
I have virus Cryptowall

Created: 14 May 2014 | 26 comments

My computer is infected with the Cryptowall virus and I cannot open any document. Can someone help me neutralize the virus?


Brɨan:

Disconnect from the network. The problem is it will encrypt all your files. What components of SEP do you have running? Did SEP catch anything?

Run the symhelp tool on it

Troubleshooting computer issues with the Symantec Help support tool

http://www.symantec.com/docs/HOWTO80839

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

JuanJuarezM:

I have SEP version 12 and all my documents are infected. How do I disinfect my computer?

How do I identify the source of this virus? Where did the infection come from?
Brɨan:

The virus can be removed but unless you have a clean backup, all your files are likely not recoverable.

Are you running network threat protection as well (IPS and firewall)?


JuanJuarezM:

Yes, I have a copy of the file information. What I require is to know how to remove the virus, as SEP did not detect it with my agent, and how I will know where the virus entered.

Brɨan:

Do you have IPS and firewall enabled as well? AV definitions up to date?


JuanJuarezM:

I have IPS enabled but no firewall, and yes, I have the updates.

JuanJuarezM:

How do I stop the spread of the virus on my network?

Brɨan:

Is it just your machine? If so, remove it from the network and run a full scan on it.


Mick2009:

Hi JuanJuarezM,

Thanks for the post.  As long as that computer which was affected is isolated from the others on your network, this threat should not spread.  These generally attack the drives on the local computer and then any mapped network drives.

Definitely open a case with Tech Support for this infection, if you have not already done so.  Please run the SymHelp diagnostic on that computer with Threat Analysis Scan. Here's an excellent illustrated guide:

How to run the Threat Analysis Scan in Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH215519

Once that is done, please submit to Security Response any files that the tool has found to be suspicious! (Please also save the .sdbz file and send that to Technical Support.  There might be additional malicious files that are not automatically detected, but that Tech Support can spot.)  Here's some advice about submitting:

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

Give your Tracking Numbers to Tech Support and ask them to expedite their analysis, please.

Restoring the damaged files from backup is the best course of action.  Paying the ransom just gives R & D funding to the malware authors so they can come back and hit you again.

Recovering Ransomlocked Files Using Built-In Windows Tools
https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

Hope this helps!  Please do keep this thread up-to-date with your progress.

Mick

With thanks and best regards,

Mick

Mick2009:

Hi again,

Symantec has broken out a new detection for this variant.  The following definitions cover cryptowall and BitCrypt.

Trojan.Ransomcrypt.I

http://www.symantec.com/security_response/writeup.jsp?docid=2014-051514-5659-99


Mick2009:

Just posting an update: there have been additional refinements and improvements to defenses against this particular variant. Additional information is available in:

Trojan.Cryptowall
http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99


Mick2009:

Hi JuanJuarezM,

Just curious as to the outcome.  This thread is still marked "needs solution" - if time allows, can you update it?

Thanks

Mick


Glenn H.:

We were infected May 29th by an embedded link in an email from Secure_Message@Natwest.com

We are running Symantec Endpoint Antivirus and AntiSpyware Protection, Proactive Threat Management and Network Threat Protection.

Should this have been caught by Symantec?  I've had embedded viruses caught in the past.

Amerikan:

I also have this cryptowall.  A virus FULL scan cannot detect it.  I downloaded Norton Power Eraser and it did not detect anything... Does Symantec have anything that can detect and remove this? Or should I try a different provider?

Brɨan:

Run the threat analysis scan from the symhelp tool


Amerikan:

OK. So that worked.  Does Symantec have a program to delete all the encrypted files?

Brɨan:

None that I'm aware of


gregsmtn:

Just an FYI. We also got the cryptowall virus on 6-18. Ran all night through all our server shares. Endpoint 12.4 was worthless, as was tech support. Called them and got Bob in India. No help and not a clue. All of my servers and workstations are up to date with Microsoft and Symancrap. User had no idea she had gotten a virus? Can't wait to be done with Symantec.

Mike_winsp:

I have a wondering about this, having just been infected on our company network with this nasty piece of work.

I had what I thought was an isolated infection on a PC on Friday and after having immediately isolated the PC by removing from the network and then performing a full scan of the network shares that this PC had access to, I felt that we were good, nothing was showing on the network in terms of infected files.

However, this morning we got another infection that came from a separate PC (the original PC is still off the network); the files that were created and encrypted by the virus all get the modification timestamp on the files from the original infection.

So my question is, does anyone know if the virus can be spread by attempting to open an already encrypted document? Or is it only spread by a PC / server contracting the infection from a web site / internet drive-by, running an infected executable?

Mick2009:

Hi Mike_winsp,

I believe I can help.

"So my question is, does anyone know if the virus can be spread by attempting to open an already encrypted document? Or is it only spread by a PC / server contracting the infection from a web site / internet drive-by, running an infected executable?"

The encrypted files themselves are harmless: the threat cannot spread by attempting to open them.

You are correct that the threat can only infect a machine via drive-by download or if a user is tricked into running an executable (something that arrived by email, for example a .pdf pretending to be an invoice but actually a .exe).

With Cryptowall, I believe that drive-by downloads are the most common means of infection.  Definitely be sure that all browsers and third-party plugins to browsers (Flash, Java, etc.) are patched up-to-date.  Also be sure that IPS and Download Insight components are in place on the endpoints; AV alone is no longer enough for comprehensive protection!

The other big recommendation is to close open network shares: that would limit any damage to just that one computer. If that computer has mapped network drives that it can access without prompting the user for a password, then the threat running on the victim computer will go there and sabotage all the material it can on that remote drive, too.

Hope this helps!!

Mick


Mick2009:

Here is a new Blog post from Security Response:

Rig Exploit Kit Used in Recent Website Compromise
https://www-secure.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise

That kit has been a tool used by attackers for pushing Trojan.Cryptodefense and Trojan.Cryptowall onto victims' computers.

Definitely ensure your organization's browsers have been patched up-to-date to avoid exploits of those vulnerabilities!


Mike_winsp:

Thanks for the response Mick, great help.

Mike_winsp:

Actually, just a further thought on this: from what I've read and what Mick has responded with, it feels as if there isn't a great deal of defense against the Cryptowall variant right now. I have seen that our firewall perimeter defenses are seeing a good few hits from Cryptolocker & Cryptodefense but nothing in relation to Cryptowall.

The best defense appears to be vigilance.

James1231:

Use any antivirus before you lose all your data.

IXAGR8:

So, I haven't fully tested this, but I had a client who got hit with it.

This thing starts by making a copy of itself and then deleting the original or some other stupid algorithm; the Symantec guys could verify exactly how it executes.
The workstation where it started had the 'everyone' share open on the server (2008 SR2).
About 8000 files; extremely sensitive stuff, you know.
Well, the quick thinking office manager, who was told "I can't open this Word document, it's weird!" immediately shut the workstation down and called me.
In the meantime, she started asking the 20+ employees if anyone else was having the same issue. About six were. She shut those machines down before I got there. None of the workstations were infected, only the server...and it doesn't have Office on it so the only thing that was affected were the shares...and really just one.
Anyway, to make a long story longer, my Vipre on the server caught it and stopped it but it managed to encrypt about a third of the folders, all of the shadow copies as well as the Backup Exec stuff.
I removed the encrypted files from the share by copying them and put them in a folder on the desktop. They weren't infected, just encrypted.
Then, I deleted the originals off the share. The remainder of the share was fine.
I then proceeded to delete all the DECRYPT_INSTRUCTION and INSTALL_TOR files from the encrypted stuff.
The minute I opened one of the encrypted files, it opened with no problem and completely perfect.
I couldn't believe my eyes! I thought I must have opened an unaffected file so I checked again. Wow, all of the copies I created were totally fine! Editable and saveable!

As I said I haven't fully tested this theory, but just today, I moved all of the data back to the share.

Life is good!
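Two observations in this thread are directly usable for triage after an incident like the one above: Mike_winsp notes that the encrypted files on the share all carry the modification timestamp of the original run, and IXAGR8 notes that the threat leaves DECRYPT_INSTRUCTION and INSTALL_TOR files next to what it encrypted. The script below is an added example, not code from the thread or from Symantec. It walks a share (or a copy of it taken for analysis, as IXAGR8 did), lists the ransom notes and the folders they landed in, and groups the remaining files by modification time in one-minute windows so the minute with the most modifications stands out; that window is what you match against logon and file-server audit logs to find which workstation was writing to the share. The note-file prefixes, the one-minute window, the epoch time and the sample directory tree are all assumptions or constructed data.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Ransom-note filename prefixes as reported in the thread (IXAGR8's post).
# Assumption: real variants may use other names; extend as needed.
NOTE_PREFIXES = ("DECRYPT_INSTRUCTION", "INSTALL_TOR")
BUCKET_SECONDS = 60  # group file modifications into one-minute windows


def is_ransom_note(name):
    """True if a filename looks like a dropped ransom note."""
    return name.upper().startswith(NOTE_PREFIXES)


def triage_share(root):
    """Walk a share tree and summarise where and when the encryption ran.

    Returns a dict with:
      notes        - ransom-note files (paths relative to root, '/' separated)
      note_dirs    - directories holding a note, i.e. folders the threat reached
      burst_bucket - epoch second starting the minute with the most modifications
      burst_iso    - that window as an ISO-8601 UTC timestamp
      burst_count  - number of non-note files modified in that minute
      burst_files  - those files (relative paths)
    """
    notes = []
    by_bucket = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_ransom_note(name):
                notes.append(rel)
                continue  # notes are the threat's output, not victim files
            mtime = int(os.stat(path).st_mtime)
            by_bucket[mtime - mtime % BUCKET_SECONDS].append(rel)
    burst = max(by_bucket, key=lambda b: len(by_bucket[b])) if by_bucket else None
    return {
        "notes": sorted(notes),
        "note_dirs": sorted({os.path.dirname(n) for n in notes}),
        "burst_bucket": burst,
        "burst_iso": (datetime.fromtimestamp(burst, tz=timezone.utc).isoformat()
                      if burst is not None else None),
        "burst_count": len(by_bucket[burst]) if burst is not None else 0,
        "burst_files": sorted(by_bucket[burst]) if burst is not None else [],
    }


def build_sample_share(base, burst_time):
    """Create a small constructed share tree (sample data, not a real capture).

    Two documents and two ransom notes in 'finance' share one minute of
    modification time; an untouched file in 'archive' is a day older.
    """
    finance = os.path.join(base, "finance")
    archive = os.path.join(base, "archive")
    os.makedirs(finance)
    os.makedirs(archive)
    layout = {
        os.path.join(finance, "report.docx"): burst_time,
        os.path.join(finance, "budget.xlsx"): burst_time + 20,
        os.path.join(finance, "DECRYPT_INSTRUCTION.txt"): burst_time + 25,
        os.path.join(finance, "INSTALL_TOR.url"): burst_time + 25,
        os.path.join(archive, "notes.txt"): burst_time - 86400,
    }
    for path, mtime in layout.items():
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))  # set both atime and mtime
    return base


def demo():
    """Build the constructed share in a temp dir and triage it."""
    burst_time = 1_400_000_000  # arbitrary epoch seconds (2014-05-13 UTC)
    with tempfile.TemporaryDirectory() as base:
        build_sample_share(base, burst_time)
        return triage_share(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a copy of the affected share rather than the live one, and read `burst_iso` together with `note_dirs`: the first tells you the minute to look up in the file server's audit log, the second tells you which folders (and so which share permissions) the infected account could write to, which is the "close open network shares" point Mick makes above.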

alva114:

I would recommend using powerful antispyware software, turning on the firewall, and updating your PC on a regular basis.

http://www.removepcthreats.com/remove-cryptowall-from-pc-step-by-step-guide