Ransomware Virus Continued

by Woodsbum

Well, we have finished finding all the virus installations and infections across our network. We got something called the TeslaCrypt virus. This virus encrypts data like CryptoLocker. It then asks for a ransom to get the data back. Luckily, we found it before many files were locked, or it could have gotten really bad.

To combat this, we immediately shut down all our production systems and logged all our users off the network. We then used LAN Search Pro to look all over our network for files with the “_RECoVERY_” name. As we found these files in user profiles, we locked those accounts and ran both Norton Power Eraser and McAfee Stinger. Both of these programs removed the virus, but only Stinger works on servers. Power Eraser is a desktop-only installation and removal program.
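The sweep described above can also be scripted. This is an added example, not the tooling used in the post: it walks a share that is assumed to hold one folder per user profile, matches the “_RECoVERY_” name fragment case-insensitively (an assumption), and groups hits by profile so you can see which accounts to lock. The user names and file names in the sample tree are constructed.

```python
import os
import tempfile
from collections import defaultdict

MARKER = "_recovery_"  # name fragment from the post, lower-cased for comparison


def find_marker_files(root, marker=MARKER):
    """Yield every path under root whose file name contains the marker."""
    # os.walk ignores directories it cannot list, so one locked folder
    # does not abort the sweep of the rest of the share.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if marker in name.lower():
                yield os.path.join(dirpath, name)


def hits_by_profile(profiles_root, marker=MARKER):
    """Group hits by top-level folder (assumed layout: one folder per user)."""
    grouped = defaultdict(list)
    for path in find_marker_files(profiles_root, marker):
        rel = os.path.relpath(path, profiles_root)
        parts = rel.split(os.sep, 1)
        # A hit sitting directly in the share root belongs to no profile.
        profile = parts[0] if len(parts) > 1 else "(share root)"
        grouped[profile].append(rel)
    return {user: sorted(paths) for user, paths in sorted(grouped.items())}


def demo():
    """Sweep a constructed tree; every name below is made up for the example."""
    sample = [
        "alice/Documents/report.docx",
        "alice/Documents/_RECoVERY_example.txt",
        "alice/Desktop/_RECoVERY_example.html",
        "bob/Documents/budget.xlsx",
        "carol/Pictures/_recovery_example.png",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return hits_by_profile(root)


if __name__ == "__main__":
    for user, paths in demo().items():
        print(f"{user}: {len(paths)} hit(s)")
        for p in paths:
            print("   ", p)
```

Point `hits_by_profile` at the real profile share (a UNC path works on Windows) from a clean machine, and treat every profile it returns as a candidate for account lockout and cleanup.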

After we removed all the files associated with the virus and all the files that had been encrypted, we restored backup versions of all the afflicted files.

We did remove the hard drive of the original system that had been infected. I plan on shooting it with either a 45-70 or a .50 BMG just to make sure it is completely dead. There is no reason to take any chances considering how much all the data on our network is worth.

This virus is nasty. The truth is that we were really lucky to have found it as quickly as we did and to have been able to mitigate the impact on our business. An infection like this can be catastrophic if you aren’t on top of things.

Keep your eyes open out there and if you see something that doesn’t look right, don’t be afraid to lock everything down until you can figure out what is causing the issue. A few hours of lost production is much better than a 6000 bitcoin ransom on your data.
