{"id":11013,"date":"2015-11-17T05:00:14","date_gmt":"2015-11-17T13:00:14","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=11013"},"modified":"2015-11-16T15:36:44","modified_gmt":"2015-11-16T23:36:44","slug":"network-shared-drive-encrypted-by-cryptowall-how-to-track-down-the-infected-pc","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2015\/11\/network-shared-drive-encrypted-by-cryptowall-how-to-track-down-the-infected-pc\/","title":{"rendered":"Network Shared Drive Encrypted by CryptoWall? How to Track Down the Infected PC"},"content":{"rendered":"

There is a lot of information on the web about preventing and recovering from CryptoWall or ransomware attacks in enterprise environments, but most don\u2019t answer this basic question:<\/p>\n

\u201cHow do I determine which CryptoWall-infected PC encrypted all the documents in one of my network-shared drives? I don\u2019t have audit logging enabled on my file server.<\/em>\u201d<\/p>\n

Although many organizations are working on migrating their document storage to the cloud, most still rely upon individual Microsoft network shares as a document repository for each business department. For example, the financial controller\u2019s office may have a network share dedicated to that department, the HR department has a different one, etc. When a user\u2019s PC in one of these departments becomes infected by CryptoWall, the ransomware iterates through all files<\/em> on all folders<\/em> on all local and mapped network drives<\/em> and encrypts certain file types that the user has permissions to modify.<\/p>\n

As a security lead for a hospital network, I created the following CryptoWall response plan specifically to deal with impacted department shared drives:<\/p>\n

    \n
  1. Identify the user account that modified (encrypted) the shared drive files.<\/li>\n
  2. Identify the infected PC and restrict network access.<\/li>\n
  3. Create inventory of all network share directories impacted.<\/li>\n
  4. Restore impacted directories from backup.<\/li>\n<\/ol>\n

    Identifying the user account in Step 1 can be challenging if you don\u2019t know where to look. The best way to identify the user account used to encrypt the files is to examine the \u201cowner\u201d attribute of one of the instruction files created by the ransomware. Here are the steps to identify the owner:<\/p>\n

    1. Right click on the instructions file (i.e., HELP_DECRYPT.txt) created by the ransomware on the network share, and select Properties.<\/p>\n

    \"cryptowall<\/span><\/div><\/a><\/p>\n

    2.\u00a0Select the Security<\/em> tab -->\u00a0Advanced\u00a0<\/em>-->\u00a0Owner,<\/em> and view the Current Owner attribute<\/em>. The Current Owner attribute is likely the username used to encrypt the files in the directory.<\/p>\n

    \"cryptowall<\/span><\/div><\/a>
    \"cryptowall<\/span><\/div><\/a><\/p>\n

    Once you know the username used to encrypt the files, you can reset the user\u2019s password, attempt to contact the person, and identify the user\u2019s assigned PC in order to block it on the network. Once the PC is blocked, the server team can then identify the impacted directories on the network share (Tip: Use PowerScript to identify directories containing the instructions file). Finally, the Backup team can restore the files in all of the identified directories.<\/p>\n

    For more information on the latest CryptoWall threat, take a look at a detailed analysis of CryptoWall v3<\/a> authored by the Cyber Threat Alliance<\/a>, cofounded by Palo Alto Networks.<\/p>\n","protected":false},"excerpt":{"rendered":"

    There is a lot of information on the web about preventing and recovering from CryptoWall or ransomware attacks in enterprise environments, but most don\u2019t answer this basic question: \u201cHow do I determine …<\/p>\n","protected":false},"author":142,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[155,131],"tags":[220,834,662,221],"coauthors":[1355],"class_list":["post-11013","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-2","category-malware-2","tag-cryptolocker","tag-cryptowall","tag-cyber-threat-alliance","tag-ransomware"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/11013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/142"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=11013"}],"version-history":[{"count":3,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/11013\/revisions"}],"predecessor-version":[{"id":11019,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/11013\/revisions\/11019"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=11013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=11013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=11013"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=11013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}