HELP_RESTORE_FILES on my server

RogueWatchmen

I have a file server in my office that is used by around 150 people and several departments. At some point we were hit with a cryptolocker, but the virus is not on the server. By my best guess it's on an infected laptop and making its rounds over the last few months, because a small number of files are encrypted every few weeks. Finding the virus on the computer could be troublesome since there are 5 sites and multiple visitors from the main office. That said, does anyone know of a way to break the encryption? I've tried using what it has for removal and using the key.dat file, but without the offending computer to get said file, is there a different method anyone can suggest? Obviously finding the offending computer is the best solution in the long term, but right now if I could unlock what we have I'd take it.
 

tman1

The Trend Micro site says nothing about decrypting files, only getting rid of the ransomware, which is actually quite easy.

Volume shadow copy can be used to recover most if not all encrypted files. The last one I worked on with Cryptolocker, I was able to recover all but 3 Excel files with VSC.
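The shadow-copy recovery mentioned in the post above, as an added example that is not part of tman1's post: it finds the newest snapshot older than the first ransom note and copies the affected folders out of it. The volume, share, mount and output paths are assumptions, and the note name pattern is taken from the thread title.

```powershell
# Added example. Run from an elevated PowerShell session on the file server.
# All four paths below are assumed values, not taken from the thread.
$Volume     = 'D:\'              # volume that holds the share
$ShareRoot  = 'D:\Shares'        # share root on that volume
$MountPoint = 'C:\vss_restore'   # temporary link to the snapshot (must not exist yet)
$OutRoot    = 'C:\Recovered'     # restored copies go here, never over the live share

# 1. Locate ransom notes; the oldest one approximates the first encryption pass.
#    Name pattern comes from the thread title; adjust to the notes actually found.
$notes = Get-ChildItem -Path $ShareRoot -Recurse -File -Filter 'HELP_RESTORE_FILES*' `
             -ErrorAction SilentlyContinue
if (-not $notes) { throw "No ransom notes found under $ShareRoot" }
$firstHit = ($notes | Sort-Object CreationTime | Select-Object -First 1).CreationTime

# 2. Pick the newest shadow copy of that volume taken before the first note.
$volId = (Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }).DeviceID
$snap  = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volId -and $_.InstallDate -lt $firstHit } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $snap) { throw "No shadow copy of $Volume predates $firstHit" }
Write-Host "Using snapshot $($snap.ID) from $($snap.InstallDate)"

# 3. Expose the snapshot through a directory link.
#    The trailing backslash on the device path is required.
cmd /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null

# 4. For every folder that contains a note, copy the snapshot's files
#    into $OutRoot under the same relative path.
$dirs = $notes | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique
foreach ($dir in $dirs) {
    $rel = $dir.Substring($Volume.Length)      # path relative to the volume root
    $src = Join-Path $MountPoint $rel
    if (-not (Test-Path $src)) { continue }    # folder did not exist at snapshot time
    $dst = Join-Path $OutRoot $rel
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    Get-ChildItem -Path $src -File | Copy-Item -Destination $dst -Force
}

# 5. Remove the link; this does not delete the snapshot itself.
cmd /c rmdir $MountPoint
```

Snapshots exist only if shadow copies were enabled on the volume before the files were encrypted. Because the encryption in this thread happened in batches, files changed after the chosen snapshot should be checked against later snapshots as well.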
 

RogueWatchmen

How? I have 5 sites, plus remote users that use this file server. Assuming they didn't use the VPN from personal equipment, which increases the number of devices, I can't even narrow down who may have been connected to the file server when the virus started doing its encryption.
 

MarkW

As I said in my opening post... You need to get anti-virus protection and malware protection on your entire network. I linked the ransomware remover. I suspect that the ransomware is on your servers, and possibly other systems on your network as well, which may well include the laptop you are talking about.

It is going to cost some money to get protected. But it's going to cost money to not stay protected too. And not being protected is why you are where you are right now.

I would highly recommend that you get fully protected with Trend Micro Ultimate Protection immediately. I would also recommend that you go get a license from Malwarebytes for Business as additional protection against malware. My experience with Trend Micro is that it tends to catch every virus before it has a chance to do any damage. But you are already infected. And that is why I am recommending Malwarebytes as well.

If Trend Micro Ultimate Protection is properly installed on every computer at your company, any outside system that connects to your network will have every piece of data checked for viruses, and Malwarebytes will make sure none of your important files gets changed. They will work as a team to make sure this does not happen again.

If nothing else, contact Trend Micro, and explain your situation. They have experts on staff that can help you protect your business.

Read this page on the Trend Micro site: http://esupport.trendmicro.com/solution/en-US/1112223.aspx
 
Solution