RansomWare Detection
We have a client that recently got hit by a ransomware virus that spread to 2 machines on their network. They use McAfee Antivirus along with MalwareBytes, the free version. Looks like the virus infected the host machine, which had a share that other devices accessed. McAfee and/or Malwarebytes may have detected the virus and removed it, but it had already done damage by encrypting hundreds of files. The vendor (Refunds Today) recommended that we wipe the drive and start from scratch, which is what we did.
I'm concerned because, though we wiped the drive and restored the files (after scanning them with McAfee AntiVirus a second time), the vendor has said that in their experience, restoring the files will cause the virus to come back after a few weeks. Is ransomware not detectable via a virus scan, or perhaps we need to switch to another antivirus solution? Wiping a drive is one thing, but destroying all of a customer's files because you're not sure where the virus is hiding is another. Just looking for some advice.
Answers (2)
Posted by:
pcooper
8 years ago
I have seen ransomware leave copies of virus executables in the file share. If you audit the file share and remove any executables and corrupted files, then you will be fine. I created an open source program to audit file shares and detect ransomware in file shares: https://ransomwaredetectionservice.codeplex.com/. Review any files created after the ransomware infection as well. Any executable files or Office files with macros created after the infection should be deleted.
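As an added example (not pcooper's tool or any code from the original post), here is a Python sketch of the audit described above: it walks a share, flags executables, macro-enabled Office documents, Office files that no longer parse as zip containers (encrypted in place), and anything written after a given infection time. The file names, extensions and the infection date are constructed for the demo.

```python
import os, tempfile, zipfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Payload types commonly dropped on shares, and OOXML documents (zip containers).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

def vba_status(path):
    """'macro' if the OOXML zip carries vbaProject.bin, 'clean' otherwise, 'unreadable' if not a zip."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unreadable"
    return "macro" if any(n.endswith("vbaproject.bin") for n in names) else "clean"

def audit_share(root, infected_after):
    """Walk a share; return {relative_path: reason} for files a responder should review or delete."""
    root, cutoff, findings = Path(root), infected_after.timestamp(), {}
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        office = vba_status(path) if ext in OOXML_EXTS else None
        if ext in EXECUTABLE_EXTS:
            findings[rel] = "executable on a data share"
        elif office == "macro":
            findings[rel] = "Office document with VBA macro"
        elif office == "unreadable":
            findings[rel] = "Office document that no longer parses (possibly encrypted)"
        elif path.stat().st_mtime >= cutoff:  # mtime: creation time is not portable across filesystems
            findings[rel] = "written after the infection time"
    return findings

def demo():
    # Constructed sample share (hypothetical names and dates) in a temp dir; returns the findings.
    infected = datetime(2017, 3, 1, tzinfo=timezone.utc)
    before = (infected - timedelta(days=30)).timestamp()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "archive").mkdir()
        def write(rel, data, mtime):
            (root / rel).write_bytes(data)
            os.utime(root / rel, (mtime, mtime))
        write("archive/q1.txt", b"quarterly numbers", before)                 # old, benign: not flagged
        write("archive/update.exe", b"MZ\x90\x00", before)                    # dropped payload
        write("memo.docx", b"no longer a zip container", before)              # encrypted in place
        write("HOW_TO_RESTORE.txt", b"...", infected.timestamp() + 60)        # new after infection
        with zipfile.ZipFile(root / "invoice.docm", "w") as zf:               # macro-enabled document
            zf.writestr("word/vbaProject.bin", b"\x00")
        return audit_share(root, infected)
```

Legacy binary formats (.doc, .xls) are not zip containers and need an OLE parser for macro detection; this sketch only covers OOXML.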
Posted by:
rileyz
9 years ago
Geez that's a bit of a hard one.
My approach would be to read about the ransomware that you got attacked with, read up about the attack vectors and see if you can mitigate them. This would at least mitigate the issue if the same ransomware is hiding in another file, also removing all exe etc blah blah.
Yeah, that's a complex one. Good luck!