Kill internet connectivity from the DC. Look for *HELP_DECRYPT*. This will be in any directory that has affected files. Pretend like your help ticketing system is working and get a help ticket; you are going to need one. Rebuild and restore from backup.

That being said, I am not sure how this nasty plays when it has the keys to the castle (DC) and is sitting behind the moat. See, I am really concerned because the DC has access to all the remote shares, but I really believe the CRYPTO bad guys only attack the mapped drives. I honestly cannot say.
From: [email protected] [mailto:[email protected]] On Behalf Of D R
Sent: Friday, June 12, 2015 2:35 PM
To: [email protected]
Subject: Re: [NTSysADM] OT(perhaps) But need direction

Oops?!? What do you mean 'Oops'!?! Nothing good comes after 'Oops'!

On the DC Server.

On Fri, Jun 12, 2015 at 1:31 PM, David McSpadden <[email protected]> wrote:

Was the popup on your laptop or the DC? CRYPTO attacked each mapped drive on the infected device. If it was the DC, that is not good. If it was the laptop, still not good, but just wipe and restore.

From: [email protected] [mailto:[email protected]] On Behalf Of D R
Sent: Friday, June 12, 2015 2:26 PM
To: ntsysadm
Subject: [NTSysADM] OT(perhaps) But need direction

I am currently onsite working with the IT Admin about a new online ticketing system. Around 12:45pm, I was logged in to the Primary DC via a remote desktop connection from a company-provided laptop, wasn't doing a thing (seriously, I didn't have anything open, had just logged into the server), and I see a window pop up that looked like a CMD/DOS window, and in the title of that window, in capital letters, it read CRYPTOWALL HAS TAKEN OVER, and then it looks like File Manager screens start popping up and the server starts running at a crawl.

I have dealt with this Cryptowall virus before, and the only resolution was to reinstall Windows Server and restore from backup. Is this still the 'fix' for this issue? Or is there something else that can be done? Not in the position to try anything. Just need to know where to go from here so we can help them with this issue.

--
Daniel Rodriguez
[email protected]

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
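The reply above recommends looking for HELP_DECRYPT files to scope what CryptoWall touched. The script below is an added example, not something posted in this thread; it is one way to turn that advice into a read-only sweep. It assumes you run it from a clean admin workstation with read access to the suspect volumes and shares (the paths in $Roots are hypothetical placeholders), and it relies on the fact that the ransom note is written into each directory the malware encrypted, so listing note locations lists affected directories. Treating the note file's NTFS owner as a hint about which account ran the malware is an assumption; it holds when the note was created under that user's token, but an elevated session will show Administrators instead.

```powershell
# Added example (not from the thread). Read-only scoping of a CryptoWall hit:
# find every HELP_DECRYPT* ransom note under the given roots, report each
# affected directory with the time the note appeared and the note's NTFS owner,
# and write the list to a CSV for the incident ticket.
# $Roots values are hypothetical placeholders; adjust to the real DC and shares.

param(
    [string[]]$Roots  = @('\\DC01\C$', '\\FILESERVER\Shares'),   # hypothetical
    [string]  $Report = (Join-Path $env:TEMP 'cryptowall-scope.csv')
)

# Collect the ransom notes. -Force includes hidden items; errors on unreadable
# subtrees are suppressed so one locked folder does not abort the sweep.
$notes = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Cannot reach $root"
        continue
    }
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter 'HELP_DECRYPT*' `
        -ErrorAction SilentlyContinue
}

if (-not $notes) {
    Write-Host 'No HELP_DECRYPT notes found under the given roots.'
    return
}

# One row per affected directory. The note's owner is used only as a hint for
# which account's session ran the malware (assumption: note created under that
# user's token; an elevated session shows the Administrators group instead).
$rows = $notes |
    Group-Object DirectoryName |
    ForEach-Object {
        $first = $_.Group | Sort-Object CreationTime | Select-Object -First 1
        [pscustomobject]@{
            Directory = $_.Name
            FirstNote = $first.CreationTime
            NoteOwner = (Get-Acl -LiteralPath $first.FullName).Owner
            NoteCount = $_.Count
        }
    } |
    Sort-Object FirstNote

$rows | Export-Csv -LiteralPath $Report -NoTypeInformation
$rows | Format-Table -AutoSize

# Short summary for the ticket: how wide, when it started, which accounts.
'{0} affected directories; earliest note {1}; note owners: {2}' -f `
    $rows.Count,
    $rows[0].FirstNote,
    (($rows.NoteOwner | Sort-Object -Unique) -join ', ')
Write-Host "Report written to $Report"
```

Sorting by the earliest note time gives a rough order of spread, which helps decide whether the encryption started on the laptop's mapped drives or on the DC's own volumes; the time stamps come from the file system of the host that holds the share, so compare them against that host's clock, not the workstation's.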
