A “Lessons Learned” evaluation from ISC is shared with two valuable recommendations
QUOTE: Cryptodefense made its appearance around February this year on the back of the success of Cryptolocker. The basics remain the same though, and once infected the malware searches out PDF, doc(x), jpg and a few more document types and encrypts those. Files are encrypted using an RSA 2048-bit key which is placed in the user’s AppData directory. The impact of this particular malware can be devastating. Looking at what is left of the hard drive, every directory that looks like it may have documents or pictures in it has been touched. This includes things like Dropbox and network shares. In an incident elsewhere earlier in the year, external hard drives were also encrypted.
So what were the lessons learned in this instance? Well, for starters, backups are your friend. In this particular instance the organization had good backups of the files on the servers. The other lesson learned was to take AV responses more seriously. Just because the AV says it has cleaned something does not necessarily mean that everything is gone, only the bits it knows about.