Endpoint Protection

  • 1.  New virus/malware attack .dnezmja

    Posted Jan 29, 2015 03:56 AM

    Hi,

    Today our fileserver has been infected with a virus/malware.

    Server: Windows 2008 R2 Standard .64

    Antivirus : Symantec Endpoint Protection 12.1.3001.165

    Most of our files have been renamed with an additional extension at the end, like this: .dnezmja

     

    If we manually rename the file by removing the extension, the file is broken. We cannot open the files anymore.

    Symantec does not detect any virus/malware. Please advise.



  • 2.  RE: New virus/malware attack .dnezmja

    Posted Jan 29, 2015 04:13 AM

    Run the risk analysis tool

    Download the Symantec Help (SymHelp) diagnostic tool to detect Symantec product issues

    Article:TECH170752  | Created: 2011-09-29  | Updated: 2014-10-01  | Article URL http://www.symantec.com/docs/TECH170752


  • 3.  RE: New virus/malware attack .dnezmja
    Best Answer

    Posted Jan 29, 2015 04:15 AM
    You can't recover your file.

    See the blog below:

    Support Perspective: CTB-Locker and other forms of Crypto malware
    https://www-secure.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-mforms-crypto-malware

    See mick2009's articles:

    Recovering Ransomlocked Files Using Built In Windows Tools
    https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

    Ransomcrypt: A Thriving Menace (aka Cryptolocker: A Thriving Menace)
    https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

    Cryptolocker Q&A: Menace of the Year
    https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year


  • 4.  RE: New virus/malware attack .dnezmja

    Posted Jan 29, 2015 06:31 AM

    This is cryptolocker. If you don't have a backup, your files are not recoverable.



  • 5.  RE: New virus/malware attack .dnezmja
    Best Answer

    Broadcom Employee
    Posted Jan 29, 2015 02:25 PM

    Hi,

    If SEP is not detecting a threat, then you need to submit the suspicious files to Symantec.

    Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec. 

    Prevention is far better than a cure for ransomware and ransomlock threats

    In that case if your organization has been following best Disaster Recovery practice and maintaining a routine schedule of backups, then simply delete all the encrypted files and restore them from their last known-good backup.

    Submit suspected files: 

    Trojan.Ransomcrypt.P

    http://www.symantec.com/security_response/writeup.jsp?docid=2015-010516-1936-99&tabid=2

    Trojan.Cryptolocker.E

    http://www.symantec.com/security_response/writeup.jsp?docid=2014-050702-0428-99&tabid=2

    Trojan.Cryptolocker.F

    http://www.symantec.com/security_response/writeup.jsp?docid=2014-060208-2817-99&tabid=2
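
Before deleting and restoring from backup as advised above, it helps to know exactly which files on the share were hit. The following is an added example, not part of the thread and not Symantec code: it lists files that carry an extra appended extension (any extension, not only .dnezmja) and whose first bytes no longer match the original file type, which is the "renaming it back leaves it broken" symptom from the first post. The function names, the small signature table and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Well-known leading bytes for a few common document types (illustrative subset).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}

def triage(root):
    """Find <name>.<known ext>.<extra ext> files whose header no longer matches <known ext>."""
    affected, by_ext = [], Counter()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            stem, extra = os.path.splitext(name)
            inner = os.path.splitext(stem)[1].lower()
            if not extra or inner not in MAGIC:
                continue  # no appended extension on a known document type
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                continue  # locked or unreadable file: skip, review by hand
            if not head.startswith(MAGIC[inner]):
                affected.append(path)  # content changed, not just the name
                by_ext[extra.lower()] += 1
    return sorted(affected), by_ext

def build_sample(root):
    # Constructed sample share, not real data.
    samples = {
        "report.pdf.dnezmja": b"\x8a\x11\x90\x42random-bytes",   # header destroyed
        "budget.xlsx.dnezmja": b"\x00\x17\xfe\x33random-bytes",  # header destroyed
        "scan.pdf.bak": b"%PDF-1.4 intact copy",                 # extra extension, content fine
        "notes.pdf": b"%PDF-1.4 untouched",                      # no appended extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample(share)
        files, counts = triage(share)
        print(counts.most_common(), *files, sep="\n")
```

One appended extension dominating the counts marks the set of files to restore; a file with an extra extension but an intact header (such as the `.bak` copy in the sample) is left out of the list.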



  • 6.  RE: New virus/malware attack .dnezmja
    Best Answer

    Posted Jan 30, 2015 06:05 AM

    Hi Redha.Hamzah,

    The posts above are accurate.  What you are describing is a major malicious spam campaign that is currently underway.  The recommendations in https://www-secure.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware will help you protect yourself.

    Please warn your end users to expect more of these malicious files to arrive in the coming days.  Ensure that they are not opened; submit them to Security Response if they are not detected.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions
     

    Additional good advice:

    https://www-secure.symantec.com/connect/forums/cryptolockercryptodefense-defenses

    and

    The Day After: Necessary Steps after a Virus Outbreak
    https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak 
     

    Please do update your thread if there is anything additional required or mark it solved if the question has been addressed.

    With thanks and best regards,

    Mick

     



  • 7.  RE: New virus/malware attack .dnezmja

    Posted Feb 11, 2015 01:53 AM

    Hi Redha.Hamzah,

    Just wondering if there were any additional questions?  This thread is still marked "needs solution."

    With thanks and best regards,

    Mick