And Shadow Explorer
I recently was blessed with a user who was fooled by an email about a package and tracking. The email of course had nothing to do with a shipping company, but contained Cryptowall, a variant of the Cryptodefender trojan. And it was methodical. After basically locking them out of all their databases for a day while it did its business, it popped up the obligatory message about all the files being encrypted with an RSA 2048 key, and if you did not give them $500 in bitcoins (that one was new to me, but I guess they are untraceable), you would never see your files again.
Needless to say the lady was panic stricken. And I was ashen. It got her computer and every shared drive on the network. That was years worth of stuff. She called me about 5:30 on a Thursday, and I told her to stop everything and I would start looking at it that night (thank god for Teamviewer).
It was that bad. Every picture, word document, text file, spreadsheet, etc. EVERYTHING. As I said, it was methodical.
So I took a day off work, explaining to my boss what had happened, and headed over to the Church. I had turned off the shares so that on the odd chance the trojan had left some infecting mechanism on them, none of the other 10 computers would be infected. And started running Malwarebytes and Eset Online Scanner on every computer in safe mode (with networking). All the other 10 computers came up clean (well, they did not have Cryptowall, but they did have other less fatal bugs). But neither Eset nor Malwarebytes would run to conclusion on the "Trojan Prime" computer, so I worked on it over night. I managed to get it to run to conclusion (and hence how I found it was a phony shipping company email) by limiting what it scanned for successive scans until I was able to run a complete scan.
The Trojan was gone. But what to do about the data? Fortunately I had set up a backup program. A simple affair that backed up the data to a jump drive, full on Friday and then incremental the rest of the week. Each Friday, someone was supposed to take the drive off site (home with them) and put the second drive in. I do not know if that had been happening, but at least the backup was still running! SO I was able to restore the data on the server to the night before the infection.
But what about "Trojan Prime"? I could see no way around it. Her files looked like toast. But I downloaded and ran recuva, hoping to find some deleted files that had escaped encryption and restore them. What I found surprised me (ok, so I am not keeping up with what Microsoft is doing). Microsoft had ported Shadow Copy to Windows Vista (and beyond)! I was familiar with it as I have worked with Windows 2003, but how to get to the shadow copies without doing a complete restore?
Bing (or Google - YMMV) is your friend. Yep, I asked Bing and it told me about "Shadow Explorer". Freeware. So I downloaded it and gave it a shot.
And it recovered EVERYTHING (of course you do have to have System Restore turned on). Nice little utility that I have added to my Batcomputer Utility belt! It saved that Church's files, and is great! I know many do not like System Restore (I have yet to have good experience with it doing anything for the "system"), but with Windows Vista and beyond, it has a nice side job that can be a real life saver. With Shadow Explorer!