We have a client that recently got hit by a RansomWare virus that spread to 2 machines on their network. They use McAfee Antivirus along with MalwareBytes, the free version. Looks like the virus infected the host machine, which had a share that other devices accessed. McAfee and/or Malwarebytes may have detected the virus and removed it, but it had already done damage by encrypting hundreds of files. The vendor (Refunds Today) recommended that we wipe the drive and start from scratch, which is what we did.

I'm concerned because, though we wiped the drive and restored the files (after scanning them with McAfee AntiVirus a second time), the vendor has said that in their experience, restoring the files will cause the virus to come back after a few weeks. Is RansomWare not detectable via a virus scan, or perhaps we need to switch to another antivirus solution? Wiping a drive is one thing, but destroying all of a customer's files because you're not sure where the virus is hiding is another. Just looking for some advice.


Answers

1
I have seen ransomware leave copies of virus executables in the file share. If you audit the file share and remove any executables and corrupted files, then you will be fine. I created an open source program to audit file shares and detect ransomware in file shares: https://ransomwaredetectionservice.codeplex.com/ . Review any files created after the ransomware infection as well. Any executable files or Office files with macros created after the infection should be deleted.
Answered 04/12/2016 by: pcooper
Senior White Belt
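The audit the answer above describes, as an added example written for this page (it is not pcooper's tool and not code from the original post): walk a share, flag executables and macro-bearing Office documents modified after the assumed infection time, and flag Office files that no longer parse, which is what encrypted copies look like. The extension lists, the sample share and the infection timestamp are constructed assumptions.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Assumed extension lists for a typical Windows share (constructed, not from the post).
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
# OOXML Office formats: any of them can carry macros if a vbaProject.bin part is present.
OOXML_EXT = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}


def has_vba_project(path):
    """True when an OOXML container holds a VBA project, whatever its extension says."""
    try:
        with zipfile.ZipFile(path) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def audit_share(root, infected_after):
    """Return (filename, reason) pairs worth reviewing; infected_after is a POSIX timestamp.

    Modification time is used because st_ctime means different things on Windows and Linux.
    """
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        ext, mtime = p.suffix.lower(), p.stat().st_mtime
        if ext in EXEC_EXT and mtime >= infected_after:
            findings.append((p.name, "executable created after infection"))
        elif ext in OOXML_EXT and not zipfile.is_zipfile(p):
            findings.append((p.name, "office document no longer parses (possibly encrypted)"))
        elif ext in OOXML_EXT and has_vba_project(p) and mtime >= infected_after:
            findings.append((p.name, "office document with macros created after infection"))
    return findings


def build_sample_share(root, infected_after=1_700_000_000):
    """Constructed sample share: one old executable, one dropped after the infection,
    a macro document, a clean document and an unreadable (encrypted-looking) workbook."""
    root = Path(root)
    old_exe = root / "setup_old.exe"
    old_exe.write_bytes(b"MZ")
    os.utime(old_exe, (infected_after - 86400, infected_after - 86400))  # predates infection
    (root / "dropper.exe").write_bytes(b"MZ")  # mtime is now, i.e. after the infection
    with zipfile.ZipFile(root / "invoice.docm", "w") as z:
        z.writestr("word/vbaProject.bin", b"macro")
    with zipfile.ZipFile(root / "notes.docx", "w") as z:
        z.writestr("word/document.xml", b"<w:document/>")
    (root / "report.xlsx").write_bytes(b"\x9f\x11garbage")  # not a ZIP container any more
    return infected_after


def demo():
    """Build the constructed share in a temp directory and audit it."""
    share = tempfile.mkdtemp()
    return audit_share(share, build_sample_share(share))
```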

1
Geez that's a bit of a hard one.

My approach would be to read about the RansomWare that you got attacked with, read up about the attack vectors and see if you can mitigate them. This would at least mitigate the issue if the same ransomware is hiding in another file, also removing all exe etc. blah blah.

Yeah, that's a complex one. Good luck!
Answered 09/17/2015 by: rileyz
Red Belt
