how do you figure out which machine is running cryptolocker
-
@Mike-Davis said in how do you figure out which machine is running cryptolocker:
I'm working on a network that is getting cryptolockered. How do I figure out which machine it's running on? I can't find one of those .txt files with the removal instructions to check the owner. All the encrypted files have maintained their ownership from the original creator.
Pull power from the switches, and check every system individually.
-
This post is deleted! -
@DustinB3403 said in how do you figure out which machine is running cryptolocker:
@Mike-Davis said in how do you figure out which machine is running cryptolocker:
I'm working on a network that is getting cryptolockered. How do I figure out which machine it's running on? I can't find one of those .txt files with the removal instructions to check the owner. All the encrypted files have maintained their ownership from the original creator.
Pull power from the switches, and check every system individually.
Yep. @Mike-Davis Consider your entire network as down. Hopefully you can figure it out from whatever files were already hit on the file server. If not, then it's gonna be down to going and checking every workstation/device.
-
File server logs might tell you if adequate logging and accounting is turned on. But it rarely is, that would be a huge amount of logs.
-
Running AV scans hopefully will find it, but in a case like this, I'd want every machine to be rebuilt. Which one it was on isn't the same as which ones it is on.
-
Figured out how it happened. Shut it down and started on the ugly analysis. In this case there was no ransom note file. Therefore there was no .txt file to check the permissions on. In the filename that got changed, the hacker put his email address.... Restores should be done in 2 hours. The infection bypassed cryptolocker group policies because a hacker launched it. It was not picked up by Microsoft Endpoint Protection (no surprise there) or MalwareBytes. Webroot detected it. It looks like a weak password on a service account that was allowed to log in to remote desktop caused all this.
-
@Mike-Davis said in how do you figure out which machine is running cryptolocker:
It looks like a weak password on a service account that was allowed to log in to remote desktop caused all this.
Is the service account something that was setup internally, or by a service provider? If a service provider, I think we want to know who it was.
-
It was set up by internal staff. The sad thing is, it doesn't even look like it was still in use. Lesson for all admins out there.
-
@Mike-Davis said in how do you figure out which machine is running cryptolocker:
It was set up by internal staff. The sad thing is, it doesn't even look like it was still in use. Lesson for all admins out there.
regular audits are just part of IT life.
-
@Mike-Davis Interesting. The note file creation was what tipped it off for me at my last company.