
VIRUS ATTACK ON 17 AUGUST 2015

1. Executive Summary
On Monday 17 August 2015, the Willis Malaysia Sdn Bhd file servers (H drives) were infected
by a virus known as Cryptowall 3.0. It started by infecting one of the user workstations and spread
widely to the network drive connected to the workstations. I ran a full system scan on both the
infected workstations and the file servers using a third-party online scanner. The virus was detected
and deleted, but the infected files could not be cleaned.
Unfortunately our existing anti-virus, Kaspersky, which is used on workstations and servers, did not
detect the virus. I have already submitted a report to the anti-virus vendor regarding this issue.
The virus is known as a new version of the Cryptowall that attacked us two months ago. This new
variant was released earlier this month. Please refer to this link: https://www.pcrisk.com/removalguides/7844-cryptowall-virus.
2. Virus Outbreak
The virus started to spread on 14 August 2015 (based on the details of the infected files) through our
network from one of the workstations, via opening spam mail, opening a malicious file or
visiting suspicious sites. This new variant not only encrypts the files but also appends
.aaa after the original file name and extension, for example report.docx.aaa or statistics.xls.aaa.
It also drops slightly modified ransom notes, restore_files_hprjq.html and
restore_files_hprjq.txt, in each folder where at least one file has been encrypted.
3. Infected Folders and Files
List of folders and files infected by the virus:
a. Unit 1 Folder (including subfolders and files)
b. Unit 2 Folder (including subfolders and files)
c. Group Shared Folders:
   a. EB Folder (including subfolders and files)
   b. Shared Folder (including subfolders and files)
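Scoping an outbreak like the one in sections 2 and 3 can be automated. The following added example (not part of the original report) walks a share, lists every file carrying the .aaa suffix together with the original name to pull from backup, the restore_files_* ransom notes and each folder hit, and records the earliest encrypted-file timestamp, which is the kind of evidence the 14 August start date above rests on. The sample share layout is constructed for this example, and the assumption that the five-character note tag varies between infections is mine.

```python
import os, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_SUFFIX = ".aaa"
# Notes seen in this incident were restore_files_hprjq.html/.txt; the tag is
# assumed to vary between infections, so it is matched with a wildcard.
RANSOM_NOTE_RE = re.compile(r"^restore_files_[a-z0-9]+\.(html|txt)$", re.IGNORECASE)


def triage_share(root):
    """Walk a share; return encrypted files, names to restore, ransom notes,
    affected folders and the earliest encrypted-file mtime (UTC) or None."""
    root = Path(root)
    encrypted, notes, folders, first_seen = [], [], set(), None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if RANSOM_NOTE_RE.match(name):
                notes.append(rel)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
                folders.add(rel.rpartition("/")[0] or ".")
                mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
                first_seen = mtime if first_seen is None else min(first_seen, mtime)
    return {
        "encrypted": sorted(encrypted),
        "to_restore": sorted(e[:-len(ENCRYPTED_SUFFIX)] for e in encrypted),
        "notes": sorted(notes),
        "folders": sorted(folders),
        "first_seen": first_seen,
    }


def build_sample_share():
    """Create a constructed sample share (not real data) mirroring the report."""
    base = Path(tempfile.mkdtemp(prefix="share_"))
    t0 = datetime(2015, 8, 14, 0, 0, tzinfo=timezone.utc).timestamp()
    layout = {  # relative path -> mtime to stamp on the file
        "Unit 1/report.docx.aaa": t0,
        "Unit 1/restore_files_hprjq.html": t0,
        "Group Shared/EB/statistics.xls.aaa": t0 + 3600,
        "Group Shared/EB/restore_files_hprjq.txt": t0 + 3600,
        "Unit 2/clean.txt": t0 - 86400,  # untouched file, must not be listed
    }
    for rel, ts in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
        os.utime(p, (ts, ts))
    return str(base)
```

Running triage_share on the real share root before restoration gives the list of original file names to pull from the 7 August full backup and the following incrementals, and the folder list to compare against section 3.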
4. Backup
The latest full backup is from 14 August 2015; unfortunately the backup file, which was connected to
the network drive, was also infected. The only clean and reliable full backup that can now be used is
from 7 August 2015. The backups from 10 to 13 August 2015 are incremental, containing only those
files which have been altered since the last full backup (7 August 2015).

5. Backup Method
For your information, at the end of every week (Friday) a full backup is performed at 8:00 PM
and saved to server storage (WDC) using the file sharing method. The daily backup is
incremental and contains only those files which have been altered since the last full backup.
Each successful backup is transferred to an HP RDX tape connected to an IT workstation and
encrypted.
6. Actions Taken
From my findings on the internet, here are the actions I took to remove the virus and prevent a
further outbreak:
a) Disconnect the source of infection from the network.
The workstations known to be the source of the virus need to be disconnected from the Willis
Malaysia network to stop the outbreak spreading.
b) Make sure the virus is not running.
Before performing the restoration process, the virus needs to be deleted permanently.
Run a full scan on the infected servers/workstations and delete infected files.
c) Restore corrupted and infected files.
The last full backup, from 7 August 2015, will be used to restore all infected files.
This is followed by the incremental backups, which need to be restored one by one from 10 to
13 August 2015.
The first restoration (full backup) completed on 17/08/2015 at 6:16 PM. The second
restoration completed on 18/08/2015 at 9:10 AM. Please refer to the restoration log attached
herewith.
d) Report the virus-not-detected issue to the Kaspersky vendor.
e) Run another full scan after the restoration process is finished.

7. Conclusions
The virus is evolving from time to time, so there is a possibility that an outbreak will happen
again. The most effective method to recover the files is by using a backup; at the moment the backup
method managed to recover all files. An improvement to a proper backup system, preferably with
a local or cloud-based backup schedule, will go further to protect our data. Other
considerations for protection include safe internet practices: do not visit questionable websites,
never click links found within emails, and certainly never provide anyone any form of personally
identifiable information in chat rooms, forums, discussion boards, or social media sites.