What type of Ransomware were we dealing with?

CTB-Locker is usually delivered through spam e-mail, and, as per this analysis, there is no way to get the data back except by restoring from backup or paying the ransom.

“CTB Locker and Network Shares – CTB Locker will encrypt data files on network shares only if that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, then CTB Locker will not encrypt any files on a network share.

It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CTB Locker.”

How we found the source of the Ransomware

Using the LANGuardian forensic dashboard to focus on the specific IP address given (X.X.81.61) for investigation, we detected some strange file share traffic. If you have a LANGuardian you can do this yourself by following these steps:

Go to the LANGuardian search page (search button, top left in the GUI). Enter the IP address (X.X.81.61) in the Forensics search panel.
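The two points above, that CTB-Locker encrypts a share from the client that has it mapped, and that the infected client shows up as unusual file share traffic from one IP address, can be demonstrated with a small detector. The following is an added example, not LANGuardian code or output: it builds a constructed file-activity log (the line format, the share name and the address 10.0.81.61, standing in for the redacted X.X.81.61, are all assumptions), then flags any client that writes or renames an unusually large number of distinct files on a share inside a short time window. The alert names the client, which is where the infection actually lives, rather than the file server whose share is being encrypted.

```python
"""Flag clients that write or rename many distinct files on a share in a short window.

Added example, not LANGuardian code or output. The log format is constructed:
<ISO timestamp> <client_ip> <server\\share> <op> <path>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for the redacted address on the page (X.X.81.61).
SUSPECT = "10.0.81.61"
NORMAL = "10.0.81.20"


def build_sample_log():
    """Return constructed log lines: one quiet client, and one client that
    reads, rewrites and renames 30 files on a mapped share in 30 seconds."""
    t0 = datetime(2015, 3, 2, 9, 0, 0)
    lines = []
    # Quiet client: five writes, ten minutes apart (normal user activity).
    for i in range(5):
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} {NORMAL} fs01\\finance WRITE /2015/report{i}.docx")
    # Suspect client: every file is read, overwritten and renamed, one per second,
    # which is the access pattern a client-side encryptor leaves on a mapped share.
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        path = f"/2014/budget{i:02d}.xlsx"
        lines.append(f"{ts} {SUSPECT} fs01\\finance READ {path}")
        lines.append(f"{ts} {SUSPECT} fs01\\finance WRITE {path}")
        lines.append(f"{ts} {SUSPECT} fs01\\finance RENAME {path}")
    return lines


def parse_line(line):
    """Split one log line into its fields; the path may contain no spaces
    in this constructed format, so a plain split is sufficient."""
    ts, client, share, op, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "share": share, "op": op, "path": path}


def find_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Return {client_ip: peak} for every client that modified at least
    `threshold` distinct files (WRITE or RENAME) within any `window`-long span.
    READ operations are ignored: backups and indexers read a lot, but a
    ransomware client rewrites and renames."""
    per_client = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event["op"] in ("WRITE", "RENAME"):
            per_client[event["client"]].append(event)

    alerts = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # sliding window of events no older than `window`
        peak = 0
        for event in events:
            recent.append(event)
            while event["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = len({(e["share"], e["path"]) for e in recent})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[client] = peak
    return alerts


if __name__ == "__main__":
    for client, peak in sorted(find_bursts(build_sample_log()).items()):
        print(f"ALERT {client}: {peak} distinct files modified within 60s; "
              f"inspect this client, not the file server")
```

The threshold and window are tuning knobs: pick them from a baseline of normal write rates on each share so that bulk copies by legitimate users do not fire, and note that a client which only has read access to a share cannot produce this pattern at all, which is the practical reason for the write-restriction advice quoted above.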