Moved to Malware Discussion > Corporate User Assistance.
Someone with Enterprise knowledge will hopefully chip in here to help but in the meanwhile read the link below.
It is focussed at Consumers but may help you, especially the bit about Ransomware, and then lower down the Hijackthis section.
If the machine can be identified, which I hope you can.........
When hit by these things you should do NOTHING, touch NO keys, No mouse and power off cold.
Then reboot into Safe Mode and see if a System Restore can take you back to before it happened.
That hopefully would work for system files but it may not help if your personal files are affected.
If successful, temporarily turn off System Restore to erase the infected restore point.
Original edited to remove clickable links.
Thank you for setting the subject into the correct box.
One small item: none of the computers shows a sign of infection or a screen asking to pay ransom.
All computers have been scanned; I even used Kaspersky and Symantec and antimalwarebytes to scan the PCs.
4 programs: nothing.
On the server where the share is hosted we added the user log so we can trace down which user is opening and closing so many files at one time.
So far: one big nothing. November 19 was the black day. Maybe another one will emerge.
It would be great to find the affected PC or device which is causing this problem, but so far I haven't found a thing.
Malware such as this is rarely detectable by antivirus software.
One of those malware specialist forums would be probably better equipped to help you in this matter.
I can thoroughly recommend BleepingComputer.
But hopefully someone with Enterprise knowledge, which I do not have, sorry, will spot this soon.
I have the same problem as you. Have you found the solution?
I haven't found a solution so far.
What I tried so far:
-Stinger latest version: nothing
-McAfee Antivirus Protection 8.8 patch 5: nothing
-Kaspersky Security Scan: nothing
-I had a test with the file decrypter tools from Kaspersky: nothing
The only thing that I find very strange is the c:\windows\temp folder.
McAfee is in warning and if you look in the access protection log you will see this: C:\WINDOWS\SYSWOW64\CSCRIPT.EXE C:\Windows\Temp\m_aCBC7.tmp
The last part m_aCBC7.tmp is changing each time and it changes names every minute. I have blocked this by applying a rule saying no files can be executed from the temp folder.
The encryption of our documents on a Windows Server has also occurred at our organization, on 19 November at 10:27, in the Netherlands.
We are lucky that we can restore the corrupted files from our backup. Can somebody give me more background information to prevent this situation in the future?
Thanks for your cooperation.
Make sure your organization knows NOT to click risky links or download anything from unknown sources. It's difficult to avoid these things.
Best ask that question at a professional malware removal forum such as BleepingComputer.
As far as dealing with this sort of thing, backups are probably the best approach as the previous poster said, but make sure the "infected" backup is destroyed.
I outlined what people should NOT do and should do (in that order) when these things hit, in my 1st reply.
OK I'm mainly on the Consumer side, but that principle applies to all types of installations.
In our company we've also found one server with most of the filenames changed after we came from lunch.
original-filename-and-extension.id-1248068004_email1_key at yellowrotation.com_email2_key at yellowseamail.com
We have VirusScan Enterprise + AntiSpyware Enterprise 8.8 patch 4 and DAT files updated.
ePO server controlling all the computers.
I've checked 3 computers so far and none is infected.
I've run a scan on the server, finding nothing strange.
What can we do?
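
For the renamed-file pattern quoted in the post above, an added example that is not part of the original thread: a Python sketch that walks a share, lists files whose names have the `.id-<digits>_...` suffix, and reports the first and last write times so the window can be matched against the server's user access log. The regular expression is an assumption derived from the single filename shape shown in the post, and the function names are hypothetical.

```python
import os
import re
import sys
from collections import Counter
from datetime import datetime

# Assumed shape, taken from the post: <original name>.id-<digits>_<contact text>
RENAMED = re.compile(r"^(?P<orig>.+)\.id-(?P<tag>\d+)_(?P<tail>.+)$")

def find_renamed(root):
    """Walk root; return one record per file whose name matches RENAMED."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = RENAMED.match(name)
            if m is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime  # last write = when it was rewritten
            except OSError:
                continue  # file vanished or access denied; skip it
            hits.append({"path": path, "original": m["orig"],
                         "tag": m["tag"], "mtime": mtime})
    return hits

def summarize(hits):
    """Return count, first/last write time, and per-tag / per-folder counts."""
    if not hits:
        return None
    times = [h["mtime"] for h in hits]
    return {
        "count": len(hits),
        "first": datetime.fromtimestamp(min(times)),
        "last": datetime.fromtimestamp(max(times)),
        "tags": Counter(h["tag"] for h in hits),
        "folders": Counter(os.path.dirname(h["path"]) for h in hits),
    }

if __name__ == "__main__":
    report = summarize(find_renamed(sys.argv[1] if len(sys.argv) > 1 else "."))
    if report is None:
        print("no renamed files found")
    else:
        print(f"{report['count']} files, {report['first']} .. {report['last']}")
        for folder, n in report["folders"].most_common(10):
            print(f"{n:6d}  {folder}")
```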