After several clients have faced this issue, it is time to write out some best practices for how to deal immediately with an infection from one of the Cryptolocker / Cryptowall network ransomware variants. These usually infect a single workstation on the network, encrypt all local files, encrypt all network file shares, and leave an instruction file on how to pay for the decryption key in every folder. A good backup of the network file servers is key to keeping a network ransomware infection from doing devastating damage to a company.
Steps for cleaning up after the network ransomware infection:
1. Log in to the file server and find one of the instruction files (usually HELP_DECRYPT.txt or decrypt_instruction.html) on the affected network share.
2. Right-click on the file, choose Properties and click on the Details tab. The Owner listed is most likely the username of the person using the one infected computer on the network.
3. Isolate this machine from the network, then either deep-clean it with antivirus tools or wipe and reload the operating system to get rid of the infection.
4. It is also good to run basic virus scanning on all workstations and servers on the network to determine whether the infection has spread further. Clean as needed.
5. It is good to know all the infected folders on the file server, so here is a PowerShell command to list every instruction file, one per folder that was touched (change the instruction file name as needed; -ExpandProperty writes plain paths instead of a truncated table):
Get-ChildItem "[local path of file share]" -Include HELP_DECRYPT.* -Recurse | Select-Object -ExpandProperty FullName >> C:\TEMP\InfectedFiles.txt
6. Send a copy of an encrypted file and of one of the instruction files to your Antivirus vendor because obviously they missed something.
7. Next comes the cleaning of the instruction files, so more PowerShell to automate this (change the instruction file name as needed):
Get-ChildItem "[local path of file share]" -Include HELP_DECRYPT.* -Recurse | ForEach-Object { Remove-Item -LiteralPath $_.FullName }
8. Use backup software to restore affected file shares to an alternate location.
9. Copy / replace files into their original location from the alternate location.
10. Test to make sure that users are able to get back into their files.
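Steps 2, 5 and 7 rolled into one script, added here as an example and not part of the original post: it inventories the instruction files on the share, tallies their owners so the infected user's account stands out, notes the earliest one as a lower bound for the restore point, and deletes the notes only when -Remove is given. The share path, note name patterns and report path are assumptions to replace with your own.

```powershell
# Added example: inventory ransom notes on a share, identify the likely infected
# user from the note owners, then optionally delete the notes. Paths and note
# name patterns below are assumptions, not values from the original post.
param(
    [string]$SharePath  = 'D:\Shares\Company',                          # assumption
    [string[]]$NoteNames = @('HELP_DECRYPT.*', 'decrypt_instruction.*'), # assumption
    [string]$ReportPath = 'C:\TEMP\InfectedFiles.csv',                   # assumption
    [switch]$Remove                                  # delete notes only when asked
)

# Step 5: find every instruction file the ransomware left behind.
$notes = Get-ChildItem -Path $SharePath -Include $NoteNames -Recurse -File -ErrorAction SilentlyContinue
if (-not $notes) {
    Write-Host "No instruction files found under $SharePath"
    return
}

# Step 2, automated: the account that created the notes is almost always the
# user logged on to the infected workstation, so tally owners across all notes.
$report = foreach ($note in $notes) {
    $owner = 'unknown'
    try { $owner = (Get-Acl -LiteralPath $note.FullName).Owner } catch { }
    [pscustomobject]@{
        Path      = $note.FullName
        Owner     = $owner
        Written   = $note.LastWriteTime
        Directory = $note.DirectoryName
    }
}

# Write the inventory first so nothing is lost if the removal step is run later.
$report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host ("{0} instruction files recorded in {1}" -f $report.Count, $ReportPath)

Write-Host "Note owners (top entry is the likely infected user):"
$report | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The earliest note bounds when encryption started; restore from a backup older
# than this in step 8.
$first = $report | Sort-Object Written | Select-Object -First 1
Write-Host ("Earliest note: {0} at {1}" -f $first.Path, $first.Written)

# Step 7: remove the notes, but only after the report exists and -Remove was given.
if ($Remove) {
    $report | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
    Write-Host "Removed $($report.Count) instruction files"
}
```

Save it as a .ps1, run it once without -Remove to review the report and owner tally, then run it again with -Remove once the infected workstation is off the network.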
If your company has been hit by a network ransomware infection, or would like to be proactive about protecting your important company files from disaster, then contact us for assistance.