This discussion has been locked.

CryptoWall 2.0

Hello,

Recently we have had a CryptoWall 2.0 infection hit one of our machines. We were fortunate enough for it to just encrypt the local content, and nothing on the servers.

We have been having a hell of a time trying to locate the file that this infection originated from, to try and prevent a repeat infection.

After spending some time looking for anything (ANYTHING) of interest, we have found nothing. It does appear that CryptoWall 2.0 removes itself once it's finished encrypting everything it can.

Does anyone have any experience or helpful tips with this?

Cheers :)



  • Hello Coretex,

    I've probably not encountered this one back then in May

    prevent a repeat infection

    Locating an involved file and sending it in as a sample might result in a timely detection upon the next encounter. FWIW you shouldn't reckon that you can prevent a next time with absolute certainty. It's advisable that you (also) assess your data's exposure and review your backups - strategy as well as actual operation.

    Christian

  • Hi, thanks for the response.

    While I understand it's difficult to 100% prevent a repeat infection, finding the file that caused the issue in the first place would go a long way towards at least knowing what we are dealing with, so we can take steps to protect our data.

    The main reason for posting was because we could not find any trace left behind besides some .txt and .html files it floods the profile with.

    Any executables related to the virus seem to be gone.

    As far as I can tell at this point it seems to remove itself as part of the encryption process.

  • Hello Coretex,

    we could not find any trace left behind

    yeah, it's tricky as the malware uses drive-by. If you know the time it started check the browser caches, the user's %TEMP% and other commonly writable locations for anything from around this time - usually the stuff is not more than a few hundred kB. That's all I can suggest - so far I've always found at least a little something.

    Christian

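The hunt Christian describes (take the time the infection started, then sweep the browser caches, the user's %TEMP% and other commonly writable locations for small files from around that time), combined with the two other points raised in the thread (the .txt/.html notes the malware floods the profile with, which give you that start time, and hashing anything found so it can be sent in as a sample) is written out below as an added PowerShell example. It is not code from the thread or from any vendor. The note name pattern, the search window, the size cap and the list of locations are assumptions and are exposed as parameters; adjust them to what you actually see on the affected machine. Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not from the thread: locate CryptoWall 2.0 dropper remnants.
# Assumptions (not stated in the thread): the ransom-note file name pattern, the
# time window, the size cap and the search locations. All are parameters.
param(
    [string]$NotePattern = 'HELP_DECRYPT.*',   # assumed note name; match what floods the profile
    [int]$HoursBefore    = 6,                  # how far before the first note to look
    [int]$MaxSizeKB      = 512,                # "usually not more than a few hundred kB"
    [string]$Out         = "$env:USERPROFILE\Desktop\cryptowall-hunt.csv"
)

# Return $true if the file starts with an MZ header, whatever its extension says.
function Test-MZ([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $b = New-Object byte[] 2
            $n = $fs.Read($b, 0, 2)
            return ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }
}

# 1. The earliest ransom note in the profile approximates when encryption began.
$notes = Get-ChildItem -Path $env:USERPROFILE -Filter $NotePattern -Recurse -Force -ErrorAction SilentlyContinue
if (-not $notes) { throw "No notes matching $NotePattern under $env:USERPROFILE; set -NotePattern." }
$start = ($notes | Sort-Object CreationTime | Select-Object -First 1).CreationTime
Write-Host ("First ransom note created: {0} ({1} notes found)" -f $start, $notes.Count)

# The dropper lands before the notes appear, so the window runs up to the start.
$from = $start.AddHours(-$HoursBefore)
$to   = $start.AddMinutes(30)

# 2. Commonly writable locations for a drive-by (browser caches live under LOCALAPPDATA).
$locations = @(
    $env:TEMP,
    $env:LOCALAPPDATA,
    $env:APPDATA,
    $env:ProgramData,
    "$env:SystemRoot\Temp",
    $env:PUBLIC
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# 3. Small files created or written inside the window, notes themselves excluded.
#    LastWriteTime is checked as well because a copy keeps it while CreationTime is new.
$hits = foreach ($loc in $locations) {
    Get-ChildItem -Path $loc -Recurse -Force -File -ErrorAction SilentlyContinue |
      Where-Object {
          $_.Length -le ($MaxSizeKB * 1KB) -and
          $_.Name -notlike $NotePattern -and
          (($_.CreationTime  -ge $from -and $_.CreationTime  -le $to) -or
           ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to))
      }
}

# 4. Hash each candidate so it can be submitted as a sample; flag PE files first.
$report = foreach ($f in $hits) {
    $hash = ''
    try { $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch { }
    [pscustomobject]@{
        Created  = $f.CreationTime
        Modified = $f.LastWriteTime
        SizeKB   = [math]::Round($f.Length / 1KB, 1)
        IsPE     = Test-MZ $f.FullName
        SHA256   = $hash
        Path     = $f.FullName
    }
}

$report | Sort-Object Created | Export-Csv -Path $Out -NoTypeInformation
$pe = @($report | Where-Object { $_.IsPE })
Write-Host ("{0} candidate files in window; {1} carry an MZ header. Report: {2}" -f @($report).Count, $pe.Count, $Out)
$pe | Sort-Object Created | Format-Table Created, SizeKB, SHA256, Path -AutoSize
```

Run it in an elevated shell as the affected user (or point -Path at a mounted image of the disk; timestamps survive imaging, not reinstalling). Because the malware removes its own executable, what turns up is more often the dropper or downloader stub from the browser cache than the encryptor itself; the MZ check catches renamed binaries that a filter on .exe would miss. Review the PE hits first, then anything else in the CSV written in the minutes before the first note.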