The best friend of every backup vendor is back on the blog – cryptolocker / teslacrytp /etc. I am writing this as a posthumous analysis of a yet another ransomware infection I had the personal displeasure of dealing with.
The whole ‘project’ is about 2 weeks in right now and no point of entry has been identified. This is not for the lack of trying: after going through a myriad of tools and logs on the entire windows domain server farm no source of infection has been identified still. Sounds incredible right? What about the backups or firewall logs? Well…there aren’t any. A halfway .crypt-ed isolated Esxi snapshot I made during the first call is all we got.
All of this is info from last week, because today I did find out what the actual source of infection is: Non domain joined workstations are logging in with Domain Admin creds and mapping drives. Lovely.
This is where the title of this post is coming from: you think you’ve seen it all? Think again.
Lesson learned from this one is pretty simple – do not take for granted the information you have been provided. The first step in stopping a crypto disaster should always be an isolated read-only backup, the second step has to be immediate termination of all accounts with write access to the encrypted files.
Sounds pretty harsh. It is. Now good luck convincing the person on the other end to follow through with this.
Jacob R, PEI
