Problem Definition:
Users report they are unable to access files on a network share. The files are not able to be opened by their associated programs.Error messages may include “not supported file type,” “file has been damaged,” or “select the encoding that makes your document readable.” Sample error messages appear below:
Cause:
If the files are accessed through a Mapped Network Drive, it is likely the symptom of a Malware infection of CryptoWALL ransomware. A ransomware is a malware, that when executed by a user, searches for and encrypts all files, typically mapped network drives that the end user has access to.The encryption is not able to be brute forced, and the only way to unlock the files is to pay the ransom to the cybercriminal organization.CloudConnect does not recommend you pay any ransom, rather adhere to the resolution documented in this CCT Article. Ransomware generally does not constitute a security breach or theft of data/information. Rather cybercriminals encrypt the data and generally only issue unlock keys when a ransom has been paid through an anonymous currency transaction.
Resolution:
Contact CloudConnect Technical Support. Ask the Support Engineer to escalate your case pursuant to CCT-2014271. The Escalation Engineer should check the Malware detection history for a ransomware. Once verified, the data will need to be restored from CloudConnect nightly backup.
Additional Information:
CloudConnect discourages the use of Mapped Network drives in any environment. Use UNC path shortcuts to shared files instead.However, this may not be possible in all implementations, as such use limited, explicitly defined NTFS permissions on data that must be shared using a mapped network drive.
CloudConnect utilizes a centrally monitored AntiMalware system to guard against this sort of attack, and has other measures in place to mitigate the effects of CryptoWALL. However, cyber criminals continue to develop and revise this exploit to be undetectable by most commercial-grade antimalware agents. In many cases, a reliance on data recovery is the only option to respond to such a threat. Customers with enhanced security needs can also consider implementing a “Whitelist Only” software restriction policy. This will prevent users from running unsigned/unknown executables including CryptoWALL.
Applies To:
Citrix XenApp 6.5
Microsoft Windows