Posted 03 November 2015 - 08:34 AM

Warning: some of the specific infection information provided in this topic on subsequent pages could trigger a warning or alert from your Antivirus... avast has already been reported to have done this.

Mod Edit by quietman7... 12/22/15

Everybody,

Appy polly loggies if this is the wrong forum, move if needed.

Working at a fast pace, and I will update with what artifacts and items I can as soon as possible, but wanted to let everyone know that a client of ours was hit with a crypto family that is supposedly CryptoWall, but I am not entirely sure that is true.



There are "HELP_YOUR_FILES" .PNG files scattered across the system in affected directories, and it traversed SMB connections, too. The .PNG images give pay portal instructions, and it all looks like CryptoWall, but it usually uses "HELP_DECRYPT" files, and I don't see the .HTM or .TXT files with this one. In addition, and this is the big factor, all the files that were affected were completely and utterly renamed ("0ausbffwh.p5", "72lcvn.iv6nn", "x83o8x.ux7", etc.). Shadow Copies appear to have been obliterated, too. Internet searches for the artifact .PNG showed few results, and all of them are brand new.

Unfortunately, I was out of the office for the day when this occurred, and the technicians that handled it kinda just blasted things away, so I am trying my best to gather artifacts. I am grabbing the registry and file structure list, samples of encrypted files, browser history, logs from various anti-x tools, etc.

DecrypterFixer... if this is something you are interested in tackling, would having a copy of an encrypted file and a copy of the pre-encrypted file help? Not sure if that would expedite your usual processes. I am unfamiliar with your magic ways, so just let me know.

Edited by quietman7, 23 December 2015 - 08:02 AM.
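A defender-side triage helper for the two indicators described in the post above (the HELP_YOUR_FILES .PNG notes and the fully renamed files), added here as an example for this thread and not posted by the author: it walks a file listing and reports directories that hold a note or a cluster of randomly renamed files, which is how you would scope which shares were touched. The regex length bounds, the "must contain a digit" rule, the MIN_RENAMED threshold and the sample listing are assumptions, not facts from the incident.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Ransom-note name reported in this incident: HELP_YOUR_FILES*.png (any case).
NOTE_RE = re.compile(r"^HELP_YOUR_FILES.*\.png$", re.IGNORECASE)
# Fully renamed files as in the post ("0ausbffwh.p5", "72lcvn.iv6nn", "x83o8x.ux7"):
# random lowercase alphanumeric stem and extension. Length bounds are an assumption.
RENAMED_RE = re.compile(r"^[a-z0-9]{5,12}\.[a-z0-9]{2,6}$")
# Ordinary extensions that also fit the pattern above; skipped to reduce noise.
KNOWN_EXT = {"png", "jpg", "txt", "htm", "html", "pdf", "docx", "xlsx", "exe", "dll", "log"}
MIN_RENAMED = 3  # assumed threshold for flagging a directory that has no note

def _posix(path):
    # Normalise backslashes so Windows/SMB paths split correctly.
    return PurePosixPath(path.replace("\\", "/"))

def classify(path):
    """Return 'note', 'renamed' or None for one path."""
    name = _posix(path).name
    if NOTE_RE.match(name):
        return "note"
    if RENAMED_RE.match(name) and name.rsplit(".", 1)[1] not in KNOWN_EXT:
        # All three samples in the post contain a digit; requiring one is an
        # assumption that drops ordinary all-letter names such as readme.cfg.
        if any(ch.isdigit() for ch in name):
            return "renamed"
    return None

def scan_listing(paths):
    """Group hits by directory; keep those with a note or >= MIN_RENAMED renamed files."""
    per_dir = defaultdict(lambda: {"note": 0, "renamed": 0})
    for p in paths:
        kind = classify(p)
        if kind:
            per_dir[str(_posix(p).parent)][kind] += 1
    return {d: c for d, c in per_dir.items() if c["note"] or c["renamed"] >= MIN_RENAMED}

# Constructed sample listing (as from `find` or `dir /s /b`), not data from the incident.
SAMPLE_LISTING = [
    "/srv/share/finance/HELP_YOUR_FILES.png",
    "/srv/share/finance/0ausbffwh.p5",
    "/srv/share/finance/72lcvn.iv6nn",
    "/srv/share/finance/x83o8x.ux7",
    "/srv/share/finance/budget.xlsx",
    "/srv/share/hr/readme.md",
    r"C:\Users\bob\Documents\HELP_YOUR_FILES.PNG",
    r"C:\Users\bob\Documents\a1b2c3.zz9",
]
```

Running `scan_listing(SAMPLE_LISTING)` flags the finance share and the Documents folder (each holds a note) and leaves /srv/share/hr unflagged, since readme.md has no digit and is alone.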