//
you're reading...
IT & TECHNOLOGY, Palo Alto Networks

Network Shared Drive Encrypted by CryptoWall? How to Track Down the Infected PC


PANW-New-Logo-2

There is a lot of information on the web about preventing and recovering from CryptoWall or ransomware attacks in enterprise environments, but most don’t answer this basic question:

How do I determine which CryptoWall-infected PC encrypted all the documents in one of my network-shared drives? I don’t have audit logging enabled on my file server.

Although many organizations are working on migrating their document storage to the cloud, most still rely upon individual Microsoft network shares as a document repository for each business department. For example, the financial controller’s office may have a network share dedicated to that department, the HR department has a different one, etc. When a user’s PC in one of these departments becomes infected by CryptoWall, the ransomware iterates through all files on all folders on all local and mapped network drives and encrypts certain file types that the user has permissions to modify.

As a security lead for a hospital network, I created the following CryptoWall response plan specifically to deal with impacted department shared drives:

  1. Identify the user account that modified (encrypted) the shared drive files.
  2. Identify the infected PC and restrict network access.
  3. Create inventory of all network share directories impacted.
  4. Restore impacted directories from backup.

Identifying the user account in Step 1 can be challenging if you don’t know where to look. The best way to identify the user account used to encrypt the files is to examine the “owner” attribute of one of the instruction files created by the ransomware. Here are the steps to identify the owner:

1. Right click on the instructions file (i.e., HELP_DECRYPT.txt) created by the ransomware on the network share, and select Properties.

cryptowall matt 1

2. Select the Security tab –> Advanced –> Owner, and view the Current Owner attribute. The Current Owner attribute is likely the username used to encrypt the files in the directory.

cryptowall matt 2cryptowall matt 3

Once you know the username used to encrypt the files, you can reset the user’s password, attempt to contact the person, and identify the user’s assigned PC in order to block it on the network. Once the PC is blocked, the server team can then identify the impacted directories on the network share (Tip: Use PowerScript to identify directories containing the instructions file). Finally, the Backup team can restore the files in all of the identified directories.

For more information on the latest CryptoWall threat, take a look at a detailed analysis of CryptoWall v3 authored by the Cyber Threat Alliance, cofounded by Palo Alto Networks.

[Palo Alto Networks Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Web Stats

  • 124,682 hits
@PhilipHungCao

@PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Personal Links

View Full Profile →

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,533 other followers

Twitter Updates

Archives

November 2015
M T W T F S S
« Oct   Dec »
 1
2345678
9101112131415
16171819202122
23242526272829
30  
%d bloggers like this: