

1. Executive Summary

On Monday 17 August 2015, the Willis Malaysia Sdn Bhd file servers (H drives) were found to be infected by a virus known as Cryptowall 3.0. It started by infecting one of the user workstations and spread widely to the network drive connected to the workstations. I ran a full system scan on both the infected workstations and the file servers using a third-party online scanner. The virus was detected and deleted, but the infected files could not be cleaned.

Unfortunately our existing anti-virus, Kaspersky, which is used on workstations and servers, did not detect the virus. I have already submitted a report to the anti-virus vendor regarding this issue.

The virus is a new version of the Cryptowall that attacked us two months ago. This new variant was released earlier this month. Please refer to this link: https://www.pcrisk.com/removal-

2. Virus Outbreak

The virus started to spread on 14 August 2015 (based on the infected files' details) through our network from one of the workstations, via opening spam mail, opening a malicious file or visiting a suspicious site. This new variant not only encrypts the files but also appends .aaa after the original file name and extension, for example report.docx.aaa or statistics.xls.aaa. It also drops slightly modified ransom notes, restore_files_hprjq.html and restore_files_hprjq.txt, in each folder where at least one file has been encrypted.
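The following is an added triage script, not part of the original report: it walks a share for the two indicators described above (the appended .aaa extension and the restore_files_*.html/.txt notes), lists the affected folders, and returns the earliest encrypted-file timestamp, which is the kind of file detail used above to date the outbreak start. The sample tree, its paths and the file names are constructed for the demonstration.

```python
import os
import re
import tempfile
from datetime import datetime

# Indicators from the report: encrypted files keep their original name and
# extension with ".aaa" appended, and a pair of ransom notes named
# restore_files_<random>.html / .txt is dropped in every affected folder.
ENCRYPTED_SUFFIX = ".aaa"
RANSOM_NOTE_RE = re.compile(r"^restore_files_[a-z0-9]+\.(html|txt)$", re.IGNORECASE)


def scan_share(root):
    """Walk a share and collect encrypted files, ransom notes, the folders
    touched, and the earliest encrypted-file mtime (dates the outbreak start)."""
    encrypted, notes, affected_dirs, earliest = [], [], set(), None
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # "report.docx.aaa": require an original extension before ".aaa"
            if name.lower().endswith(ENCRYPTED_SUFFIX) and name.count(".") >= 2:
                encrypted.append(path)
                affected_dirs.add(dirpath)
                mtime = os.path.getmtime(path)
                earliest = mtime if earliest is None else min(earliest, mtime)
            elif RANSOM_NOTE_RE.match(name):
                notes.append(path)
                affected_dirs.add(dirpath)
    return {
        "encrypted": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected_dirs),
        "earliest_encrypted": datetime.fromtimestamp(earliest) if earliest is not None else None,
    }


def build_sample_share():
    """Constructed sample tree (hypothetical paths, empty files); not real share data."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel in ("Unit 1/report.docx.aaa", "Unit 1/restore_files_hprjq.html",
                "Unit 1/restore_files_hprjq.txt", "Unit 2/statistics.xls.aaa",
                "EB/clean.pdf"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    for key, value in scan_share(build_sample_share()).items():
        print(f"{key}: {value}")
```

Run against a mounted share root instead of the sample tree to get the list of folders to restore from backup.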

3. Infected Folders and Files

List of folders and files infected by the virus:

a. Unit 1 Folder (including subfolders and files)

b. Unit 2 Folder (including subfolders and files)

c. Group Shared Folders:

   i. EB Folder (including subfolders and files)

   ii. Shared Folder (including subfolders and files)

4. Backup

The latest full backup is from 14 August 2015; unfortunately, the backup file, which was connected to the network drive, was also infected. The only clean and reliable full backup that can now be used is from 7 August 2015. The backups from 10 to 13 August 2015 are incremental, containing only the files that were altered since the last full backup (7 August 2015).

5. Backup Method

For your information, at the end of every week (Friday) a full backup is performed at 8:00 PM and saved to server storage (WDC) using the file-sharing method. Daily backups are incremental, containing only the files that have been altered since the last full backup. Each successful backup is transferred to an HP RDX tape connected to the IT workstations and encrypted.

6. Actions Taken

From my findings on the internet, here are the actions I took to remove the virus and prevent the outbreak from spreading:

a) Disconnect the source of infection from the network.

The workstations known to be the source of the virus need to be disconnected from the Willis Malaysia network to contain the outbreak.

b) Make sure the virus is not running.

Before performing the restoration process, the virus needs to be deleted permanently.

Run a full scan on the infected servers/workstations and delete the infected files.

c) Restore the corrupted and infected files.

The last full backup, from 7 August 2015, will be used to restore all infected files. This is followed by the incremental backups, which need to be restored one by one from 10 to 13 August 2015.

The first restoration (full backup) was completed on 17/08/2015 at 6:16 PM. The second restoration was completed on 18/08/2015 at 9:10 AM. Please refer to the restoration log attached herewith.

d) Report to the Kaspersky vendor regarding the virus not being detected.

e) Run another full scan after the restoration process is finished.

7. Conclusions

The virus evolves over time, so there is a possibility that an outbreak will happen again. The most effective method to recover the files is by using a backup; this time the backup method managed to recover all files. An improvement to a proper backup system, preferably with a local or cloud-based backup schedule, will go above and beyond to protect our data. Other considerations for protection include safe internet practices: don't visit questionable websites, never click links found within emails, and certainly never provide anyone any form of personally identifiable information in chat rooms, forums, discussion boards, or social media sites.