exploit Kit Used in Recent Website Compromise
    https://www-secure.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise

    That kit has been a tool used by attackers for pushing Trojan.Cryptodefense and Trojan.Cryptowall onto victims' computers.

    Definitely ensure your organization's browsers have been patched up-to-date to avoid exploits of those vulnerabilities!



  • 23.  RE: I have virus Cryptowall

    Posted Jul 02, 2014 11:24 AM

    Thanks for the response Mick, great help.



  • 24.  RE: I have virus Cryptowall

    Posted Jul 02, 2014 03:23 PM

    Actually just a further thought on this, from what I've read and what Mick has responded with, it feels as if there isn't a great deal of defense against the Cryptowall variant right now. I have seen that our firewall perimeter defenses are seeing a good few hits from Cryptolocker & Cryptodefense but nothing in relation to Cryptowall.

    The best defense appears to be vigilance.



  • 25.  RE: I have virus Cryptowall

    Posted Jul 24, 2014 03:31 AM

    Use any antivirus before you lose all your data.



  • 26.  RE: I have virus Cryptowall

    Posted Oct 22, 2014 10:21 PM

    So, I haven't fully tested this, but I had a client who got hit with it.

    This thing starts by making a copy of itself and then deleting the original or some other stupid algorithm; the Symantec guys could verify exactly how it executes.
    The workstation where it started had the 'everyone' share open on the server (2008 SR2).
    About 8000 files; extremely sensitive stuff, you know.
    Well, the quick thinking office manager, who was told "I can't open this Word document, it's weird!" immediately shut the workstation down and called me.
    In the meantime, she started asking the 20+ employees if anyone else was having the same issue. About six were. She shut those machines down before I got there. None of the workstations were infected, only the server...and it doesn't have Office on it so the only thing that was affected were the shares...and really just one.
    Anyway, to make a long story longer, my Vipre on the server caught it and stopped it but it managed to encrypt about a third of the folders, all of the shadow copies as well as the Backup Exec stuff.
    I removed the encrypted files from the share by copying them and put them in a folder on the desktop. They weren't infected, just encrypted.
    Then, I deleted the originals off the share. The remainder of the share was fine.
    I then proceeded to delete all the DECRYPT_INSTRUCTION and INSTALL_TOR files from the encrypted stuff.
    The minute I opened one of the encrypted files, it opened with no problem and completely perfect.
    I couldn't believe my eyes! I thought I must have opened an unaffected file so I checked again. Wow, all of the copies I created were totally fine! Editable and saveable!

    As I said I haven't fully tested this theory, but just today, I moved all of the data back to the share.

    Life is good!
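
    Three things in this thread fit together for anyone cleaning up a share after a hit like the one described above: post 21's point that the encrypted files themselves are harmless (so they can be copied off for triage), post 20's observation that the files carry the timestamp of the encryption run, and post 26's account of the DECRYPT_INSTRUCTION / INSTALL_TOR note files, some of whose neighbouring "encrypted" copies turned out to open fine. The script below is an added example, not code from this thread or from Symantec. It walks a copied share tree, locates the notes, records the window in which they were written, flags data files whose header no longer matches their extension (or, for unknown types, whose leading bytes are near-random), and moves the notes aside as evidence instead of deleting them. The note-name prefixes, the per-extension header table and the sample directory it builds in a temp folder are all assumptions constructed for the example.

```python
"""Added triage for a share copied off a Cryptowall-hit server (see lead-in)."""
import math
import os
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Note names quoted in post 26, matched as prefixes (.txt/.html/.url forms exist).
NOTE_PREFIXES = ("DECRYPT_INSTRUCTION", "INSTALL_TOR")

# Expected leading bytes per extension; an assumption about the share's content.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
         ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".pdf": b"%PDF"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    return path.name.upper().startswith(NOTE_PREFIXES)


def looks_encrypted(path: Path, sample: int = 4096, threshold: float = 7.5) -> bool:
    """Header contradicts the extension, or (unknown type) the head is near-random.
    Compressed formats absent from MAGIC (.gz, .7z) are flagged too: check by hand."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        return not head.startswith(expected)
    return len(head) >= 256 and shannon_entropy(head) >= threshold


@dataclass
class Triage:
    root: Path
    notes: list = field(default_factory=list)
    affected_dirs: set = field(default_factory=set)
    suspect_files: list = field(default_factory=list)
    first_note: float = float("inf")  # earliest note mtime (epoch seconds)
    last_note: float = 0.0            # latest note mtime: the encryption window


def triage_tree(root) -> Triage:
    t = Triage(root=Path(root))
    for dirpath, _dirs, files in os.walk(t.root):
        d = Path(dirpath)
        for name in files:
            p = d / name
            if is_ransom_note(p):
                m = p.stat().st_mtime
                t.notes.append(p)
                t.affected_dirs.add(d)
                t.first_note, t.last_note = min(t.first_note, m), max(t.last_note, m)
            elif looks_encrypted(p):
                t.suspect_files.append(p)
    return t


def quarantine_notes(t: Triage, dest) -> int:
    """Move notes out of the share (kept as evidence, not deleted). Returns count."""
    moved = 0
    for p in t.notes:
        target = Path(dest) / p.relative_to(t.root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(p), str(target))
        moved += 1
    return moved


def build_sample_tree(base: Path, note_time: float) -> Path:
    """Constructed sample share, not a real capture."""
    share = base / "share"
    (share / "finance").mkdir(parents=True)
    (share / "hr").mkdir()
    (share / "finance" / "intact.docx").write_bytes(b"PK\x03\x04" + b"\0" * 300)
    (share / "finance" / "budget.docx").write_bytes(bytes(range(256)) * 16)  # header gone
    (share / "finance" / "readme.txt").write_text("plain english text " * 40)
    (share / "finance" / "DECRYPT_INSTRUCTION.txt").write_text("pay us")
    (share / "finance" / "INSTALL_TOR.url").write_text("[InternetShortcut]")
    (share / "hr" / "export.dat").write_bytes(bytes(range(256)) * 16)  # no note here
    for note in ("DECRYPT_INSTRUCTION.txt", "INSTALL_TOR.url"):
        os.utime(share / "finance" / note, (note_time, note_time))
    return share


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        share = build_sample_tree(Path(tmp), note_time=1_401_000_000.0)
        t = triage_tree(share)
        moved = quarantine_notes(t, Path(tmp) / "evidence")
        return {"notes": len(t.notes), "quarantined": moved,
                "affected_dirs": sorted(d.name for d in t.affected_dirs),
                "suspects": sorted(p.name for p in t.suspect_files),
                "window": (t.first_note, t.last_note)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    Against a real copy, point `triage_tree` at the copied share and `quarantine_notes` at an evidence folder. The header check is what separates the two cases in post 26: a .docx that still begins with the ZIP signature was never overwritten and will open, while one whose first bytes are random has been encrypted no matter what its name says. The suspect list also shows files in directories with no note (export.dat in the sample), which is worth a look because it can mean the run was interrupted before the note was dropped.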



  • 27.  RE: I have virus Cryptowall

    Posted Jan 07, 2015 04:01 AM

    I would recommend using a powerful antispyware program, turning on the firewall, and updating your PC on a regular basis.

    http://www.removepcthreats.com/remove-cryptowall-from-pc-step-by-step-guide



  • 28.  RE: I have virus Cryptowall

    Posted May 12, 2015 01:36 PM

    I have the infection. It appears to have spared my iTunes account. Is it safe to copy all the songs in my library to a disc and then reload them after I restore my computer?

    Also, what is in my "cloud" that I can salvage after wiping my laptop? Photos? Websites? Songs?



  • 29.  RE: I have virus Cryptowall

    Posted Aug 27, 2015 05:20 PM

    If you have no important files, you can back up your PC. But if you have something that is very important to you, try to scan your computer: http://malwareprotectioncenter.com/2015/07/17/cryptowall/ , and then use ADW Cleaner. You can download it anywhere. Do not pay in Bitcoin!!! It will not help you.